
0xDEADBEEF


Posts posted by 0xDEADBEEF

  1. Not sure if this is a bug or an issue only on my computer. It seems ESET's official website changes web content according to the browser's user agent. So when I browse using Ubuntu, the top portion is missing, as shown below. If I use a user agent switcher and change to IE, for example, the top part is fine.

    My browser's user agent string is: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0

    [attached screenshot: website.thumb.png]

  2. ESET has been detecting a popular official game downloader as a Generik trojan for some days. The sample 768596273459d8c3e01c77ffcc0f631bf79f3b6c.zip is uploaded to the ftp server.

    Original file is downloaded from here


    Also I am wondering if these two apks (in the ftp server, d693ae624fa9c0ebfbbf019cb53def036a51e719d693a.zip and fc3a46a4bbbee9ca2c053b388873bfdb9bd93f57.zip) are malicious or not. ESET detects them as a variant of Android/Obfus.AY and a variant of Android/TrojanDownloader.Agent.KU. They are both relatively popular Android apps downloaded from the official website.

    This game file is detected as malicious by ESET (82233f28e7badb481d7cb016b791056fc48fa71582233.zip in the ftp server); not sure if it is correct or not.

  3. 25 minutes ago, novice said:

    Have you tried RanSim on ESET? Nothing is being detected, with the explanation: we know that is a simulator, but in real life ESET will behave differently.

    Here is the real life: this rapid ransomware sample, where you end up having several files encrypted.

    RanSim from my view is not a correct way to test ransomware protection. Since itman has more info on that, I will skip those details.

    The art of detecting malware automatically is to precisely locate the difference between it and benign programs. This can be very subtle in some cases because an antivirus has a limited view of a program's intention. Take WinRAR as an example: if a bad guy uses it to silently batch encrypt all your docs and delete the original files without telling you, this legitimate program is a "ransomware". In that sense, how does an antivirus know if these behaviors should be allowed or not? The answer perhaps is: user prompt. But the truth of such a fallback method is that it essentially offloads the decision back to the human, while humans (I mean ordinary users) can easily be fooled into clicking allow in such a case with some social engineering tricks. On the other hand, if the user clicks deny in such a case, it is actually the user instead of the AV itself that manages to recognize the ransomware.

    So different vendors have different ways to deal with this pain point. Some use a whitelist to only allow common programs to modify files in key folders. RanSim might be blocked in such a case, but as soon as one uses a legitimate program outside the whitelist, things become troublesome (they might even auto-quarantine the legitimate program!). Some simply rely on user decisions, but humans are always the weakest part in such an attack. Some use heuristic rules to guess if a program is ransomware or not, and this is how ESET and some other vendors deal with this. You have a balance between FPs and detection ratio, and of course malware can play by such rules, as AVs can hardly be smart enough.

    I feel like with so many different security products on the market, each with a different design philosophy, one has abundant choices to pick a security solution that best fits him/herself. If one wants more control over such events, enabling custom HIPS rules in ESET or changing to another security product with more aggressive blocking (and hence FPs) might be a better choice.
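The WinRAR point above (a heuristic sees only the observable file activity, not the intention behind it) can be shown with a small detector. The following is an added example, not code from ESET or from anyone in this thread: it implements one plausible ransomware heuristic (a single process replacing many files with high-entropy content within a short window) and runs it over a constructed event stream. The process names, paths and the monitoring data structure are all assumptions made for the illustration.

```python
import math
import random
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class WriteEvent:
    """One file write as a hypothetical filesystem monitor would record it."""
    ts: float               # seconds since monitoring started
    process: str            # image name of the writing process
    path: str               # file that was written
    data: bytes             # content written (inline sample data here)
    original_deleted: bool  # the process also removed or replaced the original


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or compressed data, much lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def suspicious_writes(events, window=10.0, min_files=5, entropy_threshold=7.5):
    """Heuristic used by this example: flag a process that, inside `window` seconds,
    replaces at least `min_files` files with high-entropy content and drops the
    originals. Returns {process: total number of such replacements}."""
    per_proc = defaultdict(list)
    for e in events:
        if e.original_deleted and shannon_entropy(e.data) >= entropy_threshold:
            per_proc[e.process].append(e.ts)
    flagged = {}
    for proc, stamps in per_proc.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):          # sliding window over timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= min_files:
                flagged[proc] = len(stamps)
                break
    return flagged


def build_constructed_events():
    """Constructed event stream (not real telemetry): a ransomware-like process, a
    legitimate archiver doing a batch 'compress and delete originals', and a word
    processor saving one document."""
    rng = random.Random(1234)

    def random_blob(n=2048):   # stands in for ciphertext or compressed output
        return bytes(rng.getrandbits(8) for _ in range(n))

    text_blob = b"Quarterly report: revenue up 3%, costs flat. " * 50
    events = []
    for i in range(8):   # evil.exe: rewrites 8 documents within 3 seconds
        events.append(WriteEvent(1.0 + 0.4 * i, "evil.exe",
                                 f"C:/Users/a/Docs/{i}.docx.locked", random_blob(), True))
    for i in range(8):   # winrar.exe: user-initiated 'move to archive', same observable shape
        events.append(WriteEvent(20.0 + 0.5 * i, "winrar.exe",
                                 f"C:/Users/a/Docs/{i}.rar", random_blob(), True))
    events.append(WriteEvent(40.0, "winword.exe", "C:/Users/a/Docs/report.docx",
                             text_blob, True))
    return events


if __name__ == "__main__":
    print(suspicious_writes(build_constructed_events()))
```

Both evil.exe and winrar.exe are flagged, because compressed output is as high-entropy as ciphertext and the archiver also removed the originals; only the intent differs, which is exactly what the heuristic cannot see. Tightening the thresholds lowers the archiver false positive at the cost of slower-moving ransomware slipping under them, which is the FP/detection trade-off the post describes.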

  4. 3 hours ago, itman said:

    this will silence those that believe Eset does not employ behavioral analysis in its ransomware detection methods

    ESET indeed has behavioral analysis against ransomware from my own testing (and the Beh.XXX family, which is used to flag potential ransomware behavior, now has more members); it is rare to see it being effective, though, because most samples are already detected by the scan engine (some slip through the defense though). Actually this is also the first time I have encountered a real-world fresh sample being caught by the ransomware shield.

    Ransomware shield is the last defense layer in such case with the cost of some files being encrypted. Of course ESET can further implement the roll-back as some other vendors do. But the performance implication and the protection robustness remain a problem.

    Still, there is no perfect auto-blocking solution against ransomware so far, while ESET is so insistent on protection with minimal user interaction. I've evaluated several other vendors' so-called "ransom shield" designs using white samples or real-world malicious samples. Most of them are effective against typical malicious ransom behaviors, but are also way too sensitive to white programs (some even mark legitimate archive programs as suspicious without the help of a sufficiently large whitelist).

    Generally, not knowing the true intention of a file modification behavior makes recognizing ransomware a particularly hard problem, and one can't expect a computer program to fully understand this because sometimes even humans can't without careful analysis :(

  5. 15 minutes ago, itman said:

    I am confused here.

    If Eset's ransomware detection was triggered, was the process terminated and quarantined? Or, was an alert thrown requiring user interaction?

    You state the cloud detected it as malicious. Do you mean LiveGrid detected it as malicious? If so, why was the process allowed to run? Or was the LiveGrid lookup processing triggered by the ransomware shield detection?

    The ransomware detection was triggered, the process was terminated and the original binary was quarantined (yes, there was a threat prompt). However, some images were encrypted already, and the malware had successfully achieved persistence. So on the next boot the ransomware shield was triggered again, and more files were unfortunately encrypted. The major threat was cleaned only after the second ransomware shield quarantine event.

    By saying the cloud detected it as malicious, I was referring to EDTD's detection. The file was marked as malicious by EDTD upon the first encounter already, so I expected it to be blacklisted as a suspicious object soon, but apparently, as Marcos explained, this didn't happen due to some FP concerns at that time.

  6. 1 hour ago, Marcos said:

    It is detected now. At the time we received it for the first time the sample didn't reach sufficient confidence level in order to be detected (there was a collision with a legitimate uninstaller), otherwise automatic detection would have been added instantly. Soon Augur will be made more aggressive to block samples like this on download automatically, however, we need to improve performance on the internal anti-FP mechanisms first.

    Thanks for the explanation. Looking forward to seeing Augur's improvements.

  7. I encountered a rapid ransomware sample around 15 hours ago. At that time, ESET's scanner couldn't detect it (while other major vendors already detected it on VT). The ransomware shield stopped it before it encrypted more of my images. The cloud also detected it as malicious at that time. However, the scan engine/cloud blacklisting is still not updated to detect this sample as of now. Wondering if this is expected or not. The sample is uploaded with the name 713995310B25497E94432F22D262B84EF196AEA3.zip

    BTW the scan engine takes a while to scan this 4MB file, which is a bit unusual.


    https://www.virustotal.com/#/file/487313b869a4d73c9f7288786e70a1660893a9c7243b81ccd49ccc051caf0fa9/detection

  8. 7 hours ago, BunzLee said:

    I don't know if I'm supposed to upload them here.

    Debugging log may contain private info, so sending through private message is the correct way to do it.

    BTW the issue reports I saw previously have similar symptoms: they also reported that a re-install might work, but after a reboot the problem comes back again. So hopefully ESET can identify and fix the issue with your help.

  9. I have seen sporadic reports recently saying the new 11.2 significantly slows down Tencent QQ startup (it takes nearly a minute, while in a normal situation it only takes a second or two to show the login window). They said rolling back to 11.1 helped. This doesn't happen to all users with Tencent QQ installed; most people report that they don't have such an issue. Currently I don't have sufficient info (e.g. whether they also install other security software), so I didn't raise this in the forum, but this post seems to be related to the issue reports I saw.

  10. 1 hour ago, itman said:

    Hum... this one had me "scratching my head."

    I guess if the rule was set to "ask" mode, it would function as a global rule to monitor for selected activity. Versus, the "hassle" of running in interactive mode and having to set multiple allow rules for everything.

    Note that "ask" mode will revert to "allow" mode if not responded to within the timeout period. This would prevent any "borks" at boot time.

    Yes, but waiting for each ask prompt to time out generally makes the system unusable upon boot. Therefore I hope ESET can add such a reminder for rules of this type.

  11. 5 hours ago, Marcos said:

    I for one don't think that having a rule with no source and target applications selected but limited to specific operations should be considered too general.

    My view is that enabling one or several operations with all src and target monitored (block or ask) has the potential to prevent the system from working correctly. Of course one may feel that customizing HIPS rules is for pros and then it is their responsibility to make it right. I, however, suggest also adding a warning at least when adding such a rule, because it is easy to make such a mistake and it just happened to a user yesterday.

  12. I noticed that the HIPS rule sanity check (the mechanism that reminds the user that "the created rule is too generic and may crash the system") only applies when both source apps and target app files are set to "all" AND all application operations are enabled.

    Shouldn't this check be effective as long as the source and target are both set to "all"? I am asking this because I saw someone lock himself out by accidentally adding a rule that only blocks application start, with src and target set to "all". In this case the sanity check doesn't notify the user of the danger of such a rule, and the computer will crash on the subsequent boot.
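To make the two sanity-check policies concrete, here is an added example (my own model, not ESET's code or rule format) that encodes HIPS rules as small records and compares the check the post observes (source and target both "all" AND every operation enabled) with the check the post proposes (source and target both "all" and the rule blocks or asks on any operation). The operation names and the sample rules are constructed for the illustration; the "lockout" rule is the block-application-start case from the post.

```python
from dataclasses import dataclass

ANY = "*"   # constructed marker for "all applications" / "all files"

# Hypothetical set of application operations a rule can cover; the names are
# illustrative, not ESET's own identifiers.
APP_OPERATIONS = frozenset({
    "start_new_application", "modify_state_of_another_application",
    "terminate_application", "suspend_application", "debug_application",
    "intercept_events", "load_driver",
})


@dataclass
class HipsRule:
    name: str
    action: str                               # "allow", "block" or "ask"
    source_apps: frozenset = frozenset({ANY})
    targets: frozenset = frozenset({ANY})
    operations: frozenset = frozenset()

    def all_sources_and_targets(self) -> bool:
        return ANY in self.source_apps and ANY in self.targets


def current_check(rule: HipsRule) -> bool:
    """Models the behaviour the post describes: the 'too generic' warning fires only
    when source and target are both 'all' AND every application operation is on."""
    return rule.all_sources_and_targets() and rule.operations >= APP_OPERATIONS


def proposed_check(rule: HipsRule) -> bool:
    """The post's proposal: warn whenever source and target are both 'all' and the
    rule blocks or asks on at least one operation. An 'allow' rule cannot lock the
    user out, so it is exempt."""
    return (rule.all_sources_and_targets()
            and rule.action in ("block", "ask")
            and bool(rule.operations))


def evaluate(rules):
    """Return {rule name: (current_check result, proposed_check result)}."""
    return {r.name: (current_check(r), proposed_check(r)) for r in rules}


# Constructed rules for the comparison.
SAMPLE_RULES = [
    # the lockout case from the post: only 'start application' is blocked
    HipsRule("lockout", "block", operations=frozenset({"start_new_application"})),
    # every operation blocked for everything: both checks warn
    HipsRule("catch-all", "block", operations=APP_OPERATIONS),
    # scoped to one target binary: neither check should warn
    HipsRule("protect-one-app", "block", targets=frozenset({"C:/App/svc.exe"}),
             operations=frozenset({"terminate_application"})),
    # broad but permissive: cannot break boot, neither check warns
    HipsRule("permissive", "allow", operations=frozenset({"start_new_application"})),
]

if __name__ == "__main__":
    for name, (cur, prop) in evaluate(SAMPLE_RULES).items():
        print(f"{name:16} current={cur!s:5} proposed={prop!s:5}")
```

Only the proposed check warns on the "lockout" rule, while both checks agree on the other three, which is the gap the post is pointing at: a single blocked operation with an unrestricted source and target is enough to break the next boot, so the warning condition should not require every operation to be selected.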

  13. 1 hour ago, itman said:

    Hybrid-Analysis uses CrowdStrike's Falcon AI engine running in the Cuckoo sandbox I believe

    They are using their own in-house kernel logging sandbox... The current version of Cuckoo is too easy for sandbox evasion.

    Is MITRE ATT&CK a sandbox service? The visualization seems pretty nice, and more behaviors of these two samples get unrolled.

  14. 18 hours ago, itman said:

    Is this bugger always bundled in another software installer or can it be downloaded stand-alone?

    I am not sure; it seems to be legitimate software/PUA, but some apparently flag it as a rootkit?

  15. 6 hours ago, Peter Randziak said:

    Hello guys,

    I do not have access to that sample personally; do you happen to know what it does, i.e. what kind of rootkit-like behavior does it perform?

    Regards, P.R.

    Hi, I've sent you a message with the link to the sample, thanks.

  16. 31 minutes ago, itman said:

    I assume you are referring to AMS

    Not really. I kinda get what AMS's trigger is. The startup scanner is a bit different.

    My current observation is that the startup scanner encompasses two major scanning methods: the file scan and the memory scan. When the realtime monitoring is disabled, not all malware that can be detected by the default scan engine will trigger the startup scanner detection. I can imagine that if a malware drops a binary to a key location (e.g. some autorun folder), it will trigger a file scan activity from the startup scanner. I am not sure about any other cases. Behaviorally, it is not as trivial as the realtime monitoring, where one can expect a scan whenever a file is created/executed.

  17. 31 minutes ago, itman said:

    You do so via the Eset GUI -> Tools -> More Tools -> Scheduler and then just disable (uncheck) any scans you don't want to run.

    Though I don't think disabling the scheduler will disable the malware-triggered startup scan detection. I will do an experiment tonight and see.


    Actually I am more interested in the triggers of such a scanner (not the triggers by the scheduled task).

  18. 9 minutes ago, itman said:

    If you are referring to any startup scan that might run after realtime scanning has been disabled via desktop option, it not running seems reasonable to me. However, the realtime scanner if paused will auto activate at the next subsequent system boot. Therefore, any scheduled startup scan should run unimpeded.

    The confusing part is:

    1. Disabling realtime filesystem protection permanently (meaning a reboot will keep it off) will still have startup scan detection.

    2. There is no setting to enable/disable the startup scan in the settings. It will be triggered when certain types of malware execute (likely the ones that try to be persistent), so it is triggered by a malware event, instead of a periodic task. I have not yet tried disabling the related entries in the task scheduler to see if they are related.

    3. Pausing protection will then give no alerts from either the realtime scan or the startup scan. AMS still works though. So that's why I think pausing protection also pauses the startup scan.

    4. And the startup scan also scans memory objects (I saw a "threat detected in memory" alert from the startup scan for some samples). Does it mean that the startup scan includes both a file scan like realtime monitoring and a memory scan like AMS?

    I saw no document describing this scanner, which is why I posted the question here.

  19. 4 minutes ago, Marcos said:

    Pausing protection has no effect on startup scans, AMS, etc. It simply pauses real-time protection, web and email protection, document protection, etc.

    Hmm, I saw behaviors different from your description in EES7. If I simply disable the realtime monitoring permanently in the settings, executing an old Cerber sample results in a detection from the startup scanner. However, pausing the protection using the tray menu (without disabling realtime monitoring in the settings) moves the detection of the same sample to AMS. That's why I think pausing the protection also pauses the startup scanner. Other samples show a similar situation.
