Everything posted by 0xDEADBEEF

  1. Cool, thanks. Wondering if these are the settings for configuring the startup scan? BTW, am I correct that pausing protection using the right-click menu in the tray will also pause the startup scan? Seems there is no standalone knob for turning it on or off in the settings menu.
  2. I noticed that even with realtime file scanning disabled, there is something called the startup scanner that will detect some threats before the advanced memory scanner kicks in. Is the startup scanner a special monitoring layer? What's the difference between it and the realtime scanner? How do I disable/configure it?
  3. SHA256: 13eb6bfa41a350b44a12e2f45419e409f7ff51acb82262ba6c3ec0bfc7dbea46 ESET didn't flag it as malicious. Seems to me like a false positive from other vendors on VT.
  4. Also, some free AV vendors have a nasty history of copying non-free vendors' detections (even the detection names!). They will blacklist whatever some trusted vendors (like ESET) think is malicious within hours without even examining the samples themselves. They don't pay those trustworthy vendors, don't get caught, and get good scores on some 3rd-party tests. This also creates an illusion that they always catch more than some non-free vendors.
  5. Yeah, this makes sense. Usually an AMS detection will leave some harmless side effects on the test machine, so if these side effects are counted as a failure, ESET will for sure get a somewhat lower score...
  6. However, the result from page 5 seems to be inconsistent with the real-world case..
  7. I think it is doable, as long as the client engine can extract feature vectors locally and only send that information to the cloud for a large-model verdict... As they showed in the article, the detonation-based model (cloud sandbox) requires minutes, but a preliminary static examination takes much less, similar to Avira's strategy. However, I haven't used WD for a long time, so I don't know if their claims match what the actual product does. I guess document protection is sort of different from WD's cloud scan. And I agree with your comment about SmartScreen, it is sort of anti
  8. Perhaps they are targeting large enterprise customers. Their sample report seems to be very detailed. Plus, some more discussion about the countermeasures against some evasion techniques I mentioned in the previous post: https://www.first.org/resources/papers/conf2017/Countering-Innovative-Sandbox-Evasion-Techniques-Used-by-Malware.pdf I should have found these materials earlier.. guess I should try more search keywords next time. I believe ESET and perhaps other large AV vendors also have in-house sandboxes with such capability, otherwise there would be a lot of samples that would slip
  9. My best guess is they have their in-house kernel logging implemented in the cloud. Hah, I found this article: https://www.vmray.com/blog/analyzing-environment-sensitive-malware/ To detect environment-sensitive malware and thus hidden functionality, we combine Intel's new Processor Tracing feature with powerful analysis techniques and sophisticated heuristics: We utilize Processor Tracing information to determine code coverage in memory dumps of the monitored processes, i.e. identify all code locations that have not been executed during analysis. From these untrigge
  10. Yes, most modern sandboxes are now able to skip basic sleep functions. However, there are many ways to sleep, so there is no all-in-one solution to avoid this issue (last year I found a simple method to bypass the MSE engine's countermeasure for this, not sure if they have fixed it). Yes. Though I am not referring to a sandbox that is used for this purpose. I personally find sandboxes of this usage very confusing regarding user experience. It is more for pros and doesn't help tell if an untrusted file is malicious or not (unless the malicious behavior is too obvious). Yes, I can't tell how ma
  11. There is a question that has long baffled me... Since a Turing machine cannot decide whether a certain portion of code will be executed or not, detecting malware is theoretically undecidable unless the malicious code is triggered under some conditions. One might argue that the problem will be partially solved by constantly monitoring program behaviors in the background. However, I feel this is particularly a bottleneck for detection methods that execute the sample, collect the behavioral trace, and give a verdict within a limited amount of time. For example, how does the automatic sandbo
  12. As additional info, today I got another such document sample which is not detected by an ESET scan using the latest virus DB. First look at the VT result: Note the first submission of this sample to VT is 12:12 UTC, and I am testing at around 14:00 UTC, around 2 hrs difference in time. Seems to be a tragic result for ESET, right? Open it.. Well, it is a very typical mal-doc, and asks one to enable macros. Enable, then OK, first the internal URL blacklist blocked some. Then realtime filesystem monitoring kicked in. And finally the botnet protection blocked t
  13. My experience is ESET tends to block malware-carrying documents at a later stage instead of at the scanning stage. VirusTotal only shows scan results. I partially agree that there are more cases where ESET didn't detect the document or other archives commonly seen in malware-spreading spam at the early exposure stage through scanning (i.e. other scanners in VT already detect it but ESET doesn't). But after opening/executing these files I usually found the actual payload was blocked either by internal URL blacklists or AMS or later defense layers. These experiences include "real-world" ones
  14. I'd appreciate it if ESET could disclose some detailed reasons behind this detection. It would help me evaluate whether to whitelist this software or not (and the truth is most Chinese users simply whitelist this detection... therefore knowing the reason serves as a better justification for not whitelisting this PUA).
  15. Hmm, was wondering what kind of signature is extracted from that exploit script. BTW, I am curious about the malicious behaviors of this Tencent.O. Since it is a very popular IM software in China, I don't think ESET would detect it without a good reason.
  16. I've noticed ESET detects Tencent IM's installer as the Tencent.O PUA. May I ask the reason for ESET to categorize it as a PUA? Link to the installer: https://dldir1.qq.com/qqfile/qq/TIM2.2.0/23808/TIM2.2.0.exe
  17. Yes... my test machine is still on old Office 2007. BTW, this sample is spread through spam, so it is a "real-world" one.
  18. Thanks! Originally I intended to ask if ESET has generic exploit detection like other vendors in VT as shown on that webpage. From the updated detection name, I can see what's happening.
  19. Was wondering why an ESET scan usually doesn't detect documents with exploits. For example this file (scan shows clean with 17430): https://www.virustotal.com/#/file/84a7c1eac6e1a130cb66126fa48258e9c7c8b60a2a5fd0fcd564305775757641/detection Executing this sample in a virtual machine successfully downloads the payload and executes it through the Equation Editor exploit, and ESET detects the payload post-execution as FareIt using AMS. But I feel like detecting it at an earlier stage is better?
  20. Some more testing reveals that some vendors closely monitor and quickly blacklist VT samples. They can get a very bad detection rate when the samples fall outside VT collections. This forms a severely biased result: for people who test these products for fun, the samples are likely to be collected from VT or at least to have been scanned in VT (note that a lot of online sandboxes also upload samples to VT for a static verdict). Vendors which closely monitor and blacklist VT samples might get a pretty good result because they always get the sample before one can get it, due to such sampling bias, so it crea
  21. Actually WD has an emulation engine, but a rather poor one. It can be easily fingerprinted and bypassed. I personally feel it is more because it lacks caching capability, so its emulation engine needs to busily emulate executables even when they are not new to the machine. Not sure why they didn't add caching. One interesting note is that both ESET and WD have a noticeable impact on program start-up speed, but ESET's is more due to AMS because the realtime scanner has caches. Thanks for the info on the cloud scanner (I remember seeing some detection names with cl as the suffix, perhaps that's i
  22. I was more curious about the yellow bar in the Windows Defender score. I am not sure what alert is counted as a user-dependent event... SmartScreen?
  23. This reminds me of another interesting observation: a year ago I was always wondering why ESET scored very badly in some 3rd-party performance impact evals, because it is very counter-intuitive from my own experience. After some leisure-time benchmarking and analysis across different products, I started to see some reasons behind the numbers. Some tests "successfully" avoided many scenarios where a caching mechanism may help. Installing new apps, starting an application, etc., all fall outside this range, and they may take up a large portion of the performance score. As performance optimizations
  24. As I said, having a bad FP score indicates a bad product, but having a good FP score doesn't necessarily mean the actual FP rate of a product is low. I can easily make an innocent hello-world program (without obfuscation techniques) and have several products which have a low number of FPs in the AV test (say, 1~4) raise a false alarm. It is not easy to make ESET do so. The real world is much more complex than this (note their FP test only executed ~50 samples to test behavior blockers, which is more prone to FPs.) I have even experienced one product with a good-looking FP score flag PCMark as malicious and auto-qu
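Post 10 above says sandboxes skip "basic sleep functions" but that there are many other ways to sleep. The following is an added example (editor's illustration, not code from the poster or from any vendor discussed) of what that means concretely: the same delay implemented through the sleep syscall and through a clock spin, with the real elapsed time measured on a monotonic clock so a skipped or fast-forwarded sleep shows up as a shortfall. It assumes a POSIX host (Linux/glibc with `clock_gettime` and `nanosleep`); the Windows analogue would be `Sleep` vs. `QueryPerformanceCounter`.

```c
/* Added example: measuring whether a requested delay was really honoured.
 * Assumes a POSIX host; not code from the forum thread. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Milliseconds between two CLOCK_MONOTONIC readings, computed in
 * nanoseconds first so the result is floor(actual milliseconds). */
static int64_t elapsed_ms(const struct timespec *a, const struct timespec *b) {
    int64_t ns = (int64_t)(b->tv_sec - a->tv_sec) * 1000000000LL
               + (int64_t)(b->tv_nsec - a->tv_nsec);
    return ns / 1000000;
}

/* Way 1: delay through the nanosleep syscall. This is the "basic sleep
 * function" a sandbox countermeasure hooks or fast-forwards.
 * Returns the milliseconds that really elapsed on the monotonic clock. */
int64_t delay_via_nanosleep(int64_t ms) {
    struct timespec req = { .tv_sec = (time_t)(ms / 1000),
                            .tv_nsec = (long)((ms % 1000) * 1000000L) };
    struct timespec rem, t0, t1;
    clock_gettime(CLOCK_MONOTONIC, &t0);
    while (nanosleep(&req, &rem) == -1 && errno == EINTR)
        req = rem;                      /* resume if a signal interrupted us */
    clock_gettime(CLOCK_MONOTONIC, &t1);
    return elapsed_ms(&t0, &t1);
}

/* Way 2: the same delay with no sleep call at all, spinning on the clock.
 * Patching nanosleep (or Sleep on Windows) changes nothing here; the
 * sandbox would have to accelerate the clock source itself. */
int64_t delay_via_spin(int64_t ms) {
    struct timespec t0, t1;
    clock_gettime(CLOCK_MONOTONIC, &t0);
    do {
        clock_gettime(CLOCK_MONOTONIC, &t1);
    } while (elapsed_ms(&t0, &t1) < ms);
    return elapsed_ms(&t0, &t1);
}

/* A delay was "skipped" if the clock advanced less than was requested. */
int delay_was_skipped(int64_t requested_ms, int64_t observed_ms) {
    return observed_ms < requested_ms;
}

int main(void) {
    int64_t want = 50;                  /* constructed test value */
    int64_t got_sleep = delay_via_nanosleep(want);
    int64_t got_spin = delay_via_spin(want);
    printf("nanosleep: asked %lld ms, clock advanced %lld ms -> %s\n",
           (long long)want, (long long)got_sleep,
           delay_was_skipped(want, got_sleep) ? "SKIPPED" : "honoured");
    printf("spin:      asked %lld ms, clock advanced %lld ms -> %s\n",
           (long long)want, (long long)got_spin,
           delay_was_skipped(want, got_spin) ? "SKIPPED" : "honoured");
    return 0;
}
```

On a normal host both paths report the clock advancing by at least the requested amount. A sandbox that only patches the sleep call is exposed by the first path; one that also fast-forwards the clock source fools both measurements, which is why the poster's point stands: the only general fix is on the analysis side (forcing execution of untriggered code, as in the Processor Tracing approach quoted in post 9), not on the sleep-skipping side.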