SeriousHoax

Everything posted by SeriousHoax

  1. It's a relatively new ransomware named GoRansom POC Ransomware. ESET doesn't have a signature for it yet. On execution it failed to detect the encryption made by the ransomware. On a side note: Kaspersky, which is very well known to protect against ransomware, failed to stop this ransomware as well. So, seems like a serious one. My reason for posting is not to blame ESET but to know what's so special about this ransomware that other reputable AVs' ransomware protection modules are failing as well. Hopefully ESET will analyze it and protect users from similar ransomware in the future. A link to the ESET test: https://malwaretips.com/threads/goransom-poc-ransomware-20-09-2019.95105/post-835332 The sample has already been sent to ESET. I can share the sample here if you want. This is the SHA-256 file hash: 83b3dc0ce9250636c0a19335e7991e90646e46b2e0fc376c0d3fa1abf013104d
  2. If you're in a hurry you can download this. I uploaded this from my PC. If you have any doubt about the authenticity of the file, then after downloading check the file on VirusTotal and also check the digital signatures. SHA-1 hash of the file: 74A946136D9F040E7A368BFA46ED81581EC1A9F1 This is a one-time-only downloadable link: https://send.firefox.com/download/cbfcdc63a6c5ad9a/#ZhkV5ctf8D3sgzZl5Ogtzw
  3. Yes, you are right. ESET is always around the 98% mark. In the test before this one they scored 98.4%, which was lower than every other product (except Total Defense). So, everyone else is doing better. I'm pretty sure too that it's not related to PUA. ESET is pretty good at detecting those. The report of the February-May 2019 test was more detailed. It showed ESET failed to detect 12 threats out of 752 but didn't mention what type of threats those were: https://www.av-comparatives.org/tests/real-world-protection-test-february-may-2019/ Also, check the report of the February-May test. They categorized the false positives by prevalence (very low, low, medium and high) and most of the WD false positives were in the very low and low groups. So an average user would rarely face a false positive issue. Maybe most of those false positive samples were blocked by SmartScreen. SmartScreen is mostly reputation based, so it's a possibility.
  4. Everything can be done via this tool. One tool for everything related to Windows Defender: https://github.com/AndyFul/ConfigureDefender
  5. Here's the latest AV-Comparatives Real-World Protection Test Jul-Aug 2019: https://www.av-comparatives.org/tests/real-world-protection-test-jul-aug-2019-factsheet/ Comparison chart: https://www.av-comparatives.org/comparison/?usertype=consumer&chart_chart=chart2&chart_year=2019&chart_month=Jul-Aug&chart_sort=1&chart_zoom=2 ESET blocked 98.3% with 1 false positive. While 98.3% is not a bad result, ESET finished last in this test, and the likes of McAfee and Tencent finishing ahead of ESET is what's bothering me the most. Did you get a detailed result of the types of malware ESET missed in this test? Was ESET able to detect them after execution, or is execution done in this test too?
  6. I see. On my PC WD often randomly uses high CPU. I didn't face any performance issue though, even while gaming, but ESET is definitely lighter. Anyway, keep testing them together and let us know how things go.
  7. I have these rules active in ESET HIPS as well. Very useful. I have enabled some SRP rules which cover almost all of these, but it's nice that ESET has such options.
  8. Do you not feel any slowdown with the two of them together? WD is a lot heavier than ESET. I always use ESET with the VoodooShield free version. A great companion.
  9. I'm kinda confused. So, you're using ESET and Windows Defender at the same time, but ESET real-time protection is turned off? Some features of both AVs are active and some are not? Hybrid? Something like, ESET Defender? lol. What are the exact features that you enabled/disabled?
  10. I thought Windows Defender Controlled Folders works alongside other AVs but it doesn't 😐
  11. Yes, that is correct. I'm familiar with the other entries but I'm seeing these Windows Defender related entries only after upgrading to 12.2.29.0.
  12. Also found multiple entries of this in the HIPS log. Related to Windows Defender starting at startup, I guess.
  13. I installed ESET IS and registration with Windows Security Center was successful, but as mentioned above, WD is starting for some minutes at startup. There used to be an option to ask the user before performing a program update. Why was it removed? I installed the 12.2.23.0 version from the offline installer and after the first update it automatically updated to 12.2.29.0. Who thought it would be a better idea to remove the option to ask the user??!! A lot of us could've avoided this if the option was still there.
  14. I see. That makes sense. Since their cloud AI server is bigger, they are able to process more files at a time than surely any other AV which has such protection. Hmm, that's understandable. Ok, I found the video: "Cloud malware protection system". It says typical response time is under 20 minutes. So, like you said, there are other factors too, so I guess I got my answer. Thanks.
  15. Ow, hmm, you are right. I skimmed through this blog post a few days ago. WD of course has improved over the last 2-3 years, but still some other established AVs are currently ahead of it. Besides, WD is still pretty buggy, which is bothering me. I might get back to ESET sooner than I expected. I hope the issue with the latest version 12.2.29.0 gets fixed very soon.
  16. Well, what I mean is, recently I ran a fresh malware sample in Sandboxie with Windows Defender installed. WD failed to detect this malware and the malware also created startup entries. 2 minutes later I tried to delete the contents of Sandboxie and as soon as my PC accessed that file again, WD notified me and deleted the threat. I re-scanned the sample on my PC and WD detected it as well, while 2 minutes earlier it didn't. So, probably after executing the malware WD sent the sample to the cloud and their AI sent back a verdict that the file was malicious, so WD detected it later, and it also seems like a signature was saved locally. AVs like Kaspersky are pretty fast in similar scenarios in my experience, but that takes more time. Maybe 10-15 minutes or more, I'm not sure. Microsoft claims that they only require a few milliseconds. I was more or less skeptical about it, but from the above experience it seems they are right about it, as in my particular case it was less than 2 minutes. My question is, how fast is ESET in such a case with the help of LiveGrid? In an official video from a few years ago I think they said 15 minutes. My post is not about comparing ESET with Windows Defender. I came across this yesterday so was just wondering, that's it.
  17. I was talking about this as well. More or less 6-7 months ago I once enabled it to check it out and after that it wasn't deleting any malware. I don't know if it's still buggy or not.
  18. I'm not sure how WD handles that, but here's a recent article about fileless malware and Microsoft's take on it: "What is fileless malware and how do you protect against it?" Actually, WD's sandbox feature is not stable yet and it acted weird the last time I enabled it. So I have kept it off. Hopefully they will make it stable and turn it on by default soon. Thanks for this suggestion. But actually I've already enabled some ASR rules and also added some additional protection features to WD via these two tools: Hard_Configurator and ConfigureDefender. I wouldn't use WD otherwise, I think. Anyway, I haven't moved to WD permanently. ESET's web protection, signatures and performance are superior to WD. I never gave WD a try before, so I thought about giving it a go now. Also, I see some people are having problems with the latest ESET update, so it's ok to stay away for some time.
  19. Yes, surprising indeed. Maybe those sync with the cloud first and they create signatures later. I don't know, but WD is massively cloud dependent and it's serving them pretty well lately, so maybe they focus less on local signatures. ESET is kind of the opposite. ESET relies on signatures a lot and that's not a bad thing, because an available signature for a new malware is always better than protecting via other modules. About this test, you should keep in mind that this is the only test that was done on Windows 7. As far as I know Windows Defender is not available in Windows 7. Did they use Microsoft Security Essentials? Even if it's possible, maybe at Enterprise level, it's always going to be a lot weaker than it is in Windows 10 with Exploit Protection etc. So, I think there's this flaw in that test.
  20. Anyway, I think I made my point, so I don't wanna waste my time anymore on this. If ESET doesn't want to add a simple yet strong feature and likes to stay behind other AVs, then it's their wish. I'm using Windows Defender at the moment and I'm really impressed. Signatures are a lot weaker than ESET's, but their cloud protection is performing a lot better against newer threats than ESET, so overall it's doing a better job. Controlled folder access works with other AVs too, so I'll come back to ESET later.
  21. Yes, it is aggressive. It blocks any attempt to modify the contents of protected folders. It doesn't matter whether it's a trusted application or not. That's why it's not enabled by default. It's for advanced users only. But if implemented in ESET, the user should be able to set it in ask/interactive mode, so it would be more user friendly for advanced users. Yes, exactly. If they can provide such an option then why can't ESET? I think these products don't have it enabled by default, but users have the option to do so. I don't think ESET would do that. This seems like too much work for an antivirus. Unless ESET can do something similar to what Kaspersky does with System Watcher, there's no way. Kaspersky has set an example in the industry with their System Watcher module. It's extremely good and I think it's the best behavior blocker of all. But of course this is not 100% bulletproof, but very capable, and Marcos already discussed that they thought about it but weren't able to do so because of performance issues. I don't think anyone claims such a feature is bulletproof. Here it depends on the capability of ESET HIPS. If it can block modifications to the protected folders then it should do the job. Besides, ESET has other capabilities against ransomware and this protected folders option is gonna be only an additional option. ESET can experimentally add this feature to the ESET beta. If it does what it's supposed to do and receives positive feedback from the beta testers then it would be added to the main product. I'll gladly become a beta tester.
  22. I think it doesn't matter whether it's a trivial feature or an advanced one. As long as it's effective there shouldn't be any problem implementing this as an optional feature. This shouldn't matter either. ESET's HIPS already gives users the freedom to set rules to Ask, Allow or Deny. Like the example I gave above about my hosts file rule. It doesn't matter whether it's a trusted file or not, ESET asks me when any program tries to modify the file. If it can be done for files then why not for folders? I'm not asking for anything huge and new. AVs like Windows Defender, Bitdefender, F-Secure, Trend Micro etc. have this feature. Even if a ransomware bypasses ESET, my protected folders would be safe. This feature shouldn't be enabled by default. It's an advanced feature for advanced users.
  23. But isn't that a bit more complicated? More so for average users. It would be much easier to simply have the ability to protect folders. Windows Defender's Controlled Folder Access gives that option and it also lets you allow any programs you trust. For ESET, another example: personally my ESET is set to ask me when any program tries to modify my hosts file. I don't need to permanently allow or disallow any application. I can simply click Allow or Deny every time it happens. I find this extremely useful. I want the exact same thing for folders.
  24. Pardon me if this topic has already been discussed here or somewhere else on the forum. Description: Protect folders using the HIPS module. Details: Currently HIPS can protect specific files from modification, which I personally think is one of the coolest features, but the same can't be done for folders. I wanna protect my important folders from ransomware or any other program modifying their contents. Like normal HIPS rules for files, the user should be able to set whether ESET would ask the user for permission or always deny modification. Many other AVs have implemented this in their ransomware protection module. ESET probably has the best and most customizable HIPS module of all the consumer AVs out there, but it's missing this important feature at the moment. It should be one of the top priorities. I guess it won't be hard to implement this.
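Several of the posts above (10, 20 to 24) discuss Windows Defender Controlled Folder Access as the reference for the folder-protection feature being requested, and post 21 asks for an "ask" mode. The following is an added example, not from the thread or from ESET or Microsoft, showing how a defender would roll out Controlled Folder Access with the built-in `Set-MpPreference` / `Add-MpPreference` cmdlets: audit mode first (the closest built-in equivalent to an ask mode, since it logs what would have been blocked without blocking it), review the audit events, then enforce. It assumes Windows 10 with Microsoft Defender Antivirus as the active engine and an elevated PowerShell session; the folder and application paths are constructed placeholders.

```powershell
# Added example: staged rollout of Windows Defender Controlled Folder Access.
# Requires an elevated PowerShell session on Windows 10 with Defender active.
# All folder and application paths below are constructed placeholders.

# 1. Start in audit mode: nothing is blocked, but every write that would
#    have been blocked is logged, so legitimate apps can be identified and
#    allow-listed before enforcement is switched on.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 2. Add the folders to protect. User profile folders such as Documents,
#    Pictures and Desktop are protected by default; these are extras.
$protectedFolders = @(
    'D:\Work\Projects',   # constructed placeholder path
    'D:\Backups'          # constructed placeholder path
)
foreach ($folder in $protectedFolders) {
    Add-MpPreference -ControlledFolderAccessProtectedFolders $folder
}

# 3. Allow specific trusted applications to write into protected folders.
#    Use full paths; the entry applies only to that executable.
Add-MpPreference -ControlledFolderAccessAllowedApplications `
    'C:\Program Files\ExampleBackup\backup.exe'   # constructed placeholder path

# 4. Review the resulting configuration.
Get-MpPreference |
    Select-Object EnableControlledFolderAccess,
                  ControlledFolderAccessProtectedFolders,
                  ControlledFolderAccessAllowedApplications

# 5. Review what audit mode observed. In the Defender operational log,
#    event ID 1124 is an audited (would-have-been-blocked) write and
#    event ID 1123 is an enforced block. Each event message names the
#    process and the target path, which is what feeds the allow list.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List

# 6. Once the allow list covers every legitimate writer seen in step 5,
#    switch from audit to enforcement.
Set-MpPreference -EnableControlledFolderAccess Enabled
```

Running step 5 for a few days before step 6 is the practical substitute for the interactive "ask" behaviour the posts describe: the audit log shows which programs would have been blocked, and each one is either allow-listed or left to be blocked once enforcement is on. `Get-MpPreference` reports `EnableControlledFolderAccess` as a number (0 disabled, 1 enabled, 2 audit mode), so that value is what to check when verifying the final state.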