
SeriousHoax (Members)
Content Count: 161
Days Won: 4

Kudos

  1. Upvote
    SeriousHoax received kudos from peteyt in Windows 10 Security and ESET   
    Turn it on. It's not related to ESET; it's SmartScreen, which is built into the system. It doesn't usually turn off automatically, so I'm not sure what happened there. 
  2. Upvote
    SeriousHoax received kudos from shocked in Rude and unhelpful customer support   
    We can't change what happened, and you're unlucky that a non-authorized seller sold you a pirated license 2 years ago.
    Now, if you're still reluctant to buy from your local ESET website, you may go to one of the authorized partners yourself and buy a physical copy there, and this time make sure to register the ESET license to your ESET account. An account isn't needed, but it lets you see whether the license is being used on a PC or not.
    https://www.eset.com/lt/platintojai/
  3. Upvote
    SeriousHoax received kudos from itman in Rude and unhelpful customer support   
    (Same post as item 2 above.)
  4. Upvote
    SeriousHoax gave kudos to itman in "pyrate", Behavior Blocker Bypass POC   
    It's been a slow forum posting weekend and it appears this thread has run its course. We have all had the opportunity to "rant and rave" about Eset Home version protection features we all wished we had and in reality probably never will have. So it is time to expose this Python POC for what it is: fake ransomware. Err ..... what, you say? The POC encrypted files. Well, so does a lot of legit encryption and other apps, including user-created ones. So let's get into this.
    A few years back, the NextGen security software vendors were trying "to get traction" against the established AV vendors with their supposedly superior behavior detection methods. Corresponding to this was the appearance of a proliferation of ransomware "simulators" with which one was encouraged to test their existing AV solution. The most infamous of these was RanSim, produced by KnowBe4: https://www.knowbe4.com/ransomware-simulator . I wrote a thread about the methodology used by this product and similar ones here: https://forum.eset.com/topic/10792-ransomware-simulators-a-detailed-analysis/ . Eset subsequently commented upon RanSim tactics in their own published article on Eset ransomware protection:
    https://cdn1.esetstatic.com/ESET/INT/Docs/Others/eset-vs-crypto-ransomware.PDF
    So let's get into some details on the POC. First, note this from the POC's author posting about it at malwaretips.com:
    Next is why no vendor on VirusTotal detected the POC initially and, I believe, presently. That one is pretty straightforward. The ransomware portion of the POC never ran. The POC pauses program execution waiting for user input to continue. VT's automated sandbox analysis timed out waiting for input it does not respond to.
    In summary, I am not 100% ruling out that techniques used in the POC could bypass existing Eset ransomware detection methods. However, a POC must be developed using real-world ransomware deployment and execution methods, the most important being that the program runs uninterrupted and encryption activities are performed against all existing files in C:\Users\xxxx\Documents\*, etc. directories.
     
  5. Upvote
    SeriousHoax received kudos from NewbyUser in "pyrate", Behavior Blocker Bypass POC   
    All the ASR rules are available for Windows Defender too.
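As an added illustration of the point above (this is my own example, not code from the thread): the Attack Surface Reduction rules can be switched on with the built-in Defender cmdlets and verified from the Defender event log. The rule GUIDs below are taken from Microsoft's ASR rule reference; check them against that reference before rolling this out, and start in audit mode so you can see what would have been blocked.

```powershell
# Added example, not from the forum thread: enable a handful of Microsoft Defender
# Attack Surface Reduction (ASR) rules from an elevated PowerShell prompt.
# GUIDs are from Microsoft's ASR rule reference; verify them there before use.
$asrRules = @{
    # Block all Office applications from creating child processes
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Office child processes'
    # Block Office applications from creating executable content
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Office executable content'
    # Block JavaScript or VBScript from launching downloaded executable content
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'JS/VBS launching downloads'
    # Block execution of potentially obfuscated scripts
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Obfuscated scripts'
    # Use advanced protection against ransomware
    'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Advanced ransomware protection'
}

# 'AuditMode' only logs what would be blocked; change to 'Enabled' once the
# audit events show no legitimate software tripping the rules.
$mode = 'AuditMode'

foreach ($id in $asrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $mode
    Write-Host ('{0,-10} {1}  ({2})' -f $mode, $id, $asrRules[$id])
}

# Verify. Get-MpPreference returns two parallel arrays: rule IDs and their
# actions (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn).
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    '{0}  action={1}' -f $pref.AttackSurfaceReductionRules_Ids[$i], $pref.AttackSurfaceReductionRules_Actions[$i]
}

# ASR hits are written to the Defender operational log: event 1121 = blocked,
# event 1122 = audited. Each message names the rule GUID and the offending file.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Note that Defender only enforces ASR rules while it is the active real-time engine; with ESET installed as the primary AV, Defender runs in passive mode and the rules do not fire, which is the gap the thread is about.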
  6. Upvote
    SeriousHoax received kudos from Kubo123 in Multiple Eset securities detected when installing oculus app   
    You can use FRST to delete that registry entry from the Windows Security integration. Reinstall ESET only after doing so.
    hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
  7. Upvote
    SeriousHoax received kudos from Kubo123 in Multiple Eset securities detected when installing oculus app   
    You can try scanning with the tool. It will open two logs after scanning; then search for ESET to check whether it still exists.
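Before reaching for FRST, it is worth seeing what Windows Security Center actually has registered. This is an added check of my own, not something from the thread: it queries the same WMI namespace the Windows Security app reads, so a leftover product entry whose executable no longer exists on disk shows up immediately. The decoding of the productState bit field is the community-documented one and is an assumption to confirm on your own machine.

```powershell
# Added example, not from the forum thread: list the antivirus products that
# Windows Security Center (WSC) believes are registered on this machine.
# A stale entry for an uninstalled product is visible here, and its
# pathToSignedProductExe will point at a file that no longer exists.
function Get-RegisteredAntivirus {
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' |
        ForEach-Object {
            # productState is a packed 24-bit field. Community-documented decoding
            # (assumption, verify locally): middle byte 0x10 = real-time protection
            # on, 0x00 = off; low byte 0x00 = signatures current, 0x10 = out of date.
            $state = '{0:X6}' -f [uint32]$_.productState
            $exe   = [string]$_.pathToSignedProductExe
            [pscustomobject]@{
                Name        = $_.displayName
                StateHex    = $state
                RealTimeOn  = ($state.Substring(2, 2) -eq '10')
                UpToDate    = ($state.Substring(4, 2) -eq '00')
                Executable  = $exe
                # Defender registers a URI ("windowsdefender://") rather than a file
                # path; File.Exists returns $false for that without throwing.
                ExeExists   = [System.IO.File]::Exists($exe)
                LastUpdated = $_.timestamp
            }
        }
}

Get-RegisteredAntivirus | Format-Table -AutoSize
```

An entry whose ExeExists is False after the product has been removed is the "ghost" registration the posts above are talking about; removing it from the registry (with FRST or otherwise) and re-running this query should leave only the products that are really installed.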
  8. Upvote
    SeriousHoax received kudos from micky_aurthor in Online + Offline Installer and First update after installation   
    OK, live installer it is. Just a synonym, but the meaning should be the same. The live installer can still determine the OS, download the full product online and then install it. Maybe it would even be possible to implement something like a multi-threaded download so that the download speed is fast, unlike the in-product download speed, which is terribly slow for me, as I also mentioned above.
    Would 85 MB be the size of the installer for the whole package? I see that ESET currently downloads around 150 MB during the first update. So if the compressed version in an offline installer is only 85 MB, then I think that's not big at all. That's probably the smallest I've seen. Even with my not-so-good internet it would only take a little over a minute to download that. Even a 150 MB installer shouldn't be considered huge, and many other AVs have much larger ones. Also, like you said, the live installer's job is to download the product without worrying about OS versions, etc., so most people are likely to download the live installer anyway, so an 85 MB or even somewhat larger optional offline installer is fine and seems more appropriate than the current one.
  9. Upvote
    SeriousHoax received kudos from micky_aurthor in Online + Offline Installer and First update after installation   
    I'm stating two issues here in one topic.
    First, ESET has two types of installers: one is an online installer and the other is offline. But both are totally misleading. The offline installer is merely a 53 MB file which only installs the product, but all the module data is downloaded after installing. Then there's the online installer, which should do what the name suggests, but it doesn't. All it does is download that 53 MB installer and install it, and of course download all the module data after installing. Why even call it an online installer when it's definitely not! Highly misleading. Literally every AV I ever tried has an online installer that downloads the whole product including modules and signatures, etc. ESET is the only exception. The same goes for what is supposed to be ESET's offline installer. Almost every AV that still provides an offline installer installs the full product and only downloads the required new updates after installing, unlike ESET. I don't understand! If you want to give users the option of an offline installer, then it should contain every module and all updates up to the day of creation, and the online installer must download everything first and then install the product.
    The second issue is that ESET's update download speed right after installing is always very slow for me. Most of the time it only uses 10-20% of my bandwidth, even when there is no other internet activity. I started using ESET when version 12 came out, and so far it has always been this way. My internet is already pretty slow, so only using 10-20% of the bandwidth makes the process extremely annoying. Update download speed is always slow, I guess, but since the daily signature updates are only a few kilobytes those are not noticeable, whereas the first update is. Why does this happen? Why can't ESET make use of the rest of the free internet bandwidth?
  10. Upvote
    SeriousHoax received kudos from mallard65 in Online + Offline Installer and First update after installation   
    (Same post as item 8 above.)
  11. Upvote
    SeriousHoax received kudos from mallard65 in Online + Offline Installer and First update after installation   
    (Same post as item 9 above.)
  12. Upvote
    SeriousHoax gave kudos to itman in Windows Registry Helps Find Malicious Docs Behind Infections   
    This is a great article on how to perform security forensics after a malware attack to determine the source MS Office entity responsible:
    https://www.bleepingcomputer.com/news/security/windows-registry-helps-find-malicious-docs-behind-infections/
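The registry location the linked article is about is Office's "Trusted Documents" store, which Office writes to when a user clicks Enable Editing or Enable Content on a file. Here is an added example of my own (not from the article or the post) that walks those keys for every Office version and application under the current user and prints the document paths with the stored timestamp and flag. The record layout (8-byte FILETIME at the start, a flag in the last 4 bytes whose value 0x7FFFFFFF, bytes FF FF FF 7F on disk, is reported to mean macros were enabled) comes from public forensics write-ups and should be treated as an assumption to verify against a document you trust deliberately on a test machine.

```powershell
# Added example, not from the linked article or the forum post: enumerate Office
# TrustRecords for the current user. Key layout (assumption, from public forensics
# write-ups):
#   HKCU\Software\Microsoft\Office\<ver>\<App>\Security\Trusted Documents\TrustRecords
#   value name = document path, value data = 24-byte binary record;
#   bytes 0-7 = FILETIME, last 4 bytes = 0x7FFFFFFF (FF FF FF 7F) when content/macros were enabled.
function Get-OfficeTrustRecords {
    $root = 'HKCU:\Software\Microsoft\Office'
    foreach ($verKey in (Get-ChildItem -Path $root -ErrorAction SilentlyContinue)) {
        foreach ($app in 'Word', 'Excel', 'PowerPoint', 'Access') {
            $path = "$($verKey.PSPath)\$app\Security\Trusted Documents\TrustRecords"
            if (-not (Test-Path -LiteralPath $path)) { continue }
            $key = Get-Item -LiteralPath $path
            foreach ($name in $key.GetValueNames()) {
                $data = $key.GetValue($name)
                if (-not ($data -is [byte[]]) -or $data.Length -lt 24) { continue }
                $ft   = [BitConverter]::ToInt64($data, 0)
                $flag = [BitConverter]::ToUInt32($data, $data.Length - 4)
                # Guard against out-of-range FILETIME values in corrupted records.
                $when = try { [DateTime]::FromFileTime($ft) } catch { $null }
                [pscustomobject]@{
                    App      = "$app $($verKey.PSChildName)"
                    Document = $name
                    Trusted  = $when
                    Flags    = '0x{0:X8}' -f $flag
                    MacrosOn = ($flag -eq 0x7FFFFFFF)
                }
            }
        }
    }
}

Get-OfficeTrustRecords | Sort-Object Trusted -Descending | Format-Table -AutoSize
```

During incident triage, sort by the timestamp and look for entries pointing into Downloads, Temp or Outlook's attachment cache with MacrosOn set; those are the documents the user explicitly trusted right before the infection. Run it under the affected user's profile (or load that user's NTUSER.DAT hive and adjust the root) since the keys are per user.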
  13. Upvote
    SeriousHoax gave kudos to itman in Hips Configuration   
    Actually, there are better ways to deliver script-based malware. That is, convert the script to a .exe.
    Here's an article on how to do so for a PowerShell script: https://www.ilovefreesoftware.com/19/windows/powershell-to-exe-converter.html . This will also allow me to password-protect my script code so Eset can't scan it via heuristics. I then phish the target into entering the password via e-mail, etc.
    Here's one for .bat scripts: https://www.addictivetips.com/windows-tips/convert-a-bat-script-to-an-exe-on-windows-10/ . Note this runs hidden.
    One for .vbs scripts: https://www.snapfiles.com/get/vbstoexe.html
    Finally, and my favorite, one for Python scripts: https://ourcodeworld.com/articles/read/273/how-to-create-an-executable-exe-from-a-python-script-in-windows-using-pyinstaller . Note that Win AMSI does not scan Python scripts.
  14. Upvote
    SeriousHoax gave kudos to itman in Hips Configuration   
    One other important point in regards to ransomware protection and any other malware that deploys scripts.
    Eset firewall rules need to be created to monitor outbound network traffic generated by scripts and other commonly abused processes used by malware developers. Additionally, these firewall rules will serve as a backup mechanism to any similar HIPS-created rules in the event malware was able to bypass those. A very common technique employed by malware developers is to use scripts to connect to their remote C&C servers for the purpose of downloading their malicious payload executable or staging a remote execution attack. How to create these firewall rules is explained here: https://support.eset.com/en/kb6132-configure-firewall-rules-for-eset-endpoint-security-to-protect-against-ransomware .
    Finally, Eset best practices recommendations should be reviewed for additional ways to mitigate ransomware: https://support.eset.com/en/kb3433-best-practices-to-protect-against-filecoder-ransomware-malware .
  15. Upvote
    SeriousHoax gave kudos to Marcos in Files encrypted by ransomware   
    In fact, I provided proof that on Windows 10 ESET detected and blocked execution of the ransomware and protected the user where the other "free" AV failed. If you have proof that ESET doesn't protect users well, please provide it and support it with logs and other necessary stuff.
  16. Upvote
    SeriousHoax gave kudos to itman in Files encrypted by ransomware   
    Since regasm.exe was used in this Nemty ransomware sample, I will point out that there are more stealthy methods to deploy it for malicious purposes as noted here: https://securelist.com/using-legitimate-tools-to-hide-malicious-code/83074/ . One would be advised to monitor its execution per Mitre's recommendation: https://attack.mitre.org/techniques/T1121/ or at least minimally, monitor via firewall rules any outbound communication from it.
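Both the firewall-rule advice in the Hips Configuration posts above and the regasm.exe point here come down to the same control: deny outbound connections to script hosts and to signed system binaries that have no business talking to the internet. As an added example (my own, not the ESET KB article's configuration, and using the built-in Windows Defender Firewall rather than the ESET firewall), the script below creates one outbound block rule per located binary, including regasm.exe and regsvcs.exe from the .NET Framework directories, and turns on logging of dropped connections so a blocked beacon leaves a trace. The binary list is an assumption; trim it for hosts where, say, powershell.exe legitimately needs the network.

```powershell
# Added example, not from the forum posts or the ESET KB article: block outbound
# traffic from script hosts and commonly abused signed binaries (including
# regasm.exe / regsvcs.exe) with Windows Defender Firewall. Run elevated.
$binaries = @(
    'wscript.exe', 'cscript.exe', 'mshta.exe', 'powershell.exe',
    'regasm.exe', 'regsvcs.exe', 'regsvr32.exe', 'rundll32.exe',
    'certutil.exe', 'bitsadmin.exe'
)

function Get-CandidatePaths([string]$exe) {
    # Native and WOW64 system directories, the PowerShell host directories, and
    # every installed .NET Framework version directory (where regasm/regsvcs live).
    $dirs = @("$env:windir\System32", "$env:windir\SysWOW64",
              "$env:windir\System32\WindowsPowerShell\v1.0",
              "$env:windir\SysWOW64\WindowsPowerShell\v1.0")
    $dirs += @(Get-ChildItem "$env:windir\Microsoft.NET\Framework*\v*" -Directory -ErrorAction SilentlyContinue |
               Select-Object -ExpandProperty FullName)
    $dirs | ForEach-Object { Join-Path $_ $exe } | Where-Object { Test-Path -LiteralPath $_ }
}

foreach ($exe in $binaries) {
    foreach ($path in (Get-CandidatePaths $exe)) {
        $name = "Block outbound: $path"
        # Idempotent: skip rules that already exist so re-running is safe.
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Block `
            -Program $path -Profile Any -Enabled True | Out-Null
        Write-Host "created  $name"
    }
}

# Dropped connections are only logged when the profile asks for it; the log is
# %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log by default.
Set-NetFirewallProfile -Profile Domain, Private, Public -LogBlocked True
```

The rules match on the program path, so a copy of regasm.exe dropped elsewhere is not covered; that is why the MITRE guidance on monitoring process execution still applies on top of the network block.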
  17. Upvote
    SeriousHoax gave kudos to itman in Files encrypted by ransomware   
    I have long argued that what is needed is a "professional" version of Eset consumer products. For example, the above-mentioned EES 7.2 aggressive option could be one feature provided. Another I would like to see is more aggressive reputational scanning options, such as the ability to alert on/block unknown non-system processes and the like. Etc., etc.
    To date, this has fallen "on deaf" Eset ears.
  18. Upvote
    SeriousHoax gave kudos to Nightowl in Files encrypted by ransomware   
    It's now detected by ESET: Win32/Filecoder.NZG
    In my opinion, what needs to be improved is the machine learning and HIPS, but I am not an expert like those who program at ESET, for sure. Also, as SeriousHoax said, Application Manager and Reputation (rep is already there), to be combined with everything, so the AI could try to decide if this app is trying to do malicious things or not.
    But I could be mistaken, I don't know, but also as itman said, nothing is 100% safe.
  19. Upvote
    SeriousHoax gave kudos to BALTAGY in Files encrypted by ransomware   
    I think machine learning, Ransomware Shield and HIPS need to be improved.
    I did test another one also, with no alert from ESET.
  20. Upvote
    SeriousHoax received kudos from BeanSlappers in Applications in the Eset firewall   
    I suggested this in the Future changes section a couple of months ago, mentioning Kaspersky as an example. Less detailed than Kaspersky's, but G DATA has this too. ESET could upgrade their Running processes tool and turn it into something similar to Kaspersky's Application Control.
  21. Upvote
    SeriousHoax gave kudos to itman in Time For A Formal Augur Test?   
    That's what BitDefender did with their 100% machine learning based behavioral protection at A-V Comparatives: https://www.av-comparatives.org/wp-content/uploads/2019/10/spc_fdt_bitdefender_201909_en.pdf . Score was pretty impressive although false positives were a bit high.
    Also detection rate for this ML scanner is shown separately on Virus Total.
  22. Upvote
    SeriousHoax gave kudos to beancounter in uTorrent problem after 13.0.22.0 install   
    Yes. I got rid of utorrent and installed qbittorrent and the problem went away
  23. Upvote
    SeriousHoax received kudos from ram1220 in uTorrent problem after 13.0.22.0 install   
    Well, surely this is not a direct solution to your problem, but don't use uTorrent; use the open-source, ad-free alternative qBittorrent: https://www.qbittorrent.org/
  24. Upvote
    SeriousHoax received kudos from elquenunca in uTorrent problem after 13.0.22.0 install   
    (Same post as item 23 above.)
  25. Upvote
    SeriousHoax gave kudos to itman in ESET failed to protect against a Ransomware   
    This is far from the first ransomware employing XOR techniques. Here are a few other examples:
    https://www.rsa.com/en-us/blog/2017-05/how-ransomware-uses-tmp-files-and-the-temp-folder
    https://www.cybereason.com/blog/the-sodinokibi-ransomware-attack
    https://blog.malwarebytes.com/threat-analysis/2018/04/lockcrypt-ransomware/
    So my guess is that how it was deployed is new, and this is why it wasn't detected by a number of solutions.
    This is a perfect example of why everyone needs to back up their user files and keep them offline, or keep the online backup location locked down access-wise.
    Also another strong case for use of anti-ransomware solutions like AppCheck or Check Point's solution. These use "bait" files to detect file modification and therefore are not dependent upon detecting ransomware behavior methods.
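To make the "bait file" idea concrete, here is an added example of my own (not code from AppCheck, Check Point or the post) of the simplest possible version: drop a few decoy documents into the Documents folder and watch them with a FileSystemWatcher. Any write, rename or delete touching a decoy is logged as a ransomware indicator, regardless of how the encryption was done (XOR or otherwise) and without any behavioral signature. The decoy names, log location and the choice to take no automatic response are assumptions; a real product would map the event back to the writing process and suspend it.

```powershell
# Added example, not from the forum post or any vendor: a minimal decoy-file
# monitor. Decoys are named to sort first and last so a ransomware walking the
# directory in name order hits one early. Alerts are logged; no process is killed.
$decoyDir = Join-Path $env:USERPROFILE 'Documents'
$decoys   = @('aaa_canary_invoice.docx', 'canary_budget_2019.xlsx', 'zzz_canary_notes.txt')
$logFile  = Join-Path $env:TEMP 'canary-alerts.log'

foreach ($d in $decoys) {
    $p = Join-Path $decoyDir $d
    if (-not (Test-Path -LiteralPath $p)) {
        # Non-empty content: some encryptors skip zero-byte files.
        Set-Content -LiteralPath $p -Value ('canary ' * 200) -Encoding ASCII
    }
}

$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = $decoyDir
$watcher.IncludeSubdirectories = $false
$watcher.NotifyFilter = [IO.NotifyFilters]'FileName, LastWrite, Size'

# Event actions run in their own scope, so configuration is passed via MessageData.
$action = {
    $e    = $Event.SourceEventArgs
    $cfg  = $Event.MessageData
    $name = $e.Name
    $old  = if ($e.ChangeType -eq 'Renamed') { $e.OldName } else { $null }
    if (($cfg.Decoys -contains $name) -or ($cfg.Decoys -contains $old)) {
        $hit = if ($old) { $old } else { $name }
        $msg = '{0:u} ALERT {1} on decoy {2}' -f (Get-Date), $e.ChangeType, $hit
        Add-Content -LiteralPath $cfg.Log -Value $msg
        Write-Host $msg -ForegroundColor Red
    }
}
$cfg = @{ Decoys = $decoys; Log = $logFile }
foreach ($evt in 'Changed', 'Renamed', 'Deleted') {
    Register-ObjectEvent -InputObject $watcher -EventName $evt `
        -SourceIdentifier "Canary.$evt" -Action $action -MessageData $cfg | Out-Null
}
$watcher.EnableRaisingEvents = $true
Write-Host "Watching $($decoys.Count) decoys in $decoyDir; alerts go to $logFile. Ctrl+C to stop."

try { while ($true) { Start-Sleep -Seconds 1 } }
finally {
    $watcher.EnableRaisingEvents = $false
    Get-EventSubscriber | Where-Object SourceIdentifier -like 'Canary.*' | Unregister-Event
}
```

To test it, run the script in one window and in another overwrite or rename one of the decoys; the alert line appears immediately. The limitation is the one itman raises in the "pyrate" thread: a decoy only catches an encryptor that actually walks the directory, so keep the decoys in every folder tree you care about, not just Documents.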