SeriousHoax

Kudos

  1. Upvote
    SeriousHoax gave kudos to itman in ESET failed to protect against a Ransomware   
    This is far from the first ransomware employing XOR techniques. Here are a few other examples:
    https://www.rsa.com/en-us/blog/2017-05/how-ransomware-uses-tmp-files-and-the-temp-folder
    https://www.cybereason.com/blog/the-sodinokibi-ransomware-attack
    https://blog.malwarebytes.com/threat-analysis/2018/04/lockcrypt-ransomware/
    So my guess is how it was deployed is new and this is why it wasn't detected by a number of solutions.
    This is a perfect example of why everyone needs to back up their user files and keep them off-line, or keep the online backup location locked down access-wise.
    Also another strong case for use of anti-ransomware solutions like AppCheck or Checkpoint's solution. These use "bait" files to detect file modification and therefore are not dependent upon detecting ransomware behavior methods.
  2. Upvote
    SeriousHoax gave kudos to itman in ESET failed to protect against a Ransomware   
    No need for the ASR mitigation.
    Assumed is WD's cloud sandbox has Controlled Folders enabled. Unknown process performing repeated file modification activities to same is enough to flag the unknown process. This is why MS had a sig. for it so quickly.
  3. Upvote
    SeriousHoax gave kudos to itman in ESET failed to protect against a Ransomware   
    Of note is that none of the Next Gen solutions on VT are detecting this. This would be a clear indication that the behavior employed by this ransomware is new and their ML engines haven't been tuned to detect it.
  4. Upvote
    SeriousHoax gave kudos to itman in ESET failed to protect against a Ransomware   
    More details on this ransomware are here: https://translate.google.ru/translate?hl=ru&tab=wT&sl=ru&tl=en&u=https%3A%2F%2Fid-ransomware.blogspot.com%2F2019%2F09%2Fgoransom-poc-ransomware.html
    It is using XOR for encryption activities. I suspect this is why it is "flying under the radar" of security solutions monitoring for specific crypto APIs.
  5. Upvote
    SeriousHoax gave kudos to fabioquadros_ in AV-Comparatives Real-World Protection Test Jul-Aug 2019   
    Maybe lack of a REAL behavior blocker.
  6. Upvote
    SeriousHoax received kudos from fabioquadros_ in AV-Comparatives Real-World Protection Test Jul-Aug 2019   
    Yes, you are right. ESET is always around the 98% mark. In the test before this one they scored 98.4%, which was lower than every other product (except Total Defense). So, everyone else is doing better.
    I'm pretty sure too that it's not related to PUA. Eset is pretty good at detecting those. The report of the February-May 2019 test was more detailed. It showed Eset failed to detect 12 threats out of 752 but didn't mention what type of threats those were: https://www.av-comparatives.org/tests/real-world-protection-test-february-may-2019/
    Also, check the report of the February-May test. They categorized the false positives by prevalence, from very low, low, medium to high, and most of the WD false positives were in the very low and low groups. So, an average user would rarely face a false positive issue. Maybe most of those detected false positive samples were blocked by SmartScreen. SmartScreen is mostly reputation based, so it's a possibility.
  7. Upvote
    SeriousHoax received kudos from fabioquadros_ in AV-Comparatives Real-World Protection Test Jul-Aug 2019   
    Here's the latest AV-Comparatives Real-World Protection Test Jul-Aug 2019: https://www.av-comparatives.org/tests/real-world-protection-test-jul-aug-2019-factsheet/
    Comparison chart: https://www.av-comparatives.org/comparison/?usertype=consumer&chart_chart=chart2&chart_year=2019&chart_month=Jul-Aug&chart_sort=1&chart_zoom=2
    ESET blocked 98.3% with 1 false positive. While 98.3% is not a bad result, ESET finished last in this test, and the likes of McAfee and Tencent finishing ahead of ESET is what is bothering me the most.
    Did you get a detailed result of the types of malware ESET missed in this test? Was ESET able to detect them after execution, or is execution also done in this test?
  8. Upvote
    SeriousHoax received kudos from BeanSlappers in AV-Comparatives Real-World Protection Test Jul-Aug 2019   
    Yes, you are right. ESET is always around the 98% mark. In the test before this one they scored 98.4%, which was lower than every other product (except Total Defense). So, everyone else is doing better.
    I'm pretty sure too that it's not related to PUA. Eset is pretty good at detecting those. The report of the February-May 2019 test was more detailed. It showed Eset failed to detect 12 threats out of 752 but didn't mention what type of threats those were: https://www.av-comparatives.org/tests/real-world-protection-test-february-may-2019/
    Also, check the report of the February-May test. They categorized the false positives by prevalence, from very low, low, medium to high, and most of the WD false positives were in the very low and low groups. So, an average user would rarely face a false positive issue. Maybe most of those detected false positive samples were blocked by SmartScreen. SmartScreen is mostly reputation based, so it's a possibility.
  9. Upvote
    SeriousHoax received kudos from BeanSlappers in AV-Comparatives Real-World Protection Test Jul-Aug 2019   
    Here's the latest AV-Comparatives Real-World Protection Test Jul-Aug 2019: https://www.av-comparatives.org/tests/real-world-protection-test-jul-aug-2019-factsheet/
    Comparison chart: https://www.av-comparatives.org/comparison/?usertype=consumer&chart_chart=chart2&chart_year=2019&chart_month=Jul-Aug&chart_sort=1&chart_zoom=2
    ESET blocked 98.3% with 1 false positive. While 98.3% is not a bad result, ESET finished last in this test, and the likes of McAfee and Tencent finishing ahead of ESET is what is bothering me the most.
    Did you get a detailed result of the types of malware ESET missed in this test? Was ESET able to detect them after execution, or is execution also done in this test?
  10. Upvote
    SeriousHoax gave kudos to itman in Controlled Folder feature   
    Another thing about WD is that it can be bypassed as noted here: https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
    My gut is telling me that even if Win 10 1903 WD self-protection was enabled, the registry mod implemented by this WMI event would have bypassed it. Perhaps the ASR mitigation to prevent WMI events from being created would have helped. But ASR mitigations would only be deployed by advanced users and, in themselves, can cause operational issues in that they absolutely block the activity.
  11. Upvote
    SeriousHoax received kudos from Pete12 in update from 12.2.23 to 12.2.29   
    I installed ESET IS and registration to Windows Security Center was successful, but as mentioned above, WD is starting for some minutes at startup.
    There used to be an option to ask the user before performing a program update. Why was it removed? I installed the 12.2.23.0 version from the offline installer and after the first update it automatically updated to 12.2.29.0. Who thought it would be a better idea to remove the option to ask the user??!! A lot of us could've avoided this if the option was still there.
  12. Upvote
    SeriousHoax gave kudos to itman in update from 12.2.23 to 12.2.29   
    It appears to me that Eset is doing some type of "kluge" processing where it fools Win 10 into thinking no other AV/firewall is installed at boot time. That is what is causing the event log entries. My guess is Eset is not loading its ELAM driver. This will cause later Win 10 versions to start up Windows Defender and run it in parallel with the third party AV solution. Or the OS, in the meantime seeing that no third party AV is installed, starts up the Win firewall front-end plus Windows Defender.
    Eset then later registers itself with Windows Security Center and all is well in that regard. Once the Eset registration with Security Center completes, then the OS switches over to recognizing Eset as the firewall plus AV real-time provider and terminates the Windows Defender engine process.
    The problem with the above is while Windows Defender is active, it is performing activities like trying to update its definitions and God only knows what else. There is also the issue of malware that runs at start-up "sneaking through" due to the fact two real-time AV solutions are running. What happens if WD detects the malware first but is not fully functional?
    Eset really needs to do its initialization with Security Center properly as was done with ver. 12.2.23 and prior versions.
  13. Upvote
    SeriousHoax received kudos from fabioquadros_ in Controlled Folder feature   
    Yes, surprising indeed. Maybe those sync with the cloud first and they create signatures later. I don't know, but WD is massively cloud dependent and it's serving them pretty well lately, so maybe they focus less on local signatures. ESET is kind of the opposite. ESET relies on signatures a lot and that's not a bad thing, because an available signature for a new malware is always better than protecting via other modules.
    About this test, you should keep in mind that this is the only test that was done on Windows 7. As far as I know Windows Defender is not available on Windows 7. Did they use Microsoft Security Essentials? Even if it's possible, maybe at the Enterprise level, it's always going to be a lot weaker than it is on Windows 10 with Exploit Protection etc. So, I think there's this flaw in that test.
  14. Upvote
    SeriousHoax received kudos from fabioquadros_ in Controlled Folder feature   
    Yes, it is aggressive. It blocks any attempts to modify the contents of protected folders. It doesn't matter whether it's a trusted application or not. That's why it's not enabled by default. It's for advanced users only. But if implemented in ESET, the user should be able to set it in ask/interactive mode so it would be more user friendly for advanced users.
    Yes, exactly. If they can provide such an option then why can't ESET? I think these products don't have it enabled by default, but users have the option to do so.
    I don't think ESET would do that. This seems like too much work for an antivirus. Unless ESET can do something similar to what Kaspersky does with System Watcher there's no way. Kaspersky has set an example in the industry with their System Watcher module. It's extremely good and I think it's the best behavior blocker of all. But of course this is not 100% bulletproof, but very capable, and Marcos already discussed that they thought about it but weren't able to do so because of performance issues.

    I don't think anyone claims such a feature is bulletproof. Here it depends on the capability of ESET HIPS. If it can block modifications for the protected folders then it should do the job. Besides, ESET has other capabilities against ransomware and this protected folders option is gonna be only an additional option.
    ESET can experimentally add this feature on ESET beta. If it does what it's supposed to do and receives positive feedback from the beta testers then it would be added to the main product. I'll gladly become a beta tester.
  15. Upvote
    SeriousHoax received kudos from fabioquadros_ in Future changes to ESET Internet Security and ESET Smart Security Premium   
    Description: A Manage Applications section like Kaspersky, or an Application Network Rules section like Kaspersky, or maybe both.
    Details: Currently there is no way to know which programs I ran on my PC were trusted by Eset or not. Having an Application manager would make it really easy to give a detailed representation. Eset already kind of has this, but that's for running processes only and not for all the products, and also this window just shows information; I can't interact with it like it's possible in Kaspersky.

    And for the Firewall, it's possible to add rules for specific programs of course, but it would be better if there was a list of all applications showing what is set to allowed by Eset and what is not. This should be interactive too, so if a user wants to deny, let's say, CCleaner an internet connection, then he/she would select CCleaner from the list and deny it internet access, instead of the current situation where the user needs to manually browse to the program to block it in the Firewall. The current implementation should always be there of course, but my proposed interface would make everything much easier. Also, a program can have multiple files that access the internet. From this list it would be much easier to find that out. So, the overall user experience would improve a lot.

    To have a closer look you may try installing Kaspersky to understand how these two modes work on their product. I don't want Eset to have exactly the same thing that Kaspersky has, but the basic idea should be the same.
    I love Eset because it's a great product and super light. But I want Eset to have these features. I'm sure it's not just me but everybody would appreciate it, and it will make the product even better.
    Examples:


  16. Upvote
    SeriousHoax gave kudos to itman in Ransomware   
    Some additional comments on how Live Grid should be configured by Eset.
    1. The risky status alert option would be an "Advanced option" setting for the existing Live Grid setting in Eset's GUI. It would be disabled by default. Hence and God forbid, Eset gets "dinged" on an AV lab test because of it.
    2. It is assumed that Eset already has in place criteria for handling of known assumed safe apps such as OS apps in their respective directories, etc. I will state that I have never seen any process set to "Red" status in viewing Live Grid's status screen. As such, I am assuming the "Red" status is reserved for unknown reputation apps performing questionable system modification activities.
    3. The alert would display additional descriptive information such as signing status, publisher, creation date, directory location, etc.
    As I see it, the most that could happen in blocking the process from running would be some app installation or some process .exe you purposely downloaded is blocked/borked. App installers can always be rerun.
    The above would allow one to submit the process to VirusTotal for additional verification or Hybrid-Analysis for a detailed sandbox analysis. Win 10 1903 users could additionally run the process in the Windows sandbox.
    Unfortunately, these Live Grid operational modifications have been suggested by me and others in the past and have "fallen on deaf ears" as far as Eset is concerned. After all, Eset always knows best when it comes to security features.
  17. Upvote
    SeriousHoax gave kudos to wraith in Ransomware   
    In general ESET is usually one of the first to come with signatures. So 3 days seems pretty old to me. Many other vendors already have a signature for it. Btw did the researchers/analysts find anything about this sample?
  18. Upvote
    SeriousHoax gave kudos to peteyt in Ransomware   
    I'm new to this topic but just wanted to ask something and am unsure if it's been asked.
    Firstly - I have no issue with Eset - I know nothing can ever be 100 percent. However, in regards to ransomware, would there not be a way to detect that something is encrypting files, which in turn could force an alert from Eset?
    I'm not talking about new unknown viruses, zero days etc. but the act of encrypting itself. Basically, could Eset not set it by default to alert users if it detects file encrypting, and possibly even be set to pause the encryption until a user tells Eset to either allow or remove?
    Surely with that approach it wouldn't matter if it was a new unseen virus that Eset didn't know, as it would still see the encrypting part. Or are these viruses able to hide that they are encrypting things until it is too late? I don't have a lot of knowledge on these things, so sorry if it is a lot more complex than that.
  19. Upvote
    SeriousHoax gave kudos to itman in Ransomware   
    One final comment in regards to Live Grid's performance in this incident.
    Refer back in this thread to the posted Live Grid screen shot showing ransom.exe running. Note the red color. What does that mean? Per Eset online v12 help:
    Hum ........ It certainly appears Eset's front-end heuristic scanning did its job.
    So why can't Eset offer an option to be alerted to "risky" processes pre-execution? It most certainly appears to be the correct and logical action to take. For me, I can only conclude the following:
    1. Eset has such little faith in Live Grid's reputational analysis that it doesn't trust it for user alert purposes. In this case, get rid of the feature and just perform any submission activities in the background.
    2. Eset's avoidance of a false positive detection has reached the level that it is jeopardizing overall system security.
  20. Upvote
    SeriousHoax gave kudos to wraith in Ransomware   
    Absolutely not. I'm talking about this ransomware scenario which we're discussing. This is an exe file. ESET doesn't have a signature and so it's not detected by the real time scanner. When I executed the file it spawned a process that began encrypting files. My point is that when the process started encrypting the files, why didn't the anti ransomware module kick in and alert me, asking whether I want to continue the operation or block it? This is the simple question for which I'm trying to get a reliable response, nothing more.
  21. Upvote
    SeriousHoax gave kudos to wraith in Ransomware   
    Yeah, that's why I don't like these features. I just gave them as examples since you asked about what block at first sight is. Moreover these make the AV heavy to use and I don't want ESET to become heavy like the other AVs. But I really want ESET to have a dedicated PROACTIVE Ransomware Module, not a REACTIVE one, since all the complaints I receive regarding ESET relate only to ransomware, nothing else.