
SeriousHoax
Most Valued Members
  • Posts: 355
  • Days Won: 10

Kudos

  1. Upvote
    SeriousHoax received kudos from peteyt in JS/Spy.Banker.LP trojan   
    FYI, I have tested some other top products on the site and none of them detected anything. ESET's detection is correct for sure as confirmed by Marcos. This once again proves (to me at least) that ESET is the best at detecting malicious scripts on websites. Many times, ESET is the only one/the first one to detect such things. 
  2. Upvote
    SeriousHoax received kudos from AdamM in Web Access Protection and Encrypted Client Hello (ECH)   
    The thing is, ESET's HTTPS scanning feature breaks Encrypted Client Hello. According to tests, SNIs aren't encrypted with default ESET. This is not just ESET of course; any product with HTTPS traffic scanning breaks it.
    Only Adguard For Windows can apply ECH (even though it decrypts TLS connections like ESET) if you allow its DNS protection feature (enabled by default) and enable ECH from Advanced settings. It makes Adguard handle the DNS and apply ECH.
    So maybe this is not possible unless AV products with an HTTPS scanning feature like ESET handle DNS encryption by supporting ECH.
    ECH is still not finalized and currently mainly supported by Cloudflare services, I think. But it looks like eventually it will become a standard.
    So I'm curious how ESET is going to handle this case.
    Sites to test if ECH is working or not:
    https://tls-ech.dev/
    https://defo.ie/ech-check.php
    https://crypto.cloudflare.com/cdn-cgi/trace/
    For the last test site, you'll have to check whether sni=plaintext or sni=encrypted.
  3. Upvote
    SeriousHoax received kudos from M-SOC in Web Access Protection and Encrypted Client Hello (ECH)   
  4. Upvote
    SeriousHoax received kudos from peteyt in Stealers not detected   
    Yeah, they are now detected indeed. Thanks for helping in sending to the malware analysts.
    But just now I tested again and it turns out that if I run the samples, they can still "Steal" the data anyway. There was no reaction from ESET. It's only detected if I scan the file instead of running it. So, the flaw of ESET not detecting these via real-time protection remains. Sooner or later after execution, real-time protection needs to catch it.
    Can you test on your end? If you can reproduce, then report the issue to the responsible team. 
  5. Upvote
    SeriousHoax received kudos from itman in Stealers not detected   
  6. Upvote
    SeriousHoax received kudos from Nightowl in Stealers not detected   
    It's not just UDS. They have multiple signatures for this, including PDM detections, which are post-execution behavior-based. I tried changing the hash, which eliminates the UDS detections, but they are still detected after running. Their Big Data Analysis system, which can correlate similar file hashes and behavior automatically, is doing a good job against this malware at the moment.
    https://opentip.kaspersky.com/d4524f9c529ffd945c789b8379116b8bb6227de2ffa045729f47a4131f3d5cfb/results?tab=lookup
  7. Upvote
    SeriousHoax received kudos from Nightowl in Discord Token Stealer   
    Here, just got a reply from Kaspersky. They have now blocked the site as well.

  8. Upvote
    SeriousHoax received kudos from 5Z4 in FALSE ALERTS of System Informer   
    Looks like it got 100% only because of detection from other vendors. Everything else is Suspicious Indicators only. So the score would have been much lower without these AV detections. 
    I'm also a fan of System Informer. It has some nice features not present in others. I would just use Process Explorer if MS had made it equivalent to it. Both have some unique features, so I use both.
  9. Upvote
    SeriousHoax received kudos from Israeli in FALSE ALERTS of System Informer   
  10. Upvote
    SeriousHoax received kudos from AnthonyQ in Protection against MBR modification/destruction in ESET   
    If it's that easy to evade LiveGuard then I have to say that LiveGuard seems very basic and ineffective. There are emulators/sandboxes out there that can simulate user clicks. There is also malware that tries to fool such sandboxes, but countermeasures can be taken to detect such evasion techniques, which would indicate that the file is malicious. You can read all about it and much more here:
    https://evasions.checkpoint.com/techniques/human-like-behavior.html#check-mouse-movement:~:text=a sample emulation.-,2.2. Check via a request for user interaction,-Some malware samples
    It doesn't make much sense to charge a premium price for LiveGuard when it can't even do this. LiveGuard would give a safe verdict to such samples and users may end up getting infected. Samples marked as safe by LiveGuard probably aren't sent to malware analysts, so until they get their hands on such samples, it's a lost cause. There's huge room for improvement here for ESET.
  11. Upvote
    SeriousHoax received kudos from itman in Protection against MBR modification/destruction in ESET   
  12. Upvote
    SeriousHoax received kudos from Dmitry228 in Protection against MBR modification/destruction in ESET   
  13. Upvote
    SeriousHoax received kudos from notimportant in HTML/ScrInject.B trojan   
    Not Marcos, but I see that there are still many more rubbish popups on the website, which open up if no adblocker is installed. Tested in a VM with Avast multiple times before and after you removed the suggested domain, and Avast still blocks many more as malvertisement and blacklisted URLs.

    Having ads on your website is fine, but don't add popup ads that lead to potential malware or adware.
  14. Upvote
    SeriousHoax gave kudos to constexpr in How to remove green border from Google Chrome tabs?   
    The behavior of the disabled "Browser's green frame" option will change in the prepared update; after that there will be no frame at all.
  15. Upvote
    SeriousHoax gave kudos to itman in Eset win   
    Yes. This MS article just states Microsoft Defender: https://www.microsoft.com/en-us/security/blog/2022/08/18/hardware-based-threat-defense-against-increasingly-complex-cryptojackers/ . However, note that nowhere in the article is ransomware protection mentioned.
  16. Upvote
    SeriousHoax gave kudos to JamesR in powershell/psw.coinstealer.b   
    @itman
    They were not drivers. They were text files containing PowerShell scripting and saved as .sys files. Just a simple technique to try and hide on a system. I always advise against relying on a file name and/or file path to decide what a file contains or is.
    In this case, the malware is reading the contents of the .sys files and converting them to UTF-8 to get PowerShell code to execute. Here is a snippet of the command being executed to read from the file, prior to executing the contents.

  17. Upvote
    SeriousHoax gave kudos to Pumaferox in Scheduled Scans   
    Description: Show all the tools when clicking on "Tools", not only three of them
    Detail: It seems rather unnecessary that you have to click on "Tools" and then on "More Tools" since the "Tools" page only shows 3 tools, completely wasting space. 
    Also, take a look at ESET Endpoint Security ver. 5. It was way better that way: just a click on "Tools" brings you a complete overview, nice and tidy. Please bring it back this way!

  18. Upvote
    SeriousHoax gave kudos to itman in Another Reason Not To Use Secure All Protected Browsers Mode.   
    If you do and your browser is Firefox, your Win Security-Mitigations event log (kernel mode) will be full of the following blocked entries:

  19. Upvote
    SeriousHoax received kudos from Guilhermesene in ESET Security For Windows 16.0.22.0 Slow!   
    Similar experience here for many years. Sometimes the initial update is fast, but most of the time it's very slow. My average download speed is 3.2 MB/s, but ESET's initial update most of the time runs at 20-80 KB/s for me.
  20. Upvote
    SeriousHoax gave kudos to Trooper in there is release date of version 16?   
    I agree. I do not care for it either.
  21. Upvote
    SeriousHoax received kudos from Trooper in there is release date of version 16?   
    So people now also can't run their browser in Sandboxie, I guess, because ESET itself is making the browser run sandboxed all the time. I don't know if it's really a good idea to run browsers 24x7 in a sandbox by the AV. Improvement in security maybe, but it could break things in future browser updates. Browser vendors already don't like security software meddling with their browser.
    https://www.wilderssecurity.com/threads/eis-update-do-not-allow-ff-to-run-sandboxed.448495/
  22. Upvote
    SeriousHoax received kudos from Trooper in there is release date of version 16?   
    I already see many users complaining about the green frame. It needs to go completely when the user disables the "Browser's green frame" option.
  23. Upvote
    SeriousHoax received kudos from cofer123 in there is release date of version 16?   
  24. Upvote
    SeriousHoax received kudos from cofer123 in there is release date of version 16?   
  25. Upvote
    SeriousHoax received kudos from peteyt in there is release date of version 16?   
    Hmm, that's not a bad point. I ran an unsupported browser where the green frame wasn't shown. So yeah, it could be useful in that scenario.