SeriousHoax
Members. Posts: 201. Days Won: 4.

Kudos

  1. Upvote
    SeriousHoax received kudos from micky_aurthor in Online + Offline Installer and First update after installation   
    I'm stating two issues here in one topic.
    First, ESET has two types of installers: one is an online installer and the other is offline. But both are totally misleading. The offline installer is merely a 53 MB file which only installs the product, but all the module data is downloaded after installing. Then there is the online installer, which should do what the name suggests, but it doesn't. All it does is download that 53 MB installer, install it and, of course, download all the module data after installing. Why even call it an online installer when it definitely isn't! Highly misleading. Literally every AV I have ever tried, all of their online installers download the whole product including modules, signatures, etc. ESET is the only exception. The same goes for what is supposed to be ESET's offline installer. Almost every AV that still provides an offline installer installs the full product and only downloads the required new updates after installing, unlike ESET. I don't understand! If you want to give users the option of an offline installer then it should contain every module and all updates up to the day of creation, and the online installer must download everything first and then install the product.
    The second issue is that ESET's update download speed right after installing is always very slow for me. Most of the time it only uses 10-20% of my bandwidth even when there is no other internet activity. I started using ESET when version 12 came out and so far it has always been this way. My internet is already pretty slow, so only using 10-20% of the bandwidth makes the process extremely annoying. Update download speed is always slow I guess, but since the daily signature updates are only a few kilobytes, those are not noticeable; the first update is. Why does this happen? Why can't ESET make use of the rest of the free internet bandwidth?
  2. Upvote
    SeriousHoax received kudos from micky_aurthor in Online + Offline Installer and First update after installation   
    OK, Live installer it is. Just a synonym, but the meaning should be the same. The live installer can still determine the OS, download the full product online and then install it. Maybe it would even be possible to implement something like multi-threaded download so that the download speed is fast, unlike the in-product download speed, which is terribly slow for me, as I also mentioned above.
    Would 85 MB be the size of the installer for the whole package? I see that ESET currently downloads around 150 MB during the first update. So if the compressed version in an offline installer is only 85 MB then I think that's not big at all. That's probably the smallest I've seen. Even with my not-so-good internet it would only take a little over a minute to download that. Even a 150 MB installer shouldn't be considered huge, and many other AVs have a lot larger ones. Also, like you said, the live installer's job is to download the product without worrying about OS versions, etc., so most people are likely to download the live installer anyway, so an 85 MB or even slightly larger optional offline installer is fine and seems more appropriate than the current one.
  3. Upvote
    SeriousHoax received kudos from mallard65 in Online + Offline Installer and First update after installation   
    (Same post as item 1.)
  4. Upvote
    SeriousHoax gave kudos to itman in Windows Registry Helps Find Malicious Docs Behind Infections   
    This is a great article on how to perform security forensics after a malware attack to determine the source MS Office entity responsible:
    https://www.bleepingcomputer.com/news/security/windows-registry-helps-find-malicious-docs-behind-infections/
  5. Upvote
    SeriousHoax gave kudos to itman in Hips Configuration   
    Actually, there are better ways to deliver script based malware. That is, convert the script to a .exe.
    Here's an article on how to do so for a PowerShell script: https://www.ilovefreesoftware.com/19/windows/powershell-to-exe-converter.html . This will also allow me to password protect my script code so Eset can't scan it via heuristics. I then phish the target into entering the password via e-mail, etc.
    Here's one for .bat scripts: https://www.addictivetips.com/windows-tips/convert-a-bat-script-to-an-exe-on-windows-10/ . Note this runs hidden.
    One for .vbs scripts: https://www.snapfiles.com/get/vbstoexe.html
    Finally and my favorite, one for Python scripts: https://ourcodeworld.com/articles/read/273/how-to-create-an-executable-exe-from-a-python-script-in-windows-using-pyinstaller . Note that Win AMSI does not scan Python scripts.
  6. Upvote
    SeriousHoax gave kudos to itman in Hips Configuration   
    One other important point in regards to ransomware protection and any other malware that deploys scripts.
    Eset firewall rules need to be created to monitor outbound network traffic from scripts and other commonly abused processes used by malware developers. Additionally, these firewall rules will serve as a backup mechanism to any similar HIPS-created rules in the event malware was able to bypass those. A very common technique employed by malware developers is to use scripts to connect to their remote C&C servers for the purpose of downloading their malicious payload executable or staging a remote execution attack. How to create these firewall rules is described here: https://support.eset.com/en/kb6132-configure-firewall-rules-for-eset-endpoint-security-to-protect-against-ransomware .
    Finally, Eset best practices recommendations should be reviewed for additional ways to mitigate ransomware: https://support.eset.com/en/kb3433-best-practices-to-protect-against-filecoder-ransomware-malware .
  7. Upvote
    SeriousHoax gave kudos to Marcos in Files encrypted by ransomware   
    In fact, I provided proof that on Windows 10 ESET detected and blocked execution of the ransomware and protected the user where the other "free" AV failed. If you have proof that ESET doesn't protect users well, please provide it and support it with logs and other necessary material.
  8. Upvote
    SeriousHoax gave kudos to itman in Files encrypted by ransomware   
    Since regasm.exe was used in this Nemty ransomware sample, I will point out that there are more stealthy methods to deploy it for malicious purposes, as noted here: https://securelist.com/using-legitimate-tools-to-hide-malicious-code/83074/ . One would be advised to monitor its execution per MITRE's recommendation: https://attack.mitre.org/techniques/T1121/ or, at a minimum, monitor any outbound communication from it via firewall rules.
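The two posts above (the firewall rules for script hosts in item 6, and the outbound monitoring of regasm.exe in item 8) describe the same control: alert on network connections initiated by interpreters and utility binaries that normally have no business talking to the internet. The following is an added example, not code from ESET or from the posters, showing that logic run over constructed Sysmon-style network-connection (Event ID 3) records. The watchlist, the private-range exclusion and the sample records are assumptions to be tuned per environment.

```python
"""Flag outbound connections initiated by commonly abused script hosts and
LOLBins, applied to constructed Sysmon-style Event ID 3 records."""
import re
from collections import namedtuple

# Hypothetical watchlist: script interpreters and .NET/utility binaries that
# rarely need internet access on a workstation. Tune to the environment
# (e.g. drop powershell.exe where admins use PowerShell remoting).
WATCHLIST = {
    "wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
    "regasm.exe", "regsvcs.exe", "rundll32.exe", "regsvr32.exe", "cmd.exe",
    "msbuild.exe", "installutil.exe",
}

# RFC 1918 / loopback destinations are treated as benign here (assumption).
PRIVATE = re.compile(r"^(10\.|127\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")

Alert = namedtuple("Alert", "pid image dest_ip dest_port reason")
_FIELD = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Parse space-separated key=value pairs from one constructed record."""
    return dict(_FIELD.findall(line))


def evaluate(event):
    """Return an Alert when a watchlisted image *initiates* a connection to a
    non-private address; None for everything else."""
    if event.get("EventID") != "3" or event.get("Initiated") != "true":
        return None
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image not in WATCHLIST:
        return None
    dest = event.get("DestinationIp", "")
    if PRIVATE.match(dest):
        return None
    port = int(event.get("DestinationPort", "0"))
    reason = "watchlisted image initiated an outbound connection"
    if port in (80, 443, 8080):
        reason += " on a web port (typical payload download / C2 beacon)"
    return Alert(event.get("ProcessId"), image, dest, port, reason)


def scan(lines):
    """Run evaluate() over every record and keep the alerts."""
    return [a for a in (evaluate(parse_event(l)) for l in lines) if a]


# Constructed sample records (not real telemetry); paths contain no spaces
# because the toy parser splits on whitespace.
SAMPLE = [
    "EventID=3 Image=C:\\Windows\\System32\\wscript.exe ProcessId=4120 "
    "Initiated=true DestinationIp=203.0.113.10 DestinationPort=443",
    "EventID=3 Image=C:\\Apps\\Firefox\\firefox.exe ProcessId=2210 "
    "Initiated=true DestinationIp=203.0.113.20 DestinationPort=443",
    "EventID=3 Image=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe "
    "ProcessId=5532 Initiated=true DestinationIp=198.51.100.7 DestinationPort=8080",
    "EventID=3 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "ProcessId=6100 Initiated=true DestinationIp=192.168.1.5 DestinationPort=445",
    "EventID=3 Image=C:\\Windows\\System32\\cmd.exe ProcessId=7001 "
    "Initiated=false DestinationIp=203.0.113.30 DestinationPort=4444",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

Only the wscript.exe and regasm.exe records fire: the browser is not watchlisted, the PowerShell connection goes to a private SMB host, and the cmd.exe record is an inbound (non-initiated) connection. A real deployment would feed this from the firewall or EDR log rather than a list, and would alert even on allowed connections, since the point of the post is visibility when HIPS rules have been bypassed.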
  9. Upvote
    SeriousHoax gave kudos to itman in Files encrypted by ransomware   
    I have long argued that what is needed is a "professional" version of Eset consumer products. For example, the above mentioned EES 7.2 aggressive option could be one feature provided. Another I would like to see is more aggressive reputational scanning options, such as the ability to alert on/block unknown non-system processes and the like. Etc., etc.
    To date, this has fallen "on deaf" Eset ears.
  10. Upvote
    SeriousHoax gave kudos to Nightowl in Files encrypted by ransomware   
    It's now detected by ESET : Win32/Filecoder.NZG
    In my opinion what needs to be improved is the machine learning and HIPS, but I am not an expert like those who program at ESET for sure. Also, as SeriousHoax said, Application Manager and Reputation (rep is already there), combined with everything, so the AI could try to decide if this app is trying to do malicious things or not.
    But I could be mistaken, I don't know; but also, as ITman said, nothing is 100% safe.
  11. Upvote
    SeriousHoax gave kudos to BALTAGY in Files encrypted by ransomware   
    I think machine learning, Ransomware Shield and HIPS need to be improved.

    I did test another one also with no alert from ESET
  12. Upvote
    SeriousHoax gave kudos to itman in Time For A Formal Augur Test?   
    That's what BitDefender did with their 100% machine learning based behavioral protection at A-V Comparatives: https://www.av-comparatives.org/wp-content/uploads/2019/10/spc_fdt_bitdefender_201909_en.pdf . Score was pretty impressive although false positives were a bit high.
    Also, the detection rate for this ML scanner is shown separately on VirusTotal.
  13. Upvote
    SeriousHoax gave kudos to beancounter in uTorrent problem after 13.0.22.0 install   
    Yes. I got rid of uTorrent and installed qBittorrent and the problem went away.
  14. Upvote
    SeriousHoax received kudos from ram1220 in uTorrent problem after 13.0.22.0 install   
    Well, surely this is not a direct solution to your problem, but don't use uTorrent; use the open source, ad-free alternative qBittorrent: https://www.qbittorrent.org/
  15. Upvote
    SeriousHoax received kudos from elquenunca in uTorrent problem after 13.0.22.0 install   
    (Same post as item 14.)
  16. Upvote
    SeriousHoax gave kudos to itman in ESET failed to protect against a Ransomware   
    This is far from the first ransomware employing XOR techniques. Here are a few other examples:
    https://www.rsa.com/en-us/blog/2017-05/how-ransomware-uses-tmp-files-and-the-temp-folder
    https://www.cybereason.com/blog/the-sodinokibi-ransomware-attack
    https://blog.malwarebytes.com/threat-analysis/2018/04/lockcrypt-ransomware/
    So my guess is that how it was deployed is new, and this is why it wasn't detected by a number of solutions.
    This is a perfect example of why everyone needs to back up their user files and keep them offline, or keep the online backup location locked down access-wise.
    Also another strong case for the use of anti-ransomware solutions like AppCheck or Check Point's solution. These use "bait" files to detect file modification and are therefore not dependent upon detecting ransomware behavior methods.
  17. Upvote
    SeriousHoax gave kudos to itman in ESET failed to protect against a Ransomware   
    No need for the ASR mitigation.
    Assumed is that WD's cloud sandbox has Controlled Folders enabled. An unknown process performing repeated file modification activities in those folders is enough to flag the unknown process. This is why MS had a sig. for it so quickly.
  18. Upvote
    SeriousHoax gave kudos to itman in ESET failed to protect against a Ransomware   
    Of note is none of the Next Gen solutions on VT are detecting this. This would be a clear indication that behavior employed by this ransomware is new and their ML engines haven't been tuned to detect it.
  19. Upvote
    SeriousHoax gave kudos to itman in ESET failed to protect against a Ransomware   
    More details on this ransomware are here: https://translate.google.ru/translate?hl=ru&tab=wT&sl=ru&tl=en&u=https%3A%2F%2Fid-ransomware.blogspot.com%2F2019%2F09%2Fgoransom-poc-ransomware.html
    It is using XOR for its encryption activities. I suspect this is why it is "flying under the radar" of security solutions monitoring for specific crypto APIs.
  20. Upvote
    SeriousHoax gave kudos to fabioquadros_ in AV-Comparatives Real-World Protection Test Jul-Aug 2019   
    Maybe Lack of a REAL behavior blocker.
  21. Upvote
    SeriousHoax received kudos from fabioquadros_ in AV-Comparatives Real-World Protection Test Jul-Aug 2019   
    Yes, you are right. ESET is always around the 98% mark. In a test before this one they scored 98.4%, which was lower than every other product (except Total Defense). So, everyone else is doing better.
    I'm pretty sure too that it's not related to PUA. Eset is pretty good at detecting those. The report of the February-May 2019 test was more detailed. It showed Eset failed to detect 12 threats out of 752 but didn't mention what type of threats those were: https://www.av-comparatives.org/tests/real-world-protection-test-february-may-2019/
    Also, check the report of the February-May test. They categorized the false positives by prevalence, from very low, low, medium to high, and most of the WD false positives were in the very low and low groups. So, rarely would an average user face a false positive issue. Maybe most of those false positive samples were blocked by SmartScreen. SmartScreen is mostly reputation based, so it's a possibility.
  22. Upvote
    SeriousHoax received kudos from fabioquadros_ in AV-Comparatives Real-World Protection Test Jul-Aug 2019   
    Here's the latest AV-Comparatives Real-World Protection Test Jul-Aug 2019: https://www.av-comparatives.org/tests/real-world-protection-test-jul-aug-2019-factsheet/
    Comparison chart: https://www.av-comparatives.org/comparison/?usertype=consumer&chart_chart=chart2&chart_year=2019&chart_month=Jul-Aug&chart_sort=1&chart_zoom=2
    ESET blocked 98.3% with 1 false positive. While 98.3% is not a bad result, ESET finished last in this test, and the likes of McAfee and Tencent finishing ahead of ESET is what bothers me the most.
    Did you get a detailed result of the types of malware ESET missed in this test? Was ESET able to detect them after execution, or is execution done in this test too?
  23. Upvote
    SeriousHoax gave kudos to itman in Controlled Folder feature   
    Another thing about WD is that it can be bypassed as noted here: https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
    My gut is telling me that even if Win 10 1903 WD self-protection was enabled, the registry mod implemented by this WMI event would have bypassed it. Perhaps the ASR mitigation to prevent WMI events from being created would have helped. But ASR mitigations would only be deployed by advanced users and can in themselves cause operational issues, in that they absolutely block the activity.
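The bypass discussed above combines two observable events: a WMI event subscription being created, and a value being written under the Windows Defender exclusion keys. Where blocking via ASR is too disruptive, the practical alternative is to detect and correlate those two things. The following is an added example, not code from the linked article or from any product, that does that over constructed Sysmon-style records. The Sysmon event IDs used (13 for a registry value set, 19/20/21 for WMI filter, consumer and binding creation) and the `HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions` key path are real; the hostnames, process images, timestamps and the ten-minute correlation window are assumptions.

```python
"""Correlate WMI subscription creation (Sysmon 19/20/21) with writes under the
Defender exclusion keys (Sysmon 13). Added example over constructed records."""
import re
from datetime import datetime, timedelta

# Exclusion subkeys that turn a path, process or extension invisible to Defender.
EXCLUSION_KEY = re.compile(
    r"\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\(Paths|Processes|Extensions)\\",
    re.IGNORECASE,
)
WMI_EVENTS = {"19": "WmiEventFilter", "20": "WmiEventConsumer", "21": "WmiEventConsumerToFilter"}
WINDOW = timedelta(minutes=10)  # assumed correlation window

_FIELD = re.compile(r'(\w+)="([^"]*)"')  # quoted values, so paths may contain spaces


def parse(line):
    """Parse key="value" pairs from one constructed record."""
    return dict(_FIELD.findall(line))


def classify(ev):
    """Return (severity, reason) for one record, or None if it is uninteresting."""
    eid = ev.get("EventID")
    if eid == "13" and EXCLUSION_KEY.search(ev.get("TargetObject", "")):
        return "high", f"Defender exclusion written: {ev['TargetObject']} by {ev.get('Image')}"
    if eid in WMI_EVENTS:
        kind = WMI_EVENTS[eid]
        if eid == "20" and ev.get("Type") == "CommandLineEventConsumer":
            # A consumer that runs a command line is the persistence primitive.
            return "medium", f"{kind} of type CommandLineEventConsumer created: {ev.get('Name')}"
        return "low", f"{kind} created: {ev.get('Name')}"
    return None


def correlate(lines):
    """Classify every record; escalate an exclusion write that follows a WMI
    binding (EventID 21) on the same host within WINDOW to 'critical'."""
    findings = []
    last_binding = {}  # host -> time of most recent EventID 21
    for line in lines:
        ev = parse(line)
        ts = datetime.fromisoformat(ev["UtcTime"])
        host = ev.get("Computer", "?")
        if ev.get("EventID") == "21":
            last_binding[host] = ts
        hit = classify(ev)
        if not hit:
            continue
        sev, reason = hit
        if ev.get("EventID") == "13" and host in last_binding and ts - last_binding[host] <= WINDOW:
            sev, reason = "critical", reason + " (shortly after a WMI subscription binding)"
        findings.append((ts.isoformat(), host, sev, reason))
    return findings


# Constructed sample records (not real telemetry).
SAMPLE = [
    'EventID="19" UtcTime="2019-10-01T09:00:01" Computer="WS01" Name="Updater" EventNamespace="root\\subscription"',
    'EventID="20" UtcTime="2019-10-01T09:00:02" Computer="WS01" Name="Updater" Type="CommandLineEventConsumer"',
    'EventID="21" UtcTime="2019-10-01T09:00:03" Computer="WS01" Name="Updater"',
    'EventID="13" UtcTime="2019-10-01T09:02:10" Computer="WS01" Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'TargetObject="HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Users\\Public" Details="DWORD (0x00000000)"',
    'EventID="13" UtcTime="2019-10-01T09:30:00" Computer="WS02" Image="C:\\Program Files\\Windows Defender\\MsMpEng.exe" '
    'TargetObject="HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Signature Updates\\AVSignatureVersion" Details="1.301.1.0"',
    'EventID="13" UtcTime="2019-10-01T10:00:00" Computer="WS02" Image="C:\\Windows\\regedit.exe" '
    'TargetObject="HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\D:\\Builds" Details="DWORD (0x00000000)"',
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE):
        print(finding)
```

On the sample, WS01 produces the full chain (filter, command-line consumer, binding, then an exclusion write two minutes later), which is escalated to critical; WS02 shows an exclusion added by hand with no preceding WMI activity, which stays at high, and Defender's own signature-version write, which is ignored. Registry writes by `MsMpEng.exe` or by the `Set-MpPreference` cmdlet will still appear here when administrators add legitimate exclusions, so the `high` tier is a review queue rather than an automatic block.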
  24. Upvote
    SeriousHoax received kudos from Pete12 in update from 12.2.23 to 12.2.29   
    I installed ESET IS and registration to Windows Security Center was successful but like mentioned above, WD is starting for some minutes at startup.
    There used to be an option to ask the user before performing a program update. Why was it removed? I installed the 12.2.23.0 version from the offline installer and after the first update it automatically updated to 12.2.29.0. Who thought it would be a better idea to remove the option to ask the user??!! A lot of us could've avoided this if the option was still there.
  25. Upvote
    SeriousHoax gave kudos to itman in update from 12.2.23 to 12.2.29   
    It appears to me that Eset is doing some type of "kluge" processing where it fools Win 10 into thinking no other AV/firewall is installed at boot time. That is what is causing the event log entries. My guess is Eset is not loading its ELAM driver. This will cause later Win 10 versions to start up Windows Defender and run it in parallel with the third-party AV solution. Or the OS, in the meantime seeing that no third-party AV is installed, starts up the Win firewall front-end plus Windows Defender.
    Eset then later registers itself with Windows Security Center and all is well in that regard. Once the Eset registration with Security Center completes, then the OS switches over to recognizing Eset as the firewall plus AV real-time provider and terminates the Windows Defender engine process.
    The problem with the above is while Windows Defender is active, it is performing activities like trying to update its definitions and God only knows what else. There is also the issue of malware that runs at start-up "sneaking through" due to the fact two real-time AV solutions are running. What happens if WD detects the malware first but is not fully functional?
    Eset really needs to do its initialization with Security Center properly as was done with ver. 12.2.23 and prior versions.