
L0ckJaw

Members
  • Content Count: 13
  • Joined
  • Last visited
Kudos

  1. Upvote
    L0ckJaw received kudos from The Rectifier in Introduce yourself   
    Hi all!
    L0ckJaw here, I am a Microsoft professional living in the Netherlands.
    I am also a malware tester for the MalwareTips community, and so far ESET has done very well.
    Love ESET because of its lightness and great signatures.
    Keep up the good work!
  2. Upvote
    L0ckJaw gave kudos to itman in Ransomware   
    This is the problem. I would gladly switch to Endpoint. However, I don't want to buy 5 licenses which it appears is Eset's purchase minimum for the product. Eset should have a single license purchase option with a higher cost which would be perfectly acceptable.
    Another suggestion is Eset offer an "advanced" Internet Security version which in effect would be a "re-badged" Endpoint version.
  3. Upvote
    L0ckJaw gave kudos to aranud87 in Ransomware   
    As I have said many times, it would be nice to have rules based on LiveGrid, if the user wants them.
    Full green (known/safe): allow
    Yellow: ask before launch / ask with high HIPS rules / ask for firewall
    Red: block
  4. Upvote
    L0ckJaw gave kudos to wraith in Ransomware   
    It can run on a standard user but won't be able to encrypt system files. It can encrypt your personal files though. I agree with you. A process that is unsigned and new to LiveGrid, trying to encrypt files, should be blocked immediately by ESET even though it may be a false positive (although the chances would be extremely thin for a FP). I would rather deal with a FP than having my important files encrypted.
  5. Upvote
    L0ckJaw gave kudos to peteyt in Ransomware   
    I'm new to this topic but just wanted to ask something, and I'm unsure if it's been asked.
    Firstly, I have no issue with ESET; I know nothing can ever be 100 percent. However, in regard to ransomware, would there not be a way to detect that something is encrypting files, which in turn could force an alert from ESET?
    I'm not talking about new unknown viruses, zero-days etc., but the act of encrypting itself. Basically, could ESET not be set by default to alert users if it detects file encryption, and possibly even pause the encryption until a user tells ESET to either allow or remove it?
    Surely with that approach it wouldn't matter if it was a new, unseen virus that ESET didn't know, as it would still see the encrypting part. Or are these viruses able to hide that they are encrypting things until it is too late? I don't have a lot of knowledge on these things, so sorry if it is a lot more complex than that.
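The question in the post above, whether the act of encrypting can be recognised on its own rather than through a signature, is the idea behind entropy-based ransomware heuristics. The script below is an added example written for this page; it is not code from the thread or from ESET's product. It simulates such a behaviour monitor over a constructed list of file-rewrite events (process id, process name, path, content before and after the write). The event shape, process names, paths and thresholds are assumptions for illustration; a real monitor would receive these events from a filesystem filter driver.

```python
import hashlib
import math
from collections import Counter, defaultdict

HIGH_ENTROPY = 7.0   # bits per byte; ciphertext and compressed data sit close to 8.0
LOW_ENTROPY = 6.0    # plain text and office documents usually sit between 3 and 5.5
FILE_THRESHOLD = 3   # prompt/suspend once one process has done this many suspicious rewrites


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_encrypting_rewrite(old: bytes, new: bytes) -> bool:
    """True when low-entropy content was replaced in place by high-entropy content."""
    return shannon_entropy(old) < LOW_ENTROPY and shannon_entropy(new) >= HIGH_ENTROPY


def assess(events, threshold=FILE_THRESHOLD):
    """Count suspicious rewrites per process.

    `events` is an iterable of dicts with keys pid, process, path, old, new
    (an assumed event shape). Returns {pid: (process name, [flagged paths])}
    for every process that reached `threshold` suspicious rewrites.
    """
    flagged = defaultdict(list)
    names = {}
    for ev in events:
        names[ev["pid"]] = ev["process"]
        if is_encrypting_rewrite(ev["old"], ev["new"]):
            flagged[ev["pid"]].append(ev["path"])
    return {pid: (names[pid], paths)
            for pid, paths in flagged.items() if len(paths) >= threshold}


# ---- constructed sample data, not a real capture ----
def pseudo_ciphertext(seed: int, size: int = 4096) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (a SHA-256 chain)."""
    blocks = (hashlib.sha256(f"{seed}:{i}".encode()).digest() for i in range(size // 32))
    return b"".join(blocks)[:size]


DOC = b"Quarterly report: revenue up 3%, costs flat, headcount unchanged.\n" * 64
ARCHIVE = pseudo_ciphertext(99)  # an already-compressed archive is high entropy before any attack

SAMPLE_EVENTS = [
    # pid 4242, a dropper named like a PDF, overwrites three documents with ciphertext
    {"pid": 4242, "process": "invoice.pdf.exe", "path": r"C:\Users\u\Documents\a.docx", "old": DOC, "new": pseudo_ciphertext(1)},
    {"pid": 4242, "process": "invoice.pdf.exe", "path": r"C:\Users\u\Documents\b.xlsx", "old": DOC, "new": pseudo_ciphertext(2)},
    {"pid": 4242, "process": "invoice.pdf.exe", "path": r"C:\Users\u\Documents\c.txt", "old": DOC, "new": pseudo_ciphertext(3)},
    # pid 1001, an editor appending a line: low entropy before and after, not suspicious
    {"pid": 1001, "process": "notepad.exe", "path": r"C:\Users\u\notes.txt", "old": DOC, "new": DOC + b"Added a line.\n"},
    # pid 2002, an archiver rewriting a zip: high entropy before and after, not suspicious
    {"pid": 2002, "process": "7z.exe", "path": r"C:\Users\u\backup.zip", "old": ARCHIVE, "new": pseudo_ciphertext(100)},
    # pid 3003, one password-protected save: suspicious on its own but below the per-process threshold
    {"pid": 3003, "process": "winword.exe", "path": r"C:\Users\u\secret.docx", "old": DOC, "new": pseudo_ciphertext(7)},
]

if __name__ == "__main__":
    for pid, (name, paths) in assess(SAMPLE_EVENTS).items():
        print(f"SUSPEND pid {pid} ({name}): {len(paths)} files rewritten with ciphertext")
        for path in paths:
            print("   ", path)
```

Only the dropper process crosses the threshold in the sample; the editor, the archiver and the single encrypted save do not. The caveat a practitioner should keep in mind: files that are already compressed (JPEG, ZIP, most PDF streams) are high entropy before any attack, so a pure entropy rule misses them, which is why products layer this with canary files, rename patterns (new extensions on many files) and reputation of the writing process; and because a backup or archiving tool produces the same entropy profile, the sensible response at the threshold is to pause the process and ask, as peteyt suggests, rather than kill it silently.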
  6. Upvote
    L0ckJaw gave kudos to wraith in Ransomware   
    In general ESET is usually one of the first to come with signatures. So 3 days seems pretty old to me. Many other vendors already have a signature for it. Btw did the researchers/analysts find anything about this sample?
  7. Upvote
    L0ckJaw received kudos from wraith in Ransomware   
    I understand what you are saying, but people rely on their AV program to intercept any suspicious file.
    If they do not see the double extension and think it's a .pdf, they are infected. So in my opinion an AV program should block these immediately.
    That's why File Insight or a SONAR-like active protection module should be in place to intercept any suspicious file.
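The double-extension trick mentioned in the post above (a file that looks like a PDF but is really an executable) can be caught on the filename before the user ever sees it, including the two variants that defeat a naive "ends with .pdf.exe" check: whitespace padding that pushes the real extension out of a narrow file-list column, and a Unicode right-to-left override that makes the rendered name differ from the stored one. This is an added example written for this page, not code from the thread or from any vendor's product; the extension lists are a representative subset and the sample names are constructed.

```python
# Extensions Windows will execute on double-click (a representative subset, not exhaustive)
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".lnk", ".msi"}
# Harmless-looking extensions an attacker places in front of the real one
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                 ".jpg", ".jpeg", ".png", ".txt", ".zip"}
# Unicode bidi controls that make the rendered name differ from the stored one
BIDI_OVERRIDES = {"\u202e": "RLO", "\u202d": "LRO", "\u2066": "LRI",
                  "\u2067": "RLI", "\u2068": "FSI"}


def split_extensions(name: str) -> list:
    """Lower-cased extensions with whitespace padding removed: 'a.PDF   .Exe' -> ['.pdf', '.exe']."""
    parts = name.split(".")
    return ["." + p.strip().lower() for p in parts[1:]] if len(parts) > 1 else []


def disguise_reasons(name: str) -> list:
    """Reasons `name` looks like an executable dressed up as a document; [] if none found."""
    reasons = []
    for ch, label in BIDI_OVERRIDES.items():
        if ch in name:
            reasons.append(f"Unicode {label} (U+{ord(ch):04X}) reorders the displayed name")
    clean = "".join(ch for ch in name if ch not in BIDI_OVERRIDES)
    exts = split_extensions(clean)
    if not exts or exts[-1] not in EXECUTABLE_EXTS:
        return reasons
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
        reasons.append(f"double extension: shows as {exts[-2]} when known extensions are hidden, runs as {exts[-1]}")
    # the segment just before the real extension, with its original padding intact
    before_last = clean.rsplit(".", 2)[-2] if clean.count(".") >= 2 else ""
    if before_last != before_last.rstrip():
        reasons.append("whitespace padding pushes the real extension out of the visible column")
    return reasons


# constructed sample attachment names
SAMPLE_NAMES = [
    "invoice.pdf.exe",                       # classic double extension
    "report.pdf                      .exe",  # padding hides .exe in a narrow column
    "invoice\u202efdp.exe",                  # RLO: rendered as invoiceexe.pdf
    "Quarterly.docx",                        # real document
    "setup.exe",                             # executable, but not pretending to be anything else
]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        reasons = disguise_reasons(name)
        verdict = "BLOCK" if reasons else "allow"
        print(f"{verdict:5} {name!r}: {'; '.join(reasons) or 'no disguise detected'}")
```

A filename check is only a first filter for a mail gateway or download scanner: the authoritative type is in the content (an `MZ` header versus `%PDF`), so pair this with a magic-byte check, and rely on behaviour monitoring, as the posts above argue, for whatever still gets through.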
  8. Upvote
    L0ckJaw gave kudos to itman in Ransomware   
    For those who want to "get into the nitty gritty" of this bugger, Dr. Web has a full behavior analysis here: https://www.virustotal.com/gui/file/32db24cc3456965ba75319617ef2094c9549874533b5fc6c13769a994dc57877/behavior/Dr.Web vxCube . I can see one reason this "flew under the Eset ransomware behavior detection radar." It's a "system hostage" ransomware. Appears to encrypt everything related to existing installed apps. I didn't see one reference to user personal directories being encrypted. Very strange ransomware. Also don't understand what it is trying to accomplish since system repair (Win 10 only) plus app re-installation would bring everything back to normal.
    -EDIT- It is possible one of the system files it encrypted will block access to user personal directory files giving the impression that all your files have been encrypted.
  9. Upvote
    L0ckJaw gave kudos to wraith in Ransomware   
    With the only difference being SONAR can detect and stop ransomware that is not detected by signatures whereas ESET cannot. ☹️
  10. Upvote
    L0ckJaw gave kudos to wraith in Ransomware   
    Please let me know what the analysts came up with and also if possible why the anti ransomware didn't kick in for this particular sample. Thanks. 😀
  11. Upvote
    L0ckJaw gave kudos to wraith in Ransomware   
    Absolutely not. I'm talking about this ransomware scenario which we're discussing. This is an exe file. ESET doesn't have a signature and so it's not detected by the real time scanner. When I executed the file it spawned a process that began encrypting files. My point is that when the process started encrypting the files, why didn't the anti ransomware module kick in and alert me, asking if I want to continue the operation or block it? This is the simple question for which I'm trying to get a reliable response, nothing more.
  12. Upvote
    L0ckJaw gave kudos to wraith in Ransomware   
    Yeah, that's why I don't like these features. I just gave them as examples since you asked about what block at first sight is. Moreover, these make the AV heavy to use and I don't want ESET to become heavy like the other AVs. But I really want ESET to have a dedicated PROACTIVE ransomware module, not a REACTIVE one, since all the complaints I receive regarding ESET relate only to ransomware, nothing else.
  13. Upvote
    L0ckJaw gave kudos to wraith in Ransomware   
    I know all these are there but I've never seen the Behaviour Blocker and Anti-Ransomware shield in action. If there is a new ransomware that is not in the signatures, there is literally no warning from ESET and the ransomware easily manages to encrypt all the files. The advanced machine learning seems to be a welcome addition.😀
  14. Upvote
    L0ckJaw gave kudos to TomFace in AV-TEST and ESET   
    I use the daily "seat of my pants" results. I know what works for me.
    No A/V program is 100%...that's why they get updated and evolve.
    In my opinion, these A-V test results (no matter who publishes them) only provide the trolls with food (in addition to being (for me) worthless data). We all know (or at least should know) that you never feed a troll.
    Regards,
    Tom