L0ckJaw

Members
  • Posts: 13
Kudos

  1. Upvote
    L0ckJaw received kudos from The Rectifier in Introduce yourself   
    Hi All!
    L0ckJaw here, I am a Microsoft professional living in the Netherlands.
    I am also a Malware tester for the Malwaretips community, and so far ESET did very good.
    Love ESET because of its lightness, great signatures.
    Keep up the good work!
  2. Upvote
    L0ckJaw gave kudos to itman in Ransomware   
    This is the problem. I would gladly switch to Endpoint. However, I don't want to buy 5 licenses which it appears is Eset's purchase minimum for the product. Eset should have a single license purchase option with a higher cost which would be perfectly acceptable.
    Another suggestion is Eset offer an "advanced" Internet Security version which in effect would be a "re-bagged" Endpoint version.
  3. Upvote
    L0ckJaw gave kudos to aranud87 in Ransomware   
    As I have said many times, it would be nice to have rules based on LiveGrid if the user wants.
    Full Green Known/safe: allow
    Yellow: ask for launch / ask with high HIPS rules / ask for firewall
    Red: block
  4. Upvote
    L0ckJaw gave kudos to wraith in Ransomware   
    It can run on a standard user but won't be able to encrypt system files. It can encrypt your personal files though. I agree with you. A process that is unsigned and new to LiveGrid, trying to encrypt files, should be blocked immediately by ESET even though it may be a false positive (although the chances would be extremely thin for a FP). I would rather deal with a FP than having my important files encrypted.
  5. Upvote
    L0ckJaw gave kudos to peteyt in Ransomware   
    I'm new to this topic but just wanted to ask something and am unsure if it's been asked.
    Firstly, I have no issue with Eset; I know nothing can ever be 100 percent. However, in regards to ransomware, would there not be a way to detect that something is encrypting files, which in turn could force an alert from Eset?
    I'm not talking about new unknown viruses, zero days etc. but the act of encrypting itself. Basically, could Eset not set it by default to alert users if it detects file encrypting, and possibly even be set to pause the encryption until a user tells Eset to either allow or remove it?
    Surely with that approach it wouldn't matter if it was a new, unseen virus that Eset didn't know, as it would still see the encrypting part. Or are these viruses able to hide that they are encrypting things until it is too late? I don't have a lot of knowledge on these things, so sorry if it is a lot more complex than that.
  6. Upvote
    L0ckJaw gave kudos to wraith in Ransomware   
    In general ESET is usually one of the first to come with signatures. So 3 days seems pretty old to me. Many other vendors already have a signature for it. Btw did the researchers/analysts find anything about this sample?
  7. Upvote
    L0ckJaw received kudos from wraith in Ransomware   
    I understand what you are saying, but people rely on their AV program to intercept any suspicious file.
    If they do not see the double extension, and think it's a .pdf, they are infected. So in my opinion an AV program should block these immediately.
    That's why File Insight or a SONAR-like active protection module should be in place to intercept any suspicious file.
  8. Upvote
    L0ckJaw gave kudos to itman in Ransomware   
    For those who want to "get into the nitty gritty" of this bugger, Dr. Web has a full behavior analysis here: https://www.virustotal.com/gui/file/32db24cc3456965ba75319617ef2094c9549874533b5fc6c13769a994dc57877/behavior/Dr.Web vxCube . I can see one reason this "flew under the Eset ransomware behavior detection radar." It's a "system hostage" ransomware. Appears to encrypt everything related to existing installed apps. I didn't see one reference to user personal directories being encrypted. Very strange ransomware. Also don't understand what it is trying to accomplish since system repair (Win 10 only) plus app re-installation would bring everything back to normal.
    -EDIT- It is possible one of the system files it encrypted will block access to user personal directory files giving the impression that all your files have been encrypted.
  9. Upvote
    L0ckJaw gave kudos to wraith in Ransomware   
    With the only difference being SONAR can detect and stop ransomwares that are not detected by signatures whereas ESET cannot. ☹️
  10. Upvote
    L0ckJaw gave kudos to wraith in Ransomware   
    Please let me know what the analysts came up with and also if possible why the anti ransomware didn't kick in for this particular sample. Thanks. 😀
  11. Upvote
    L0ckJaw gave kudos to wraith in Ransomware   
    Absolutely not. I'm talking about this ransomware scenario which we're discussing. This is an exe file. ESET doesn't have a signature and so it's not detected by the real-time scanner. When I executed the file it spawned a process that began encrypting files. My point is that when the process started encrypting the files, why didn't the anti-ransomware module kick in and ask me whether I want to continue the operation or block it? This is the simple question for which I'm trying to get a reliable response, nothing more.
  12. Upvote
    L0ckJaw gave kudos to wraith in Ransomware   
    Yeah, that's why I don't like these features. I just gave them as examples since you asked about what block at first sight is. Moreover, these make the AV heavy to use and I don't want ESET to become heavy like the other AVs. But I really want ESET to have a dedicated PROACTIVE ransomware module, not a REACTIVE one, since all the complaints I receive regarding ESET relate only to ransomware, nothing else.
  13. Upvote
    L0ckJaw gave kudos to wraith in Ransomware   
    I know all these are there but I've never seen the Behaviour Blocker and Anti-Ransomware Shield in action. If there is a new ransomware that is not in the signatures, there is literally no warning from ESET and the ransomware easily manages to encrypt all the files. The advanced machine learning seems to be a welcome addition. 😀
  14. Upvote
    L0ckJaw gave kudos to itman in JS/Adware.Agent.AA Application   
    A very strong warning here.
    I just performed a detailed scan of this web site using Quttera. It found a whopping 19 malware instances, all JavaScript based:

    https://quttera.com/detailed_report/watchdoctorwhoonline.com
  15. Upvote
    L0ckJaw gave kudos to TomFace in AV-TEST and ESET   
    I use the daily "seat of my pants" results. I know what works for me.
    No A/V program is 100%...that's why they get updated and evolve.
    In my opinion, these A-V test results (no matter who publishes them) only provide the trolls with food (in addition to being (for me) worthless data). We all know (or at least should know) that you never feed a troll.
    Regards,
    Tom
  16. Upvote
    L0ckJaw gave kudos to TomFace in no files in qurantine   
    Marcos, thank you for the information and for protecting the legitimacy of the Forum.
    Best regards,
    Tom  
  17. Upvote
    L0ckJaw gave kudos to Marcos in no files in qurantine   
    He has asked to cancel his account here. But yes, it's not normal that a user of a trial license would request a response within 1-2 hours 24x7 that is granted to VIP customers at an extra fee. Moreover, the problems with LiveGrid authentication suggesting an invalid username/password being used was highly suspicious too.
  18. Upvote
    L0ckJaw received kudos from TomFace in issue number 2 (live grid)   
    Your answer is in the screenshot:
    You use incorrect credentials.
  19. Upvote
    L0ckJaw gave kudos to TomFace in issue number 2 (live grid)   
    Yes valid credentials are essential. I'm sure s/he will be able to find some somewhere.
  20. Upvote
    L0ckJaw gave kudos to Marcos in Eset updates   
    Modules are stored in "C:\Program Files\ESET\ESET Security\Modules" by default.
  21. Upvote
    L0ckJaw gave kudos to Marcos in ransomware attack   
    Just came across a case when a user was hit by Filecoder.Phobos and asked how come they got infected with ESET installed. After analyzing logs, we found out that:
    - the detection for the ransomware was added at least 2 months before the incident
    - password protection of ESET's settings was not enabled
    - detection of potentially unsafe applications was disabled

    We also found out that:
    1. A brute-force RDP attack was performed:
    - Administrator had 22 377 failed login attempts
    - ADMINISTRATOR had 5 438 failed login attempts
    - ADMINISTRADOR had 1 102 failed login attempts
    - ADMIN had 710 failed login attempts
    2. There was a suspicious RDP connection from a foreign country
    3. A local user GhostUser had been created recently
    4. A legitimate tool that can be misused to kill security software had been installed recently (detected as pot. unsafe application)
    5. Event logs had been recently cleared.

    This is proof that just having security software installed is not enough; firstly, RDP must be secured. Secondly, all critical operating system updates must be installed. Thirdly, ESET must be protected with a password and detection of potentially unsafe applications enabled to prevent protection from being tampered with by unauthorized persons.
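The log findings Marcos lists (many failed RDP logons per account name, a later RDP session from the same source, a freshly created local user, and cleared event logs) are all visible in the Windows Security log and can be triaged mechanically. The script below is an added example written for this page, not code from ESET or from any forum member; it runs over constructed sample records shaped like the relevant Security log fields (EventID 4625 failed logon, 4624 successful logon, 4720 user created, 1102 audit log cleared), and the failed-logon threshold and the field names are assumptions to adapt to the real export format.

```python
"""Triage Windows Security log records for the ransomware precursors
described above: RDP brute force, a successful RDP logon from the
brute-forcing address, a new local user, and cleared event logs.
All events here are constructed sample data, not real logs."""
from collections import Counter

# Constructed sample records. Field names follow the Security log's XML
# EventData names (TargetUserName, LogonType, IpAddress); an exporter may
# name them differently, so adjust the keys for a real data source.
SAMPLE_EVENTS = (
    [{"EventID": 4625, "TargetUserName": "Administrator", "LogonType": 10,
      "IpAddress": "203.0.113.7"} for _ in range(40)]
    + [{"EventID": 4625, "TargetUserName": "ADMIN", "LogonType": 10,
        "IpAddress": "203.0.113.7"} for _ in range(12)]
    # A user mistyping a password at the console: below threshold, local.
    + [{"EventID": 4625, "TargetUserName": "alice", "LogonType": 2,
        "IpAddress": "-"} for _ in range(3)]
    + [{"EventID": 4624, "TargetUserName": "Administrator", "LogonType": 10,
        "IpAddress": "203.0.113.7"},          # RDP logon finally succeeds
       {"EventID": 4720, "TargetUserName": "GhostUser"},  # new local user
       {"EventID": 1102}]                     # audit log cleared
)

# Assumed threshold; the post's case had thousands of failures per account.
FAILED_LOGON_THRESHOLD = 10

# LogonType 10 is RemoteInteractive (RDP). With Network Level Authentication
# enabled, failed RDP attempts can also be logged as type 3 (network).
RDP_LOGON_TYPES = {3, 10}


def failed_logons_by_account(events):
    """Count EventID 4625 per target account. The account name's case is
    kept exactly as logged, which is why the post's list shows
    Administrator, ADMINISTRATOR and ADMINISTRADOR as separate entries."""
    counts = Counter()
    for e in events:
        if e.get("EventID") == 4625:
            counts[e["TargetUserName"]] += 1
    return dict(counts)


def triage(events, threshold=FAILED_LOGON_THRESHOLD):
    """Return the indicators a responder would want from one host's log."""
    failures = failed_logons_by_account(events)
    brute_forced = sorted((acct, n) for acct, n in failures.items()
                          if n >= threshold)
    # Source addresses seen hammering any account above the threshold.
    attacker_ips = {e.get("IpAddress") for e in events
                    if e.get("EventID") == 4625
                    and e.get("LogonType") in RDP_LOGON_TYPES
                    and failures.get(e["TargetUserName"], 0) >= threshold}
    # A successful RDP logon from one of those addresses means the
    # brute force worked and the following activity is the attacker's.
    rdp_success = [(e["TargetUserName"], e["IpAddress"]) for e in events
                   if e.get("EventID") == 4624
                   and e.get("LogonType") == 10
                   and e.get("IpAddress") in attacker_ips]
    users_created = [e["TargetUserName"] for e in events
                     if e.get("EventID") == 4720]
    log_cleared = any(e.get("EventID") == 1102 for e in events)
    return {
        "brute_forced": brute_forced,
        "rdp_success_from_attacker_ip": rdp_success,
        "users_created": users_created,
        "log_cleared": log_cleared,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_EVENTS)
    for acct, n in report["brute_forced"]:
        print(f"brute force: {acct} had {n} failed logon attempts")
    for user, ip in report["rdp_success_from_attacker_ip"]:
        print(f"successful RDP logon as {user} from brute-forcing host {ip}")
    for user in report["users_created"]:
        print(f"local user created: {user}")
    if report["log_cleared"]:
        print("event log was cleared (EventID 1102)")
```

Because a 1102 record is itself evidence that earlier records are gone, the absence of 4625 noise on a host that shows a 1102 should be treated as suspicious rather than as clean, and the same counts should be pulled from a central log collector where one exists.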