wraith

wraith last won the day on September 11 2019

  1. Anyways it seems pointless to discuss this since the mods will not implement it because according to them it's basically useless. I can also say that ESET can implement a smart firewall like Norton where the firewall will block known malicious applications from making outbound connections, allow safe apps to connect and ask for unknown apps when they try to connect to the internet. But again the same answer will come up that this will lead to false positives and inconvenience for some users. Again I can say that this smart feature can be disabled by default but will be enabled by advanced users but again I will be told that ESET interactive mode will do the job. Basically this goes on in a loop and so I quit giving suggestions to improve ESET.
  2. I just simply can't buy their explanations of false positives. Kaspersky has trusted application mode, Avast and AVG have hardened mode. But these are not enabled by default since they may cause false positives and hence are enabled only by the advanced users. So what's the problem with ESET in implementing it like that? Only advanced users will enable those features since by default it will be disabled. Marcos states that ESET employs proactive mechanisms but I'm sorry to say that in that case it's one of the worst implementations ever made. ESET is terrible in proactive protection. Kaspersky, Norton, BitDefender are vastly superior. Even free AVs like AVG and Avast have superior dynamic protection. If static detection fails, most of the time the PC is compromised. You don't need to take my word for it. Google it, look at YouTube test results, static detection is excellent but dynamic detection is one of the worst. Still then the mods never pay any heed to the users who suggest to make the dynamic protection strong.
  3. I think this thread should be disabled. ESET mods will NEVER listen to any user feedback; rather they'll counter your every argument with a baseless one. Simply they think that they have made a 100% bulletproof product and any change to it will always result in false positives. I'm done and fed up posting in this forum. The moderators do not listen to any user feedback. It's sad but true; in this way the future looks bleak for ESET. Many old users will switch to other competitive products simply because they listen to the users and implement the rational features. But here all you get is defensive posts about ESET. The developers are NEVER open to constructive or positive criticism.
  4. Ok that sounds reasonable. But ESET can surely implement the idea of protected folders. Let it be disabled by default. Advanced users who want that can enable that but at least provide it as an option.
  5. I'll send you the logs once I reach home from work, although I highly doubt it would be useful since I always run any unknown file in Shadow Defender shadow mode before executing in the real mode.
  6. IMHO ESET should add some advanced features like itman suggested. Keep them switched off by default so that only advanced users can enable them. I agree with the LiveGrid implementation part. Allow all safe processes (green), monitor the activities of non-popular (yellow) and alert upon suspicious behaviour and block for unsafe processes (red). If that sounds too much, implement a protected folders feature like Defender, Trend Micro, BitDefender, Avast so that files in those folders can only be accessed by safe applications and will be prompted if accessed by unknown applications.
  7. It can run on a standard user but won't be able to encrypt system files. It can encrypt your personal files though. I agree with you. A process that is unsigned and new to LiveGrid, trying to encrypt files, should be blocked immediately by ESET even though it may be a false positive (although the chances would be extremely thin for a FP). I would rather deal with a FP than having my important files encrypted.
  8. In general ESET is usually one of the first to come with signatures. So 3 days seems pretty old to me. Many other vendors already have a signature for it. Btw did the researchers/analysts find anything about this sample?
  9. I have been using ESET since version 2.5 (NOD32). You have an amazing team of analysts and researchers. I don't think it would be that hard for your team to design an efficient anti-ransomware module that can block any unsigned process trying to encrypt files. That way the probability of false positives will be greatly reduced. You can argue that signed malware and malware that exploits LOLBins could still encrypt the files, but then I can argue that no antivirus can catch 100% threats, so why use ESET or any other AV? If you implement this one simple rule, ESET will be able to stop more than 50% ransomwares for which it does not have a signature. But then again, I somehow feel that the ESET team is not open to suggestions or positive/constructive criticism.
  10. The sample managed to encrypt all my document files, i.e. docx, pdf, etc., in my Documents folder. I sent an encrypted file to Marcos.
  11. If only ESET displayed this warning for each and every unsigned file that tries to encrypt files.
  12. I don't know that but ESET should have added a signature for that ransomware. It's pretty old and most AV vendors detect it.
  13. If you don't mind me asking, can you please provide me with a screenshot of ESET Anti Ransomware in action stopping a ransomware for which ESET did not have any signatures?
  14. BINGO!!! That's what I'm trying to point out. Products with dedicated Anti-Ransomware Module should proactively block the ransomwares when they detect that they are trying to encrypt files. ESET is not doing that in spite of having a dedicated Ransomware Module. Creating HIPS rules is another topic. Since ESET already employs anti-ransomware module, why doesn't it kick into action when all the others can like Kaspersky System Watcher? Finally someone got my point.
  15. ESET doesn't need to have the same capability as SONAR. If the anti-ransomware module works proactively, it will be enough. Take this example. I executed the same ransomware while having AppCheck running in the background. It immediately stopped the ransomware based on its behaviour since it was encrypting a large number of files. My question is why can't ESET ransomware module do the same?