wraith

Members
  • Posts: 35
  • Joined
  • Last visited
  • Days Won: 2

Everything posted by wraith

  1. Anyways it seems pointless to discuss this since the mods will not implement it because according to them it's basically useless. I can also say that ESET can implement a smart firewall like Norton where the firewall will block known malicious applications from making outbound connections, allow safe apps to connect and ask for unknown apps when they try to connect to the internet. But again the same answer will come up that this will lead to false positives and inconvenience for some users. Again I can say that this smart feature can be disabled by default but will be enabled by advanced users, but again I will get the reply that ESET interactive mode will do the job. Basically this goes on in a loop and so I quit giving suggestions to improve ESET.
  2. I just simply can't buy their explanations of false positives. Kaspersky has trusted application mode, Avast and AVG have hardened mode. But these are not enabled by default since they may cause false positives and hence are enabled only by the advanced users. So what's the problem with ESET in implementing it like that? Only advanced users will enable those features since by default it will be disabled. Marcos states that ESET employs proactive mechanisms but I'm sorry to say that in that case it's one of the worst implementations ever made. ESET is terrible in proactive protection. Kaspersky, Norton, BitDefender are vastly superior. Even free AVs like AVG and Avast have superior dynamic protection. If static detection fails, most of the time the PC is compromised. You don't need to take my word for it. Google it, look at YouTube test results: static detection is excellent but dynamic detection is one of the worst. Still, the mods never pay any heed to the users who suggest making the dynamic protection strong.
  3. I think this thread should be disabled. ESET mods will NEVER listen to any user feedback; rather they'll counter your every argument with a baseless one. Simply, they think that they have made a 100% bulletproof product and any change to it will always result in false positives. I'm done and fed up posting in this forum. The moderators do not listen to any user feedback. It's sad but true; in this way the future looks bleak for ESET. Many old users will switch to other competitive products simply because they listen to the users and implement the rational features. But here all you get is defensive posts about ESET. The developers are NEVER open to constructive or positive criticism.
  4. Ok that sounds reasonable. But ESET can surely implement the idea of protected folders. Let it be disabled by default. Advanced users who want that can enable that but at least provide it as an option.
  5. I'll send you the logs once I reach home from work, although I highly doubt it would be useful since I always run any unknown file in Shadow Defender shadow mode before executing in the real mode.
  6. IMHO ESET should add some advanced features like itman suggested. Keep them switched off by default so that only advanced users can enable them. I agree with the LiveGrid implementation part. Allow all safe processes (green), monitor the activities of non-popular (yellow) and alert upon suspicious behaviour and block for unsafe processes (red). If that sounds too much, implement a protected folders feature like Defender, Trend Micro, BitDefender, Avast so that files in those folders can only be accessed by safe applications and will be prompted if accessed by unknown applications.
  7. It can run on a standard user but won't be able to encrypt system files. It can encrypt your personal files though. I agree with you. A process that is unsigned and new to LiveGrid, trying to encrypt files, should be blocked immediately by ESET even though it may be a false positive (although the chances would be extremely thin for a FP). I would rather deal with a FP than having my important files encrypted.
  8. In general ESET is usually one of the first to come with signatures. So 3 days seems pretty old to me. Many other vendors already have a signature for it. Btw did the researchers/analysts find anything about this sample?
  9. I have been using ESET since version 2.5 (NOD32). You have an amazing team of analysts and researchers. I don't think it would be that hard for your team to design an efficient anti-ransomware module that can block any unsigned process trying to encrypt files. That way the probability of false positives will be greatly reduced. You can argue that signed malware and malware that exploits LOLBins could still encrypt the files, but then I can argue that no antivirus can catch 100% of threats, so why use ESET or any other AV? If you implement this one simple rule, ESET will be able to stop more than 50% of ransomwares for which it does not have a signature. But then again, I somehow feel that the ESET team is not open to suggestions or positive/constructive criticism.
  10. The sample managed to encrypt all my document files, i.e. docx, pdf, etc., in my Documents folder. I sent an encrypted file to Marcos.
  11. If only ESET displayed this warning for each and every unsigned file that tries to encrypt files.
  12. I don't know that but ESET should have added a signature for that ransomware. It's pretty old and most AV vendors detect it.
  13. If you don't mind me asking, can you please provide me with a screenshot of ESET Anti Ransomware in action stopping a ransomware for which ESET did not have any signatures?
  14. BINGO!!! That's what I'm trying to point out. Products with dedicated Anti-Ransomware Module should proactively block the ransomwares when they detect that they are trying to encrypt files. ESET is not doing that in spite of having a dedicated Ransomware Module. Creating HIPS rules is another topic. Since ESET already employs anti-ransomware module, why doesn't it kick into action when all the others can like Kaspersky System Watcher? Finally someone got my point.
  15. ESET doesn't need to have the same capability as SONAR. If the anti-ransomware module works proactively, it will be enough. Take this example. I executed the same ransomware while having AppCheck running in the background. It immediately stopped the ransomware based on its behaviour since it was encrypting a large number of files. My question is why can't ESET ransomware module do the same?
  16. Yes LiveGrid is Enabled and I have set it to submit all files (including documents).
  17. With the only difference being SONAR can detect and stop ransomwares that are not detected by signatures whereas ESET cannot. ☹️
  18. Please let me know what the analysts came up with and also if possible why the anti ransomware didn't kick in for this particular sample. Thanks. 😀
  19. Absolutely not. I'm talking about this ransomware scenario which we're discussing. This is an exe file. ESET doesn't have a signature and so it's not detected by the real time scanner. When I executed the file it spawned a process that began encrypting files. My point is that when the process started encrypting the files, why didn't the anti ransomware module kick in and ask me if I want to continue the operation or block it? This is the simple question for which I'm trying to get a reliable response, nothing more.
  20. I agree about the RDP part. That's why the first thing I disable is remote access and SMB 1. But then again I have a simple question. If ESET is so proactive why doesn't the ransomware shield kick in when it detects that files are getting encrypted?
  21. Yeah that's why I don't like these features. I just gave them as examples since you asked about what block at first sight is. Moreover these make the AV heavy to use and I don't want ESET to become heavy like the other AVs. But I really want ESET to have a dedicated PROACTIVE Ransomware Module, not a REACTIVE one since all the complaints I receive regarding ESET only relate to ransomwares, nothing else.
  22. I think he meant like Windows Defender Block at first sight/ Kaspersky Trusted Application Mode/ Avast Hardened Mode where only safe and whitelisted files will be allowed to run. Basically it's like a hybrid default-deny.
  23. With the never-ending growth of malware, it's foolish just to rely on signatures alone for protection. Even if ESET didn't have a signature for it, shouldn't the proactive Anti-Ransomware module kick in when it detects that a large number of files are getting encrypted at once? Once again it's back to the original post in which I stated that ESET Anti-Ransomware is not working as it's supposed to work. An anti-ransomware module should block a process when it detects that the process is encrypting files or at least ask the user with an alert if the process should be allowed to continue.
  24. It spawned an independent process. Here's a screenshot of the LiveGrid.