wraith
Posts posted by wraith

  1. Anyways it seems pointless to discuss this since the mods will not implement it because according to them it's basically useless. I can also say that ESET can implement a smart firewall like Norton's, where the firewall blocks known malicious applications from making outbound connections, allows safe apps to connect and asks about unknown apps when they try to connect to the internet. But again the same answer will come up that this will lead to false positives and inconvenience for some users. Again I can say that this smart feature can be disabled by default and enabled by advanced users, but again I will be told that ESET interactive mode will do the job. Basically this goes on in a loop and so I quit giving suggestions to improve ESET.

  2. 9 minutes ago, itman said:

    The developers do not actively participate in the forum. Rather, they receive input from the Eset forum moderators and that input is selective at best and done to rectify existing "bugs" and operational issues in existing features.

    Even if the developers were active participants, they do not initiate product revisions on their own. That is done like in most organizations under management direction and approval.

    So what gets management's immediate attention? A sudden and prolonged drop in sales revenue most certainly would. As of late, Eset sales revenue is surging. Until that changes, don't expect any radical changes in existing Eset product offerings.

    I just simply can't buy their explanations of false positives. Kaspersky has trusted application mode, Avast and AVG have hardened mode. But these are not enabled by default since they may cause false positives and hence are enabled only by advanced users. So what's the problem with ESET in implementing it like that? Only advanced users will enable those features since by default they will be disabled. Marcos states that ESET employs proactive mechanisms, but I'm sorry to say that in that case it's one of the worst implementations ever made. ESET is terrible in proactive protection. Kaspersky, Norton, BitDefender are vastly superior. Even free AVs like AVG and Avast have superior dynamic protection. If static detection fails, most of the time the PC is compromised. You don't need to take my word for it. Google it, look at YouTube test results: static detection is excellent but dynamic detection is one of the worst. Still the mods never pay any heed to the users who suggest making the dynamic protection strong.

  3. I think this thread should be disabled. ESET mods will NEVER listen to any user feedback; rather they'll counter your every argument with a baseless one. Simply they think that they have made a 100% bulletproof product and any change to it will always result in false positives. I'm done and fed up posting in this forum. The moderators do not listen to any user feedback. It's sad but true; in this way the future looks bleak for ESET. Many old users will switch to other competitive products simply because they listen to the users and implement the rational features. But here all you get is defensive posts about ESET. The developers are NEVER open to constructive or positive criticism.

  4. 2 hours ago, Marcos said:

    Windows update files may also be suspicious from the beginning (yellow), so blocking them just because of this could crash Windows updates or the whole OS for instance (not every binary is signed by MS). Or imagine explorer.exe being continuously terminated if there were no antiFP mechanisms. We need to be careful about FPs; a single serious FP could cause bigger damage than actual undetected malware.

    Ok that sounds reasonable. But ESET can surely implement the idea of protected folders. Let it be disabled by default. Advanced users who want that can enable that but at least provide it as an option.

  5. On 9/3/2019 at 7:40 PM, Marcos said:

    @wraith, please collect logs with ESET Log Collector from the machine where you tested the sample and provide me with the generated archive. It looks like we didn't get it via the LiveGrid feedback system and couldn't react to it earlier.

    I'll send you the logs once I reach home from work, although I highly doubt it would be useful since I always run any unknown file in shadow defender shadow mode before executing in the real mode.

  6. Imho ESET should add some advanced features like itman suggested. Keep them switched off by default so that only advanced users can enable them. I agree with the LiveGrid implementation part. Allow all safe processes (green), monitor the activities of non-popular (yellow) ones and alert upon suspicious behaviour, and block unsafe processes (red). If that sounds too much, implement a protected folders feature like Defender, Trend Micro, BitDefender, Avast, so that files in those folders can only be accessed by safe applications and the user will be prompted if they are accessed by unknown applications.

  7. 9 minutes ago, peteyt said:

    Does encryption run on a standard home user computer without them knowing?

    What I mean is I have Windows Pro but don't use any encryption software, so surely if something started encrypting something there would be a cause for alarm. I've thankfully never come across ransomware, but I thought for a general home computer the fact something is being encrypted would look suspicious in itself.

    It can run on a standard user but won't be able to encrypt system files. It can encrypt your personal files though. I agree with you. A process that is unsigned and new to LiveGrid, trying to encrypt files, should be blocked immediately by ESET even though it may be a false positive (although the chances would be extremely thin for a FP). I would rather deal with a FP than have my important files encrypted.

  8. 21 minutes ago, Marcos said:

    Re. the age of the sample, it seems to be 3 days old:

    VirusTotal:

    Creation Time: 2019-08-31 07:13:29

    First Submission: 2019-08-31 07:18:44

    Info from LG: Age: 3 days Cnt: 1 Rep: Bad (9)

    In general ESET is usually one of the first to come with signatures. So 3 days seems pretty old to me. Many other vendors already have a signature for it. Btw did the researchers/analysts find anything about this sample?

  9. 18 minutes ago, Marcos said:

    @peteyt, encryption of files is not a bad thing per se. There are many legitimate tools that are used to encrypt files, such as PGP and thus cannot be detected. On the other hand, they can be misused either directly by ransomware or an attacker can use them to encrypt files after connecting to a system via RDP. Moreover, even common archive packers support encryption by setting a password which was also misused by ransomware to generate password protected self-extracting archives.

    I have been using ESET since version 2.5 (NOD32). You have an amazing team of analysts and researchers. I don't think it would be that hard for your team to design an efficient anti-ransomware module that can block any unsigned process trying to encrypt files. That way the probability of false positives will be greatly reduced. You can argue that signed malware and malware that exploits lolbins could still encrypt the files, but then I can argue that no antivirus can catch 100% of threats, so why use ESET or any other AV? If you implement this one simple rule, ESET will be able to stop more than 50% of the ransomware for which it does not have a signature. But then again, I somehow feel that the ESET team is not open to suggestions or positive/constructive criticism.

  10. 10 hours ago, itman said:

    For those who want to "get into the nitty gritty" of this bugger, Dr. Web has a full behavior analysis here: https://www.virustotal.com/gui/file/32db24cc3456965ba75319617ef2094c9549874533b5fc6c13769a994dc57877/behavior/Dr.Web vxCube . I can see one reason this "flew under the Eset ransomware behavior detection radar." It's a "system hostage" ransomware. Appears to encrypt everything related to existing installed apps. I didn't see one reference to user personal directories being encrypted. Very strange ransomware. Also don't understand what it is trying to accomplish since system repair (Win 10 only) plus app re-installation would bring everything back to normal.

    -EDIT- It is possible one of the system files it encrypted will block access to user personal directory files giving the impression that all your files have been encrypted.

    The sample managed to encrypt all my document files, i.e. docx, pdf, etc., in my Documents folder. I sent an encrypted file to Marcos.

  11. 12 hours ago, Marcos said:

    It's unlikely that such a file would be undetected by ESET if downloaded or received via email.

    I don't know that but ESET should have added a signature for that ransomware. It's pretty old and most AV vendors detect it.

  12. 7 minutes ago, Marcos said:

    Well, I'm not sure if the 3rd party blockers are installed on millions of machines both in home user and business environments without adverse effect on various applications that are used there. We have to take false positives seriously as they could cause issues especially in business environments, and not detect every process that manipulates files. Also we have to take into account the impact on performance, so creating snapshots of files (especially of bigger files) would really be a problem. While it was thought of as a possible solution, it was denied because of the performance impact and the need for a lot of free disk space if I remember correctly.

    Also I tend to believe that if we took any of the 3rd party ransomware blocker, it would not withstand attacks by various ransomware. If I remember correctly, we've analyzed several solutions and always found they failed at some point.

    Last but not least, I'd like to remind that any further comments without investigation of the sample in question are futile.

    If you don't mind me asking, can you please provide me with a screenshot of ESET Anti Ransomware in action stopping a ransomware for which ESET did not have any signatures?

  13. 17 minutes ago, itman said:

    Most of the dedicated anti-ransomware solutions do the same. BTW - Checkpoint has an excellent anti-ransomware solution that costs around $15 USD w/yearly subscription.

    I believe Kaspersky also works the same way. In addition if its System Watcher feature is enabled, it will use a snapshot to restore any files encrypted prior to its ransomware detection mechanism kicking in.

    As far as Eset goes, your best solution is to create HIPS rules to monitor file modification activities against any of your User folders. This really shouldn't be too much of an inconvenience for the average user since those directories are not updated that frequently in normal daily use. For business environments, process exceptions would have to be created, increasing the risk of ransomware succeeding due to malware modification of those processes.

    BINGO!!! That's what I'm trying to point out. Products with a dedicated anti-ransomware module should proactively block ransomware when they detect that it is trying to encrypt files. ESET is not doing that in spite of having a dedicated ransomware module. Creating HIPS rules is another topic. Since ESET already employs an anti-ransomware module, why doesn't it kick into action when all the others can, like Kaspersky System Watcher? Finally someone got my point.

  14. 8 hours ago, Marcos said:

    The fact that a file is new and only very few users have encountered it doesn't make it malicious. The example above appears to have been detected by a signature as Linux/Mirai.

    ESET doesn't need to have the same capability as SONAR. If the anti-ransomware module works proactively, it will be enough. Take this example. I executed the same ransomware while having AppCheck running in the background. It immediately stopped the ransomware based on its behaviour since it was encrypting a large number of files. My question is why can't the ESET ransomware module do the same?

  15. 6 hours ago, itman said:

    LiveGrid only submits suspicious processes to Eset servers for analysis. It won't alert or stop the process from executing.

    It does raise the question that given the testing the OP was doing with this sample previously, it had to have been submitted some time ago to Eset servers for analysis. @wraith you do have LiveGrid enabled and also the option to submit suspicious files to Eset for analysis?

    Yes LiveGrid is Enabled and I have set it to submit all files (including documents).

  16. 5 minutes ago, Marcos said:

    I've checked a description of the said technology but didn't find anything that ESET wouldn't already employ (https://www.eset.com/int/about/technology/) :

    SONAR is a real-time protection that detects potentially malicious applications when they run on your computers. SONAR provides "zero-day" protection because it detects threats before traditional virus and spyware detection definitions have been created to address the threats.

    SONAR uses heuristics as well as reputation data to detect emerging and unknown threats. SONAR provides an additional level of protection on your client computers and complements your existing Virus and Spyware Protection, intrusion prevention, Memory Exploit Mitigation, and firewall protection.

    SONAR uses a heuristics system that leverages online intelligence network with proactive local monitoring on your client computers to detect emerging threats. SONAR also detects changes or behavior on your client computers that you should monitor.

    With the only difference being that SONAR can detect and stop ransomware that is not detected by signatures whereas ESET cannot. ☹️

  17. 6 minutes ago, Marcos said:

    Do you mean why Ransomware shield doesn't detect the operation when the protection is paused by an attacker after connecting via RDP?

    Absolutely not. I'm talking about this ransomware scenario which we're discussing. This is an exe file. ESET doesn't have a signature and so it's not detected by the real-time scanner. When I executed the file it spawned a process that began encrypting files. My point is that when the process started encrypting the files, why didn't the anti-ransomware module kick in and ask me whether I want to continue the operation or block it? This is the simple question for which I'm trying to get a reliable response, nothing more.

  18. 5 minutes ago, Marcos said:

    All technologies employed by ESET are proactive. There are some that work upon execution (EB, Ransomware shield, Deep Behavior Inspection) that monitor the behavior of running processes and may not stop a process immediately after it's started.

    As for the complaints you receive about ransomware, feel free to contact me privately. 99,99% of ransomware cases that we deal with are caused by unsecured RDP when an attacker manages to log in with administrator rights, pause AV protection and then run ransomware undetected. It often turns out that the detection for the ransomware used in attacks was added years ago.

    I agree about the RDP part. That's why the first thing I disable is remote access and SMB 1. But then again I have a simple question. If ESET is so proactive, why doesn't the ransomware shield kick in when it detects that files are getting encrypted?

  19. Just now, Marcos said:

    There are dozens of thousands of applications and new binaries being created on a daily basis which are untrusted and not whitelisted. It would cause a lot of issues, believe me. Maybe not for you but for dozens of thousands of other users.

    Yeah that's why I don't like these features. I just gave them as examples since you asked what block at first sight is. Moreover these make the AV heavy to use and I don't want ESET to become heavy like the other AVs. But I really want ESET to have a dedicated PROACTIVE ransomware module, not a REACTIVE one, since all the complaints I receive regarding ESET relate only to ransomware, nothing else.

  20. 2 minutes ago, Marcos said:

    Not sure what you mean by "block-at-first-sight" capability.

    I think he meant like Windows Defender Block at first sight/ Kaspersky Trusted Application Mode/ Avast Hardened Mode where only safe and whitelisted files will be allowed to run. Basically it's like a hybrid default-deny.

  21. 3 minutes ago, itman said:

    One nasty ransomware. It's disguised to appear to be a .pdf file using the xxxxx.pdf.exe naming convention.

    Appears to be one of these dreaded compile on the fly .Net .dll malware buggers and then inject that .dll into legit process. Hook a thread to the .dll and we're off and running encryption wise.

    I would say the major complaint Eset-wise is why it didn't have a sig. for this when 37 other VT vendors did.

    Notice how it targeted WD and Malwarebytes via legit .Net process use?

    Will say that this sample is a perfect example of why Eset needs "block-at-first-sight" capability; not just for Enterprise subscribers of EED.

    With the never-ending growth of malware, it's foolish to rely on signatures alone for protection. Even if ESET didn't have a signature for it, shouldn't the proactive anti-ransomware module kick in when it detects that a large number of files are getting encrypted at once? Once again it's back to the original post in which I stated that ESET Anti-Ransomware is not working as it's supposed to work. An anti-ransomware module should block a process when it detects that the process is encrypting files, or at least ask the user with an alert whether the process should be allowed to continue.
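As an added illustration of the behavioural rule argued for across this thread (block an unsigned, reputation-unknown process that mass-encrypts files in user folders, alert on a signed-but-new one, and leave a known tool such as an archiver or PGP alone, which also covers itman's suggestion of watching the user directories), here is a small detection heuristic run over a constructed stream of file-write events. This is example code written for this page, not ESET's, AppCheck's or any other vendor's implementation; the entropy and burst thresholds, the event fields and the three sample processes are all assumptions.

```python
import math
from collections import defaultdict, deque

# Constructed thresholds (assumptions for this example, not any vendor's values)
ENTROPY_THRESHOLD = 7.0  # bits per byte; ciphertext and compressed data sit near 8.0
BURST_COUNT = 10         # high-entropy user-file writes in the window before reacting
WINDOW_SECONDS = 5.0
USER_DIR_PREFIX = "C:\\Users\\"  # personal folders only; system files are ignored
ORDER = ("allow", "alert", "block")  # verdicts from least to most severe


def shannon_entropy(data: bytes) -> float:
    # Bits of entropy per byte; plaintext documents score far below ciphertext.
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class EncryptionBurstDetector:
    def __init__(self):
        self.recent = defaultdict(deque)  # pid -> timestamps of suspicious writes

    def observe(self, ev: dict) -> str:
        # ev keys (assumed): pid, ts, path, data, signed, reputation ('good'|'unknown'|'bad')
        if not ev["path"].startswith(USER_DIR_PREFIX):
            return "allow"  # system paths are out of scope (avoids the Windows Update FP)
        if shannon_entropy(ev["data"]) < ENTROPY_THRESHOLD:
            return "allow"  # ordinary document edit, not ciphertext
        q = self.recent[ev["pid"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > WINDOW_SECONDS:
            q.popleft()  # slide the window forward
        if len(q) < BURST_COUNT:
            return "allow"  # under the burst threshold, keep watching
        if ev["reputation"] == "good":
            return "allow"  # known tool (archiver, PGP) encrypting on purpose
        if ev["signed"] and ev["reputation"] == "unknown":
            return "alert"  # signed but new: ask the user instead of killing it
        return "block"  # unsigned or bad-reputation process mass-encrypting user files


def run_simulation(events):
    # Most severe verdict reached per pid over an event stream.
    det, verdict = EncryptionBurstDetector(), {}
    for ev in events:
        v = det.observe(ev)
        if ORDER.index(v) >= ORDER.index(verdict.get(ev["pid"], "allow")):
            verdict[ev["pid"]] = v
    return verdict


def constructed_events():
    # Constructed sample stream: three processes each touching 12 files within 2.2 s.
    cipher = bytes(range(256)) * 16  # stands in for ciphertext (entropy exactly 8.0)
    text = b"Quarterly report draft. " * 200  # plaintext document content
    cases = [(4242, ".docx", cipher, False, "unknown"),  # unsigned, new to reputation
             (1001, ".7z", cipher, True, "good"),        # signed archiver, good reputation
             (77, ".txt", text, True, "unknown")]        # word processor saving plaintext
    return [dict(pid=pid, ts=0.2 * i, path=f"C:\\Users\\wraith\\Documents\\f{i}{ext}",
                 data=data, signed=signed, reputation=rep)
            for pid, ext, data, signed, rep in cases for i in range(12)]
```

`run_simulation(constructed_events())` blocks pid 4242 on its tenth high-entropy write and leaves the archiver and the word processor untouched.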
