wraith gave kudos to itman in Ransomware
Most of the dedicated anti-ransomware solutions do the same. BTW - Checkpoint has an excellent anti-ransomware solution that costs around $15 USD w/yearly subscription.
I believe Kaspersky also works the same way. In addition if its System Watcher feature is enabled, it will use a snapshot to restore any files encrypted prior to its ransomware detection mechanism kicking in.
As far as Eset goes, your best solution is to create HIPS rules to monitor file modification activities against any of your User folders. This really shouldn't be too much of an inconvenience for the average user since those directories are not updated that frequently in normal daily use. For business environments, process exceptions would have to be created, increasing the risk of ransomware succeeding due to malware modification of those processes.
-
wraith received kudos from fabioquadros_ in Ransomware
With the only difference being SONAR can detect and stop ransomware that is not detected by signatures whereas ESET cannot. ☹️
-
wraith received kudos from fabioquadros_ in Ransomware
Please let me know what the analysts came up with and also, if possible, why the anti-ransomware didn't kick in for this particular sample. Thanks. 😀
-
wraith received kudos from fabioquadros_ in Ransomware
Absolutely not. I'm talking about this ransomware scenario which we're discussing. This is an exe file. ESET doesn't have a signature and so it's not detected by the real-time scanner. When I executed the file it spawned a process that began encrypting files. My point is that when the process started encrypting the files, why didn't the anti-ransomware module kick in and alert me, asking if I want to continue the operation or block it? This is the simple question for which I'm trying to get a reliable response, nothing more.
-
wraith received kudos from fabioquadros_ in Ransomware
Yeah, that's why I don't like these features. I just gave them as examples since you asked about what block-at-first-sight is. Moreover, these make the AV heavy to use and I don't want ESET to become heavy like the other AVs. But I really want ESET to have a dedicated PROACTIVE Ransomware Module, not a REACTIVE one, since all the complaints I receive regarding ESET relate only to ransomware, nothing else.
-
wraith gave kudos to Marcos in Ransomware
There are dozens of thousands of applications and new binaries being created on a daily basis which are untrusted and not whitelisted. It would cause a lot of issues, believe me. Maybe not for you but for thousands of other users. That's not the way we want to go and create issues for many of our users.
-
wraith gave kudos to Marcos in Ransomware
As I wrote already, the sample was passed to researchers. We'll see what findings they will come up with.
It's possible that it somehow fooled the ransomware shield. Without analysis, it's impossible to comment on it any further at this moment.
Just as there is no such thing as 100% malware detection and protection, one can't expect the ransomware shield to detect 100% of ransomware.
-
wraith gave kudos to itman in Ransomware
One nasty ransomware. It's disguised to appear to be a .pdf file using the xxxxx.pdf.exe naming convention.
Appears to be one of these dreaded compile-on-the-fly .Net .dll malware buggers that then injects that .dll into a legit process. Hook a thread to the .dll and we're off and running, encryption-wise.
I would say the major complaint Eset-wise is why it didn't have a sig. for this when 37 other VT vendors did.
Notice how it targeted WD and Malwarebytes via legit .Net process use?
Will say that this sample is a perfect example of why Eset needs "block-at-first-sight" capability; not just for Enterprise subscribers of EED.
-
wraith gave kudos to Marcos in Ransomware
I don't think that AMSI would play a role in this case since the malware is an executable and not a script.
We'll see what findings researchers will come up with.
-
wraith received kudos from fabioquadros_ in Ransomware
I know all these are there, but I've never seen the Behaviour Blocker and Anti-Ransomware shield in action. If there is a new ransomware that is not in the signatures, there is literally no warning from ESET and the ransomware easily manages to encrypt all the files. The advanced machine learning seems to be a welcome addition. 😀