
fabioquadros_ (Members, Content Count: 7)

Kudos

  1. Upvote
    fabioquadros_ gave kudos to wraith in Ransomware   
    Ok that sounds reasonable. But ESET can surely implement the idea of protected folders. Let it be disabled by default. Advanced users who want that can enable that but at least provide it as an option.
  2. Upvote
    fabioquadros_ gave kudos to itman in Ransomware   
    This is the problem. I would gladly switch to Endpoint. However, I don't want to buy 5 licenses which it appears is Eset's purchase minimum for the product. Eset should have a single license purchase option with a higher cost which would be perfectly acceptable.
    Another suggestion is Eset offer an "advanced" Internet Security version which in effect would be a "re-bagged" Endpoint version.
  3. Upvote
    fabioquadros_ gave kudos to itman in Ransomware   
    Now we are getting "at the meat" of the issue.
    How about an ecmds initiated "aggressive" FP setting? This setting would do globally what you stated; loosen existing anti-FP detection. By keeping the setting out of the Eset GUI, it would prevent Eset "experimental" users from enabling it and subsequently complaining Eset is throwing alerts on some garbage they are trying to install.
    At least, Eset should do something in this area to prevent long time users like myself from moving on to security solutions that have such capability.
  4. Upvote
    fabioquadros_ gave kudos to itman in Ransomware   
    Since the above Eset's requested enhancements to Live Grid fall into the category of "wishful thinking," let's talk about a free solution built into Win 10 that has such capability. That is Windows Defender's Advanced Surface Reduction; i.e. ASR mitigations:
    Since we are on that topic, let's list all the ASR mitigations available:
    https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction
  5. Upvote
    fabioquadros_ gave kudos to itman in Ransomware   
    Some additional comments on how Live Grid should be configured by Eset.
    1. The risky status alert option would be an "Advanced option" setting for the existing Live Grid setting in Eset's GUI. It would be disabled by default. Hence and God forbid, Eset gets "dinged" on an AV lab test because of it.
    2. It is assumed that Eset already has in place criteria for handling of known assumed safe apps such as OS apps in their respective directories, etc. I will state that I have never seen any process set to "Red" status in viewing Live Grid's status screen. As such, I am assuming the "Red" status is reserved for unknown reputation apps performing questionable system modification activities.
    3. The alert would display additional descriptive information such as signing status, publisher, creation date, directory location, etc.
    As I see it, the most that could happen in blocking the process from running would be some app installation or some process .exe you purposely downloaded is blocked/borked. App installers can always be rerun.
    The above would allow one to submit the process to VirusTotal for additional verification or Hybrid-Analysis for a detailed sandbox analysis. Win 10 1903 users could additionally run the process in the Windows sandbox.
    Unfortunately, these Live Grid operational modifications have been suggested by me and others in the past and have "fallen on deaf ears" as far as Eset is concerned. After all, Eset always knows best when it comes to security features.
  6. Upvote
    fabioquadros_ gave kudos to wraith in Ransomware   
    It can run on a standard user but won't be able to encrypt system files. It can encrypt your personal files though. I agree with you. A process that is unsigned and new to LiveGrid, trying to encrypt files, should be blocked immediately by ESET even though it may be a false positive (although the chances would be extremely thin for a FP). I would rather deal with a FP than having my important files encrypted.
  7. Upvote
    fabioquadros_ gave kudos to peteyt in Ransomware   
    Does encryption run on a standard home user computer without them knowing?
    What I mean is I have Windows Pro but don't use any encryption software, so surely if something started encrypting something there would be a cause for alarm. I've thankfully never come across ransomware, but I thought for a general home computer the fact something is being encrypted would look suspicious in itself.
  8. Upvote
    fabioquadros_ gave kudos to wraith in Ransomware   
    In general ESET is usually one of the first to come with signatures. So 3 days seems pretty old to me. Many other vendors already have a signature for it. Btw did the researchers/analysts find anything about this sample?
  9. Upvote
    fabioquadros_ gave kudos to wraith in Ransomware   
    If only ESET displayed this warning for each and every unsigned file that tries to encrypt files.
  10. Upvote
    fabioquadros_ gave kudos to peteyt in Ransomware   
    I'm new to this topic but just wanted to ask something and unsure if it's been asked.
    Firstly - I have no issue with Eset - I know nothing can ever be 100 percent. However in regards to ransomware would there not be a way to detect something is encrypting files which in turn could force an alert from Eset.
    I'm not talking about new unknown viruses, zero day etc but the act of encrypting itself. Basically could Eset not set it by default to alert users if it detects file encrypting and possibly even be set to pause the encryption until a user tells Eset to either allow or remove.
    Surely with that approach it wouldn't matter if it was a new virus unseen that Eset didn't know as it would still see the encrypting part. Or are these viruses able to hide that they are encrypting things until it is too late? I don't have a lot of knowledge on these things so sorry if it is a lot more complex than that.
  11. Upvote
    fabioquadros_ gave kudos to itman in Ransomware   
    One final comment in regards to Live Grid's performance in this incident.
    Refer back in this thread to the posted Live Grid screen shot showing ransom.exe running. Note the red color. What does that mean? Per Eset online v12 help:
    Hum ........ It certainly appears Eset's front-end heuristic scanning did its job.
    So why can't Eset offer an option to be alerted to "risky" processes pre-execution? It most certainly appears to be the correct and logical action to take. For me, I can only conclude the following:
    1. Eset has such little faith in Live Grid's reputational analysis that it doesn't trust it for user alert purposes. In this case, get rid of the feature and just perform any submission activities in the background.
    2. Eset's avoidance of a false positive detection has reached the level that it is jeopardizing overall system security.
  12. Upvote
    fabioquadros_ gave kudos to itman in Ransomware   
    Most of the dedicated anti-ransomware solutions do the same. BTW - Checkpoint has an excellent anti-ransomware solution that costs around $15 USD w/yearly subscription.
    I believe Kaspersky also works the same way. In addition if its System Watcher feature is enabled, it will use a snapshot to restore any files encrypted prior to its ransomware detection mechanism kicking in.
    As far as Eset goes, your best solution is to create HIPS rules to monitor file modification activities against any of your User folders. This really shouldn't be too much of an inconvenience for the average user since those directories are not updated that frequently in normal daily use. For business environments, process exceptions would have to be created, increasing the risk of ransomware succeeding due to malware modification of those processes.
  13. Upvote
    fabioquadros_ gave kudos to wraith in Ransomware   
    With the only difference being SONAR can detect and stop ransomware that is not detected by signatures whereas ESET cannot. ☹️
  14. Upvote
    fabioquadros_ gave kudos to wraith in Ransomware   
    Please let me know what the analysts came up with and also if possible why the anti ransomware didn't kick in for this particular sample. Thanks. 😀
  15. Upvote
    fabioquadros_ gave kudos to wraith in Ransomware   
    Absolutely not. I'm talking about this ransomware scenario which we're discussing. This is an exe file. ESET doesn't have a signature and so it's not detected by the real time scanner. When I executed the file it spawned a process that began encrypting files. My point is that when the process started encrypting the files, why didn't the anti ransomware module kick in and alert me whether I want to continue the operation or block it? This is the simple question for which I'm trying to get a reliable response, nothing more.
  16. Upvote
    fabioquadros_ gave kudos to wraith in Ransomware   
    Yeah that's why I don't like these features. I just gave them as examples since you asked about what block at first sight is. Moreover these make the AV heavy to use and I don't want ESET to become heavy like the other AVs. But I really want ESET to have a dedicated PROACTIVE Ransomware Module, not a REACTIVE one, since all the complaints I receive regarding ESET only relate to ransomware, nothing else.
  17. Upvote
    fabioquadros_ gave kudos to wraith in Ransomware   
    I know all these are there but I've never seen the Behaviour Blocker and Anti-Ransomware shield in action. If there is a new ransomware that is not in the signatures, there is literally no warning from ESET and the ransomware easily manages to encrypt all the files. The advanced machine learning seems to be a welcome addition.😀
  18. Upvote
    fabioquadros_ gave kudos to wraith in Ransomware   
    I have been using ESET IS for the last 5 years and have an active subscription till 2021. It's the lightest AV out there with stellar detection, excellent firewall and web filter along with a really light footprint. However ESET does miss out on certain features that other competitive AVs like BitDefender, Kaspersky, Trend Micro, Norton, McAfee provide. ESET has zero dynamic protection since the HIPS in automatic mode is useless. Imo I think it would be a lot better if ESET can provide a good Behaviour Monitor instead of the HIPS (the BB ESET has now is in hibernation mode, it rarely works). Another very important feature could be the Protected Folders option where the user can decide which folders to protect against ransomware.
  19. Upvote
    fabioquadros_ gave kudos to wraith in Ransomware   
    Imho ESET should add some advanced features like itman suggested. Keep them switched off by default so that only advanced users can enable them. I agree with the LiveGrid implementation part. Allow all safe processes (green), monitor the activities of non-popular (yellow) and alert upon suspicious behaviour, and block for unsafe processes (red). If that sounds too much, implement a protected folders feature like Defender, Trend Micro, BitDefender, Avast so that files in those folders can only be accessed by safe applications and the user will be prompted if they are accessed by unknown applications.