NewbyUser

Members
  • Content Count: 91
  • Joined
  • Last visited
  • Days Won: 1

Kudos

  1. Upvote
    NewbyUser received kudos from CEO888 in Future changes to ESET Internet Security and ESET Smart Security Premium   
    Thanks, I thought of suggesting customization lol. But it would be somewhat complicated and obviously not something worth the overall effort and not worth making it a priority. And yes, it probably is designed that way for ease of use. I've read a number of reviews complaining about the "myriad of settings" available. Seems most people just want a "protect me" button lol. 
  2. Upvote
    NewbyUser gave kudos to itman in "pyrate", Behavior Blocker Bypass POC   
    Nothing.
    To begin, most Python ransomware attacks are targeted ones. So unless you're a corp., your chances of being targeted are about zip. Bundled Python runtime component attacks are very "noisy" and usually leave a lot of residual artifacts on the device. As such, they aren't suitable for RaaS concerns that are selling their ransomware to the hacker masses.
    I don't have Python installed and have no intention of doing so. I am not a gamer that might be using software containing bundled Python runtime components. Neither am I part of the scientific or research community that might be sharing Python software so bundled. What I am doing will unconditionally block any Python script from running, legit or malicious.
  3. Upvote
    NewbyUser gave kudos to itman in "pyrate", Behavior Blocker Bypass POC   
    It's been a slow forum posting weekend and it appears this thread has run its course. We have all had the opportunity to "rant and rave" about Eset Home version protection features we all wished we had and in reality, probably never will have. So it is time to expose this Python POC for what it is - fake ransomware. Err ..... what, you say? The POC encrypted files. Well so does a lot of legit encryption and other apps including user created ones. So let's get into this.
    A few years back, the NextGen security software vendors were trying "to get traction" against the established AV vendors with their supposed superior behavior detection methods. Corresponding to this was the appearance of a proliferation of ransomware "simulators" with which one was encouraged to test their existing AV solution. The most infamous of these was RanSim produced by KnowBe4: https://www.knowbe4.com/ransomware-simulator . I wrote a thread about the methodology used by this product and similar ones here: https://forum.eset.com/topic/10792-ransomware-simulators-a-detailed-analysis/ . Eset subsequently commented upon RanSim tactics in their own published article on Eset ransomware protection:
    https://cdn1.esetstatic.com/ESET/INT/Docs/Others/eset-vs-crypto-ransomware.PDF
    So let's get into some details on the POC. First, note this from the POC's author posting about it at malwaretips.com:
    Next is why no vendor on Virus Total detected the POC initially and I believe presently. That one is pretty straightforward. The ransomware portion of the POC never ran. The POC pauses program execution waiting for user input to continue. VT's automated sandbox analysis timed out waiting for input it does not respond to.
    In summary, I am not 100% ruling out that techniques used in the POC could bypass existing Eset ransomware detection methods. However, a POC must be developed deploying real-world ransomware deployment and execution methods, with the most important being that the program runs uninterrupted and encryption activities are performed against all existing files in C:\Users\xxxx\Documents\*, etc. directories.
  4. Upvote
    NewbyUser received kudos from peteyt in blocking government level spyware   
    A philosophical issue way beyond the scope of this forum here, but governments are made up of people, and are neither good nor evil. It is the nature of the people that brings the problem. Typically greed or fear are the greatest driving forces of what a government or its society becomes when they turn negative.
  5. Upvote
    NewbyUser gave kudos to SeriousHoax in "pyrate", Behavior Blocker Bypass POC   
    All the ASR are available for Windows Defender too.
  6. Upvote
    NewbyUser gave kudos to itman in HIPS Alert for Host process   
    At this point, you will have to track down what service is causing this and find out if it's legit.
  7. Upvote
    NewbyUser gave kudos to Posolsvetla in Certificate Issues for Firefox 74.0 64bit   
    The issue is fixed in the Internet protection module version 1396; currently it is available on pre-release update servers.