AZ Tech

Members
  • Posts

    98
Kudos

  1. Upvote
    AZ Tech received kudos from fabioquadros_ in What is your experience with aggressive detection ?   
    Ignoring is the denial of the effectiveness of Web access protection, and what I have said does not say that, I consider eset the best option currently available in this particular point.
    What I'm saying is that eset uses a multi-layered Protection approach, and as an eset user, when I highlight weaknesses in one of these layers, I'm not saying that eset is completely ineffective. I'm not saying that at all.
    What I am saying is that one of these layers, specifically the Behavioral Detection, needs to be better, as is the case with certain competitors, so what is the problem with my words !!

    Even I already know that eset has a Deep Behavioral Inspection, but in fact there are competitors who already have an Advanced Behavioral Detection System; though it is not bulletproof, it is very powerful and very effective compared to what eset has, so why is the blame on me?
    I hope that eset will listen to me and take it seriously in terms of rebuilding the Advanced Behavioral Detection System as powerful and effective as the other competitors.
    There will be no evolution unless we face the weaknesses.
    There will be no evolution if we are all hypocrites and deny reality. 
    Competitors who have done great work in this field, If they took the approach of denying weaknesses and said that we already have good behavior detection systems and deny reality, they would not have reached what they have reached.
    In the end, I am just a user looking for the best for the product I use; I won't lose much if one of the vendors is unable to keep pace with the technology of its competitors. If this happens, I can simply move to an option that has technologies that match the requirements. As for vendors, without listening to us as customers, they are the aggrieved party.
    I hope that you will appreciate my efforts in trying to help as much as I can by reporting problems and weaknesses that I find. I have no goal in doing so other than to help improve the product, so I hope eset will take that into account and reconsider what was presented today. Thanks.
  2. Upvote
    AZ Tech received kudos from Mr_Frog in Firefox browser problem when using eset   
    I know very well that when talking about URL blocking, eset is one of the strongest, if not the best, options available, and I have already mentioned this a lot here in the forum.
    I hope you do not think that I am comparing Kaspersky and ESET, both of them have strengths and weaknesses, this topic is not to compare Kaspersky and ESET,
    Both provide a very strong level of protection, if Kaspersky is not as strong as eset in terms of URL blocking it has other layers of protection that compensate for that and the same is true with eset.
    And for the record, I am speaking based on my personal experience with both and I am sure that both are strong and sufficient to provide protection for the user, which of them is better?, There is no answer, each user chooses what is suitable for him.

    Note: In normal use conditions the user will not try to open all the malicious urls that are used in the tests and will not be exposed to all the malicious samples that are used in the tests, but under normal conditions of use what the user wants is fewer problems, less conflict with other programs,
    And also that he finds good technical support and his treatment does not change with time, no matter how many reports you have.
  3. Upvote
    AZ Tech received kudos from New_Style_xd in Firefox browser problem when using eset   
    As for me, as I mentioned before, I have already received my Kaspersky license two days ago and I have not noticed any conflict between it and AdGuard, not only that, I have used Kaspersky and AdGuard together for years without any conflicting issues, of course there are other users here or there that AdGuard WFP network driver may cause them conflict issues, but this does not happen to all Kaspersky users who use AdGuard, as it is currently the case with all eset users who use AdGuard.
    Of course, the current conflict problem that occurs between eset and AdGuard will not have a significant impact on users in the event that this conflict affects only Firefox users and also occurs only when trying to enter one of the sites blacklisted by eset.

    Of course, I did not switch from eset to Kaspersky because of this problem, because as I mentioned it is not a big problem,... What really prompted me to switch from eset to Kaspersky was the sudden change that occurred in all my dealings with eset, which negatively affected my work, and by the way, I love eset very much as a product,
    And my words do not mean a comparison between eset and any other security product.

  4. Upvote
    AZ Tech received kudos from New_Style_xd in Firefox browser problem when using eset   
    I agree with this and I also tried it and there were no problems
  5. Upvote
    AZ Tech gave kudos to itman in Firefox browser problem when using eset   
    It also should be noted that WFP has been abused by APT level based attacks:
    https://www.securityweek.com/diplomatic-entities-targeted-new-moriya-windows-rootkit
    As such, one should fully trust any software using WFP for network traffic monitoring activities.
  6. Upvote
    AZ Tech received kudos from New_Style_xd in Firefox browser problem when using eset   
    I don't think a home user would be upset if KTS is not compatible with one of those programs mentioned in the list, most of them are programs that even if they are compatible with KTS, not many people will want to use them, unlike the number of people who use AdGuard .

    Knowing that eset has also been working fine with AdGuard for a long time,
    I also think that the problem is not complicated, or even if this problem is not resolved, users will not be affected much.
    But could things get worse in the future?
  7. Upvote
    AZ Tech received kudos from New_Style_xd in Firefox browser problem when using eset   
    For me the problem is that even if AdGuard and all its services are closed, the problem does not disappear, even when the AdGuard WFP network driver is also disabled, the problem remains.

    Speaking of other security products and the conflict between AdGuard WFP network driver with them, I have now tried Kaspersky with Firefox and AdGuard and did not encounter the same problem, which makes me wonder if eset can find a solution to this problem? .. Especially since it is a recent problem, I have used eset with Firefox and AdGuard all year past without problems.
  8. Upvote
    AZ Tech received kudos from New_Style_xd in Firefox browser problem when using eset   
    Regarding the AdGuard WFP network driver, it didn't cause any problems for the duration of my use of eset, the only problem I had was a conflict between AdGuard Browsing Security and ESET Web Access protection and disabling AdGuard Browsing Security was enough to solve the problem.
    Knowing that not all of the devices I mentioned above use AdGuard and this makes me rule out that the problem is due to the AdGuard WFP network driver.
  9. Upvote
    AZ Tech received kudos from New_Style_xd in Firefox browser problem when using eset   
    Sorry for the delay, I just sent it to you .
     
    I verified the problem on 25 devices before I sent you a personal message (Windows 7 - 8.1 - 10) (EIS - ESSP) and the problem was confirmed on all of those devices, unfortunately, I can't collect logs from those devices or even continue joint cooperation with Owners of those devices or with eset .

    I told these customers that in case they have a complaint or a problem, they should follow the only official method that you told me, which is to open a support ticket. From now on, I am not an eset customer and I cannot provide assistance.
    I am cooperating with you now in appreciation of the period in which the cooperation was good between us, but after submitting the logs that I collected today, unfortunately, I do not have anything I can do to help.
    I am proud to have used eset products over the past year, I am also proud of the help I have provided to improve your products even if my help is not a big thing, 
    and finally I am proud that many people have bought and used eset products based on my advice.

    Thank you very much, it was a great experience.

  10. Upvote
    AZ Tech received kudos from New_Style_xd in Firefox browser problem when using eset   
    Unfortunately, I am not one of the users who have a problem every long time, or they may not face problems at all due to the nature of their work or use, as for me, I can send dozens of reports daily, also the nature of my work is different from any traditional home user.
    And of course opening a support ticket for each problem is not effective at all, even sending reports related to suspicious and malicious samples/urls etc. Via samples[at]eset.com, it didn't work due to the very slow response, and this basically prompted me to deal directly with Marcos .

    @Nightowl I appreciate your opinion and your words a lot but I am looking for the most effective way either for my own benefit or for the benefit of everyone here, of course I know that eset will not be affected by my stopping using their products or even stopping helping with my reports, but I tried to do my best to help, and I find my efforts unwelcome anymore, why should I stay and go on with it ?

    eset is not the only option for protection, without which I will not be able to protect my device !, as for the protection of my personal device, today I received my Kaspersky license. As for eset, I actually wished to continue with them, but it will not work that way, unfortunately.
    As for @Marcos, I hope that you will accept my apology, believe me, I did not mean any inconvenience through direct communication with you, I was just looking for the fastest and most effective way, I apologize .

  11. Upvote
    AZ Tech received kudos from SlashRose in Firefox browser problem when using eset   
    Unfortunately, I am not one of the users who have a problem every long time, or they may not face problems at all due to the nature of their work or use, as for me, I can send dozens of reports daily, also the nature of my work is different from any traditional home user.
    And of course opening a support ticket for each problem is not effective at all, even sending reports related to suspicious and malicious samples/urls etc. Via samples[at]eset.com, it didn't work due to the very slow response, and this basically prompted me to deal directly with Marcos .

    @Nightowl I appreciate your opinion and your words a lot but I am looking for the most effective way either for my own benefit or for the benefit of everyone here, of course I know that eset will not be affected by my stopping using their products or even stopping helping with my reports, but I tried to do my best to help, and I find my efforts unwelcome anymore, why should I stay and go on with it ?

    eset is not the only option for protection, without which I will not be able to protect my device !, as for the protection of my personal device, today I received my Kaspersky license. As for eset, I actually wished to continue with them, but it will not work that way, unfortunately.
    As for @Marcos, I hope that you will accept my apology, believe me, I did not mean any inconvenience through direct communication with you, I was just looking for the fastest and most effective way, I apologize .

  12. Upvote
    AZ Tech received kudos from New_Style_xd in Firefox browser problem when using eset   
    Try to open this site from Google search results, please  "left click on search result"

  13. Upvote
    AZ Tech received kudos from New_Style_xd in Firefox browser problem when using eset   
    For me, when I click on the site in the search results, this does not happen ! The browser does not respond to mouse clicks at all ! And of course, I tried it on more than one device, including a clean install on a virtual machine !
    This is what happens here too :
    Therefore, I do not think that it is a problem specific to my device only, even if not all users face, but it is a problem faced by more than one user .
  14. Upvote
    AZ Tech received kudos from New_Style_xd in Firefox browser problem when using eset   
    I agree, that's exactly what I'm talking about.

    How funny it is to be asked to open a support ticket when I report a general issue, so clear to me that Marcos is intentionally ignoring me and not helping !
    I have no problem with that in case I am not a welcome person by eset, there are other vendors !! ...this is not the end of the world .
  15. Upvote
    AZ Tech received kudos from New_Style_xd in Firefox browser problem when using eset   
    Again I know that if you go directly to one of the links that are blacklisted by eset everything will work fine and the site will be blocked with the warning, I know this very well.
    The problem is that if you try to enter one of those sites from Google search results only then the problem I am talking about will occur.
    Knowing that I've tried it on more than one device and I'm sure it's a general problem, however Marcos deliberately ignores me, I think my problem with @Marcos actually started since I reported ChromeSetup.exe
    In any case, due to the ill-treatment and deliberate lack of assistance and my feeling that I am an unwelcome person by eset, and due to the lack of appreciation for my efforts and the hundreds of malicious links and samples that I have reported in the past months, for me this is completely unacceptable, and accordingly after a few days my license will expire, and I am going to move to Kaspersky because they have never treated me this badly in 5 years of using their products.
    With all thanks and appreciation.
  16. Upvote
    AZ Tech gave kudos to BALTAGY in Firefox browser problem when using eset   
    Same here, when you search for "ocean of games" for example then left click on search results on Firefox, nothing happens, and no message from ESET

    On Chrome it opens the site in a new tab with an ESET alert
  17. Upvote
    AZ Tech received kudos from Dimitris G in What is your experience with aggressive detection ?   
    Unfortunately, if detection of Potentially unwanted applications is disabled, the user will end up with all their files encrypted, as happened here in the attached screenshots.

    So I demand eset to develop an advanced behavior detection system, and I hope they look into it seriously, to give the user a product that does not consume a lot of device resources is really good, but if you can't keep up with the technology of your competitors, sooner or later you will fall.
    Therefore, eset's acquisition of an Advanced Behavioral Detection System with Ransomware Remediation that rolls back the changes made by malicious applications is no longer a luxury requirement, but rather an urgent necessity.



  18. Upvote
    AZ Tech gave kudos to itman in LiveGuard Concerns   
    Rather than edit my prior posting, I will make another one. This illustrates another possible scenario in regards to ChromeSetup.exe. This scenario also "wraps up" malware concepts I have previously posted in this thread. We'll assume that all Eset detection mechanisms were deployed and this .exe is sandbox aware.
    At Eset "first sight" of ChromeSetup.exe, Eset local heuristics did detect the injection activity to WMIADEP.exe. This detection in turn resulted in a block and upload by LiveGuard to the cloud sandbox. The .exe detected that it was being scanned in the sandbox and set a "switch" in memory to this effect. Upon connection to the remote C&C servers, they first queried if the sandbox switch was set. If set, the download was done minus the malware payload.
    Eset LiveGrid scanning of the .exe completed and the following "suspicious" indicators were evaluated:
    1. Process injection - very suspicious.
    2. Download of a non-native Windows download utility not frequently used - suspicious.
    3. Execution of the above downloaded utility to download additional software - highly suspicious.
    Since LiveGuard won't return a suspicious verdict, it rendered a "safe" one. Eset local based processing received the safe verdict, whitelisted the process -OMG!, and unblocked the .exe.
    Thereafter whenever an Eset installation encountered ChromeSetup.exe, it ran unimpeded. This only stopped when Eset in an unrelated detection incident, flagged the C&C servers used by .exe and blacklisted them.
    Given the above two scenarios, I would prefer to believe that ChromeSetup.exe was not detected by Eset local heuristic scanning ........................
  19. Upvote
    AZ Tech received kudos from New_Style_xd in LiveGuard Concerns   
    No, what I mean is that your question was :
    I will quote from your words these two questions:
    "lets say 2 months ago, would it have been submitted to LiveGuard?
    If submitted to LiveGuard would it have found this instance malicious?"

    my question is :
    Did Marcos provide an answer to these two questions that I could not understand ?
    Marcos' response was :
     
     
  20. Upvote
    AZ Tech received kudos from New_Style_xd in LiveGuard Concerns   
    Excuse me, can someone explain this answer to me !!
    I don't know if this is because English is not my native language or if @Marcos's answer did not provide a sufficient answer to @itman's question!
     
    I agree with this knowing that so far this has not been confirmed by eset.
    Unfortunately, all the answers that Marcos provides to these direct questions are inconclusive, as he has so far neither denied nor confirmed anything !!
    and please if the answers he gave represent a definitive answer that is understandable for one of you, please explain to me the answer .
  21. Upvote
    AZ Tech received kudos from SlashRose in LiveGuard Concerns   
    I think you are the one who should have an explanation for that !!

    Normally I use IDM mainly for downloads but the ps1 files are downloaded by the browser which was here Chrome, knowing that the zip file mentioned in the same example was downloaded by IDM. 

    for me I think I did my part to give you feedback about a LiveGuard issue , you are free to investigate, or just say, "I have no clue", You could at least repeat what I did here then you'll have a clue !!
    I've done enough so far. I gave a working example of two files, one downloaded from the Internet as a ps1 file and the other as a password-protected zip file, and explained what happened with both.

    We wouldn't have had this discussion until now if it was so important to eset, an investigation would have started by the developers a few days ago.

    It is a pity that eset offers the LiveGuard feature at such a cost and that they do not have enough time to try and verify the problem, you do not care about the matter in the first place, see you reply to me days after I posted the problem and just say “I have no clue”.
  22. Upvote
    AZ Tech received kudos from SlashRose in LiveGuard Concerns   
    I confirm it, as shown in the attached screenshot.
     
    But at the same time I strongly object to this; in my view you shouldn't say triviality of the batch is the reason or justification. I come to eset from the background of using Kaspersky for more than 5 years and I have never met a single case where detection was not generated, no matter what kind of threat. It is worth mentioning, "as shown in the second screenshot", that Kaspersky from day one created automatic detection for this file, for which Marcos justified that eset did not create automatic detection because of the triviality of the batch!!
    I apologize, but I am not convinced by such justifications. A threat is a threat, no matter how simple or trivial the threat is !.
    This is just a quick reply, without deviating from the main topic.


  23. Upvote
    AZ Tech received kudos from New_Style_xd in LiveGuard Concerns   
    I have a theory and a working example of why ChromeSetup.exe is not sent to LiveGuard and may also apply to your test.exe, Here is what I did :

    1- I created a simple powershell script inside a virtual machine completely isolated from eset.

    2- I first uploaded the file as ".ps1" to a file sharing service, then I deleted several lines from the script to get a new hash, then I uploaded the new file to the file sharing service as password protected zip file .
    3- When I downloaded the first file, which was in ".ps1" format, it was not sent to LiveGuard .
    4- When I downloaded the second file, which was in “.zip” format, it was sent to LiveGuard as soon as it was extracted from the zip file “as shown in the screenshot”.

    Based on what has been explained, I conclude the following :
    When downloading exe - ps1, etc. files, It is scanned by eset during the download process and possibly marked as safe as happened with ChromeSetup.exe which was not detected during the download process, so this file from LiveGuard's point of view is already scanned and marked as safe .

    and as @itman said :
     
    Even if the "Eset borked non-detection" happened on your device !! "during the download"

    as for files that are downloaded inside a password-protected zip file, they are not scanned during download, and therefore when extracted, they are sent directly to LiveGuard .

    @Marcos I hope to investigate the matter and present it to the developers, because if what I suppose is correct, this is a problem that can be abused very badly.

  24. Upvote
    AZ Tech received kudos from New_Style_xd in LiveGuard Concerns   
    At first glance, it seems logical, but when I think a little, I find that the vast majority of old files are not treated with the same logic, It's a little confusing to me.
  25. Upvote
    AZ Tech received kudos from itman in LiveGuard Concerns   
    Well, in this case I have a question :
    Why is a file automatically sent to LiveGuard when it is already known by eset two years ago "as shown in the attached screenshots" and of course has already been scanned locally "somewhere", and at the same time a completely new file is not sent?

    Even if we say that this file has already been scanned locally "somewhere" and if we assume that it happened, it happened a very few hours or minutes ago, so which of them do you think has priority to send to LiveGuard ?

