yongsua

Members
  • Content Count: 122
  • Joined
  • Last visited
  • Days Won: 2

yongsua last won the day on March 13 2015

yongsua had the most liked content!

Profile Information
  • Location: Malaysia
  1. Maybe ESS can be implemented with some sort of PID mapping or positioning system? Is it possible? Or at least the current PID could be displayed in the interactive mode alert. Although PIDs vary each time a process starts, at least knowing the current PID can be helpful to identify which svchost and which thread is attempting to connect to the Internet. This gives the user a chance to initially jot down the threads, handles or DLLs involved by using a basic dynamic analysis tool such as Process Explorer, so that the user can later just refer to the services, handles or DLLs from what was jotted down without referring to the PID anymore, regardless of how the PID varies.
  2. I would like to suggest that the upcoming ESS include the PID for each process in the Rule and Zone editor, as it would be very helpful for me to determine which svchost and which thread inside it is attempting to connect to the Internet. Thank you. As you can see from the above pic, I really have no idea which svchost is attempting to connect to the Internet.
  3. Well, I would prefer active heuristics, and I believe ESET has implemented it. "Active heuristics are referred to by a variety of names by different vendors. Some call the technique “sandboxing”, others call it “virtualization” or “emulation.” In all cases the idea is to create a safe virtual environment, run the code to be inspected and watch the behaviors in order to assess risk." (Source: hxxp://static2.esetstatic.com/us/resources/white-papers/Understanding_Heuristics.pdf) If any unknown infection is found, ESET will move those infected files, or keep a copy of them after deletion, into the quarantine. Based on what I know, ESET will rescan those quarantined files after every virus definition update by default. I, as a user, have the responsibility to ensure that the files in the quarantine are indeed infected and are not false positives. If one is a false positive, I can then safely restore the file and let it execute freely; otherwise I would just delete it. Besides, I would also prefer ESET to detect the unknown infection before it can do any irreversible damage to my system, rather than journaling it and letting it execute freely.
  4. More features, more memory consumption. IMO, HIPS is enough to replace the behavior detection. So, I will stick to HIPS.