itman

Most Valued Members
Content count: 2,382
Days Won: 92

Kudos

  1. Azure Phoenix liked a post in a topic by itman in Eset causing Number Keys on keyboard to type wrong numbers   
    It might also be helpful if people start posting the type of keyboard they are using:
    1. Manufacturer
    2. Type of connection; PS/2 or USB
    3. Type of driver being used. Windows default keyboard driver or manufacturer provided driver.
    -EDIT-
    4. Are you using any other security software that has anti-keylogger capability, e.g. Trusteer Rapport, or keystroke scrambling capability, e.g. KeyScrambler?
    This might help Eset narrow down the source of the problem. I suspect this problem might be related to a specific subset of keyboard devices.
  2. neelampari liked a post in a topic by itman in Not able to install Esset   
    I fixed the link reference.
  3. Azure Phoenix liked a post in a topic by itman in Eset "Aced" This One!   
    https://www.wilderssecurity.com/threads/avlab-three-tests-against-bashware-ransomware-and-cryptominer-threats.404915/
    Of note in this AV Lab test was that Eset was only one of two products for ransomware and one of three products for cryptominers to stop all threats in the early detection stage.
    -EDIT- Eset missed one cryptominer. Still a very good performance overall.
  5. Azure Phoenix liked a post in a topic by itman in Eset "Aced" This One!   
    As far as the "bashware" POC vulnerability in Win 10 that was disclosed a while back, I created an Eset HIPS rule at that time to ask/block the loading and creation of the following driver files:
    C:\Windows\System32\Drivers\lxcore.sys
    C:\Windows\System32\Drivers\lxss.sys
  6. galaxy liked a post in a topic by itman in Problem with Internet Security 11.1.54   
    That's interesting. There have been reported issues with Win 10 x86 1803 and Eset ver. 11.1.54; mostly on NOD32. I haven't heard of any with Win 7 however.
  7. Azure Phoenix liked a post in a topic by itman in Question about sandboxing   
    To dispel any "allusions" that Windows Defender is ready for enterprise level protection is the AV-Comparatives enterprise solutions comparative test for Mar. - Apr., 2019 here: https://www.av-comparatives.org/tests/business-security-test-march-april-2018-factsheet/
    For this testing, WD's file-level blocking was set to "high" which would correspond to its default Win 10 Enterprise setting. Out of 620 malware samples, WD detected them all, but 31 of them required user interaction to block/allow, with also 4 false positive detections recorded. This level of user interaction would clearly be unacceptable in most corporate environments.
    Eset on the other hand scored 99.4% in this test with zero user interactions and false positives. Eset was also tested at default settings.
  9. Azure Phoenix liked a post in a topic by itman in Banking and Payment Protection Issue   
    Trusteer Rapport is not compatible with most if not all AV products with a Banking and Payment Protection feature. You either use TR or the AV product's BPP feature exclusively.
  10. Azure Phoenix liked a post in a topic by itman in Question about sandboxing   
    WD e-mail scanning:
    https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus
    The detection quoted paragraph would lead one to believe that e-mail malware remediation is not automatic.
    -EDIT- Forgot to mention the main difference between Eset and WD e-mail scanning. WD does not have a web filter as Eset does. As such, e-mail cannot be scanned by WD until it actually "hits the disk."
  11. Azure Phoenix liked a post in a topic by itman in Question about sandboxing   
    Employing "sleeper" malware has always been an effective sandbox bypass method. Such malware doesn't activate for minutes, hours, days, months, and in a few isolated cases, years. Backdoors are a great example of this. I believe in the WannaCry incident, the backdoor was activated a few weeks after it was initially downloaded.
    Current malware is increasingly becoming sandbox "aware" in that if it detects same, it will either not download the primary payload or, if previously done so, delete it prior to execution. In this regard, sandboxing "did its job" in that it indirectly prevented the malware from executing. Likewise, a persistent sandbox issue has been that much software, legit or malicious, will not execute properly in a sandboxed environment.
    Local based sandboxing can best be described as a containment mechanism. Its purpose is to prevent the malware from doing anything malicious to anything existing outside of the sandbox. It does not prevent malicious activities within the sandbox itself; a fact many times overlooked by folks with sandboxed browsers who believe the browser itself is protected.
    Cloud based sandboxes and their local based virtual equivalents such as the Cuckoo sandbox are used primarily for malware status determination. Whereas process execution in this environment, if properly constructed, is more likely to succeed, sophisticated malware will most likely be able to detect it is executing outside of its targeted device and alter its behavior accordingly. Most cloud based sandboxing, including that employed by AV vendors, does not run a process for an extended period of time that I am aware of. Logistically, it is just not economically feasible to do so.
    Finally, properly evaluating process execution behavior for malicious characteristics within a sandbox frankly requires advanced security training; something that, as a rule, does not exist in most corp. IT environments.
  12. camelia liked a post in a topic by itman in No more notifications about updates?   
     Make sure "Disable notification about successful update" is unchecked as shown in the below screenshot:

  13. Azure Phoenix liked a post in a topic by itman in Very dissatisfied with Eset   
    Also applicable to this discussion is a posting by @0xDEADBEEF made in another thread that I am copying below:
  14. itman liked a post in a topic by 0xDEADBEEF in Very dissatisfied with Eset   
    As additional info, today I got another such document sample which is not detected by an ESET scan using the latest virus DB.
    First look at the VT result: note the first submission of this sample to VT is 12:12 UTC, and I am testing at around 14:00 UTC, around 2 hrs difference in time.
    Seems to be a tragic result for ESET, right?
    Open it... Well, it is a very typical mal-doc, and asks one to enable macros.
    Enable, then OK; first the internal URL blacklist blocked some.
    Then realtime filesystem monitoring kicked in.
    And finally the botnet protection blocked the trojan downloader behavior. And the system is clean with this stuff successfully blocked.
    This is a common case in nearly all document samples I've tested.
    As you can see, ESET has a layered approach against such threats, not just through scanning.
  15. 0xDEADBEEF liked a post in a topic by itman in Very dissatisfied with Eset   
    As a follow up to @0xDEADBEEF VirusTotal comments, I am posting the following from their FAQ section. One can interpret such activity as "gaming the results." In any case, it illustrates that VT results should not be taken as "absolutes" when it comes to determining a given product's actual malware detection capability:
    https://support.virustotal.com/hc/en-us/articles/115002122285-AV-product-on-VirusTotal-detects-a-file-and-its-equivalent-commercial-version-does-not
  16. itman liked a post in a topic by 0xDEADBEEF in Very dissatisfied with Eset   
    My experience is ESET tends to block malware-carrying documents at later stage instead of at scanning stage. VirusTotal only shows scan results.
    I partially agree that there are more cases that ESET didn't detect the document or other archives that are commonly seen in malware-spreading spams at early exposure stage through scanning (i.e. other scanners in VT already detect it but ESET doesn't). But after opening/executing these files I usually found the actual payload were blocked either by internal URL blacklists or AMS or later defense layers. These experiences include "realworld" ones that the samples at the time I got were not even exposed in VT. So solely judging through VirusTotal doesn't fully reflect a product's detection ability.
    Many documents of this type, for example, are merely downloaders and don't contain the actual malicious code. Blocking the actual payload at a later stage should also be counted as successful. Also, blocking some types of threats at a later stage is, from my perspective, a way to decrease false positives, especially if you have the experience that some vendors in VT have aggressive detection against downloaders and occasionally also misclassify legitimate files as such a family.
  17. persian-boy liked a post in a topic by itman in HIPS V1320-20180516 - all of a sudden content of field 'operation' always 'unknown operation'!   
    In your instance, you used the HIPS in Interactive mode I believe when the issue manifested.
    I have always used Smart mode with a dozen or so user rules created. And, have never seen this HIPS behavior until recently.
  18. Azure Phoenix liked a post in a topic by itman in ESET was automaticaly uninstalled?   
    I had a similar incident a while back.
    I was installing a different ver. of Eset Internet Security over an existing version. The installation terminated midway through with an error. The installer rather than rolling back to the previous version, left the new ver. partially installed but non-functional. In other words, no operational version of Eset Internet Security was installed as far as the OS was concerned. This should never happen.
  19. Azure Phoenix liked a post in a topic by itman in What Does Eset Do With Suspicious Files?   
    It was submitted automatically upon detection. Hence, I cannot provide its hash:

    Again, all I am stating is that there is no record of this detection other than the above event log entry. I assume this is so because the file was never physically present on my PC. Eset captured the file in the download stage via web filtering. Since it was a password protected file, it appears Eset's analysis servers couldn't do much with it other than discard it. I state this since there is no record of the file being eventually placed in Eset's quarantine file on my PC.
    My question was and remains is what if this was a valid password protected file that was indeed not malicious? I believe how this should work is the file is placed into quarantine. Then when Eset's analysis servers determine the file is safe, it is auto removed from quarantine and restored to its original download location. Also by being placed into quarantine originally, the user would have the ability to remove it if it was a false positive detection by Eset. 
  20. itman liked a post in a topic by Marcos in What Does Eset Do With Suspicious Files?   
    I'm sorry but the archive is password protected. Without knowing the password, neither humans nor AV scanners can scan inside password protected archives. If we were to brute force the password, it could take more than a day for a 6-char. password provided that 500,000 passwords were tried per second.
  21. itman liked a post in a topic by Marcos in HIPS V1320-20180516 - all of a sudden content of field 'operation' always 'unknown operation'!   
    I've filed a bug ticket for developers since the issue is easily reproducible.
  22. Peter Randziak liked a post in a topic by itman in Antivirus Lab Test Results Calculator   
    I have always recommended in my forum postings that AV Lab tests should be averaged over time to get a "clear picture" as to a given product's capability. I found such a web site that automates this here: https://fatsecurity.com/tools/test-results-calculator?companyId=16&compareCompanyId=10
    The feature I found most interesting is the trend analysis graph. Comparing Eset to Windows Defender over the last two years with all ranking categories: Protection, Performance, and False Alerts rated equally, I observed the following:
    1. Eset has a significant overall higher ranking.
    2. Both products show a significant increase in test scores during Q1 - 2018 testing.
    3. Eset's overall test scoring during the two year period was consistent and uniform. Windows Defender test scoring during this period showed multiple "peaks and valleys" in test scores indicating overall inconsistent capability.
  23. persian-boy liked a post in a topic by itman in HIPS V1320-20180516 - all of a sudden content of field 'operation' always 'unknown operation'!   
    I can confirm this behavior.
    It started on my Eset installation, 11.1.54, on 5/29. In my case, I have a HIPS rule that allows svchost.exe to startup cmd.exe that I log. Prior to 5/29, the log always showed for operation - startup application. The log now shows unknown operation.
    The main question is if existing user HIPS rules are functioning properly?
    -EDIT- The only Eset module updated on 5/29 was the router vulnerability scanner.
  24. Erwin - IT support groep liked a post in a topic by itman in Virus keep coming back?   
    This usually indicates the malware has established persistence on the device. It reloads itself at system startup time. You might want to read my comments about like detection methods for this here: https://forum.eset.com/topic/15595-coin-miner/