AnthonyQ
Posts posted by AnthonyQ
-
In ECS V7.0, when a threat sample has multiple detections, the detailed detection names cannot be displayed and the Detection field in the log will be empty.
-
Quote: Avast (FileRepMalware [Ransom]), Combo Cleaner (Gen:Variant.Ransom.Loki.7379), ESET-NOD32 (A Variant Of Win32/GenKryptik.GQPJ), Kaspersky (UDS:Trojan.Win32.Chapak.gen), Microsoft (Trojan:Win32/Smokeloader.CCEG!MTB), https://www.pcrisk.com/removal-guides/28444-jawr-ransomware
The answer is in the link you provided. No need to post it here.
-
On 11/8/2023 at 9:36 PM, Robertos said:
LiveGuard is planned.
What do you think by ESSP? Do you think features like firewall? Firewall is planned. It should be released at the end of Q2/2024.
Other Pro features not included in AV version are not planned in next half-next year.
In my opinion, as macOS already has its built-in firewall, to differentiate from it, I suggest ECS's firewall integrated with LiveGrid reputation information and allowing for specifying policies based on this information.
When it comes to AV for macOS, the focus should be on detection. I am excited to see ML and LiveGuard being implemented in ESET for Mac. By the way, can ML (Augur) and LiveGuard process macOS samples such as .app and .pkg files?
-
-
On 10/31/2023 at 5:57 AM, Robertos said:
- Pico update is not planned for ESET Cyber Security for macOS.
- Machine learning is planned.
Another feature I would like to ask for is ESET LiveGuard, exclusively for ESSP or Mac equivalent. Is it on the development roadmap?
-
55 minutes ago, Robertos said:
It was not removed, it only was not implemented yet. Unfortunately, we do not plan to implement it in the next year, it has very low priority.
What action from context menu is missing for you?
When I need to perform a thorough scan of a file, the most convenient method is to scan it using the options available in the context menu. However, currently, I have to manually drag and drop the file onto the main GUI in order to initiate a scan. Additionally, it seems that the real-time scanner is unable to perform a deep scan.
Is your team planning to implement Pico update and/or advanced machine learning in ESET Cyber Security? This can further help achieve feature parity between the Windows version and Mac version of ESET.
-
23 hours ago, Robertos said:
Version 7.4 contains some fixes in web and email protection. Please upgrade your 7.3 to the released 7.4. It could fix your problem.
If the problem still persists in 7.4, please file a support ticket for that.
Seems to have been fixed, will continue to monitor.
Btw, has the context menu scanning feature been permanently removed in ESET Cyber Security V7? I think it is a useful and necessary feature...
-
4 hours ago, itman said:
Appears "the message is not getting across."
Again. LiveGrid Reputation status has nothing to do with Eset whitelist status of the process. With a few exceptions I will get to later, LiveGrid reputation is based on number of Eset users of the process.
I will use an HP monitor driver installer as an example. Most people never install a driver for their monitor, using the Win default driver instead. Also, this installer is specific to one HP monitor model. I have used this installer previously and it's been sitting in my Downloads folder for a few years. Finally, this installer is validly code signed by HP. Let's see what LiveGrid's Reputation ranking is for this installer;
Now for those LiveGrid process Reputation usage exceptions. One is anything Microsoft code signed has high reputation status. Also as this malware example shows, anything code signed with an EV cert. is given high reputation status. This assignment parallels that done by Win SmartScreen processing.
What Eset uses process whitelisting for is given below;
https://help.eset.com/glossary/en-US/technology_livegrid.html
Files with Green Reputation are considered Clean, which can be regarded as whitelisted.
Quote: LiveGrid reputation is based on number of Eset users of the process.
It's wrong. Number of users is merely one factor, or even not a factor, when calculating the reputation score. The primary factor, as stated on the ESET website, is heuristic rules in the cloud.
-
8 hours ago, itman said:
Again, LiveGrid does not perform any cloud malware scanning other than for blacklist status.
User numbers may influence reputation, but the primary factor is heuristic malware scanning conducted by LiveGrid.
As Peter noted, items with Green bar in the Reputation field are whitelisted. I've previously submitted false positives to ESET, which now show a green reputation.
Reputation: In most cases, ESET Internet Security and ESET LiveGrid® technology assign risk levels to objects (files, processes, registry keys, etc.) by using a series of heuristic rules that examine the characteristics of each object and then weigh their potential for malicious activity. Based on these heuristics, objects are assigned a risk level from 1 – Fine (green) to 9 – Risky (red).
-
6 minutes ago, itman said:
All that LiveGrid Reputation status display indicates is how many Eset installations the .exe has been installed on. Reputation status has nothing to do with whether the process has been white/blacklisted or the like.
As such, I have always viewed LiveGrid Reputation display status as a useless feature.
It is not true.
There are two columns on the LiveGrid reputation page - one column is for "Reputation," and the other is for "Number of Users." I believe you are referring to the second column.
-
6 hours ago, Peter Randziak said:
Hello @IvanL_5306,
not sure what you mean by
On 10/17/2023 at 8:10 PM, IvanL_5306 said:
This sample is whitelisted by LiveGrid.
Look at the first pic the OP shared. Before the detection was created, this malware sample had been whitelisted (indicated by the green color) in the LiveGrid.
-
From my own experience, ESET is less stable on Mac compared to PC...
-
On 9/14/2023 at 3:22 PM, Tommy V said:
@AnthonyQ If this issue can be temporarily solved by going to the system setting - network - filters and disabling/enabling the ESET Web&Email transparent proxy filter, you might be hitting the same buffer full (overflow?) issue as me. I see this issue even if the machine has not gone to sleep.
Hopefully fixed in upcoming release that should be coming any day now due to missing support for MacOS 14 (Sonoma) in 7.3.3700.
The issue was also present in 7.3.2100.0, but then support told me to downgrade to 6.11.xx or wait for the next version of 7.3.xx
From ESET Support:
"They (developers, my clarification) have reproduced the issue and confirmed that it has been classified as a bug.
The communication that goes through our network system extension causes the extension to fill the buffer and cause the issue.
Unfortunately there is currently no time frame for a fix, but keep an eye on updates as it will be fixed in a future update."
Sadly, I can confirm that this issue was not fixed in recently released ESET Cyber Security Ver 7.4.1200.
-
Tbh, I haven't seen and tested this feature in action because Intel TDT was rarely triggered by the ransomware samples I tested.
@adulwahab , would you be so kind as to share the hash of the sample that was detected by Intel TDT?
-
11 hours ago, itman said:
Below are Eset's historical performance scores on the AV-Comparatives real-time test series. It can be observed that Eset's scores on this test are fairly consistent over the years. One miss factor I am aware of is PUAs, since Eset runs with default installation settings on this test and that protection is not enabled by default upon installation;
IMO, as a professional and well-known testing organization, AV-Comparative won’t take PUA as Malware.
-
Update:
I later found that this issue can be temporarily solved by terminating com.eset.network process.
However, after a few hours, the update problem will resurface again, which can also be solved by the above method.
-
I noticed an update issue with the ESET Cyber Security version 7.3.3700.0 on my Mac. After putting the MacBook to sleep (by closing the lid) for a while, I've noticed that the software fails to update. This is intriguing because when I ping update.eset.com, I get a response, which means there's no issue with my internet connection.
I've tried updating it multiple times without success. However, a simple restart of my MacBook allows ESET to update as usual. This seems to be a recurring problem and I hope ESET team can take a look into this.
-
9 hours ago, itman said:
Actually, only half of them are being detected as Cobalt Strike with the rest detecting its delivery malware;
https://www.virustotal.com/gui/file/491d734b97fa86463e610820720d797e1515c6967bda1aded9ac04f2ef33833b - Win64/Agent.CTD
https://www.virustotal.com/gui/file/3e804a884b14b64a09be6bcf1c9640df766f6b51f45ce12714bea49f97e344b4 - A Variant Of Win64/GenKryptik.GMTF
https://www.virustotal.com/gui/file/1c758859895cd24dccb9f17f8f82aedb4a4745d3fb57cad878d06ac62b843b93 - A Variant Of Generik.EEDJWGG
https://www.virustotal.com/gui/file/981cc9cf25eaef28d3d612ab1fabb88b815c6fb384b335b89863196ee9ff2563 - A Variant Of Win64/TrojanDownloader.Age
https://www.virustotal.com/gui/file/332e78f15424da53065cde5ea787466257ddf33e323012a99b3f00a5e7b4869c - Win64/TrojanDownloader.Agent.AGT
https://www.virustotal.com/gui/file/514994cca3303c06443d6cceeac914d3c93b74ab3925753536fd5c0665c7e889 - A Variant Of Generik.EPVCRER
illustrating the difficulty in identifying the beacon code.
What I have observed is in many of these .exe samples the beacon code is encrypted. Decryption of this code might be occurring via named pipe convention as previously posted. In any case, Eset needs to improve its memory scanning capability in this regard.
Of note is Kaspersky appears to be the only mainstream AV to detect these Cobalt Strike beacons at first sight. What I have observed is its initial detection name is prefixed with "VHO" which is later removed from the detection at VT. I suspect this is Kaspersky's "on-the-fly" signature creation at work which @SeriousHoax commented on in other forum threads. Perhaps it's time Eset collaborated with Kaspersky in regards to how it's able to detect these beacons.
VHO might stand for Vishash Offline, which is a unique detection technique employed by Kaspersky. I believe there’s an official channel for ESET and Kaspersky to exchange IOCs, but sharing detection technology might be impossible.
-
9 hours ago, itman said:
If I recollect correctly, Eset at VT does not employ LiveGrid blacklisting.
The only way to know if Eset is currently blocking your posted samples via LiveGrid blacklist is to run them in a VM.
Currently, most of my posted threats are detected as WinGo/CobaltStrike.Beacon.xx or Win32/CobaltStrike.Beacon.xx.
But there are still many undetected CS backdoor trojans in the wild, e.g., https://www.virustotal.com/gui/file/e67a68056eb4299602cdeb9e52be77b6862d0f7a7ad21a651d520189963caab6; https://www.virustotal.com/gui/file/54fb06778a2ae9c92a2ee6cc2d0a36ed51d8ff85efbdfb05ba5e2dcc5d2c8c51; https://www.virustotal.com/gui/file/9254bb2f7b9ee19e6ca1110fd715dc3e8a9fb38e7a2ea43d43b0c5c1b9ff5f38; https://www.virustotal.com/gui/file/baee8be767db634c6d2d4de7de4739dce5b948dcd4dbfc5bd73dd3c9bf335467; https://www.virustotal.com/gui/file/ed34aa09630f7d4cf033e821322c6ccf9243757115c2587eb000e369d0e87d33. They are not particularly fresh but sadly both local scanner and LiveGrid cannot detect them.
-
3 hours ago, itman said:
Why Cobalt Strike beacon attacks are so difficult to detect:
https://blog.morphisec.com/how-to-stop-ransomware-breach-prevention-vs-cobalt-strike-backdoor
As noted, don't rely on a Cobalt Strike beacon signature for stopping future attacks using a modified version of the beacon. This also might explain why it takes so long for Eset to develop a "smart" signature for Cobalt Strike beacon.
Creating a smart detection for these backdoor threats (mainly Trojan downloader) might be hard but blocking them in the LiveGrid is not so difficult.
-
-
8 hours ago, itman said:
I just reanalyzed a handful of the samples at VT and still no Eset detection. Pretty bad when Grindinsoft can detect these now but not Eset.
Still no detection... 🫠
-
Hi,
I've noticed that many CobaltStrike backdoor samples seem to bypass ESET's detection. Below are VT links for some of the undetected samples:
Given the frequency of these misses, it's alarming. I hope ESET can consider enhancing signatures to address such threats more effectively.
I intended to report these via your email channel, but my recent submissions on 8/8/2023, 8/9/2023, and 8/10/2023 received no feedback. Additionally, most samples remain undetected. The tracking numbers for those reports are [TRACK#64D227BD0366], [TRACK#64D23E4702BF], [TRACK#64D3804602F5], [TRACK#64D3815403C1], [TRACK#64D3937F00B7], [TRACK#64D4261401BA], [TRACK#64D4BE8C01E0], [TRACK#64D4C1B6036B] and [TRACK#64D4C46301B9].
Due to the lack of response, I felt it necessary to highlight these samples here. I hope they are addressed swiftly.
Thank you.
-
The overall quality of MB samples is not so high. There are many clean samples on it. Occasionally there are some interesting and noteworthy samples on MB shared by some famous threat hunters and I hope ESET analysts can monitor those samples.
ESET Behavior blocker
in ESET Internet Security & ESET Smart Security Premium
According to Marcos, it seems that ESET is going to update its behavior detection this year...