AnthonyQ

Posts posted by AnthonyQ

  1. On 11/8/2023 at 9:36 PM, Robertos said:

    LiveGuard is planned.

    What do you mean by ESSP? Do you mean features like a firewall? A firewall is planned. It should be released at the end of Q2/2024.

    Other Pro features not included in the AV version are not planned for the next half-year or next year.

    In my opinion, as macOS already has its built-in firewall, to differentiate from it I suggest that ECS's firewall integrate LiveGrid reputation information and allow policies to be specified based on that information.

    When it comes to AV for macOS, the focus should be on detection. I am excited to see ML and LiveGuard being implemented in ESET for Mac. By the way, can ML (Augur) and LiveGuard process macOS samples such as .app and .pkg files?

  2. 55 minutes ago, Robertos said:

    It was not removed, it only was not implemented yet. Unfortunately, we do not plan to implement it in the next year; it has very low priority.

    What action from context menu is missing for you?

    When I need to perform a thorough scan of a file, the most convenient method is to scan it using the options available in the context menu. However, currently, I have to manually drag and drop the file onto the main GUI in order to initiate a scan. Additionally, it seems that the real-time scanner is unable to perform a deep scan.

    Is your team planning to implement Pico update and/or advanced machine learning in ESET Cyber Security? This can further help achieve feature parity between the Windows version and Mac version of ESET. :)

  3. 23 hours ago, Robertos said:

    Version 7.4 contains some fixes in web and email protection. Please upgrade your 7.3 to the released 7.4; it could fix your problem.

    If the problem still persists in 7.4, please file a support ticket for it.

    Seems to have been fixed, will continue to monitor.

    Btw, has the context menu scanning feature been permanently removed in ESET Cyber Security V7? I think it is a useful and necessary feature...

  4. 4 hours ago, itman said:

    Appears "the message is not getting across."

    Again. LiveGrid Reputation status has nothing to do with Eset whitelist status of the process. With a few exceptions I will get to later, LiveGrid reputation is based on the number of Eset users of the process.

    I will use an HP monitor driver installer as an example. Most people never install a driver for their monitor, using the Win default driver instead. Also, this installer is specific to one HP monitor model. I have used this installer previously and it's been sitting in my Downloads folder for a few years. Finally, this installer is validly code signed by HP. Let's see what LiveGrid's Reputation ranking is for this installer:

    [screenshot: Eset_Rep.png]

    Now for those LiveGrid process Reputation usage exceptions. One is that anything Microsoft code signed has high reputation status. Also, as this malware example shows, anything code signed with an EV cert. is given high reputation status. This assignment parallels that done by Win SmartScreen processing.

    What Eset uses process whitelisting for is given below:

    https://help.eset.com/glossary/en-US/technology_livegrid.html

    Files with Green Reputation are considered Clean, which can be regarded as whitelisted.

    Quote: "LiveGrid reputation is based on number of Eset users of the process."

    It's wrong. The number of users is merely one factor, or even not a factor, when calculating the reputation score. The primary factor, as stated on the ESET website, is heuristic rules in the cloud.

  5. 8 hours ago, itman said:

    Again, LiveGrid does not perform any cloud malware scanning other than for blacklist status.

    User numbers may influence reputation, but the primary factor is heuristic malware scanning conducted by LiveGrid.

    As Peter noted, items with Green bar in the Reputation field are whitelisted. I've previously submitted false positives to ESET, which now show a green reputation.


    Reputation—In most cases, ESET Internet Security and ESET LiveGrid® technology assign risk levels to objects (files, processes, registry keys, etc.) by using a series of heuristic rules that examine the characteristics of each object and then weigh their potential for malicious activity. Based on these heuristics, objects are assigned a risk level from 1 – Fine (green) to 9 – Risky (red).

    (https://help.eset.com/eis/16.2/en-US/idh_page_cloud.html)

  6. 6 minutes ago, itman said:

    All that LiveGrid Reputation status display indicates is how many Eset installations the .exe has been installed on. Reputation status has nothing to do with whether the process has been white/blacklisted or the like.

    As such, I have always viewed LiveGrid Reputation display status as a useless feature.

    It is not true.

    There are two columns on the LiveGrid reputation page - one column is for "Reputation," and the other is for "Number of Users." I believe you are referring to the second column.

    (https://help.eset.com/eis/16.2/en-US/idh_page_cloud.html)

  7. On 9/14/2023 at 3:22 PM, Tommy V said:

    @AnthonyQ If this issue can be temporarily solved by going to System Settings - Network - Filters and disabling/enabling the ESET Web&Email transparent proxy filter, you might be hitting the same buffer full (overflow?) issue as me. I see this issue even if the machine has not gone to sleep.

    Hopefully it is fixed in the upcoming release, which should be coming any day now due to missing support for macOS 14 (Sonoma) in 7.3.3700.
    The issue was also present in 7.3.2100.0, but then support told me to downgrade to 6.11.xx or wait for the next version of 7.3.xx.

    From ESET Support:
    "They (developers, my clarification) have reproduced the issue and confirmed that it has been classified as a bug.
    The communication that goes through our network system extension causes the extension to fill the buffer and cause the issue.

    Unfortunately there is currently no time frame for a fix, but keep an eye on updates as it will be fixed in a future update."

    Sadly, I can confirm that this issue was not fixed in the recently released ESET Cyber Security Ver 7.4.1200.

  8. 11 hours ago, itman said:

    Below are Eset's historical performance scores on the AV-Comparatives real-time test series. It can be observed that Eset's scores on this test are fairly consistent over the years. One miss factor I am aware of is PUAs, since Eset runs with default installation settings on this test and that protection is not enabled by default upon installation:

    [screenshot: Eset_AVC.png]

    IMO, as a professional and well-known testing organization, AV-Comparatives won't take PUAs as malware.

  9. I noticed an update issue with the ESET Cyber Security version 7.3.3700.0 on my Mac. After putting the MacBook to sleep (by closing the lid) for a while, I've noticed that the software fails to update. This is intriguing because when I ping update.eset.com, I get a response, which means there's no issue with my internet connection.

    I've tried updating it multiple times without success. However, a simple restart of my MacBook allows ESET to update as usual. This seems to be a recurring problem and I hope the ESET team can look into this.

    [screenshot: Screenshot 2023-08-22 20.52.59.png]

  10. 9 hours ago, itman said:

    Actually, only half of them are being detected as Cobalt Strike with the rest detecting its delivery malware;

    https://www.virustotal.com/gui/file/491d734b97fa86463e610820720d797e1515c6967bda1aded9ac04f2ef33833b - Win64/Agent.CTD

    https://www.virustotal.com/gui/file/3e804a884b14b64a09be6bcf1c9640df766f6b51f45ce12714bea49f97e344b4 - A Variant Of Win64/GenKryptik.GMTF

    https://www.virustotal.com/gui/file/1c758859895cd24dccb9f17f8f82aedb4a4745d3fb57cad878d06ac62b843b93 - A Variant Of Generik.EEDJWGG

    https://www.virustotal.com/gui/file/981cc9cf25eaef28d3d612ab1fabb88b815c6fb384b335b89863196ee9ff2563 - A Variant Of Win64/TrojanDownloader.Age

    https://www.virustotal.com/gui/file/332e78f15424da53065cde5ea787466257ddf33e323012a99b3f00a5e7b4869c - Win64/TrojanDownloader.Agent.AGT

    https://www.virustotal.com/gui/file/514994cca3303c06443d6cceeac914d3c93b74ab3925753536fd5c0665c7e889 - A Variant Of Generik.EPVCRER

    illustrating the difficulty in identifying the beacon code.

    What I have observed is that in many of these .exe samples the beacon code is encrypted. Decryption of this code might be occurring via the named pipe convention as previously posted. In any case, Eset needs to improve its memory scanning capability in this regard.

    Of note is that Kaspersky appears to be the only mainstream AV to detect these Cobalt Strike beacons at first sight. What I have observed is that its initial detection name is prefixed with "VHO", which is later removed from the detection at VT. I suspect this is Kaspersky's "on-the-fly" signature creation at work, which @SeriousHoax commented on in other forum threads. Perhaps it's time Eset collaborated with Kaspersky in regards to how it's able to detect these beacons.

    VHO might stand for Vishash Offline, which is a unique detection technique employed by Kaspersky. I believe there’s an official channel for ESET and Kaspersky to exchange IOCs, but sharing detection technology might be impossible.

  11. 9 hours ago, itman said:

    If I recollect correctly, Eset at VT does not employ LiveGrid blacklisting.

    The only way to know if Eset is currently blocking your posted samples via LiveGrid blacklist is to run them in a VM.

    Currently, most of my posted threats are detected as WinGo/CobaltStrike.Beacon.xx or Win32/CobaltStrike.Beacon.xx.

    But there are still many undetected CS backdoor trojans in the wild, e.g., https://www.virustotal.com/gui/file/e67a68056eb4299602cdeb9e52be77b6862d0f7a7ad21a651d520189963caab6, https://www.virustotal.com/gui/file/54fb06778a2ae9c92a2ee6cc2d0a36ed51d8ff85efbdfb05ba5e2dcc5d2c8c51, https://www.virustotal.com/gui/file/9254bb2f7b9ee19e6ca1110fd715dc3e8a9fb38e7a2ea43d43b0c5c1b9ff5f38, https://www.virustotal.com/gui/file/baee8be767db634c6d2d4de7de4739dce5b948dcd4dbfc5bd73dd3c9bf335467 and https://www.virustotal.com/gui/file/ed34aa09630f7d4cf033e821322c6ccf9243757115c2587eb000e369d0e87d33. They are not particularly fresh, but sadly neither the local scanner nor LiveGrid can detect them.

  12. 3 hours ago, itman said:

    Why Cobalt Strike beacon attacks are so difficult to detect:

    https://blog.morphisec.com/how-to-stop-ransomware-breach-prevention-vs-cobalt-strike-backdoor

    As noted, don't rely on a Cobalt Strike beacon signature for stopping future attacks using a modified version of the beacon. This also might explain why it takes so long for Eset to develop a "smart" signature for Cobalt Strike beacon.

    Creating a smart detection for these backdoor threats (mainly Trojan downloaders) might be hard, but blocking them in LiveGrid is not so difficult.

  13. Hi,

    I've noticed that many CobaltStrike backdoor samples seem to bypass ESET's detection. Below are VT links for some of the undetected samples:


    Given the frequency of these misses, it's alarming. I hope ESET can consider enhancing signatures to address such threats more effectively.

    I intended to report these via your email channel, but my recent submissions on 8/8/2023, 8/9/2023, and 8/10/2023 received no feedback. Additionally, most samples remain undetected. The tracking numbers for those reports are [TRACK#64D227BD0366], [TRACK#64D23E4702BF], [TRACK#64D3804602F5], [TRACK#64D3815403C1], [TRACK#64D3937F00B7], [TRACK#64D4261401BA], [TRACK#64D4BE8C01E0], [TRACK#64D4C1B6036B] and [TRACK#64D4C46301B9].

    Due to the lack of response, I felt it necessary to highlight these samples here. I hope they are addressed swiftly.

    Thank you.
