AnthonyQ
Members · Posts: 133 · Days Won: 3

Everything posted by AnthonyQ

  1. Totally agree. As far as I know, many free cloud-based sandboxes, like Opentip by Kaspersky, Joesandbox and Threatbook (a Chinese online sandboxing platform), can simulate user interaction (moving the mouse and automatically clicking buttons) to reveal malicious behavior performed by a sample. As a paid sandbox, ESET LiveGuard ought to be better than these free products.
  2. I am not sure but I tend to believe ML/Augur detection is not cloud-based as this ML-based detection can be triggered offline. Suspicious Object detection is a cloud-based detection.
  3. MSIL means Microsoft Intermediate Language. Detections such as "ML/Augur" and those with the prefix "a variant of" may indicate a heuristic detection, imo.
  4. If you are happy with ESET, just keep using it. It's a good idea to periodically scan your computer with a second opinion scanner to ensure your PC is virus-free. But in my opinion, these AV test results are not useless; instead, they serve as a reminder that there is room for improvement for ESET in terms of protection. Enhancing behavioral detection, integrating LiveGrid reputation into the firewall, and adding protected folder functionality are areas where ESET can improve.
  5. ESET creates industry-leading signatures and is good at detecting known ransomware. But I hope ESET can improve its behavioral blocker or introduce protected folder function to better deal with unknown ransomware.
  6. Not the first time that ESET LiveGrid has incorrectly marked system files of the Win 11 Dev version as suspicious objects. Simply whitelisting these files is not enough; the relevant team should find out the root cause of this false positive problem that happens again and again.
  7. Today I found a malicious script sample on Anyrun (https://app.any.run/tasks/2455fd40-7058-46f1-8b8c-3d47245e9f38/; VT: https://www.virustotal.com/gui/file/8fb827650ba056d6917d5371db00dedc173cd68647cc9f703f63224ec9d54189) and I sent it to ESET LiveGuard, but ESET LiveGuard told me it's safe. Although this sample does not seem to be ITW, it does perform malicious actions, such as trying to run on system startup, stopping a service using the taskkill command, and editing the registry to disable a system function.
  8. I read his test results on the Chinese forum he mentioned a few weeks ago. Thanks to ESET's great signatures, all samples were blocked. But in the case of the sample mentioned in this post, the ESET LiveGuard cloud sandbox failed to detect it. So I'm posting to ask the ESET LiveGuard team to improve its detection capability.
  9. That's possible. If that's the case, it's not OK for LiveGuard to declare a sample that deployed evasion tactics "Safe to use".
  10. Yeah. MD was the first vendor to detect this sample and its detection name is VirTool:Win64/CobaltStrike.A.
  11. How about this sample (https://www.virustotal.com/gui/file/1c32e181b13679976b001bc2e5f80dfc135f190b7d536edc25b08f37c65d6ae4), which is now detected as Win64/CobaltStrike.Beacon.G by ESET? This sample was marked as Clean by ESET LiveGuard before.
  12. I feel that ESET LiveGuard appears to be unable to detect some Cobalt Strike malware samples, such as the one found at https://www.virustotal.com/gui/file/e62baa593248fdcb22dbeddc976d246aee11c9e747ef232e78f5f4dbf692698c, which has been marked as Clean by ESET LiveGuard. Given the popularity of the Cobalt Strike trojan, I would like to request that the ESET LiveGuard team consider adding specialized detection rules for Cobalt Strike to the product. Thanks.
  13. ESET does not detect it now. But its LiveGrid reputation is still risky.
  14. ESET recently marked a file related to ClickOnce Bootstrapper as a suspicious object (MD5: 2b526b323c3ec3770cd224831564a796, VT: https://www.virustotal.com/gui/file/8194dca14a0dce6a9811aa427d951f0ba37fbc30e74a29f202b23eede3d06a30/detection). However, this file is actually published by Microsoft and is completely safe. Unfortunately, LiveGrid mistakenly detected it as malware. I reported this issue via email to samples#eset.com several hours ago, but it has yet to be resolved. I consider this false positive problem to be critical, as it affects many developer users. Therefore, I think it should be fixed as soon as possible, even though today is Sunday.
  15. Seems like an FP. Extract the detected file from Quarantine and zip it with the password (infected), and send the encrypted zip file to samples@eset.com for investigation.
  16. Yeah, ESET added a signature detection hours ago after submission. I'm not sure if the sample is able to run successfully on LiveGuard, but it can run successfully on some free cloud sandboxes like Triage.
  17. I've noticed that ESET LiveGuard seems unable to detect certain types of malware such as MBR lockers. For example, this sample (VT: https://www.virustotal.com/gui/file/667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf/detection; Sandbox: https://tria.ge/221224-f6fptshf29/behavioral1) is an MBR locker and its behavior is very typical. However, ESET LiveGuard determined that it was safe to use. The algorithm of LiveGuard should be updated to solve this problem.
  18. Delighted to learn that there will be improvements regarding the ESET firewall. I hope there will be a reputation-based filtering mode, which utilizes LiveGrid reputation to automatically allow trusted applications to make outbound connections, and to notify users when unknown applications attempt to connect to the Internet. It is useful in blocking backdoor trojans. Also, I would like to see some improvements regarding the Deep Behavioral Inspection function, as I've noticed it hasn't been updated for some time.
  19. As per the information on this page (https://support.eset.com/en/kb8336-intel-threat-detection-technology-tdt-supported-processors), it seems that some of the new models of Intel CPU, e.g., i7-13700KF and i7-12700H, are not TDT supported. However, as advertised, Intel CPU Gen 10 and newer should support Threat Detection Technology. Why can the above new models not utilize TDT, and will they be supported in the future?
  20. Two Cobalt Strike Trojan samples were submitted via email but have not been detected so far: https://www.virustotal.com/gui/file/0e580e784654cfe00a0ad3921fd75a423b34014faed18febdf9d94e9b8eda1f1 and https://www.virustotal.com/gui/file/8b941812bf5902399bf45c7f1b59d471ed19e8cf1bb7dccec1779ca0e87c4e9a. The analysis of this kind of "time-sensitive" backdoor Trojan should be prioritized, as delayed analysis and detection might be of no use and value (the C2 server might be offline).
  21. A stealer sample that was submitted via email almost 2 days ago is still not detected by ESET: https://www.virustotal.com/gui/file/609cccf310e725ba4ff4d74edffa0c33d4640f3c391dbbac4e1d00dd3f9c249e
  22. Just checked, these Rootkit samples are finally detected as Win64/Rootkit.Agent.BQ.
  23. Rogue software (https://www.virustotal.com/gui/file/929172dd61611225b11ebb6da098122ff813d7c266dd632be326d16d338e8df5) was submitted on 13/9/2022 but has not been added to the detection database.
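Post 7 above lists the behaviors a sandbox should have flagged in the script sample: autostart persistence, killing a service with taskkill, and a registry edit that disables a system function. As an added illustration of what that behavioral triage looks like in code (this is example code written for this page, not ESET LiveGuard's logic or any sample's actual report), the block below scores a list of sandbox events against those three indicators. The events are constructed for the example, and the rules generalize slightly beyond the post: `sc stop` and `net stop` are treated like taskkill, and any `Disable*` value under the Explorer or System policy keys counts as disabling a system function. The event format, field names and verdict thresholds are assumptions.

```python
"""Minimal behavioral triage over a sandbox event list (added example).

Flags the indicators named in post 7: Run-key persistence, process or
service termination, and policy-key edits that disable a system function.
Everything here, including the event schema, is hypothetical.
"""
import re
from dataclasses import dataclass

# Autostart entries: any value written directly under ...\CurrentVersion\Run or RunOnce.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\[^\\]+$", re.IGNORECASE)
# Policy values such as DisableTaskMgr / DisableRegistryTools / DisableCMD set to 1.
POLICY_DISABLE_RE = re.compile(r"\\Policies\\(?:System|Explorer)\\Disable\w+$", re.IGNORECASE)
# taskkill with a force/image/pid switch, or sc/net stop (assumed generalization).
TASKKILL_RE = re.compile(r"\btaskkill(?:\.exe)?\b.*?/(?:f|im|pid)\b", re.IGNORECASE)
STOP_SVC_RE = re.compile(r"\b(?:sc|net)(?:\.exe)?\s+stop\b", re.IGNORECASE)


@dataclass
class Event:
    kind: str          # "registry_set" or "process_create" (assumed schema)
    target: str        # registry value path, or the process command line
    data: str = ""     # registry data written, if any


def classify(events):
    """Return (tactic.technique, evidence) tuples for every matching event."""
    findings = []
    for e in events:
        if e.kind == "registry_set":
            if RUN_KEY_RE.search(e.target):
                findings.append(("persistence.run_key", f"{e.target} = {e.data}"))
            elif POLICY_DISABLE_RE.search(e.target) and e.data.strip() == "1":
                findings.append(("defense_evasion.disable_system_function", e.target))
        elif e.kind == "process_create":
            if TASKKILL_RE.search(e.target) or STOP_SVC_RE.search(e.target):
                findings.append(("impact.stop_process_or_service", e.target))
    return findings


def verdict(findings):
    """Collapse findings to a verdict on distinct tactics, not raw hit count.

    One tactic alone (e.g. a Run key) is common for legitimate installers, so it
    is only "suspicious"; two or more different tactics together is "malicious".
    """
    tactics = {tag.split(".", 1)[0] for tag, _ in findings}
    if len(tactics) >= 2:
        return "malicious"
    if findings:
        return "suspicious"
    return "no behavioral indicators"


# Constructed events modelled on the three behaviors described in post 7.
SAMPLE_EVENTS = [
    Event("registry_set",
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate",
          r"wscript.exe C:\Users\victim\AppData\Roaming\update.vbs"),
    Event("process_create", r'cmd.exe /c taskkill /f /im "SecurityHealthService.exe"'),
    Event("registry_set",
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr",
          "1"),
]

# Constructed benign-looking report: a single autostart entry and nothing else.
INSTALLER_EVENTS = [
    Event("registry_set",
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
          r"C:\Program Files\Vendor\app.exe /background"),
]

if __name__ == "__main__":
    for name, evs in (("sample", SAMPLE_EVENTS), ("installer", INSTALLER_EVENTS)):
        hits = classify(evs)
        print(f"{name}: {verdict(hits)}")
        for tag, evidence in hits:
            print(f"  {tag}: {evidence}")
```

The point of scoring on distinct tactics rather than on the number of hits is that a sandbox verdict of "safe" for a report combining persistence, process termination and a policy-key change is hard to justify even with no signature match; that combination is the behavioral pattern the post is complaining went unflagged.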