Dmitry228 (Members, 14 posts)
Dmitry228 reacted to a post in a topic: ESET's keyboard shortcut protection against screen blockers
Hi! Why doesn't ESET have a function to close unknown blocker programs (like WinLocker) that have not been detected by ESET as malicious, but still block the user's screen and prevent using the computer, using a special key combination? Kaspersky has such a feature, which when you press such a special key combination (its default is "CTRL + Shift + ALT + F4"), automatically finds the blocker program, terminates its process and moves the program to quarantine.
Locked task manager, registry editor and so on.
Dmitry228 replied to TheNikita's topic in General Discussion
I had the task manager disabled, but ESET did not find it and did not restore it.
Dmitry228 reacted to a post in a topic: Protection against MBR modification/destruction in ESET
Hmm... Take, for example, Dr.Web Security Space antivirus. It by default prohibits low-level access to the disk, which prevents such malicious programs designed to destroy the MBR from destroying it. And with all that, the computer functions normally, everything boots up. You can even check it yourself. Or, for example, Kaspersky Standard/Plus/Premium antivirus: it has an "Intrusion Prevention" component with four groups of applications, "Trusted", "Weak Restrictions", "Strong Restrictions" and "Untrusted". So, if I prohibit low-level access to the disk and the file system for the last three groups and then reboot, nothing happens, everything works correctly (the "Trusted" group is excluded because unknown malware would fall into the "Weak Restrictions" group at most). Even if no such rule is added to HIPS, why doesn't ESET react to the fact that some unknown program changed the MBR? This is quite strange; I would like to see at least a behavior-analysis detection, as, for example, Kaspersky does when it sees an attempt to change the MBR by an unknown program. Oh, and by the way, why not make this rule only for programs unknown to ESET? For trusted applications (say, those with a trusted digital signature or those whose security has been confirmed by ESET LiveGrid) such actions would be allowed.
If so, then it would be a good idea to detect KillMBR programs using heuristic analysis or the ESET cloud. Because when I sent a similar malware program for analysis through the Windows Explorer context menu, LiveGuard did not see it as a threat. Although in the sandbox it would have seen an attempt to destroy the MBR (I think so). When I tried to run the same MBR destroying program on a machine with Kaspersky installed, its "System Watcher" component immediately noticed the malicious behavior and would not let the MBR be destroyed.
There's a reason why you and other anti-virus vendors have a separate malware category called "KillMBR", isn't there? I don't know if Windows is supposed to protect the MBR from destruction/rewriting, but if it is, it's not doing a very good job... I've personally tested dozens of malware samples on a virtual machine, and ESET was unable to prevent the boot record from being erased. In addition, some malware left writings in it before Windows started, such as: "You are infected with Trojan <...name...>". I sent all these files to the ESET lab via a special form. All of them were added to the signatures either as MSIL/BadJoke.AJE trojan or Win64/KillMBR.BZ trojan. The HIPS system failed to protect the MBR from destruction (removal). Why not add such protection? At least a warning that a program on the computer is trying to modify the MBR.
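As an added example (not from this thread and not any vendor's product code), here is the kind of MBR integrity check the posts above ask for, written in Python against a constructed 512-byte sector rather than a real disk: it records a baseline hash of the boot code, checks the 0x55AA boot signature and partition table, and flags a planted text message of the sort the last post describes. The sample partition entry, disk signature and message are all made up here.

```python
import hashlib
import struct

SECTOR = 512
ENTRY = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count

def build_sample_mbr():
    # Constructed sample, not a real disk image: 440 bytes of boot code, a disk
    # signature, one active type-0x07 partition entry, 48 zero bytes, 0x55AA.
    boot_code = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 435
    entry = struct.pack(ENTRY, 0x80, b"\x01\x00\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    return boot_code + b"\x12\x34\x56\x78\x00\x00" + entry + b"\x00" * 48 + b"\x55\xaa"

def build_tampered_mbr():
    # The same sector after a KillMBR-style overwrite, as the posts describe:
    # a planted message, zeroed partition table, no boot signature (constructed).
    return b"You are infected with Trojan <...name...>".ljust(SECTOR, b"\x00")

def parse_mbr(mbr):
    """Extract the fields an integrity check cares about from a 512-byte sector."""
    assert len(mbr) == SECTOR, "MBR must be exactly 512 bytes"
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY, mbr, 446 + 16 * i)
        if ptype != 0:  # type 0 marks an unused entry
            parts.append({"active": status == 0x80, "type": ptype, "lba": lba, "sectors": count})
    return {"signature_ok": mbr[510:] == b"\x55\xaa",
            "boot_code_sha256": hashlib.sha256(mbr[:440]).hexdigest(),
            "partitions": parts}

def longest_printable_run(data):
    # Length of the longest run of printable ASCII; planted messages stand out.
    best = run = 0
    for b in data:
        run = run + 1 if 32 <= b < 127 else 0
        best = max(best, run)
    return best

def check_mbr(mbr, baseline_boot_hash):
    # Compare a freshly read sector with a recorded baseline; [] means unchanged.
    # Live read on Windows needs admin: open(r"\\.\PhysicalDrive0", "rb").read(512)
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector is no longer bootable")
    if info["boot_code_sha256"] != baseline_boot_hash:
        findings.append("boot code differs from the recorded baseline")
    if not info["partitions"]:
        findings.append("partition table empty: every entry zeroed")
    if longest_printable_run(mbr[:440]) >= 16:
        findings.append("long printable string in boot code: looks like a planted message")
    return findings
```

Run the baseline capture once on a known-good system and store the hash off-host; a scheduled re-read that returns a non-empty list is the warning the posts are asking the product for.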
Dmitry228 joined the community