ESET Insiders
Posts posted by toxinon12345

  1. Well, I guess Similarity digests are what extend a cloud for effective classification, in addition to reputation metadata (age/users). Of course, you should not expect blocking every executable out there with the premise of "Low reputation" only: that would create tons of FPs, e.g. for developers; but a hybrid approach combining core routines with a cloud classifier should readjust threshold levels for threat determination.

    The problem with dynamic whitelisting is the performance overhead, e.g. querying the cloud for every newly installed PE program [ *.exe | *.dll ]; if we add script execution (PowerShell, Batch, VBScript) it would mean another filegroup to look at. Some other products claimed to have resolved, at least partially, that problem with what they call "prefetch scan", "solid asynchronous packet", and other sorts of weird terms. Maybe it makes sense for interactive windows: PUAs, for example.

  2. Description: counting of "OFF/stopped" items

    Detail: I would like to see counting of "Permanently disabled" items at "Setup Pane".

    Also with no-color always. (Black and white)

    something similar to this, but in that case would be a '3' in Black/white


  3. ESET Live Grid, ESET's cloud technology, received a major update for the current version of the software, v6, and is updated continually as new and existing customers participate in it.

    On execution emulation for files bigger than approx. 4 MB, etc.

    + Mapping <big+upx> executables ---> on-access LiveGrid whitelisting ! file skipping ! local cache similar to PrevX º Webroot fastest lookups

    ---- speeds between those of code analysis and code emulation

  4. Does ESET SysInspector | ESETOnlineScanner have these features for better LiveGrid tracking?


    the snapshot of the running processes has to contain information extracted by the following three components:

    The file information component extracts information such as Portable Executable structure abnormalities, entropy, whether or not the file is digitally signed with a valid digital signature, imported functions, etc., all of which are helpful in determining whether a file is suspicious.

    The memory information component analyses the in-memory image of modules. Since the modules are already executing, it is safe to assume that, at this stage, most modules are decrypted/decompressed and we have access to their unencrypted memory image. Among information retrieved, we mention:

    • Exploits and shellcode.
    • Embedded executables (particularly device drivers!).
    • Strings used by various protocols, interesting registry keys, etc.
    • Whether the in-memory code section exactly matches the on-disk code section (of course, after we apply relocation information).

    The System information component analyses the way the module interfaces with the system, and possibly other systems, by taking in consideration the following:

    • A hidden process, or a hidden module within a process, is a warning sign.
    • A process that waits on a specific port, or is connected to a server on a specific port may be a warning sign, depending on the port, server address and other flags.
    • A process with multiple valid and visible windows may be considered less suspicious than a process with no windows, or with windows outside the viewing area of the screen.
    • API hooking, although used in legitimate software as well, is mostly used by malware, typically by injecting unconditional branches to the new handler function.
    • A presence in a ‘hot’ area of the file system (the Windows or System32 directories, Startup, Temporary Folder, etc.) or presence of an executable in a file’s list of streams, may represent a warning sign, depending on other factors.
    • Different ways of loading a DLL into the system are important flags in determining whether a file is suspicious.
    • The way a process is started may reveal interesting information. A process automatically started via an autorun registry key may receive a different score compared to a process manually started by the user.

  5. factors such as:


    - File has a digital signature

    - The source of the file

    - How long the file has been created

    - Amount of users with the file

    - Where the file has been downloaded from


    Low-prevalence and rare files with a suspicious packed PE --> Query reputation data after such a file has been successfully downloaded

    Also, I think AMS possibly could benefit speed from the whitelist
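As an added illustration of the scoring idea in the two posts above (static file/process features on one side, cloud reputation metadata such as age and prevalence on the other, with the block threshold readjusted rather than blocking on low reputation alone), here is a small Python triage model. It is example code written for this page, not ESET's or LiveGrid's implementation; the feature names, weights, thresholds and the byte buffers standing in for PE code sections are all constructed assumptions.

```python
import math
import random
from dataclasses import dataclass


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0).

    Packed or encrypted code sections sit close to 8.0; ordinary compiled
    code is usually well below 7, which is why entropy is a cheap static
    hint that a PE may be packed.
    """
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


@dataclass
class FileFeatures:
    name: str
    signed_valid: bool      # digital signature present and valid
    section_entropy: float  # entropy of the code section (static feature)
    age_days: int           # days since the cloud first saw this file
    prevalence: int         # number of users that have reported this file
    in_hot_path: bool       # Windows, System32, Startup, Temp, ...
    autorun_started: bool   # process launched via an autorun registry key


# Assumed weights/thresholds for the example; real products tune these.
PACKED_ENTROPY = 7.0      # section entropy at/above this counts as packed
BLOCK_THRESHOLD = 5       # static score needed to block a well-known file
MIN_BLOCK_THRESHOLD = 3   # reputation lowers the bar, but never below this
MONITOR_THRESHOLD = 4     # combined score that triggers monitoring / cloud query


def static_score(f: FileFeatures) -> int:
    """Score from features the local engine can compute without the cloud."""
    score = 0
    if f.section_entropy >= PACKED_ENTROPY:
        score += 3
    if not f.signed_valid:
        score += 2
    if f.in_hot_path:
        score += 1
    if f.autorun_started:
        score += 1
    return score


def reputation_score(f: FileFeatures) -> int:
    """Score from cloud reputation metadata: rare and young files score higher."""
    score = 0
    if f.prevalence < 10:
        score += 2
    if f.age_days < 7:
        score += 1
    return score


def classify(f: FileFeatures) -> str:
    s, r = static_score(f), reputation_score(f)
    # Low reputation only lowers the static bar; the bar never reaches 0,
    # so a file with no static warning signs (e.g. a developer's fresh,
    # signed build) is never blocked on reputation alone.
    threshold = max(BLOCK_THRESHOLD - r, MIN_BLOCK_THRESHOLD)
    if s >= threshold:
        return "block"
    if s + r >= MONITOR_THRESHOLD:
        return "monitor"   # keep watching / query more reputation data
    return "clean"


# Constructed stand-ins for PE code sections (not bytes from real files).
_rng = random.Random(1234)
PACKED_SECTION = bytes(_rng.getrandbits(8) for _ in range(8192))  # ~7.98 bits
PLAIN_SECTION = bytes(range(64)) * 64                              # exactly 6.0 bits
SPARSE_SECTION = b"\x90" * 2048 + bytes(range(32)) * 64            # exactly 3.5 bits


def build_samples() -> list:
    """Constructed sample files covering the interesting corners."""
    return [
        FileFeatures("packed_dropper.exe", False, shannon_entropy(PACKED_SECTION), 1, 3, True, True),
        FileFeatures("dev_build.exe", False, shannon_entropy(PLAIN_SECTION), 0, 1, False, False),
        FileFeatures("system_tool.exe", True, shannon_entropy(SPARSE_SECTION), 2000, 1_000_000, True, False),
        FileFeatures("fresh_signed_tool.exe", True, shannon_entropy(PLAIN_SECTION), 0, 1, False, False),
    ]


def triage(samples=None) -> dict:
    """Map each sample's name to its verdict."""
    return {f.name: classify(f) for f in (samples or build_samples())}


if __name__ == "__main__":
    for name, verdict in triage().items():
        print(f"{name:24s} {verdict}")
```

The design point is in `classify`: the unsigned, packed, autorun file in a hot directory is blocked, the unsigned developer build with low prevalence is only monitored, and a signed fresh file with zero static signals stays clean despite having the worst possible reputation score.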

  6. Motivation: My thought with this Site Advisor or guide is that it could supplement the parental control, and give the young user or any user a visual notification about a link/web site's immediate reliability, as Eset sees it.


    You are referring to Web content filtering

    Anti-Spam parsers are proven to be also very effective when combined with URL blocking

    Recently ESET won first place thanks to the Anti-Phishing module; you can view it here


    Currently Parental Controls trust only in reactive methods such as URL blocking, without using specific proactive algorithms

    If Web parsing could be added into Parental Controls, it would be great


    Anyway, the yearning for Web reputation seems to have been voiced a long time ago



    The "Blocked object" detections come from suspicious websites. V6 updates the list of such websites every few minutes via cloud, while older versions update it with every attempt to update, i.e. every hour by default.

    I don't want to go into details as this forum may also be read by bad guys, you know.


    P.S. I hope it's OK to share this here; I figure if it weren't OK to talk about it then Marcos wouldn't have told us about this feature in the first place :)