
Posted

Ref.: hxxp://www.amtso.org/feature-settings-check-potentially-unwanted-applications/ 

Win 10 1607 x64, IE11 w/advanced EPM enabled.

As noted in the screenshot below, Eset SS ver. 10 PUA protection failed to block the PUA download. It did alert, but it appears cleaning failed, at which time the PUA was available for downloading. Perhaps an issue w/ThreatSense realtime scanner running in AppContainer?

 

AMTSO_12-18-2916.png

Posted (edited)

You do get a window prior to the screen you posted asking if you want to Disconnect or Ignore. I believe that is what is supposed to happen. (Win 7...ESS 10.0.369.0....IE 11 w/EPM enabled)

 

 

PUA.jpg

Edited by TomFace
Posted (edited)

No, I did not receive the Disconnect screen; that is why I posted the issue. I did create a new local admin profile and am running under that profile, although that should not affect Eset operation.

Also just noticed the cloudcar.exe test file can also be downloaded although I did receive an Eset alert that the connection was terminated.

Note that in both these cases, SmartScreen detects the test malicious download but I believe Eset should be blocking the download from happening per AMTSO guidelines.

Also note that advanced EPM w/Enable 64 bit processes on X64 Win 8/10 forces IE11 to run in an AppContainer instance. Regular EPM setting for the Security Zone settings does not.

-EDIT- Just verified that Eset plug-in .dll is inserted into AppContainer instance of IE11. But, that .dll might only be used for the anti-keylogger driver?

Also one other very disturbing occurrence. When I allowed the AMTSO test PUA to download via SmartScreen, I attempted to run the file. Win 10 SmartScreen detected the PUA, Eset did not. It could be that SmartScreen intercepted the file before Eset had a chance to examine it. However, this needs to be checked out further. Noteworthy is that Eset's realtime scanner did not detect the PUA when it was written to disk i.e. file creation. This leads to the assumption that it will not detect it upon file execution. This might be by design since the test file is only to be detected and blocked during download attempt per AMTSO guidelines.

Edited by itman
Posted

I just tried the AMTSO PUA test in Edge and received the same alert. Since Edge runs by default in AppContainer, this confirms to me there is an AppContainer issue with Eset.

  • Administrators
Posted

Just to make sure, do you have standard cleaning (i.e. not the strict) set in the Web access protection ThreatSense setup?

Posted (edited)

Setting to normal cleaning did the trick. Proper Disconnect alert was displayed. There was no "Standard" cleaning option.

Also as far as the cloudcar.exe download goes, download was allowed regardless of Eset alert stating connection was terminated. SmartScreen detected and blocked it. No change in that behavior with changing setting to normal cleaning.

Edited by itman
This topic is now closed to further replies.