Posted

Hey guys,

So today I was online and went to a website to download a few unofficial patches for a game I play.

I've been to this site many times before, but today, after exiting the site and loading up another site, I got hit with an Encrypted Network Traffic - Untrusted Certificate message.

It listed the gaming site I had just left and I went ahead and chose to Block the connection just to be safe.

There was one thing, however, that I saw in the details. In the Reputation section it had a green check mark, followed by an icon of 3 human figures, with the words "Discovered 5 days ago" next to that.

What exactly does that mean?

My only guess is that of course like it said it was Discovered 5 days ago but as far as the check mark and human figures go, I'm guessing it means that others have reported it to be OK and not a threat as the warning claims it may be.

I'd just like some clarification on that...

Posted

The Untrusted Certificate alert is not directly related to the reputation status of the web site.

A legit web site can have a certificate that has expired and the web site admin may not be aware of it. An example of this currently is the Bank of America web site that has had for some time an expired certificate used by its chat function. Eset even posted an advisory on it.

Pertaining to reputation status, a green checkmark means the site itself is OK. The number of human figures shown indicates the confidence level of the reputation status: the more figures shown, the higher the confidence level. Finally, the discovery status just indicates how long a reputation has been in effect.

If an Untrusted Certificate alert is generated for a web site with an unknown reputation status, it would be an indicator that extreme caution should be used when accessing the site, or that the site be avoided altogether.

  • 9 months later...
Posted

ESET LiveGrid® is an advanced early warning system comprised of several cloud-based technologies. It helps detect emerging threats based on reputation and improves scanning performance by means of whitelisting.
OK, let's say a lot of people are using a crack file which is infected!! The question is, will LiveGrid recognize the file as risky? Or, since it has a lot of idiot users, will it recognize the file as safe?!

  • Administrators
Posted
7 minutes ago, persian-boy said:

ESET LiveGrid® is an advanced early warning system comprised of several cloud-based technologies. It helps detect emerging threats based on reputation and improves scanning performance by means of whitelisting.
OK, let's say a lot of people are using a crack file which is infected!! The question is, will LiveGrid recognize the file as risky? Or, since it has a lot of idiot users, will it recognize the file as safe?!

If it's just a benign crack that shouldn't be detected, I don't think it would be evaluated as risky.

Posted

Thanks for the explanation, but the crack was an example.
Let's say it's malware and, at the same time, a lot of people have it! Then what? How smart is LiveGrid?

Posted (edited)

https://www.welivesecurity.com/2017/06/20/machine-learning-ESET-road-augur/
Does LiveGrid use this AI technology?
I'm asking this because I had a sample that was not detected by Eset and I could run it! But when I right-clicked the file and chose to check its reputation, LiveGrid marked it as risky!
Seems smart! But it won't stop me from running the sample. Why is that? Why not just alert the user if LiveGrid knows a file is risky? I believe the detections can be much better if you let LiveGrid alert the user!

Edited by persian-boy
Posted (edited)

With LiveGrid (manually checking the reputation), the system remains safe (because the user sees the risk level)! But without LiveGrid (default settings and no HIPS or anything) the system is infected!
Better safe than sorry :P
P.S.: The good thing is the file was automatically sent to the Eset lab and after 2 hours ESET detected it! But please consider that I could run the file before Eset caught it!

Edited by persian-boy
  • Most Valued Members
Posted
23 minutes ago, persian-boy said:

With LiveGrid (manually checking the reputation), the system remains safe (because the user sees the risk level)! But without LiveGrid (default settings and no HIPS or anything) the system is infected!
Better safe than sorry :P
P.S.: The good thing is the file was automatically sent to the Eset lab and after 2 hours ESET detected it! But please consider that I could run the file before Eset caught it!

I presume the reason is that the file is too new and unknown. People have pointed out that even Microsoft files can be classed as unknown, e.g. after an update. The problem is, if it alerted the user by default and the file was actually clean, it could cause more damage than good.

Eset could warn the users it is risky, but from what I have seen them say in the past on here, they want to avoid choices by default.

Posted (edited)
22 minutes ago, peteyt said:

update

Yeah, I saw that myself.
But we can have a digital signatures list and tell LiveGrid: if the file is from x, y, z and it has an unknown level then let it run, otherwise block it or ask the user? It works better. I know Eset will not do that; I'm just saying it's better XD.

22 minutes ago, peteyt said:

to avoid choices by default.

This is sad! Eset is ignoring others because a novice user is also using Eset products and he/she can't handle the alerts :P
Eset is sacrificing security and others for novice users :D

Edited by persian-boy
Posted (edited)
2 hours ago, persian-boy said:

Does live Grid use this Ai technology?

No.

2 hours ago, persian-boy said:

I'm asking this because I had a sample that was not detected by Eset and I could run it! But when I right-clicked the file and chose to check its reputation, LiveGrid marked it as risky!

A screen shot would help here. Per Eset help:

Quote

The ESET LiveGrid® reputation system provides cloud-based whitelisting and blacklisting.

I have never seen LiveGrid mark anything as "risky." A green checkmark indicates the file is whitelisted as safe. No checkmark indicates the file is unknown or low reputation. Any LiveGrid blacklisted item should have been blocked upon execution and should not appear in LiveGrid's display of running processes at all.

As I explained to you via PM, LiveGrid will not block unknown or low rep processes that are not blacklisted from executing.

-EDIT- Appears ver. 11 changes some LiveGrid settings. 

Quote

Risk level – In most cases, ESET Internet Security and ThreatSense technology assign risk levels to objects (files, processes, registry keys, etc.) using a series of heuristic rules that examine the characteristics of each object and then weigh their potential for malicious activity. Based on these heuristics, objects are assigned a risk level from 1 – Fine (green) to 9 – Risky (red).


Quote

NOTE

Known applications marked as Fine (green) are definitely clean (whitelisted) and will be excluded from scanning to improve performance.


Quote

NOTE

An application marked as Unknown (orange) is not necessarily malicious software. Usually it is just a newer application. If you are not sure about the file, you can submit the file for analysis to the ESET Research Lab. If the file turns out to be a malicious application, its detection will be added to an upcoming update.

 

Edited by itman
  • Administrators
Posted

If a popular application is unsigned and is updated, I don't think there would be many users who would want to confirm its execution each time it updates. Also waiting for LiveGrid to respond would cause a substantial delay when executing files which could be incorrectly attributed to bad performance of ESET's products.

Posted (edited)
18 minutes ago, Marcos said:

If a popular application is unsigned and is updated, I don't think there would be many users who would want to confirm its execution each time it updates.

Conceding that LiveGrid will never alert on unknown or low-rep process execution (I don't agree with this), the question is whether LiveGrid/heuristics will alert on a "risky" process prior to execution. I am assuming that if LiveGrid shows a risky process running, an Eset alert was generated and the user chose to allow the process to run?

-EDIT- Eset's realtime GUI has a setting to detect a "Suspicious" process. I have assumed this setting is what conditions the above alert status mentioned?

Edited by itman
Posted (edited)

Continuing the LiveGrid discussion, a reputational scanner that is not interactive is useless in my opinion. The average user, and tech-savvy ones for that matter, are not going to keep LiveGrid displayed on their desktop to monitor the execution of every process startup. Since the process has already started, if it was a 0-day malicious process that evaded heuristic analysis, it is "game over" anyway.

Bringing AMS into the discussion, its purpose is to monitor API activity related to memory injection/modification. Assume that sig detection of injected code into another process is negative. If the process doing the memory injection is "unknown," is that not suspicious activity? Should not the LiveGrid process status at this point be upgraded to "risky," the process suspended, an alert generated, and the user given an option to terminate and quarantine the process? Exceptions can be programmed for validly signed "unknown" executables, including Win system files, although it is a well-known fact that signed malware exists.

Edited by itman
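To make the two proposals in this thread concrete (persian-boy's signer allow-list for unknown-level files, and itman's escalation of an "unknown" process to "risky" once it injects into another process), here is an added Python model of that combined policy. It is illustrative code written for this discussion, not ESET's code and not a description of how LiveGrid actually decides; the risk scale is the 1 (Fine) to 9 (Risky) one quoted from ESET help above, while the `ProcessEvent` fields, the `TRUSTED_SIGNERS` list and the sample events are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Risk scale as quoted from the ESET help text in the thread: 1 = Fine (green) ... 9 = Risky (red).
FINE, RISKY = 1, 9
# Hypothetical publisher allow-list (persian-boy's "x, y, z" signers), constructed for this example.
TRUSTED_SIGNERS = {"Microsoft Windows", "Example Software Ltd"}


@dataclass
class ProcessEvent:
    image: str
    signer: Optional[str]   # verified publisher name; None if unsigned or the signature is invalid
    risk: int               # reputation risk level, 1..9
    injects: bool = False   # AMS-style observation: the process wrote code into another process


def decide(ev: ProcessEvent) -> Tuple[str, int]:
    """Return (verdict, effective_risk) for one process start.
    Policy modelled on the two proposals in the thread, not on ESET's actual logic:
      risk 1 (whitelisted)                        -> allow
      risk 9 (already blacklisted)                -> block
      unknown level, injects, signer not trusted  -> escalate to 9, suspend and ask the user
      unknown level, trusted signer               -> allow (the allow-list exception)
      any other unknown level                     -> ask the user
    """
    if not FINE <= ev.risk <= RISKY:
        raise ValueError(f"{ev.image}: risk level must be 1..9, got {ev.risk}")
    if ev.risk == FINE:
        return "allow", ev.risk
    if ev.risk == RISKY:
        return "block", ev.risk
    if ev.injects and ev.signer not in TRUSTED_SIGNERS:
        return "ask", RISKY   # escalated: alert, offer to terminate and quarantine
    if ev.signer in TRUSTED_SIGNERS:
        return "allow", ev.risk
    return "ask", ev.risk


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ProcessEvent("notepad.exe", "Microsoft Windows", FINE),
    ProcessEvent("updater.exe", "Example Software Ltd", 5),
    ProcessEvent("newtool.exe", None, 5),
    ProcessEvent("dropper.exe", None, 5, injects=True),
    ProcessEvent("known_bad.exe", None, RISKY),
]


def triage(events: List[ProcessEvent]) -> List[Tuple[str, str, int]]:
    """Apply the policy to a batch; returns (image, verdict, effective_risk) rows."""
    return [(ev.image, *decide(ev)) for ev in events]
```

Running `triage(SAMPLE_EVENTS)` shows the one case neither proposal alone covers: the unsigned, unknown-level `dropper.exe` is allowed by reputation alone but is escalated to "ask" at level 9 as soon as injection is observed.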
  • Most Valued Members
Posted
4 hours ago, persian-boy said:

Yeah, I saw that myself.
But we can have a digital signatures list and tell LiveGrid: if the file is from x, y, z and it has an unknown level then let it run, otherwise block it or ask the user? It works better. I know Eset will not do that; I'm just saying it's better XD.

This is sad! Eset is ignoring others because a novice user is also using Eset products and he/she can't handle the alerts :P
Eset is sacrificing security and others for novice users :D

I've not really looked into LiveGrid and SysInspector and the like, so I don't know much about it. A way to get alerts would be handy, but it would have to be disabled by default, and I understand why Eset has done what they have done.

For example, many people have gotten confused with the alerts for expired certificates appearing on certain websites, which ask the user to make a decision, e.g. ignore or block. The problem is the average user wants their security product to block the bad stuff and allow the good stuff. They see it as the job of the software to distinguish between the two. Adding a choice could cause more issues, e.g. something is seen as possibly suspicious but it isn't, and the user decides to block/delete etc. The user would in turn blame the security program and, as you can gather, the program would suffer from more false positives. It's the tricky part of finding a balance.

Posted (edited)
1 hour ago, peteyt said:

The problem is the average user wants their security product to block the bad stuff and allow the good stuff. They see it the job of the software to distinguish between the two.

In a perfect anti-malware world, I would agree with you 100%. The problem is malware is getting increasingly sophisticated in its attacks. Case in point is the hijacking of legit Windows system processes to execute their malware. Legit software updates are being hijacked to deliver backdoors. The list goes on and on. The AV vendors including Eset are doing their best to keep up with the onslaught. The problem is there are thousands of hackers but only a dozen or so AV vendors. Throw in rogue nation states that have armies of skilled hackers. Latest stats I saw note millions of new malware samples are created on a daily basis. Granted many of those are variants. However, the odds are overwhelming that undetected malware is going to slip through your security solution's standard deployed defenses.

Edited by itman
Posted
5 hours ago, itman said:

A screen shot would help here.

I don't have one because it was 2 days ago :-( but there is a Chinese forum that shares new samples.

5 hours ago, itman said:

As I explained to you via PM,

I know, and thanks, but I just wanted to ask Eset to make this AV more effective...

5 hours ago, itman said:

An application marked as Unknown (orange) is not necessarily malicious software.

Thanks, I also wanted to know what that orange means!

4 hours ago, itman said:

will alert on a "risky" process prior to execution

Same question here!
Does Eset at least give some alerts for risky files?! Or processes?!

1 hour ago, peteyt said:

the average user wants their security product to block the bad stuff and allow the good stuff

Mate, I'm an average user and I want to make the decisions by myself! I can't work with PowerShell, I don't know how to handle a BSOD, I don't know much about the registry! So I'm an average user.
The guy you mentioned is not an average user, he is a novice user! Even a 5-year-old kid can read the alerts and decide! I mean, it's not that hard! It would be easy with practice!

  • Most Valued Members
Posted
49 minutes ago, itman said:

In a perfect anti-malware world, I would agree with you 100%. The problem is malware is getting increasingly sophisticated in its attacks. Case in point is the hijacking of legit Windows system processes to execute their malware. Legit software updates are being hijacked to deliver backdoors. The list goes on and on. The AV vendors including Eset are doing their best to keep up with the onslaught. The problem is there are thousands of hackers but only a dozen or so AV vendors. Throw in rogue nation states that have armies of skilled hackers. Latest stats I saw note millions of new malware samples are created on a daily basis. Granted many of those are variants. However, the odds are overwhelming that undetected malware is going to slip through your security solution's standard deployed defenses.

 

47 minutes ago, persian-boy said:

Mate, I'm an average user and I want to make the decisions by myself! I can't work with PowerShell, I don't know how to handle a BSOD, I don't know much about the registry! So I'm an average user.
The guy you mentioned is not an average user, he is a novice user! Even a 5-year-old kid can read the alerts and decide! I mean, it's not that hard! It would be easy with practice!

I wouldn't class yourself as an average user. As far as I know, most average users, for example, would leave HIPS alone. I don't use it, as there are too many popups and I could allow/block the wrong thing. Hell, I know a decent amount of computer stuff, self-taught etc. I never get infected these days because I know what to look out for, partly due to learning from my mistakes.

My point is, what happens if something suspicious turned out to actually be safe, but was also an important file that caused issues by being removed?

From my experience there are lots of people who don't understand security e.g. they expect their security program to work 100 percent, they click dodgy links each time because they are protected etc. These are the people who probably would be unsure what to do if something was marked as suspicious.

I do partly agree with you; there should be a way to do what you want to do, but at the same time I get why Eset are doing it.
