Is ESET discovering Malware ?


Patrice


Hi to all,

I have used ESET Smart Security for years, and got several individual licences for my customers.

I was quite proud of it until last week, when a customer got infected by a ransomware named LUKITUS.

All files she had access to have been compromised.

I checked whether the software version and the virus list were up to date, and they were, and ran an analysis, and nothing was discovered.

I then installed Malwarebytes, which immediately discovered LUKITUS and put it into quarantine. But too late :(

Now, as ransom viruses are coming out more and more, the real question is: is ESET not enough?

I always thought that putting on 3 condoms was useless, just need to purchase a branded expensive one.

Is it my mistake?

Thanks for your reactions.

Patrice


  • Administrators

It was Locky ransomware that encrypts files. ESET is very good at detecting it as well as other Filecoders.

First of all, there's no security solution that could protect users from 100% of threats. Especially if ransomware downloaders spread quickly and download the payload from fresh URLs. There are many variables and factors that may affect detection, such as an old AV product, a misconfigured AV, an attacker remoting in via RDP and disabling the AV, etc.

If possible, get ELC logs as per the instructions in the FAQ section at the right-hand side of this forum, run it on your customer's computer and provide me with the generated zip file.


3 hours ago, Patrice said:

I checked whether the software version and the virus list were up to date, and they were, and ran an analysis, and nothing was discovered.

What version of Windows was used; Win 7, 8, or 10?


On 9/2/2017 at 7:42 AM, Patrice said:


Hello,
NO, they don't have any malware researchers, they only drink coffee and watch TV series at work :-)
They are discovering new threats like the others, but there is no 100% protection rate because nothing can save the user from his/her stupidity.
In the first place, your customer needs to learn how to use Windows and how to tweak it, and then try to work with HIPS and the firewall in interactive mode.
I'm sure if I test that ransomware on my machine the ESET HIPS will catch it (real-time protection and signatures off, using only HIPS).
You just need to take time and learn how to use it, or dig into the settings and configure it manually, because ESET in default settings is not that strong.
Memory protection, HIPS, exploit blocker, signatures, light behavior blocker, IDS in the firewall and more... so it has everything, the user just needs to configure it!
But for your concern, you can try to use vs (free) or Rehips (my config is ESET+Rehips) alongside ESET and you are good to go.


In regards to Locky ransomware, there is a new variant that does the following:

Quote

 

On-close Word macro campaign

According to Rivero, during the past week, Locky affiliate #5 has pushed a malicious spam wave spreading Word documents laced with macro scripts.

If this were it, this would have been nothing new, as this is the most prevalent malware distribution trick out there. By clever messages embedded in the Word document, users are enticed to enable macros inside the Word file to support newer features and/or to show new content.

Usually, enabling macros triggers a malicious script embedded in the document, which eventually installs malware. This week, Rivero spotted a Word document that behaved differently and didn't execute the malicious script until the user closed the file.

While this doesn't make a difference for victims, since they are in trouble from the moment they enabled macros inside Word, this small trick makes a huge difference when it comes to security scanners.

"For analysis purposes, many sandboxes lower the security settings of various applications and enable macros by default, which allows for the automated capture of the malicious payload," Rivero explains the difference. "We ascertain that in their current form, the malicious documents are likely to exhibit a harmless behavior in many sandboxes while still infecting end users that would logically close the file when they realize there is nothing to be seen."

 

Ref.: https://www.bleepingcomputer.com/news/security/boobytrapped-word-file-installs-locky-ransomware-when-you-close-the-document/

Edited by itman

2 hours ago, persian-boy said:

You just need to take time and learn how to use it, or dig into the settings and configure it manually, because ESET in default settings is not that strong.
Memory protection, HIPS, exploit blocker, signatures, light behavior blocker, IDS in the firewall and more... so it has everything, the user just needs to configure it!

Why exactly does an average user have to "take time and learn how to use it, or dig into the settings and configure it manually, because ESET in default settings is not that strong"? Why are the default settings not strong enough?

I really believe this is a stupid approach, to tell the user "you just need to configure it!"...

On 9/2/2017 at 11:37 AM, Marcos said:

First of all, there's no security solution that could protect users from 100% of threats.

It is not the first time ESET has missed a ransomware detection, in spite of having a "dedicated" anti-ransomware module which should detect these based on behavior rather than signatures...

Each day I am more and more disappointed...


22 minutes ago, John Alex said:

It is not the first time ESET has missed a ransomware detection, in spite of having a "dedicated" anti-ransomware module which should detect these based on behavior rather than signatures...

Each day I am more and more disappointed...

From my perspective, it is really, really hard to distinguish ransomware from normal software (without proper use of a reputation system). Misused archive software can easily act much like ransomware; imagine a user zipping a batch of photos in a document folder with a password and deleting the original files. Ironically, some big vendors' ransomware protection is tuned to be so sensitive that even this legitimate software and these actions will be blocked and quarantined automatically.

Currently I just use custom HIPS file access rules to serve as the last defense against these attacks. But it is annoying. Users hate to be asked frequently, and sometimes even if the antivirus asks the question, users might still give the wrong answer. The default settings are merely a balance between security and usability for normal users.


  • Administrators
3 hours ago, John Alex said:

It is not the first time ESET has missed a ransomware detection, in spite of having a "dedicated" anti-ransomware module which should detect these based on behavior rather than signatures...

Each day I am more and more disappointed...

First of all, you made this conclusion without knowing all facts. We don't know how ESET was configured, if the user had a recent version of the program installed, if it wasn't disabled by an attacker or malware due to being run with administrator rights, etc.

Believing that there's a security solution that detects 100% of malware is a utopia. You could search for such an AV until the end of your life and you'd always be disappointed that every AV failed to detect some threat.


  • Most Valued Members
11 hours ago, John Alex said:

Why exactly does an average user have to "take time and learn how to use it, or dig into the settings and configure it manually, because ESET in default settings is not that strong"? Why are the default settings not strong enough?

I really believe this is a stupid approach, to tell the user "you just need to configure it!"...

It is not the first time ESET has missed a ransomware detection, in spite of having a "dedicated" anti-ransomware module which should detect these based on behavior rather than signatures...

Each day I am more and more disappointed...

You compared security to condoms, having a good brand rather than multiple cheaper brands. The way I have often compared security, to help people understand a bit better, is that it is like sex. If someone sleeps around without protection the risk of getting infected is high. Someone who uses protection with just one partner has a very low risk, but protection is never 100 percent, so using protection with multiple partners has more risk. It is like probability, with every extra partner you add making the probability rise.

Security is like this. I obviously do not know the user who got infected, but I see a lot of people who think that they can visit risky sites because they are protected, and they may take bigger risks, e.g. opening email attachments from unknown senders. Think of an AV like the human body. Even with treatments, drugs, injections etc., sometimes things go wrong.

An antivirus is important but as it will never be 100 percent users should also take security into their own hands. Avoid opening suspicious stuff for example, stick to trusted sites etc.


5 minutes ago, peteyt said:


No offence taken for the comparison to condoms.

Thanks for your many replies.

I mostly agree with all of you, and think we don't control users' behavior, despite any education we can give and even if they try.

At risk or not, users are victims of viruses, and making them feel guilty doesn't help.

In the case of my customer, she receives a lot of emails daily and says she never opens one she was not expecting.

I however believe she opened one from DHL (which I already identified a long time ago as a vehicle for viruses) or from someone else, as she was expecting some data from them.

She only realized the impact of the Lukitus virus 2 days later, when looking for a file.

I wouldn't even qualify her as at risk, but as a real victim.

I found this very interesting post on the ESET forum: https://forum.eset.com/topic/1714-eset-and-malwarebytes-comparison/

and I think I will have to purchase Malwarebytes along with ESET.

Thanks again, and sorry for my poor English.

Patrice


10 hours ago, Patrice said:

I however believe she opened one from DHL (which I already identified a long time ago as a vehicle for viruses) or from someone else, as she was expecting some data from them.

Besides the current Locky ransomware detail I posted previously, there are multiple massive Locky ransomware spam campaigns underway. Before I get into that, Eset's e-mail scanner is effective at detecting malware. Below is a DHL malicious e-mail that it detected on my installation. Also, and obviously, this one slipped through my ISP's e-mail scanner:

[Image: Eset_DHL.png, screenshot of the detected DHL e-mail]

An example of ransomware being delivered by one of these spam campaigns is given below:

Quote

***UPDATE*** In the past 24 hours we have seen over 23 million messages sent in this attack, making it one of the largest malware campaigns that we have seen in the latter half of 2017.

Each message comes with a ZIP attachment that contains a Visual Basic Script (VBS) file that is nested inside a secondary ZIP file. Once clicked, VBS file initiates a downloader that reaches out to greatesthits[dot]mygoldmusic[dotcom] to pull down the latest Locky Ransomware. Locky goes to work encrypting all the files on the target system and appending [.]lukitus to the users now encrypted files.

Ref.: https://blog.appriver.com/2017/08/locky-ransomware-attacks-increase/

-EDITED- to reflect that the malicious script in question could have been a .vba or a .vbs script. Sorry, I was rushing when I posted this.

In theory, Eset should detect the above since it will scan archives to 10 levels deep. The question is whether it had a signature for the downloader used in the attack. Also, the .vba script could have been packed, encrypted, and obfuscated.

Obviously, if a .vba script was employed, the e-mail was an MS Word document. If the recipient opened the document in Protected View, which I assume was the case, the script would not have run. If tricked into opening the document outside of PV, or doing so by design, the script would still not have run if the VBA option was disabled in Word's security settings.

Bottom line - VBA scripts are a real bugger since they are only used in the MS Office environment.

If the malicious script was indeed a .vbs script and the target's OS was Win 10, then Eset would have employed AMSI to scan the script. However, if the script was coded in such a way that it was not fully deobfuscated at the time of Eset's scan, or Eset didn't have a signature for it, then it could have slipped by Eset's scan of it.

That then leaves AMS as the only detection mechanism, which is post-execution detection.

Edited by itman
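As an added example, written for this thread and not taken from any poster or from ESET's own code: a Python check that opens a mail attachment the way the post above describes the archive scanner working, recursing into ZIP containers up to a ten-level limit and flagging script files such as the .vbs nested in two ZIP layers in the quoted campaign; it goes one step beyond the post by also opening OOXML Office files (which are ZIPs) and flagging an embedded VBA project. The extension lists, the depth limit as a cut-off and the sample archives are constructed assumptions.

```python
import io
import zipfile

# Attachment payload types worth flagging; the quoted AppRiver campaign delivered
# a .vbs nested two ZIP layers deep. This extension list is an assumption.
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1", ".bat", ".cmd")
# Containers the check opens: plain ZIPs plus OOXML Office files, which are ZIPs too.
CONTAINER_EXTENSIONS = (".zip", ".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm")
MACRO_MARKER = "vbaproject.bin"   # OOXML keeps the VBA project in word/vbaProject.bin
MAX_DEPTH = 10                    # archive nesting depth the post attributes to ESET


def find_scripts_in_archive(data, max_depth=MAX_DEPTH, _path="", _depth=0):
    """Walk a ZIP and every ZIP it contains, up to max_depth layers.
    Returns (findings, hit_depth_limit): findings are inner paths such as
    'layer1.zip/invoice.vbs'; hit_depth_limit is True when a container sat
    deeper than the scanner would look, which is itself worth alerting on."""
    findings, hit_limit = [], False
    if _depth >= max_depth:
        return findings, True
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings, False          # not a ZIP (or corrupt): nothing to walk
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            full = f"{_path}/{info.filename}" if _path else info.filename
            name = info.filename.lower()
            if name.endswith(SCRIPT_EXTENSIONS) or name.endswith(MACRO_MARKER):
                findings.append(full)
            elif name.endswith(CONTAINER_EXTENSIONS):
                try:
                    inner_bytes = zf.read(info)
                except RuntimeError:       # password-protected entry: cannot be inspected
                    findings.append(full + " (encrypted, not inspected)")
                    continue
                inner, limited = find_scripts_in_archive(inner_bytes, max_depth, full, _depth + 1)
                findings.extend(inner)
                hit_limit = hit_limit or limited
    return findings, hit_limit


def build_nested_zip(levels, payload_name, payload):
    """Constructed sample: payload wrapped in `levels` ZIP layers (1 = a plain ZIP)."""
    data, name = payload, payload_name
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"layer{i + 1}.zip"
    return data


def build_macro_doc_sample():
    """Constructed sample: a ZIP holding a .docm that carries a (dummy) VBA project."""
    doc = build_nested_zip(1, "word/vbaProject.bin", b"dummy vba project")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("resume.docm", doc)
    return buf.getvalue()


if __name__ == "__main__":
    print(find_scripts_in_archive(build_nested_zip(2, "invoice.vbs", b"WScript.Echo 1")))
    print(find_scripts_in_archive(build_nested_zip(11, "invoice.vbs", b"WScript.Echo 1")))
    print(find_scripts_in_archive(build_macro_doc_sample()))
```

A mail gateway or EDR rule would treat any non-empty findings list, or hit_depth_limit being True, as a reason to hold the attachment for review.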

1 hour ago, Patrice said:

I think I will have to purchase Malwarebytes along with ESET.

Don't waste your money. The report you referenced is 3 years old. MBAM has slipped considerably in protection in recent years.

See this recent test of it to see how much so: https://www.mrg-effitas.com/wp-content/uploads/2017/08/MRG-Effitas-360-Assessment_2017_Q2_wm.pdf


I don't completely get the purpose of this topic.

So Malwarebytes detected something that ESET didn't detect. Is that such a big deal?

It's like you think ESET isn't good anymore, or is having a worse time or something.

Which is not the case, as even if another AV detected something before ESET, it can also be the case that ESET detects the virus before the other AV vendor.

It doesn't mean ESET is bad.


  • Administrators
Just now, Arik said:

So malwarebytes detected something that ESET didn't detect Is that such a big deal?

We still don't know if the stuff detected by MBAM is really subject to detection. It could be a false positive, innocuous registry remnants or files, etc.


Just now, Marcos said:

We still don't know if the stuff detected by MBAM is really subject to detection. It could be a false positive, innocuous registry remnants or files, etc.

True. My point is that I don't want people to think that MBAM is better than ESET because it detected something that ESET didn't detect.

But like you said, it could be a false positive,

and if it is, then it's a bit of a bad point for MBAM, as I think everyone hates FPs.


4 hours ago, Patrice said:

I mostly agree with all of you, and think we don't control users' behavior, despite any education we can give and even if they try.

At risk or not, users are victims of viruses, and making them feel guilty doesn't help.

I agree with you, and ransomware phishing (FedEx, UPS, DHL, résumé, friends or co-worker email) has become much more sophisticated, especially after the massive Yahoo service data breaches (1 billion Yahoo accounts were hacked). I also received some phishing emails using the full names of business partners, co-workers and friends.

Cyber criminals use vulnerabilities in PDF and MS Word documents. For example, if you open a résumé file (PDF or MS Word), your system can be infected without your knowledge. Employees who receive tons of emails daily can make a mistake and click or open a file accidentally at any time, even though they got cybersecurity education.

But it's pointless to argue that Malwarebytes can detect that or ESET can detect this... etc. at this point. If you send ELC logs to ESET staff, then people who use ESET products will benefit. I usually report financial malware and adware which ESET missed.

ESET products show decent detection rate results for ransomware all the time, but they do not have a strong behavior-based detection system like Symantec SONAR or Kaspersky System Watcher for unknown malware (e.g. new ransomware variants), and most non-technical people find it difficult to use ESET's HIPS (Host Intrusion Prevention System) rules.

You have to pay to use Malwarebytes' real-time scan components. You can try CheckMAL AppCheck Anti-Ransomware free edition (it is free for personal use). It works with ESET products.

Just my 2 cents

Edited by sky7

51 minutes ago, sky7 said:

Anti-Ransomware free edition (it is free for personal use). It works with ESET products.

I do not get it: why do I have to use a free product (Anti-Ransomware free edition) to work with a paid product (ESET) which has a dedicated anti-ransomware module in the latest version (ver10)?


Edited by Marcos
Formatting adjusted

  • Administrators
22 minutes ago, John Alex said:

I do not get it: why do I have to use a free product (Anti-Ransomware free edition) to work with a paid product (ESET) which has a dedicated anti-ransomware module in the latest version (ver10)?

You don't have to. But you can if there are no problems running the two products together.


42 minutes ago, John Alex said:

I do not get it: why do I have to use a free product (Anti-Ransomware free edition) to work with a paid product (ESET) which has a dedicated anti-ransomware module in the latest version (ver10)?

Each to his own. Of course, you don't have to, and also, why not?
CheckMAL AppCheck Anti-Ransomware free edition shows strong automatic behavior detection and provides automatic real-time backup of original files to recover files. You can add an extra layer which ESET does not provide.
It's free, and there are many quality free products. Do not think a paid product is always better than a free product; in most cases, but not always.

Edited by sky7

12 hours ago, Marcos said:


I agree with you completely.

Every AV can fail sometimes, not only ESET.


  • Most Valued Members
4 minutes ago, Arik said:

I agree with you completely.

Every av can fail sometimes Not only ESET.

Exactly. You could move to one AV because it finds something another misses but that A/V could miss something the other finds. No AV product is perfect.


Just now, peteyt said:

Exactly. You could move to one AV because it finds something another misses but that A/V could miss something the other finds. No AV product is perfect.

Yes, I agree.


  • Most Valued Members

I got one of those DHL emails. I have my email client set to only present a "Preview", so I didn't receive any warnings at all. One look at the preview had me hitting delete immediately.

I never open attachments unless it's something I requested. That sort of makes me the final filter. Common sense is your best protection. When in doubt... don't. In my opinion people have become far more complacent about security on their devices. They give it less thought than they do when changing channels on a TV. Someone said that it should not be necessary to learn about Eset's configuration. If people would give their security software a fraction of the time they've spent learning about Facebook, tweets and any other software on their system, they would be far better off.

With regard to MBAM: I removed it, it presented way too many headaches. As soon as I find someone that I dislike enough, I'll give them my lifetime license.
