How is ESET the lightest?


Super_Spartan

2 hours ago, John Alex said:

SmartScreenFilter offers adequate protection in IE11, in my opinion.

It offers moderate protection at best.

Recent research into SmartScreen protection given here: https://acmccs.github.io/papers/p1435-kimA.pdf noted the following:

1. SmartScreen gives instant OK reputational status to any download executable with EV certificate status.

2. Malware can also be signed with a "malformed" certificate, i.e. a certificate copied from a legit Win executable. Whereas SmartScreen will detect the malformed certificate as long as the download is in executable status, this validation can be bypassed by simply stripping the .exe status from the download. This means the malware attack could later rename the download with the .exe suffix. Whereas Win 10's native SmartScreen processing would rescan the renamed file upon execution, this also could be bypassed by removing the "Mark of the Web" status from the renamed download.

Additionally, there is a recently published POC bypass here: https://pentestlab.blog/2017/11/06/hijacking-digital-signatures/ that will allow an attacker to locally validly sign a download with a malformed certificate as long as admin privileges can be gained.

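Added example, not part of the original posts or of any vendor's code: a defender-side triage check for the two conditions described in the post above, a download whose content is a PE image but whose name has no executable extension, and a PE file that carries no Mark of the Web. The function names, finding labels, extension watch list and sample inputs are assumptions constructed for illustration.

```python
import configparser
import os
import struct

EXEC_EXTS = {".exe", ".dll", ".scr", ".com", ".sys"}  # assumed watch list

# Constructed sample: minimal MZ header whose e_lfanew (offset 0x3C) points at "PE\0\0".
SAMPLE_PE = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"
# Constructed sample of a Zone.Identifier stream (ZoneId 3 = Internet zone).
SAMPLE_MOTW = "[ZoneTransfer]\nZoneId=3\nHostUrl=https://example.test/invoice.dat\n"

def is_pe(data):
    """True if data has an MZ header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def zone_id(stream_text):
    """Parse Zone.Identifier text; None when the stream is absent or malformed."""
    if not stream_text:
        return None
    parser = configparser.ConfigParser(interpolation=None)  # URLs may contain '%'
    try:
        parser.read_string(stream_text)
        return parser.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None

def triage(name, data, stream_text):
    """Return finding labels for one file; non-PE content yields no findings."""
    if not is_pe(data):
        return []
    findings = []
    if os.path.splitext(name)[1].lower() not in EXEC_EXTS:
        findings.append("pe-content-without-executable-extension")
    zone = zone_id(stream_text)
    if zone is None:
        findings.append("no-mark-of-the-web")
    elif zone >= 3:
        findings.append("downloaded-from-internet-zone")
    return findings

if __name__ == "__main__":
    for name, data, motw in [("invoice.dat", SAMPLE_PE, SAMPLE_MOTW),
                             ("invoice.exe", SAMPLE_PE, None),
                             ("notes.txt", b"plain text", None)]:
        print(name, triage(name, data, motw))
```

On an NTFS volume the stream text for a real file can be read in Python on Windows with `open(path + ":Zone.Identifier")`, which raises `FileNotFoundError` when the file has no such stream.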
59 minutes ago, peteyt said:

I presume the filename would be different, so just delete the old one once you know everything works okay.

Sir,

After a successful "clean", I will have a cleaned file in the original location and an original one, infected, in "Quarantine".

Both of them will have the same name; there is no OLD or NEW one.

2 hours ago, Marcos said:

1, Users should not look into quarantine unless

Well, I manage several family computers and every month I check how they work and whether anything has been detected; this is the time to search the quarantine.

At this time I will find a file, let's say test.exe, removed from C / Program files / test.exe, but at the same time, the file (cleaned) is still there.

That can create confusion: has the file really been removed? Is the file persistent and restored by itself? Did ESET restore the file after figuring out it is a FP?

1 hour ago, John Alex said:

Sir,

After a successful "clean", I will have a cleaned file in the original location and an original one, infected, in "Quarantine".

Both of them will have the same name; there is no OLD or NEW one.

Well, I manage several family computers and every month I check how they work and whether anything has been detected; this is the time to search the quarantine.

At this time I will find a file, let's say test.exe, removed from C / Program files / test.exe, but at the same time, the file (cleaned) is still there.

That can create confusion: has the file really been removed? Is the file persistent and restored by itself? Did ESET restore the file after figuring out it is a FP?

Just delete the quarantined file if the program appears okay now. Maybe, to avoid any confusion, ESET could simply mention a bit more information, e.g. the fact it was cleaned, the reason why, and the fact this is the original, or something.


Archived

This topic is now archived and is closed to further replies.
