galaxy 11 Posted January 17, 2018 Posted January 17, 2018 (edited) Leider wieder mit Ransomware befallen Es scheitert oft mit Ransomware What do you say to that? Edited January 17, 2018 by Marcos A vs B comparisons are against forum rules, video removed
Most Valued Members cyberhash 201 Posted January 17, 2018
Hmm what can be said. It's obviously 2 different sets of malware samples, run on 2 totally different systems. I don't see what the relationship is here

galaxy 11 Author Posted January 17, 2018
ESET fails, that's the point. I can show you some videos

Most Valued Members cyberhash 201 Posted January 17, 2018
7 minutes ago, galaxy said: ESET fails, that's the point. I can show you some videos
But it's two different sets of samples on 2 different systems, and the video you have posted showing EIS is from November 2017. It's now Jan 2018

Administrators Marcos 5,468 Posted January 17, 2018
13 minutes ago, galaxy said: ESET fails, that's the point. I can show you some videos
Great. You have just proved that no AV can detect 100% of threats but this has been well known for ages. However, this testing scenario bypasses one important protection layer - Web access protection which can:
- block addresses or domains that are known to host malware
- scan files with higher sensitivity utilizing more paranoid detections
- scan files completely (in case of archives / sfx archives and files packed with a runtime packer or protector).
Also disabling real-time protection before copying samples bypasses more thorough scanning by real-time protection:
- newly created files are scanned utilizing advanced heuristics
- newly created files are scanned more deeply in cases of NSIS or other SFX archives like in this case.
Having said that, it's likely that in a real-world scenario the user would not have gotten infected as the malware could be stopped by web access or real-time protection when the file was being created.

galaxy 11 Author Posted January 17, 2018
It's always like that with ESET... The samples are almost the same

Administrators Marcos 5,468 Posted January 17, 2018
3 minutes ago, galaxy said: One of the strangest things about ESET is the exclusion of false positives. The system is too convoluted and unnecessary. Not at all intuitive. Maybe it is to somewhat discourage the exclusion altogether as someone might inadvertently exclude a real threat, but overall it is a very odd and obtuse way to handle exclusions.
What false positives do you mean? ESET is known for an extremely low number of false positives so you virtually should never make any exclusions. Even then, excluding a file or folder is pretty straightforward - Advanced setup -> Antivirus -> Exclusions (Edit). Anyways, let's not mix different things here. You started with ransomware so if you want to discuss exclusions or false positives, let's create a new topic.

galaxy 11 Author Posted January 17, 2018
I like to stay with the topic. But as you can see in the video, ESET with Ransomware really has its problems. For new variants ESET has often failed

Most Valued Members cyberhash 201 Posted January 17, 2018
9 minutes ago, galaxy said: It's always like that with ESET... The samples are almost the same
ALMOST does not equate to the same. Plus anyone with a bit of knowledge could rework a bit of code to bypass every A/V product in the market, record a video and present it as some type of unbiased result showing a failure. Some re-tweaked code on a single test machine does not actually represent what is out in the wild, or what an average user is likely to encounter.

galaxy 11 Author Posted January 17, 2018 (edited)
I can show you more videos where it fails against ransomware; it does a good job, but it still needs to be improved. They are the same samples
Edited January 17, 2018 by galaxy

persian-boy 22 Posted January 17, 2018
1 - He didn't tweak the Antivirus which is necessary!
2 - Detection of potentially unsafe programs is disabled.
3 - Advanced heuristics/DNA is also disabled by default
4 - Firewall should be set in interactive mode otherwise it will allow every connection.
Btw Eset has a HIPS to protect your files from write, delete, copy! Why don't you place your important files under the protection of HIPS? It's not Eset's fault if you don't know how to work with your AV! The protection is there but seems that tester is blind :D He just tested the Eset cloud! What about other security layers?!

Most Valued Members cyberhash 201 Posted January 17, 2018
2 minutes ago, galaxy said: I can show you more than just 1 video where it fails against ransomware, it does a good job, but it needs to be improved
I don't doubt for a moment that you could show me (us all) more videos that can illustrate something bypassing ANY security suite. But you could put your findings to better use and submit the samples to ESET for them to be detected in the future and then there would be no need to show the video. Makes sense

galaxy 11 Author Posted January 17, 2018
I backed up all important data, backed up the HIPS setting, set filters

Administrators Marcos 5,468 Posted January 17, 2018
As I have already stated in one of my posts above, disabling real-time protection, copying samples and running them after re-enabling real-time protection is not a real-world scenario. In the real world, the web access protection would have come into play first and might have already blocked the ransomware. Also while copying files, they are scanned more deeply, especially if it's a sfx archive like it was an NSIS archive in this case (note the NSIS/Injector detection in the video which could have normally been triggered earlier if samples were not copied with real-time protection disabled).
To sum it up:
1, There's no security protection that can protect you from 100% of malware. This is also a reason why administrators of larger networks should also use EDR solutions like ESET Enterprise Inspector which is going to be introduced this year and which can alert administrators about indicators of compromise.
2, The test was not performed in real-world conditions. An important protection layer - web access protection - was skipped which might have normally blocked the threat.

galaxy 11 Author Posted January 18, 2018 (edited)
Well, ESET is alright, but it should get better
Edited January 18, 2018 by galaxy

novice 20 Posted January 18, 2018 (edited)
19 hours ago, Marcos said: 2, The test was not performed in real-world conditions. An important protection layer - web access protection - was skipped which might have normally blocked the threat.
ESET has a DEDICATED ANTIRANSOMWARE MODULE and the test was intended to check the efficiency of this particular module; web access protection has nothing to do with this. It is like saying that you got flu despite being vaccinated, because you did not wash your hands.
Edited January 18, 2018 by John Alex

galaxy 11 Author Posted January 18, 2018 (edited)
That's just how I see it, that should not happen and is exactly what I mean
Edited January 18, 2018 by galaxy

ESET Moderators Peter Randziak 1,186 Posted January 18, 2018
Hello guys, the Ransomware Shield is another layer of protection added. As you know we used a layered approach so even if one layer does not detect the threat, there are others to do so, moreover some layers need the others to work completely. So even in case you have been vaccinated, you probably won't stop washing your hands.
Regards, P.R.

Administrators Marcos 5,468 Posted January 18, 2018
3 hours ago, John Alex said: ESET has a dedicated antiransomware module and the test was intended to check the efficiency of this particular module; web access protection has nothing to do with this.
As we probably all agree, there's no security software in the world with 100% malware detection despite having Antivirus and antimalware protection modules. It's similar with ransomware shields - there's not a single security product that could prevent malicious data encryption without blocking also benign applications. In this case, the tester bypassed an important protection layer - web access protection which would have likely prevented the malware even from being downloaded. Another protection that was bypassed by copying files with real-time protection disabled is scanning of newly created files by real-time protection which is done with advanced heuristics when also sfx archives are scanned internally (which was also this case - an NSIS installer).
ESET provides complete protection utilizing various protection layers and modules which interact with each other. Disabling a particular protection module (e.g. real-time protection) may substantially affect other modules (e.g. HIPS/AMS/Ransomware shield, etc.). All protection modules must be enabled and working in order for a product to provide maximum protection.

itman 1,808 Posted January 18, 2018
Personally, I think responding to bypasses like this is a waste of time. It is obvious that the posters don't want to take the time to understand that Eset's protections are proactive - not reactive - and are designed to keep ransomware from running on a device in the first place.

Most Valued Members peteyt 396 Posted January 18, 2018
On 17/01/2018 at 12:57 PM, galaxy said: Unfortunately infected with ransomware again. It often fails with ransomware. What do you say to that?
As many have brought up there are many issues with the video. For example, the video shows it is version 11, but I couldn't see the actual version, e.g. 11.1, 11.2 etc. Also the user didn't run an update and the video is a few months old.
The big problem as I have mentioned when things like this are brought up by other specific users, is that these tests can be easily rigged. No security program is perfect and I've seen people run test videos where one AV misses some viruses so they run another one to remove the leftovers and often another one and so on because no AV is perfect. I could easily make a video showing one AV to be great at protecting from ransomware by using samples I know will be detected while at the same time are not detected by another one, so that other one ends up looking bad - however I could then turn it around and find one that would now make the bad one look good and the good one look bad.
As mentioned it does not help that these tests seen on youtube often do not represent real usage - for example no one should be downloading multiple malware samples and then turning off settings to make sure they don't originally get caught. As Marcos has mentioned, the fact the settings had to be disabled shows that actually the test is not showing all protection parts. Eset will always try and block users from downloading malware in the first place. Disabling protection layers will always put you at risk.

itman 1,808 Posted January 18, 2018 (edited)
Maybe this will "put to bed" the notion that Eset lacks behavior detection capability in regards to ransomware detection. The latest Malware Research Group AV lab 360 test which is a realtime capability test using the most recent malware samples is here: https://www.mrg-effitas.com/wp-content/uploads/2017/12/MRG_Effitas_360_Assessment_2017_Q3-1.pdf. Of the samples used, 50 were ransomware as noted below:
Quote: Testing was conducted as per the methodology detailed in Appendix 1. In total, 351 live ITW samples were used. The stimulus load comprised the following: 189 trojans, 30 backdoors, 80 financial malware samples, 50 ransomware samples, and 2 others.
Of the 50 ransomware samples tested, 49 were detected by Eset prior to execution. However, one sample was detected by behavior means. So Eset does indeed have protection mechanisms in place to prevent ransomware-like activities post-execution.
However as previously noted if one decides to arbitrarily and selectively disable Eset protection mechanisms; state that the product can't detect a locally run malware sample; then frankly, the tester doesn't know what he is doing and any conclusions drawn as to Eset's effectiveness are erroneous.
Edited January 19, 2018 by itman

galaxy 11 Author Posted January 19, 2018
I have secured everything with the HIPS function