Jump to content

ESET vs Ransomware


galaxy
 Share

Recommended Posts

Leider wieder mit Ransomware befallen

Es scheitert oft mit Ransomware

What do you say to that?

 

Edited by Marcos
A vs B comparisons are against forum rules, video removed
Link to comment
Share on other sites

  • Most Valued Members

Hmm what can be said.

It's obviously 2 different sets of malware samples , ran on 2 totally different systems.

I don't see what the relationship is here :wacko:

Link to comment
Share on other sites

  • Most Valued Members
7 minutes ago, galaxy said:

ESET fails, that's the point. I can show you some videos

But it's two different sets of samples on 2 different systems, and the video you have posted showing EIS is from November 2017. It's now Jan 2018 ;)


 

Link to comment
Share on other sites

  • Administrators
13 minutes ago, galaxy said:

ESET fails, that's the point. I can show you some videos

Great :) You have just proved that no AV can detect 100% of threats but this has been well known for ages. However, this testing scenario bypasses one important protection layer - Web access protection which can:
- block addresses or domains that are known to host malware
- scan files with higher sensitivity utilizing more paranoid detections
- scan files completely (in case of archives / sfx archives and files packed with a runtime packer or protector).

Also disabling real-time protection before copying samples bypasses more thorough scanning by real-time protection:
- newly created files are scanned utilizing advanced heuristics
- newly created files are scanned more deeply in cases of NSIS or other SFX archives like in this case.

Having said that, it's likely that in real-world scenario the user would not have gotten infected as the malware could be stopped by web access or real-time protection when the file was being created.
 

Link to comment
Share on other sites

  • Administrators
3 minutes ago, galaxy said:

One of the strangest things about ESET is the exclusion of false positives. The system is too convoluted and unnecessary. Not at all intuitive. Maybe is to somewhat discurage the exclusion alltogether as someone might inadvertently exclude a real threat, but overall is a very odd and octuse way to handle exclusions.

What false positives do you mean? ESET is known for extremely low number of false positives so you virtually should never make any exclusions. Even then, excluding a file or folder is pretty straightforward - Advanced setup -> Antivirus -> Exclusions (Edit). Anyways, let's not mix different things here. You started with ransomware so if you want to discuss exclusions or false positives, let's create a new topic.

Link to comment
Share on other sites

I like to stay with the topic. But as you can see in the video, ESET with Ransomware really has its problems. For new variants ESET has often failed

Link to comment
Share on other sites

  • Most Valued Members
9 minutes ago, galaxy said:

It's always like that with ESET...

The samples are almost the same

ALMOST does not equate to the same. Plus anyone with a bit of knowledge could rework a bit of code to bypass every A/V product in the market , record a video and present it as some type of unbiased result showing a failure. Some re-tweaked code on a single test machine does not actually represent what is out in the wild, or what an average user is likely to encounter.

 

Link to comment
Share on other sites

Ich kann dir mehr Video zeigen, wo es gegen Ransomware versagt, es macht einen guten Job, aber es muss noch verbessert werden

they are the same samples

Edited by galaxy
Link to comment
Share on other sites

1-He didn't tweak the Antivurs which is necessary!
2-Detection of the potential unsafe program is disabled.
3- Advanced heuristics/DNA is also disabled by default
4-firewall should set in interactive mode otherwise it will allow every connection. 
Btw Eset has a Hips to protect your files from write, delete, copy! why don't you place your important files under the protection of Hips?It's not Eset fault if you don't know how to work with your Av!the protection is there but seems that tester is blind:D He just tested the Eset cloud! what about other security layers?!

Link to comment
Share on other sites

  • Most Valued Members
2 minutes ago, galaxy said:

I can show you more than just 1 video where it fails against ransomware, it does a good job, but it needs to be improved

I don't doubt for a moment that you could show me (us all) more videos that can illustrate something bypassing ANY security suite. But you could put your findings to better use and submit the samples to ESET for them to be detected in the future and then there would be no need to show the video :)

Makes sense :wub:

Link to comment
Share on other sites

  • Administrators

As I have already stated in one of my posts above, disabling real-time protection, copying samples and running them after re-enabling real-time protection is not a real-world scenario. In real world, the web access protection would have come into play first and might have already blocked the ransomware. Also while copying files, they are scanned more deeply, especially if it's a sfx archive like it was an NSIS archive in this case (note the NSIS/Injector detection in the video which could have normally been triggered earlier if samples were not copied with real-time protection disabled).

To sum it up:
1, There's no security protection that can protect you from 100% of malware. This is also a reason why administrators of larger networks should also user EDR solutions like ESET Enterprise Inspector which is going to be introduced this year and which can alert administrators about indicators of compromise.

2, The test was not performed in real-world conditions. An important protection layer - web access protection - was skipped which might have normally blocked the threat.

Link to comment
Share on other sites

19 hours ago, Marcos said:

2, The test was not performed in real-world conditions. An important protection layer - web access protection - was skipped which might have normally blocked the threat.

ESET has a DEDICATED ANTIRANSOMWARE MODULE and the test was intended to check the efficiency of this particular module ;web access protection has nothing to do with this.

It is like saying that you got flu despite being vaccinated , because you did not wash your hands.

Edited by John Alex
Link to comment
Share on other sites

  • ESET Moderators

Hello guys,

the Ransomware Shield is another layer of protection added.

As you know we used layered approach so even if one layer does not detect the threat, there are others to do so, moreover some layers need the others to work completely.

So even in case you have been vaccinated, you probably won't stop washing your hands.

Regards, P.R.

Link to comment
Share on other sites

  • Administrators
3 hours ago, John Alex said:

ESET has a dedicated antiransomware module and the test was intended to check the efficiency of this particular module ;web access protection has nothing to do with this.

As we probably all agree, there's no security software in the world with 100% malware detection despite having Antivirus and antimalware protection modules. It's similar with ransomware shields - there's not a single security product that could prevent malicious data encryption without blocking also benign applications.

In this case, the tester bypassed an important protection layer - web access protection which would have likely prevented the malware even from being downloaded. Another protection that was bypassed by copying files with real-time protection disabled is scanning of newly created files by real-time protection which is done with advanced heuristics when also sfx archives are scanned internally (which was also this case - an NSIS installer).

ESET provides complete protection utilizing various protection layers and modules which interact with each other. Disabling a particular protection module (e.g. real-time protection) may substantially affect other modules (e.g. HIPS/AMS/Ransomware shield, etc.). All protection modules must be enabled and working in order for a product to provide maximum protection.

Link to comment
Share on other sites

Personally, I think responding to bypasses like this is a waste of time. It is obvious that the posters don't want to take the time to understand that Eset's protections are proactive - not reactive - and are designed to keep ransomware from running on a device in the first place.

Link to comment
Share on other sites

  • Most Valued Members
On 17/01/2018 at 12:57 PM, galaxy said:

Leider wieder mit Ransomware befallen

Es scheitert oft mit Ransomware

What do you say to that?

 

As many have brought up there are many issues with the video. For example, the video shows it is version 11, but I couldn't see the actual version, e.g. 11.1, 11.2 etc. Also the user didn't run an update and the video is a few months old.

The big problem as I have mentioned when things like this is brought up by other specific users, is that these tests can be easily rigged. No security program is perfect and I've seen people run test videos where one AV misses some viruses so they run another one to remove the leftovers and often another one and so on because no AV is perfect. I could easily make a video showing one AV to be great at protecting from ransomware by using samples I know will be detected while at the same time are not detect by another one, so that other one ends up looking bad - however I could then turn it around and find one that would now make the bad one look good and the good one look bad. 

As mentioned it does not help that these tests seen on youtube often do not represent real usage - for example no one should be downloading multiple malware samples and then turning off settings to make sure they don't originally get caught. As Marcos has mentioned, the fact the settings had to be disabled shows that actually the test is not showing all protection parts. Eset will always try and block users from downloading malware from the first place. Disabling protection layers will always put you at risk.

Link to comment
Share on other sites

Maybe this will "put to bed" the notion that Eset lacks behavior detection capability in regards to ransomware detection.

The latest Malware Research Group AV lab 360 test which is a realtime capability test using the most recent malware samples is here: https://www.mrg-effitas.com/wp-content/uploads/2017/12/MRG_Effitas_360_Assessment_2017_Q3-1.pdf . Of the samples used, 50 were ransomware as noted below:

Quote

Testing was conducted as per the methodology detailed in Appendix 1. In total, 351 live ITW samples were used. The stimulus load comprised the following: 189 trojans, 30 backdoors, 80 financial malware samples, 50 ransomware samples, and 2 others.

Of the 50 ransomware samples tested, 49 were detected by Eset prior to execution. However, one sample was detected by behavior means. So Eset does indeed have protection mechanisms in place to prevent ransomware like activities post-execution.

However as previously noted if one decides to arbitrarily and selective disable Eset protection mechanisms; state that the product can't detect a local run malware sample; then frankly, the tester doesn't know what he is doing and any conclusions drawn as to Eset's effectiveness are erroneous.

Edited by itman
Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...