Jump to content

HitmanPro.Alert Exploit Test Tool


novice
 Share

Recommended Posts

Used the above mentioned test to see ESET antiexploit capabilities; ZERO reaction from ESET.

Now I know I will get "we know that is a test, that's why!!!"

So, is there any test on the internet which can be used to test ESET capabilities (other than EICAR)????

Link to comment
Share on other sites

  • Administrators

That is probably some simulator which is a problem because:

1, Each security sw works differently in terms of behavior detection. Unlike exploit blockers which are supposed to detect suspicious behavior, eicar is about a static detection of a very specific file that all av vendors agreed on to detect.
2, Detection of a simulator doesn't tell anything about detection and protection capabilities of a particular AV. As a result, an AV that detects a simulator may fail to detect real exploits and likewise an AV that doesn't detect it may protect you from actual exploits.

Link to comment
Share on other sites

12 hours ago, novice said:

Used the above mentioned test to see ESET antiexploit capabilities; ZERO reaction from ESET.

Now I know I will get "we know that is a test, that's why!!!"

So, is there any test on the internet which can be used to test ESET capabilities (other than EICAR)????

I'm curious. Did you used a 32-bit application for the test? If so, could you say which one?

Link to comment
Share on other sites

15 hours ago, novice said:

Used the above mentioned test to see ESET antiexploit capabilities; ZERO reaction from ESET.

I have used the tool extensively in the past and if used properly, Eset will block every test; at least on the tool vers. I used.

Surfright/Sophos I believe "farmed out" development of the tool to a third party source. The tool's primary purpose is to test HMP-A functionality. Although they note in the documentation that you can used the tool to test your own security solution, they fail to mention the following.

Using IE11 as the test browser for example, Eset will fail almost every test if the browser is not running during testing. The reason is that the tests execute quickly and the browser has not been fully loaded. As such, Eset's hooks and the like into the browser also have not been fully established.

Finally, custom HIPS rules to protect the browser need to be created to pass most of the test tool's exploit tests. The primary rule that needs to be created is to prevent browser process modification since most of the tests involve setting a hook in the browser to perform the simulated exploit. Most important however is to realize Eset does not recognize the test tool as malware which it is not. As such Eset with default settings will allow the individual tests performed by the tool to run unimpeded. Such would not be the case for a known exploit.

Edited by itman
Link to comment
Share on other sites

1 hour ago, novice said:

Can you try, please, the   HitmanPro.Alert Exploit Test Tool again?

from here hxxp://dl.surfright.nl/hmpalert-test.exe

Ok. I downloaded it. It's the same ver. I used in my previous testing. So my previous comments concerning it still apply in regards to Eset's protections against it.

What I used it for primarily is to create custom HIPS rules for my browser. Again, the main rule would be prevent process modification against the browser in case some 0-day exploit was to sneak by Eset's default protections.

Link to comment
Share on other sites

1 minute ago, itman said:

What I used it for primarily is to create custom HIPS rules for my browser

Shouldn't these rule be created by default for the most common applications?? How many users can create HIPS rule to protect against 0 days????

Link to comment
Share on other sites

Also since you posted your comments in the NOD32 thread, I assume that is what you are running. I don't know if NOD32 has IDS protection yet as Internet/Smart Security have. Eset's primary protection against CVE known exploits is in the IDS.

Link to comment
Share on other sites

Here's an ad hoc test that Malware Research Group performed when EternalBlue was running around "in the wild": https://www.mrg-effitas.com/wp-content/uploads/2017/05/screencapture-mrg-effitas-eternalblue-vs-internet-security-suites-and-nextgen-protections-1495176251119.pdf . Eset was one of only three AV/NextGen products to detect it. ......,, 

Link to comment
Share on other sites

Well I tried the test , ZERO reaction from ESET. And when I say ZERO I do not exaggerate!!!!

IE11 64bit open, IE11 64bit added to the test, run all tests -----> ZERO reaction from ESET

IE11 32 bit open, IE32BIT added to the test, run all test-----------> zero reaction from ESET

I can say , wit 99% probability that there is no viable dedicated antiexploit shied in ESET.

ESET hopes to catch the exploit with the webshield, based on signature of the exploit vector, on cloud based detection and maybe with some generic HIPS  rules but no, there is no dedicated shield against antiexploit.

Edited by novice
Link to comment
Share on other sites

55 minutes ago, itman said:

Here's an ad hoc test that Malware Research Group performed when EternalBlue was running around "in the wild": https://www.mrg-effitas.com/wp-content/uploads/2017/05/screencapture-mrg-effitas-eternalblue-vs-internet-security-suites-and-nextgen-protections-1495176251119.pdf . Eset was one of only three AV/NextGen products to detect it. ......,, 

Yes, this shows one more time that ESET bases its detection on Web shield and signatures , even though has a DEDICATED antiransomware shield (most likely some  generic HIPS rules)

 

I ran WANNACRY  live on my PC with only the Antiransomware shield from MBAM and the threat was quarantined after 4 files being encrypted.

This is how a dedicated antiransomware shield is supposed to look like.

Edited by novice
Link to comment
Share on other sites

One thing I have noticed from dedicated anti-exploit products is that they inject dll into various processes most likely to monitor their behavior for possible exploitation. However if one checks with Process Explorer you hardly see any dll from ESET. At most, you can see dll in browsers like Chrome and Firefox but those are for the Banking feature.

 

So, I'm going to assume to whatever technology ESET uses for its anti-exploit capabilities are different from the standard.

 

Link to comment
Share on other sites

  • Most Valued Members

Honestly you would think after years of the same/similar threads that people would eventually understand that "Tests" don't equate to real world.

It's a very rare occurrence when ESET products actually fails to protect people in "Everyday" use, hence why the forums are nearly devoid of any complaints regarding infection.

The OP and others keep relating to tests but have never fell short of protection themself when using the products.

Unless you get infected with something or fall victim to some kind of ransomware when posting "What If's" is fruitless and misleading to other users.
 

Link to comment
Share on other sites

46 minutes ago, cyberhash said:

"Tests" don't equate to real world.

In real word everything is based on tests.

You want a driver's license? You have to pass a test!

You want to get to university? You have to pass a test!

You want to get a job? You have to pass an interview!

Why do I have to wait to get infected first and after that to ask questions???

See here for example: "rapid ransomware detection?" 

I've encountered a rapid ransomware sample around 15 hours ago. At that time, ESET's scanner couldn't detect it (while other major vendors already detected it on VT). "

46 minutes ago, cyberhash said:

The OP and others keep relating to tests but have never fell short of protection themself when using the products.

I have been using MSE alone for many years and never got infected. And what?

 

46 minutes ago, cyberhash said:

"What If's" is fruitless and misleading to other users.

"What if's" is a legitimate question, especially now  when ESET doesn't participate anymore in AV Test!!!!

Edited by novice
Link to comment
Share on other sites

If one uses a security product, it is understandable to want to know if it works and how. Safe habits plus knowing the strength and weaknesses(limitations) of a product is good.

 

3 hours ago, galaxy said:

Norton has also completely failed with the test

Do you know if Norton is injecting dll into processes to monitor them?

Link to comment
Share on other sites

Yikes! Here's the problem with malware behavior simulators. They are not malware. Also most have reputation established and many are validly signed. As such, Eset is going to allow all process activities they perform.

Some security products detect these simulators as hack tools and block outright their execution. This really is a false detection. If you want to test Eset's protection capability, use live malware samples in a lab environment. Never use your production PC for such testing.

Link to comment
Share on other sites

I can show you more than just a test in the lab environment that ESET is really struggling with Ransomware. And if I set the hips setting to auto, then I have a problem because so I'm not backed up

Link to comment
Share on other sites

5 minutes ago, galaxy said:

Do I have to worry? With me it is put on automatically

Another forum member has done in depth testing of 0-day ransomware against Eset. Hopefully he will "chime in" on this issue. His tests show that Eset's default HIPS behavior rules will detect ransomware encryption activity. However, a few files will end up encrypted prior to Eset's behavior detection. This is the norm for security solutions that employ ransomware behavioral methods.

Also I am referring to Eset retail products. I don't believe the Endpoint vers. will have like detection capability unless ver. 7 is installed.

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...