Ransomware Protection Improvements


Video link: 

This video shows ESET Endpoint Security tested against a ransomware sample that ESET doesn't have a signature for. ESET fails despite having the Anti-Ransomware shield activated. The reason I posted this in the Home topic is that if Endpoint protection fails, it doesn't speak too highly of the Home products.


The test was done using a beta version of EP 7. For this reason alone, it lacks merit.

Now if the test was performed against the released production version of EP 7, then we would have something to discuss.


I understand your point. I will now close this topic, and keep monitoring ESET’s performance against malware. If I see that some improvements still need to be made, I will create a new, yet similar topic.


2 hours ago, itman said:

The test was done using a beta version of EP 7.

Yet, MSE (free) detected the malware as Trojan: Win32/Tiggre!plock

There is a certain limit of decency up to which you can blindly defend ESET.

ESET doesn't have a dedicated antiransomware shield based on behavior. It has just a HIPS set of rules, which the marketing department named "antiransomware shield".

Edited by novice

3 minutes ago, novice said:

Yet, MSE (free) detected the malware as Trojan: Win32/Tiggre!plock

There is a certain limit of decency up to which you can blindly defend ESET. 

He’s right. Looks like my point still has something to back it up.


1 minute ago, TomFace said:

Hmmm is right.<_<

My point still stands though. I can source other videos where ESET fails to protect against ransomware. Beta or not, there are some improvements to be made. I'm not trying to bash ESET either, just trying to make a great AV product better.


Have you considered contacting the ESET folks directly via their official channels? See https://www.eset.com/us/about/contact/

And if I were ESET, I am not sure how I would rate the credibility of other videos that you "obtained from other sources". All one has to do is go to the YouTube website to question the validity of ANY videos.

That being said, I am sure if you have useful suggestions for ESET, contact them directly or go to https://forum.eset.com/topic/51-future-changes-to-eset-internet-security-and-eset-smart-security-premium/ and post your suggestions.

In the meanwhile, please don't feed the trolls;).

It's just a suggestion.

Edited by TomFace

Thanks for the suggestions. I’ve been trying to work with multiple AV vendors such as Kaspersky, ESET, Emsisoft, and ZoneAlarm by Checkpoint, by going to their forums and posting these suggestions. I’m just trying to suggest improvements to make these products better. That being said, I will follow your advice.


26 minutes ago, Hands said:

Thanks for the suggestions. I’ve been trying to work with multiple AV vendors such as Kaspersky, ESET, Emsisoft, and ZoneAlarm by Checkpoint, by going to their forums and posting these suggestions. I’m just trying to suggest improvements to make these products better. That being said, I will follow your advice.

That's great. Folks like you need to chase the ideal of making things better for all. If you have the knowledge, please share it!

Best regards Hands and take care!

Tom

P.S. By the way, I have referred this entire thread to the ESET Mods as it may be a violation of the Forum rules, specifically #15 https://forum.eset.com/topic/76-rules-of-the-eset-security-forum/

It's their call, not mine. I'm just a User.

Edited by TomFace

6 hours ago, TomFace said:

it may be a violation of the Forum rules, specifically #15 https://forum.eset.com/topic/76-rules-of-the-eset-security-forum/

This was not about A being better than B; it was just an observation from the video attached. I know it hurts to see MSE performing better than ESET, but this is the reality (and not only here; check the latest AV Comparatives).

But of course we can pretend that never happened and that novice is just a troll. It is the most convenient conclusion, which will make everybody happy.


  • Administrators
1 minute ago, novice said:

The "troll" just noticed another ransomware fail, FYI:

Have you carried out a forensic analysis of the case that you have come up with a conclusion that it was ESET's fail? Are you positive the ransomware was not run from an unprotected device and didn't encrypt files in remote shares due to incorrect privileges set on the server? I'm sure you didn't, so please refrain from making any conclusions and trolling.

Just moments ago I received a case from our partner: "We have a government customer using K and got infected with krab ransomware. We installed EFWS on the server and the Filecoder was able to detect with our product; we have an opportunity with this customer for 1.8K units." I, for one, do not blame that AV for letting the ransomware infect the machine. Obviously there was a brute-force RDP attack performed and if the AV didn't have settings protected, the attacker could have disabled it.


  • ESET Moderators

Hello novice,

I could not help but notice what is being said here. We don't embrace censorship and you are allowed to express your opinion, but assuming overall quality of a long-standing product based on just a few observations is quite bold, to say the least. Also, there are numerous statistics and performance results out there and you just chose those that suit your narrative.

Anyway, anyone is free to choose what AV product they will use. If you don't like ours, nobody is forcing you to stick with it - and that's why I don't really understand your constant complaints and posts here on the forum. What is your endgame? What are you trying to achieve? Because what you have achieved so far is just that you created unrest among the community, submitted posts with content that many label as trolling, and didn't contribute to the discussion with anything of real added value.

We are not going to ban you, but be prepared that you need to bear the resentment of the community that you sparked.

Regards,
T.


3 hours ago, TomasP said:

Because what you have achieved so far is just that you created unrest among the community

Dear Sir,

It was not my intention to create unrest among the community, I apologize for that!

3 hours ago, TomasP said:

What is your endgame? What are you trying to achieve?

I have 3 ESET licenses, 1PC/3Years (2 years and something now), for which I paid more than 300 CAD, and I do have certain expectations of this software.

3 hours ago, TomasP said:

Also, there are numerous statistics and performance results

I am not aware of these statistics; all I can see now is that ESET performs worse than some free antiviruses on AV Comparatives (for the last 18 months) and that ESET doesn't participate in AVTest anymore, following a string of bad results (again in the last 18 months).

Also in my own tests ESET did not pass any ransomware simulators, the answer being: in real life it is different.

Well, here you can see people complaining about "real life situations":

 

Are you familiar with the story "The Emperor's New Clothes"?

https://en.wikipedia.org/wiki/The_Emperor's_New_Clothes

Even though the emperor was naked, nobody wanted to say anything, so as not to be labeled as "stupid" (in the story) or a troll in our situation.

Maybe I am the "child" who suddenly realized that ESET is not what it claims to be...

Thanks,


5 hours ago, novice said:

The "troll" just noticed another ransomware fail, FYI:

https://forum.eset.com/topic/16839-gamma-malware-help/

Supposedly, .gamma extension encrypted files are associated with Crysis ransomware. What is the primary method used by Crysis and many other corporate ransomware attacks?

Quote

5. INITIAL INFECTION VECTOR

Thanks to the shared intelligence systems of Panda Security, it has been determined that the initial infection vector for distributing this type of malware is usually RDP (Remote Desktop Protocol). In such cases, the attackers, using specially prepared tools, violate the device's Internet-facing credentials to access systems and execute code (in this case, ransomware). The attacks, therefore, are carried out manually, and the computer/network is considered to have been "hacked".

https://www.pandasecurity.com/mediacenter/src/uploads/2017/11/Ransomware_Crysis-Dharma-en.pdf

Edited by itman

This question is to anyone: How does the ransomware shield work? Is it a behavior monitoring component? I’m asking this because while this was implemented a while back, ESET still misses some ransomware samples.


5 minutes ago, Hands said:

How does the ransomware shield work? Is it a behavior monitoring component?

Yes, it is a behavior monitoring component (potentially combined with cloud reputation and other methods).

8 minutes ago, Hands said:

while this was implemented a while back, ESET still misses some ransomware samples.

The thing to keep in mind is that it is hard to distinguish malicious file modification behaviors from legitimate ones. So to balance the detection rate and false positives, there will be weaknesses in such a protection layer. And that's why multi-layer protection is important.

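As an added illustration of the trade-off 0xDEADBEEF describes above (and repeats in the quote further down), here is a toy behaviour heuristic, written for this thread and not ESET's or anyone else's product code: it flags a process after a burst of high-entropy writes to many distinct files, and the same rule that catches the constructed ransomware-like process also flags a legitimate backup tool writing compressed archives, so a second layer (here a stand-in "reputation" allow-list of process images) is needed to suppress the false positive. All process names, file paths, thresholds and the event stream are constructed assumptions.

```python
import math
import random
from collections import Counter, defaultdict

HIGH_ENTROPY = 7.5  # bits per byte; encrypted and compressed data both sit near 8
BURST = 10          # distinct files rewritten with such data inside one window
WINDOW = 5.0        # seconds; constructed thresholds, not any vendor's tuning

def entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def suspicious_pids(events, trusted=frozenset()):
    """events: iterable of (time, pid, image, path, content). Returns the pids that
    rewrote >= BURST distinct files with high-entropy data within WINDOW seconds.
    Images on `trusted` (stand-in for cloud reputation, the second layer) are skipped."""
    writes = defaultdict(list)
    for t, pid, image, path, content in events:
        if image not in trusted and entropy(content) >= HIGH_ENTROPY:
            writes[pid].append((t, path))
    flagged = set()
    for pid, ws in writes.items():
        ws.sort()
        for i, (t0, _) in enumerate(ws):
            if len({p for t, p in ws[i:] if t - t0 <= WINDOW}) >= BURST:
                flagged.add(pid)
                break
    return flagged

def sample_events():
    """Constructed event stream: one ransomware-like process, one legitimate backup
    tool with the same write pattern, and one text editor (all hypothetical)."""
    rng = random.Random(1)
    blob = lambda: bytes(rng.getrandbits(8) for _ in range(2048))  # stands in for ciphertext or zip data
    ev = []
    for i in range(12):
        ev.append((0.1 * i, 100, "evil.exe", f"doc{i}.docx.locked", blob()))  # mass overwrite
        ev.append((0.1 * i, 200, "backup.exe", f"vol{i}.zip", blob()))        # archive job
    ev.append((1.0, 300, "notepad.exe", "a.txt", b"hello\n" * 200))
    ev.append((2.0, 300, "notepad.exe", "b.txt", b"hello\n" * 200))
    return ev

if __name__ == "__main__":
    print("behaviour only:", suspicious_pids(sample_events()))                           # {100, 200}
    print("with reputation:", suspicious_pids(sample_events(), trusted={"backup.exe"}))  # {100}
```

Raising BURST or HIGH_ENTROPY would drop the backup tool but also let a slower or partial encryptor through, which is the detection-rate versus false-positive balance the post refers to.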

22 minutes ago, Hands said:

Is it a behavior monitoring component?

It is based on HIPS, no behavior or honey pots.

See here, from Marcos "we do not perform behavior blocking..."

 

Edited by novice

7 minutes ago, 0xDEADBEEF said:

Yes, it is a behavior monitoring component (potentially combined with cloud reputation and other methods).

The thing to keep in mind is that it is hard to distinguish malicious file modification behaviors from legitimate ones. So to balance the detection rate and false positives, there will be weaknesses in such a protection layer. And that's why multi-layer protection is important.

Hmmm, now I wonder how Kaspersky’s System Watcher performs so well.


4 minutes ago, Hands said:

Kaspersky’s System Watcher performs so well.

Kaspersky indeed has some decent behavioral defense mechanisms, but it is not without its issues. I tend not to compare products in this forum, so I will stop here. Generally there are always trade-offs.


18 minutes ago, 0xDEADBEEF said:

Kaspersky indeed has some decent behavioral defense mechanisms, but it is not without its issues. I tend not to compare products in this forum, so I will stop here. Generally there are always trade-offs.

There is no behavior monitoring in ESET!!! See Marcos' answer above.

Edited by novice

22 minutes ago, 0xDEADBEEF said:

Kaspersky indeed has some decent behavioral defense mechanisms, but it is not without its issues. I tend not to compare products in this forum, so I will stop here. Generally there are always trade-offs.

My apologies, I’ll try not to compare products next time.

