
Ransomware Protection Improvements



37 minutes ago, novice said:

There is no behavior monitoring in ESET!!! See Marcos' answer above.

I think Marcos was referring solely to the HIPS module (by default the auto mode indeed doesn't block most behaviors, but it is serving as a foundation for other protection layers like memory scanner and ransomware shield).

Ransomware shield is different. It is a behavior-based defense layer. It is more complicated than writing custom rules in the HIPS rule table because so far there is no simple rule in the world that can block ransomware with the guarantee of low FPs. I can say this for sure because I've tested the ransomware shield using my own code.

Edited by 0xDEADBEEF

20 minutes ago, Hands said:

My apologies, I’ll try not to compare products next time.

In most cases it should be ok. But as the forum rules say: https://forum.eset.com/topic/76-rules-of-the-eset-security-forum/ I just don't want to touch any topics that fall inside the grey zone :)

28 minutes ago, 0xDEADBEEF said:

I think Marcos was referring solely to the HIPS module (by default the auto mode indeed doesn't block most behaviors, but it is serving as a foundation for other protection layers like memory scanner and ransomware shield).

Ransomware shield is different. It is a behavior-based defense layer. It is more complicated than writing custom rules in the HIPS rule table because so far there is no simple rule in the world that can block ransomware with the guarantee of low FPs. I can say this for sure because I've tested the ransomware shield using my own code.

See here: "HIPS is as crucial a protection module as real-time protection and should always remain enabled. Disabling HIPS also disables self-defense, Advanced Memory Scanner, Exploit Blocker and Ransomware Shield."

So, disabling HIPS disables Ransomware Shield.


4 minutes ago, novice said:

So, disabling HIPS disables Ransomware Shield.

Yes, as I said, HIPS is the foundation of Ransomware Shield.

In general, you can view the ransomware shield as HIPS + a complex rule set made by ESET that is not visible to end users. And that's why it is a behavior-based defense layer.

Eset's API monitoring in ver. 12, part of which appears to already be implemented in 11.2.63, will put it on par with Kaspersky's System Watcher feature. I have seen enough detections by Eset's advanced memory scanner (AMS) to state it is better than anything Kaspersky has.

Also as previously commented upon, System Watcher is known for problematic behavior.

5 minutes ago, itman said:

Eset's API monitoring in ver. 12, part of which appears to already be implemented in 11.2.63, will put it on par with Kaspersky's System Watcher feature. I have seen enough detections by Eset's advanced memory scanner (AMS) to state it is better than anything Kaspersky has.

Also as previously commented upon, System Watcher is known for problematic behavior.

Interesting. I’m excited to see how HIPS V12 will perform once released.


2 hours ago, novice said:

So, disabling HIPS disables Ransomware Shield.

Eset uses what can best be described as questionable behavioral rules in the HIPS. If one of those rules is triggered, Eset will then perform additional analysis on the process to determine its malicious status. Eset's goal has always been to remove user interaction from the malicious determination process. Hence, it will be a very rare instance where a user would have to respond to an alert in this context.

2 hours ago, itman said:

Eset's advanced memory scanner(AMS) to state it is better than anything Kaspersky has

You may be in violation of the Forum rules, specifically #15 https://forum.eset.com/topic/76-rules-of-the-eset-security-forum/

TomFace will soon alert a moderator...

Oh, I forgot, this applies only to trolls :D

Edited by novice

2 hours ago, novice said:

You may be in violation of the Forum rules, specifically #15 https://forum.eset.com/topic/76-rules-of-the-eset-security-forum/

Don't think so. I didn't state that Eset was better than Kaspersky per se. I stated I personally believed an Eset feature was better than the equivalent in Kaspersky. After all, what you are complaining about is your perceived notion that Eset's ransomware protection is deficient, with a provided assortment of other AV solutions that can detect whatever ransomware of the day you chose.

4 hours ago, itman said:

Eset uses what can best be described as questionable behavioral rules in the HIPS

In fact I couldn't agree more with your statement...


12 hours ago, novice said:

In fact I couldn't agree more with your statement...

Actually, I didn't state that properly to avoid ambiguity. What I should have stated is "Eset uses YARA-like behavior rule signatures which perform questioning-like analysis on the process."

An example of a YARA rule is here:

Quote:

However, if someone renamed it and used it as a backdoor, it's recommended to scan the HDD with the following YARA rule (download the free yara tool here: http://plusvic.github.io/yara/):

    rule ComputraceAgent
    {
        meta:
            description = "Absolute Computrace Agent Executable"
            thread_level = 3
            in_the_wild = true
        strings:
            $a = {D1 E0 F5 8B 4D 0C 83 D1 00 8B EC FF 33 83 C3 04}
            $mz = {4d 5a}
            $b1 = {72 70 63 6E 65 74 70 2E 65 78 65 00 72 70 63 6E 65 74 70 00}
            $b2 = {54 61 67 49 64 00}
        condition:
            ($mz at 0) and ($a or ($b1 and $b2))
    }

Edited by itman
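To make the quoted rule's condition concrete, here is an added example (not from the post, from ESET, or from Kaspersky) that decodes the rule's hex strings and re-evaluates `($mz at 0) and ($a or ($b1 and $b2))` in plain Python over constructed sample buffers; it assumes this mirrors YARA's semantics for hex strings, `at 0` and the boolean operators, and does not use the yara library itself.

```python
# Added example (not from the post, ESET or Kaspersky): the ComputraceAgent
# rule's matching logic re-implemented in plain Python so the condition
# "($mz at 0) and ($a or ($b1 and $b2))" can be traced by hand.
# Assumption: this mirrors YARA's semantics for hex strings, "at 0" and
# boolean operators; it does not use the yara library.

HEX_STRINGS = {
    "$a":  "D1 E0 F5 8B 4D 0C 83 D1 00 8B EC FF 33 83 C3 04",
    "$mz": "4d 5a",
    "$b1": "72 70 63 6E 65 74 70 2E 65 78 65 00 72 70 63 6E 65 74 70 00",
    "$b2": "54 61 67 49 64 00",
}


def hex_to_bytes(spec):
    """Turn a YARA-style hex string (space-separated byte values) into bytes."""
    return bytes.fromhex(spec.replace(" ", ""))


PATTERNS = {name: hex_to_bytes(spec) for name, spec in HEX_STRINGS.items()}


def string_offsets(data, name):
    """Every offset at which the named string occurs in data (YARA's @name)."""
    pat, offsets = PATTERNS[name], []
    pos = data.find(pat)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(pat, pos + 1)
    return offsets


def matches_computrace_rule(data):
    """Evaluate the rule's condition: ($mz at 0) and ($a or ($b1 and $b2))."""
    mz_at_0 = 0 in string_offsets(data, "$mz")   # "$mz at 0": MZ header at offset 0
    a = bool(string_offsets(data, "$a"))
    b1 = bool(string_offsets(data, "$b1"))
    b2 = bool(string_offsets(data, "$b2"))
    return mz_at_0 and (a or (b1 and b2))


# Constructed sample buffers (not real files). $b1 decodes to
# "rpcnetp.exe\0rpcnetp\0" and $b2 to "TagId\0", so a buffer needs the MZ
# header at offset 0 plus either $a or both of those strings to match.
SAMPLE_HIT = b"MZ" + b"\x90" * 64 + PATTERNS["$b1"] + b"\x00" * 8 + PATTERNS["$b2"]
SAMPLE_PARTIAL = b"MZ" + b"\x90" * 64 + PATTERNS["$b1"]          # $b2 missing
SAMPLE_NO_MZ = b"\x00" * 2 + PATTERNS["$b1"] + PATTERNS["$b2"]   # strings but no MZ at 0

if __name__ == "__main__":
    for label, buf in [("hit", SAMPLE_HIT), ("partial", SAMPLE_PARTIAL), ("no_mz", SAMPLE_NO_MZ)]:
        print(label, matches_computrace_rule(buf))
```

The third buffer shows why `$mz at 0` matters: the marker strings alone are not enough, the file must also start with the MZ header.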

Well, I trust Eset so far with the Ransomware protection. Compared to other vendors such as Kaspersky or Bitdefender, where you have to manually approve some applications in the User\Documents folders, Eset doesn't annoy me as a gamer (Steam) and part-time dev. (Delphi).

But I guess that's a trade-off Eset had to make, because I visit www.av-comparatives.org each month and look at the latest Real World Protection Test, and we can see that compared to Bitdefender and Kaspersky, Eset gets compromised more. I just hope that with new signature and HIPS updates these exploits get blocked. Even Windows Defender can block more without getting compromised, but it has more false positives and is slower than Eset.

As far as I can see lately, many users of Bitdefender complain that the latest version of their security solution takes a lot more memory and impacts the system more.

Hope that with v12 Eset can improve without impacting system resources, give the best protection, and no longer show compromising exploits on av-comparatives ;)

On 9/17/2018 at 10:24 AM, novice said:

It was not my intention to create unrest among the community, I apologize for that!

*******************************

Well here you can see people complaining about "real life situations" 

*************************

Even though the emperor was naked nobody wanted to say anything , not to be labeled as "stupid" (in the story)  or troll in our situation.

*********************************

Maybe I am the "child"  who suddenly realized that ESET is not what is claiming to be....

**************************


Why am I hesitant to accept your "apology" when all one has to do is look at your post history?

************************

I see 1 person consistently complaining...others may be asking but they are also new...they haven't been around since 2013.

If it's that bad, why are you still here? Since 2013 a 3 year license would have expired once by now.

But you are still here.

************************

Labeled as a troll? Everyone can just look it up. https://en.wikipedia.org/wiki/Internet_troll

***********************

A child? None of us are that stupid.

********************************

novice, unlike you, I take no pleasure in having these exchanges. As a matter of fact, they cause me quite a bit of pain.

There is no joy in TomFaceville in writing this. As TomasP posted, you (for the moment) are not being censored. Knowing that, I will not partake in the Forum as I once did.

My rubber boots are only so high.

So unless someone else reins you in, I guess you have free range.

TTFN

Tom

P.S... Happy ITLAPD to everyone!

https://en.wikipedia.org/wiki/International_Talk_Like_a_Pirate_Day


Edited by TomFace

10 minutes ago, TomFace said:

Why am I hesitant to accept your "apology"

I apologized to TomasP, not to you, so there is nothing for you to accept (or not!)

15 hours ago, MartinPe said:

But I guess that's a trade-off Eset had to make, because I visit www.av-comparatives.org each month and look at the latest Real World Protection Test, and we can see that compared to Bitdefender and Kaspersky, Eset gets compromised more.

If you review Eset's historical test results there, they are fairly consistent. As such, I assume Eset is satisfied with those results. Rather than allocating additional resources "to game" the next test by the lab to ensure they score 100%, they are allocating those resources to overall product improvement. The bottom line is AV lab tests are just that: tests. How well the test simulates the current malware status very much depends on the individual lab's methodology and procedures employed. The reality of the situation is that none of these tests at any given point in time is a 100% representation of the current malware status.

Edited by itman

12 minutes ago, novice said:

I apologized to TomasP, not to you, so there is nothing for you to accept (or not!)

"When we see men of worth, we should think of equaling them; when we see men of a contrary character, we should turn inwards and examine ourselves."... Confucius

Needless to say, I am reflecting inwards. :)

Best regards,

Tom


Edited by TomFace

Every time a ransomware issue appears in the Malware section of the forum, one of these postings shows up. I do believe it is time they stopped.

It has been some time since I saw an Eset retail product user post an issue with ransomware. Any non-corp. user postings I have seen are from individuals who are not using Eset and are looking for ransomware assistance, which is not the purpose of this forum.

The reality of the current ransomware status is that the attacks are almost exclusively directed against corp./gov. entities. The primary attack vectors are e-mail and RDP based, with a sprinkling of exploits, e.g. the recent SMBv1 incidents. Corp. users need to be employing additional security measures to prevent these attacks rather than relying exclusively on their AV solution.

The bottom line is that ransomware has migrated to the criminal enterprise scope, with the objective of maximizing their return on investment in ransomware development and execution. Further, current research also shows a migration from ransomware to coin mining. It goes without saying that Eset provides excellent protection against coin mining activity.

Edited by itman