
HIPS and FIREWALL in default installation



  • Administrators
10 minutes ago, BALTAGY said:

I can give you many viruses that the product you're talking about doesn't detect, so please understand that there's no 100%

I second that. It's easy to cherry pick malware that a chosen AV product won't detect and the machine will get infected.


15 minutes ago, Marcos said:

It's easy to cherry pick malware that a chosen AV product won't detect and the machine will get infected.

AV Comparatives did not "cherry pick" malware purposely for ESET not to detect... The testing procedure is clearly outlined and the field is levelled for all players.

All tested anti-viruses were exposed to exactly the same set of malware in exactly the same manner, so do not blame the tester for ESET's consistent so-so results over a 6-month interval.

Edited by novice

  • ESET Insiders
1 hour ago, Marcos said:

I second that. It's easy to cherry pick malware that a chosen AV product won't detect and the machine will get infected.

That's what I'm saying; I saw yesterday 2 viruses that the product he's talking about doesn't detect, and ESET did detect them first.

That's why I keep telling him there's no 100% protection.


3 hours ago, novice said:

To you... rest of the people think differently.

True, but do you prefer a 98.4% detection rate (August) and fewer FPs, or a 100% detection rate (August) and more FPs?

An FP can be investigated and "excepted", while a non-detection is fatal.

An FP can be fatal: system files, for one, and when AVs decide to detect themselves, which can happen (and is quite funny). In a real-world situation you will not get hundreds or thousands of files randomly on your desktop and then execute them; you get them from websites, email, removable media, etc., and an AV could stop the file from even being downloaded or copied onto your machine.


As far as AV lab malware sample selection goes, I believe it is logical to assume some qualification of samples is used. Besides the obvious selection by malware category, e.g. Trojan, ransomware, etc., it can be assumed that prevalence is also a factor. If a lab always used the most prevalent samples, the tests would almost always show 100% detection by most of the major AV vendors. Obviously, a widely used malware is one that needs immediate detection and mitigation. Additionally, if lab test reports always showed 100% detection by all test participants, no one would pay attention to the tests since they would already know the outcome. AV vendors would no longer pay to have their products tested and the labs would go out of business.

So it is fair to assume that the labs will include a few malware samples that are not widely in use or are isolated geographically. The odds of being infected by one of these malwares are statistically very low. It is assumed that Eset is concentrating on malware with the greatest risk to its customers versus trying to "bag" a lab test with a 100% score. Finally, do note that AV labs do not disclose sample selection criteria such as the above, which really needs to be done.

Edited by itman

3 hours ago, itman said:

Assumed is Eset is concentrating on malware with the greatest risk to its customers

It is amazing to see how far you would go to look for excuses....

"Assumed is Eset is concentrating on malware with the greatest risk to its customers" sounds like ESET had the undetected samples in hand, but, what the heck, they were not prevalent, so ESET dumped them, focusing on other "prevalent" malware.

But on AV Comparatives, surprise-surprise, the dumped samples were in the test; that's why ESET scored only 98.5%.

On the other hand, MSE decided not to focus on prevalent malware only, and scored 100%.

I hope you realize how absurd this scenario is....


  • ESET Insiders
9 minutes ago, novice said:

It is amazing to see how far you would go to look for excuses....

"Assumed is Eset is concentrating on malware with the greatest risk to its customers" sounds like ESET had the undetected samples in hand, but, what the heck, they were not prevalent, so ESET dumped them, focusing on other "prevalent" malware.

But on AV Comparatives, surprise-surprise, the dumped samples were in the test; that's why ESET scored only 98.5%.

On the other hand, MSE decided not to focus on prevalent malware only, and scored 100%.

I hope you realize how absurd this scenario is....

You keep insisting that there's 100% detection, while in all your topics everyone tries to tell you there's no such thing as 100%!

How many people have tried to explain that? And you still insist!

Every antivirus in the world, none of them can detect 100% in the real world; if any product reaches 100% with many false positives, I for one don't want to use it!

I don't want to use an antivirus that keeps flagging many clean files as viruses!

I think it's time this topic was closed like the other, and I know you will go back to the same scenario soon with the 100% thing!


  • ESET Insiders

Before this topic gets closed, look at this ransomware:
https://www.virustotal.com/#/file/f84bf09ea9f44a46d4c4c8b25cdd1a57e1634e3618b279d950b06697ee039e3b/detection

The 100% detection can't detect it, but ESET can!
Snap1.png


Edited by BALTAGY

  • Administrators

Just out of curiosity, I've installed KIS 19 on Windows 10, fully updated it and then disconnected the VM from the network for security reasons. Then I copied recent (3-4 hours old) Filecoder.Crysis and Emotet trojans detected by ESET and ran them. Neither of them was detected / blocked and both were executed. I didn't cherry pick them, just took random infamous recent malware.

Of course, it's just 2 samples, but very common these days. Neither was it a real-world test, since the machine was disconnected from the network; however, the AV was fully updated. For instance, ESET is not dependent on the Internet connection, as I've recently shown that it was able to detect new prevalent malware with 3-week-old modules and without an Internet connection.


50 minutes ago, Marcos said:

Just out of curiosity, I've installed KIS 19 on Windows 10, fully updated it and then disconnected the VM from the network for security reasons. Then I copied recent (3-4 hours old) Filecoder.Crysis and Emotet trojans detected by ESET and ran them. Neither of them was detected / blocked and both were executed. I didn't cherry pick them, just took random infamous recent malware.

To satisfy "our friend", uninstall KIS 19 so that only WD is running. Make sure its signatures are updated. Leave Controlled Folders and other settings at default. Rerun the same samples and see if anything is encrypted or if Emotet was detected.


3 hours ago, Marcos said:

Neither was it a real-world test, since the machine was disconnected from the network

So, what's the point of such a test? Is this the methodology followed by AV Comparatives? Was ESET disconnected from LiveGrid during the AV Comparatives test?

So, again, this proves nothing...

I got it: after many years ESET has a behavior blocker which is working, even offline; but so does Emsisoft (5 years), Malwarebytes (dedicated anti-ransomware module which worked each and every time I tested).


2 hours ago, novice said:

So, what's the point of such a test? Is this the methodology followed by AV Comparatives? Was ESET disconnected from LiveGrid during the AV Comparatives test?

So, again, this proves nothing...

In theory, KIS 2019 should have performed better than EIS 12.0.31 in this test because it already has behavioral monitoring, i.e. System Watcher, in place. Note that EIS/NOD32 doesn't have behavioral monitoring until ver. 12.1.

As far as no Internet connection goes, it would have no effect on detection in this test, since neither product goes to the cloud to perform decision-making activities to block or allow the malware process from running.


9 hours ago, novice said:
It is amazing to see how far you would go to look for excuses....

"Assumed is Eset is concentrating on malware with the greatest risk to its customers" sounds like ESET had the undetected samples in hand, but, what the heck, they were not prevalent, so ESET dumped them, focusing on other "prevalent" malware.

But on AV Comparatives, surprise-surprise, the dumped samples were in the test; that's why ESET scored only 98.5%.

On the other hand, MSE decided not to focus on prevalent malware only, and scored 100%.

I hope you realize how absurd this scenario is...

If I may. I have asked similar questions before, but I'd like to point out a few things. Before pointing them out I'd like to say that I used KIS for over 10 years, maybe 15 years, before having to remove it.

a) When the others claim that there is no 100% detection, they are not saying that other suites did not catch 100% of the threats "in a given snapshot of reality and time". They are saying that the threats used for the test do not represent the totality of the threats available and the thousands of variants coming out on the market daily. This means that different tests at different times will advantage one product over another.

b) Point a) is empirically testable through AV-Comparatives. If you check the CHARTS on AV-Comparatives you'll have a chance to see detection rates by month. So, if you change the month from July-November to "November", you will get 99.6% (see attached picture). Now, I invite you to check the results for both Kaspersky and BitDefender and compare the detection rates for November 2018. You will notice that they both went down a bit and ESET went up a bit. Why do you keep mentioning August if we are in December? AV-Comparatives issues new data monthly, as do many others.

c) In November-July ESET gets 2 stars based on weighted data on its past performance (for the purpose of these tests on AV not always shiny, to be honest, for the reasons that others have already highlighted). But it does not mean that it is performing poorly in absolute terms. In November, it performs very well on this specific indicator.

d) If you check other AV labs, you will notice that ESET gets different scores, but it's rarely outside the best ones, despite its strange habit of going up and down the rankings.

e) I believe MARCOS' statements on what ESET is going to do in the future are exactly what users are expecting to see in the suite. So, if your worry is about detection in the future, the answer is, I believe, the below:

"In v12.1 beta we've enabled HIPS-based Behavior Monitor and Augur is going to be added over the course of 2019. Besides that, we'll continue improving protection and cleaning both through existing modules and will release product updates with new features, bug fixes and improvements as well."

From what I am seeing, ESET does not have a real security problem. It has a "quality consistency" problem that translates into "spikes" of highs and lows that other competitors don't have, or have only within very narrow deadbands, and this makes the product look a bit shaky. Again, I believe the solution lies in what MARCOS has anticipated, if it is well implemented.

That said, I hope MARCOS' projections on future improvements become reality as soon as possible, because from a corporate perspective it might not seem such a big thing, but for users who want to see that little gap "consistently filled and coherent performances" (see the graphs on AV-Comparatives to see how ESET keeps going up and down the hill) it is very welcome news.

ESET.png

Edited by PassingBy

12 hours ago, novice said:

"Assumed is Eset is concentrating on malware with the greatest risk to its customers" sounds like ESET had the undetected samples in hand, but, what the heck, they were not prevalent, so ESET dumped them, focusing on other "prevalent" malware.

But on AV Comparatives, surprise-surprise, the dumped samples were in the test; that's why ESET scored only 98.5%.

On the other hand, MSE decided not to focus on prevalent malware only, and scored 100%.

My personal view on these discussions is that the two products are not comparable with such a drastic difference in false positive rate.

It is much easier to achieve a "100%" rate in such a test if you are willing to sacrifice detection accuracy (i.e. mark benign files as malicious) by tuning the detection knob of the model to be a bit more aggressive. ESET can definitely do this, but ESET chose not to do such a thing for a good reason (there are more reasons, but those are beyond the scope of this post): in reality users are more likely to be bugged by FPs instead of real threats if the detection threshold is too aggressive. When users get used to dealing with FPs of a security product, they are more likely to blame and turn off the AV to use unknown riskware next time. This generally makes a security product useless. Therefore, controlling the FP rate is of great significance.

And honestly speaking, even if some products have very nice-looking FP scores in this test, in reality they do noticeably worse than ESET. For many products which perform flawlessly in AVC's FP test (like those 0-FP ones), I can easily find FP PE files distributed by large IT companies with valid digital signatures every month or two (yes, they still make such mistakes even with the help of very mature reputation clouds), but it is really hard to find such FP cases in ESET products. FP is much harder to measure by a standardized test like AVC's because there are grey zones. Plus, the real-world situation of white files is far more complex than the training set in the lab. Only extensive real-life use of these products will tell.

Edited by 0xDEADBEEF

The original discussion was about "HIPS and Firewall in default installation".

Even in "interactive mode" the firewall is extremely primitive, if I can say so:

1. the rules are based on IP and not on FQDN; that means:

  • you have to spend time to figure out what is behind each and every IP, in order to make an informed decision
  • for applications using dynamic addressing, you will get multiple alerts for the same application over and over again, with no end in sight

2. rules for the same application are scattered all over and you manually have to group them

3. rules for uninstalled applications or for temporary applications are still present in the firewall and you manually have to figure out which one is still valid or not

4. the firewall is practically useless when a "parent application" connects to the internet through a "child application". If the "child application" (let's say "child.exe TCP 443") was allowed in the firewall, another application, let's say "parent.exe", can start "child.exe" and connect to the internet without any warning from the ESET firewall, which is a major flaw


  • Administrators

I would rather disagree that the majority of firewalls support creation of firewall rules based on the parent application. You can post a list of the firewalls which support this, but I assume that a list of firewalls with something that you consider a "major flaw" would be substantially larger.


3 minutes ago, Marcos said:

I would rather disagree that the majority of firewalls support creation of firewall rules based on the parent application. You can post a list of the firewalls which support this, but I assume that a list of firewalls with something that you consider a "major flaw" would be substantially larger.

I never said that "the majority of firewalls support creation of firewall rules based on the parent application".

Based on ESET's complexity and excess customization, I would expect that this is not overlooked, because it creates a false sense of security (from a firewall point of view).

Just 2 firewalls which, somehow, addressed several flaws:

1. Windows Firewall Control (from Binisoft): at least the uninstalled applications are marked in the firewall

2. PC Tools Firewall Plus: has rules based on FQDN, will automatically group rules per application, will mark rules for uninstalled applications, and most importantly, will alert you if a "parent application" tries to use a "child application" to connect to the internet, and you can create a rule

10 minutes ago, Marcos said:

list of firewalls with something that you consider a "major flaw" would be substantially larger

You are right in your assumption, the list of poorly performing firewalls is large; if this creates comfort, by all means, you can add ESET to this list.


  • Administrators
2 hours ago, novice said:

You are right in your assumption, the list of poorly performing firewalls is large; if this creates comfort, by all means, you can add ESET to this list.

FQDN-based rules do not work if no DNS request has been made recently, since the firewall needs to get and cache IP addresses from previous DNS responses. Currently this kind of rule is not supported by many popular makers of security solutions. So far I was able to find only 2 that mention FQDN rules. If another firewall suits you better, you can disable it in ESET and use that instead.

As for rules for already uninstalled applications, it's possible that in the future you will also get information about the last time a rule was applied so that you will be able to delete unused rules easily.

Since everything has been said, we'll draw this topic to a close.
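Added example, not code from this thread or from any ESET product: a small model of per-application outbound rules that shows the two points argued above, novice's "parent.exe starts child.exe" gap in application-only rules, and Marcos's caveat that an FQDN rule can only match an address the firewall has already seen in a DNS reply. The executable names, the name update.example.test and the 203.0.113.x addresses are constructed for the demo.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed model of per-application firewall rules; not ESET's own code.
@dataclass
class Rule:
    app: str                      # executable the rule belongs to
    remote: str                   # IP literal or FQDN
    port: int
    parent: Optional[str] = None  # if set, also require this launching process

@dataclass
class Conn:
    app: str      # process opening the socket
    parent: str   # process that launched it
    ip: str
    port: int

class Firewall:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.dns_cache: Dict[str, str] = {}  # ip -> fqdn seen in DNS replies

    def observe_dns(self, fqdn: str, ip: str) -> None:
        """Record a DNS answer; an FQDN rule can only match IPs recorded here."""
        self.dns_cache[ip] = fqdn

    def _remote_ok(self, rule: Rule, c: Conn) -> bool:
        return rule.remote == c.ip or self.dns_cache.get(c.ip) == rule.remote

    def decide(self, c: Conn) -> str:
        for r in self.rules:
            if (r.app, r.port) != (c.app, c.port) or not self._remote_ok(r, c):
                continue
            if r.parent is not None and r.parent != c.parent:
                continue  # parent-aware rule: launched by someone else, keep asking
            return "allow"
        return "ask"  # interactive mode: no rule matched, prompt the user

def demo() -> Dict[str, str]:
    ip, fqdn = "203.0.113.10", "update.example.test"  # constructed values
    ip_only = Firewall([Rule("child.exe", ip, 443)])
    parent_aware = Firewall([Rule("child.exe", ip, 443, parent="explorer.exe")])
    by_name = Firewall([Rule("child.exe", fqdn, 443)])
    normal = Conn("child.exe", "explorer.exe", ip, 443)
    via_parent = Conn("child.exe", "parent.exe", ip, 443)
    out = {
        "ip_rule_normal": ip_only.decide(normal),
        "ip_rule_via_parent": ip_only.decide(via_parent),  # the gap: silently allowed
        "parent_rule_via_parent": parent_aware.decide(via_parent),
        "fqdn_no_dns": by_name.decide(normal),  # empty cache: name cannot match
    }
    by_name.observe_dns(fqdn, ip)
    out["fqdn_after_dns"] = by_name.decide(normal)
    out["fqdn_new_ip"] = by_name.decide(Conn("child.exe", "explorer.exe", "203.0.113.11", 443))
    return out
```

The last two results also show the dynamic-addressing complaint: once the host answers from an address that was never seen in a DNS reply, even the FQDN rule falls back to prompting.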


  • Marcos locked this topic