ESET Dynamic Threat Defense really necessary?

[cmit 2]

We already using the EndPoint Antivirus (for workstations) and the File Security (for servers).
Currently trying the ESET Dynamic Threat Defense (trial) and read as much info about EDTD as possible.
https://www.eset.com/ca/business/dynamic-threat-defense/
https://support.eset.com/kb6569/#oper_1

My understanding is the EDTD has (not limited to) these additional layer of protection features
- Behavior-based detection
- Machine learning
- Zero-day threats detection
- Cloud sandbox

We all understand that nothing can always 100% prevent any latest threats right away but my question is why or why not we really need to add the EDTD.

i.e.
If there are new not-yet recognized threats (not yet in the Detection Engine and other ESET update database modules),
without the ESET Dynamic Threat Defense, does this mean the EndPoint AntiVirus or the File Security simply won't always detect this new threat right away until the next release of modules update (usually 1 or 2+ hours later)?
But with the ESET Dynamic Threat Defense installed, at least the EDTD will treat these threats as suspicious and move them to the cloud-sandbox scanning asap?

Another related question is for the Microsoft Outlook integration (not ESET Mail Security, not using MS Exchange Server).
Without the EDTD (only with EndPoint AntiVirus), does it really increase significant risks of Outlook not detecting threat emails asap?

[itman 1,659]

This .pdf has a few more details. Of note:

Quote

AUTOMATIC PROTECTION

Once everything is set up, there is no action needed by the admin or the user. The endpoint or server product automatically decides whether a sample is good, bad or unknown. If the sample is unknown, it is sent to ESET Dynamic Threat Defense for analyzing. Once analysis is finished, the result is shared and the endpoint products respond accordingly.

https://cdn1.esetstatic.com/ESET/US/docs/business/ESET-Solution-Overview-Dynamic-Threat-Defense.pdf

My understanding is the executable is in a suspended sandbox state until EDTD responds back with a verdict; usually within 5 mins. or less.

Without EDTD unknown processes are examined using local heuristics with sandboxing and if nothing malicious is found, the process is allowed to execute. The process will be submitted via LiveGrid for further server analysis.

So if this is indeed 0-day malware, it stands a higher chance of being detected via EDTD.

Edited April 20, 2019 by itman

[Marcos 5,070]

EDTD shortens the response time to new threats to the bare minimum, typically 2-3 minutes. Even with LiveGrid the response may be slower, typically several minutes in case you encountered a brand new threat among the first.

EDTD does not block processes while files are being analyzed by EDTD. However, mail security products may delay the delivery of email for a short time until results of analysis are received.

[MichalJ 434]

With regards to what Marcos said, let me add that we are currently discussing an option to block new files before the result from EDTD is obtained.

Main advantage of EDTD is the additional sensitivity threshold and the quicker speed. Via LG we block 100% confirmed malware, via EDTD you can block also highly suspicious / suspicious files, based on the sandbox result automatically without waiting for the LG / detection engine update. 

Edited April 21, 2019 by MichalJ

[bbahes 29]

59 minutes ago, MichalJ said:

With regards to what Marcos said, let me add that we are currently discussing an option to block new files before the result from EDTD is obtained.

I was about to post question when do you plan to change this behavior...

[Marcos 5,070]

54 minutes ago, bbahes said:

I was about to post question when do you plan to change this behavior... 

I'm not sure if that would have adverse effect on system stability. Imagine that application or system updates would be blocked by ESET for several minutes; something that applications or the OS would not likely count with and which might result even in severe issues. I'm sure that it won't be enabled unless we are 100% sure such issues won't happen.

[itman 1,659]

3 hours ago, MichalJ said:

EDTD you can block also highly suspicious / suspicious files, based on the sandbox result automatically without waiting for the LG / detection engine update. 

Which gets into the "which is first, the chicken or the egg" analysis.

Are indeed "unknown" files per se being sent to EDTD, or in fact only those deemed in the suspicious category by local heuristic scanning?

 

 

 

[Marcos 5,070]

Any unknown files are submitted to EDTD. There are several categories of files that can be submitted and where the submission and retention can be controlled per category.

[itman 1,659]

54 minutes ago, Marcos said:

There are several categories of files that can be submitted and where the submission and retention can be controlled per category.

Suspected as much. Thanks for the clarification.

Any plans on Eset developing a version of EDTD for its Home version products?

[Marcos 5,070]

3 hours ago, itman said:

Any plans on Eset developing a version of EDTD for its Home version products?

No, it's a business product and currently it's offered only for bigger customers.

[bbahes 29]

13 hours ago, Marcos said:

I'm not sure if that would have adverse effect on system stability. Imagine that application or system updates would be blocked by ESET for several minutes; something that applications or the OS would not likely count with and which might result even in severe issues. I'm sure that it won't be enabled unless we are 100% sure such issues won't happen.

Looks to me that you could use EEI technology here. Maybe merge two products?

[Marcos 5,070]

3 hours ago, bbahes said:

Looks to me that you could use EEI technology here. Maybe merge two products?

EEI and EDTD are completely different products for different purposes so merging them just doesn't make sense. EDTD can be used by users who don't have EEI and vice-versa.

[itman 1,659]

The ideal solution for Eset Home product users would be for Eset to interface with Windows Defender in regards to its block-at-first-sight and cloud scanning technology. When I researched it a while back, it appears to be a separate interface in Windows Defender. Doubt this will ever happen. Which means Eset needs to incorporate like technology for Home product versions.

Edited April 22, 2019 by itman

[bbahes 29]

31 minutes ago, Marcos said:

EEI and EDTD are completely different products for different purposes so merging them just doesn't make sense. EDTD can be used by users who don't have EEI and vice-versa.

I was thinking more of using EEI feature: "Easily suppress false alarms by adjusting the sensitivity of detection rules for different
computer groups or users. Combine criteria such as file name / path / hash / command line / signer to fine-tune the trigger
conditions. ".

So critical system files/ updates that have correct signature and hash would be excluded from checking.

 

[Marcos 5,070]

2 minutes ago, bbahes said:

So critical system files/ updates that have correct signature and hash would be excluded from checking.

There are many system and other important files that don't have a digital signature. We've had Microsoft signatures whitelisted for a long time to prevent false positives and to improve scanning speed.

[cmit 2]

So, with EndPoint AntiVirus (not Mail Security for Exchange) installed and the ESET Dynamic Threat Defense enabled, even EDTD does not have the capability to prevent the this type of spam emails (screenshot examples) arrive into the Microsoft Outlook Inbox.
I guess ESET cannot do anything in this case cause this is purely related to the sender who pretends to be someone legit and as long as there's no attachment in the spam/suspicious email, ESET product(s) won't be useful in this situation?

 

 

[Marcos 5,070]

EDTD is not intended to recognize / block spam but malicious files in attachment or on a disk when speaking about ESET Mail Security products.

[cmit 2]

Does the Scan function (In-Depth) scan more areas when EDTD is enabled vs no EDTD?

I have also noticed that after the EDTD is enabled for our workstations, it takes 1.5 or double of time to complete the scheduled periodic in-depth scan.

i.e.
- usually takes 4-4.5 hrs without EDTD
- with EDTD enabled, takes at least 6 hrs (or even 9 hrs) to complete the scan.

This is another question related to the justification of if the EDTD really necessary (more $$$ times # of computers) or are those computers without EDTD (only EndPoint AntiVirus or EndPoint Security or File Security) basically have much higher chances of getting hit by threats?

i.e.
For the EDTD licenses cost, we would have to buy the bucket of 250 licenses even though we only around 190 devices needed. No option to allow customers to manually choose exactly how many licenses only required to purchase.

Edited May 2, 2019 by cmit
added more info

[Marcos 5,070]

13 hours ago, cmit said:

Does the Scan function (In-Depth) scan more areas when EDTD is enabled vs no EDTD?

EDTD is not meant to scan more areas. With EDTD, suspicious files are actually run in a sandbox environment and the similarity with malware is also evaluated by Augur, the machine learning system. That said, EDTD improves detection capabilities in case when new malware would not be normally detected on clients.

Quote

I have also noticed that after the EDTD is enabled for our workstations, it takes 1.5 or double of time to complete the scheduled periodic in-depth scan.

EDTD has no effect on scan speed. EDTD analysis is performed independently of scans and the scanner doesn't wait for EDTD to respond either. I would say there's something else than EDTD that is causing the difference which would need to be investigated further.