
Archived

This topic is now archived and is closed to further replies.

0xDEADBEEF

Question about Web Protection


16 minutes ago, zamar27 said:

Also, what is the purpose of inspecting regular archives? They can be inspected at extract time to save resources. How would Eset distinguish an encrypted archive from one that is not?

Agree with the VPN part. The only reason I am asking is because of the more sensitive download heuristic ESET has in the web protection. For differentiating encrypted archives, common file formats should be handled (the ESET scan log will show such detail).

 


A quote from https://en.wikipedia.org/wiki/Firefox_Send:

All files are encrypted before being uploaded and decrypted on the client after downloading. The encryption key is never sent to the server.

That means ESET scans only encrypted files, i.e. it's impossible to detect anything there.

 

From the technical documentation (https://github.com/mozilla/send/blob/master/docs/encryption.md):

The secret key is appended to the share url as a #fragment and presented to the UI

That means the key only leaves the machine when the user transmits it manually, so there's no reliable way for us to get to it.

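Why a network-side scanner has nothing to inspect in this design, shown as an added example that is not part of the original post and is not Mozilla's code. It is a simplified model: plain AES-GCM, a hypothetical host `send.example`, and a constructed marker string standing in for a detectable byte pattern.

```javascript
// Simplified model of client-side encryption with the key in the URL fragment.
const nodeCrypto = require('node:crypto');

// Constructed stand-in for a byte pattern a scanner would flag.
const MARKER = Buffer.from('CONSTRUCTED-TEST-MARKER-0001');
const scan = (buf) => buf.includes(MARKER);

// Sender: encrypt locally; the key is placed in the URL fragment only.
function share(plaintext, host) {
  const key = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-128-gcm', key, iv);
  const blob = Buffer.concat([iv, c.update(plaintext), c.final(), c.getAuthTag()]);
  const id = nodeCrypto.randomBytes(8).toString('hex');
  return { blob, url: `https://${host}/download/${id}#${key.toString('base64url')}` };
}

// What the download request carries: the fragment is never part of the
// HTTP request target, so the server and network filters do not see the key.
function requestTarget(shareUrl) {
  const u = new URL(shareUrl);
  return u.pathname + u.search;
}

// Recipient: the key comes from the fragment; decryption happens on the endpoint.
function receive(shareUrl, blob) {
  const key = Buffer.from(new URL(shareUrl).hash.slice(1), 'base64url');
  const iv = blob.subarray(0, 12);
  const tag = blob.subarray(blob.length - 16);
  const d = nodeCrypto.createDecipheriv('aes-128-gcm', key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(blob.subarray(12, blob.length - 16)), d.final()]);
}

// Scan the same content at two points: in transit and after local decryption.
function demo() {
  const file = Buffer.concat([Buffer.from('header '), MARKER, Buffer.from(' trailer')]);
  const { blob, url } = share(file, 'send.example');
  return {
    keyInRequest: requestTarget(url).includes(url.split('#')[1]),
    hitInTransit: scan(blob),
    hitAfterDecrypt: scan(receive(url, blob)),
  };
}
console.log(demo());
```

The only point where the pattern is visible is after decryption on the endpoint, which is where file-creation and on-execution scanning apply.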

The real question is: are you vulnerable with regard to Firefox Send encrypted archives when using Eset? The answer is no, unless I am missing something.

Once the archive is decrypted on the disk, it is still an archive. As previously noted, Eset's realtime protection covers you on any self-executing archives; e.g. .sfx, etc. When the archive is extracted, a new folder is created with the files within. Eset's realtime protection scans all new files upon creation, so those new files will be scanned. Additionally, if one or more of those new files is an executable, it will be scanned again upon execution. Bottom line, I really don't see a problem here.

2 hours ago, itman said:

Bottom line, I really don't see a problem here.

The only reason I was mentioning this is because web protection has more sensitive heuristics than on-demand scan or realtime scan, as Marcos has stated in this thread.

This means that, though the realtime scan or AMS will anyway catch the malware if the file is extracted to disk or memory, it might miss the more sensitive heuristic in the web protection layer, if my understanding is correct. As for how much more sensitive the web protection is compared to the normal scanner, I've no idea.

2 hours ago, 0xDEADBEEF said:

The only reason I was mentioning this is because web protection has more sensitive heuristics than on-demand scan or realtime scan, as Marcos has stated in this thread.

Let's analyze this in detail.

First screen shot is ThreatSense settings for Web Access protection. The important setting to note is "Advanced heuristics/DNA signatures":

[Screenshot: ThreatSense settings for Web Access protection]

 

The next two screen shots are for Realtime protection. The important thing to note is the omission of the "Advanced heuristics/DNA signatures" protection on base ThreatSense settings:

[Screenshot: Realtime protection, base ThreatSense settings]

And for file creation and execution, advanced heuristics are performed for both. Of note is the absence of any reference to "DNA signatures":

[Screenshot: Realtime protection, additional ThreatSense parameters]

 

From the above, we can conclude that "DNA signature" scanning is only used by default by Web Access protection. And that is indeed an issue. The solution, to me, appears to be to enable the "Advanced heuristics/DNA signatures" scanning option for Realtime protection. I assume that is disabled by default for system performance reasons.

Also, this issue doesn't just apply to Firefox Send delivered files. What about anything not downloaded from the Internet, such as files on USB media?


Didn't notice this inconsistency until now. Advanced heuristics always also means DNA detections.

Just now, Marcos said:

Didn't notice this inconsistency until now. Advanced heuristics always also means DNA detections.

Thanks for the clarification!


What's the difference between OBJECTS and FILES in Real-time File System Protection? Why are FILES separated into Additional ThreatSense Parameters? 😉

3 hours ago, zamar27 said:

What's the difference between OBJECTS and FILES in Real-time File System Protection? Why are FILES separated into Additional ThreatSense Parameters? 😉

When referring to objects, we basically mean files, but we prefer using this general term since objects may also mean archives, processes, WMI, UEFI, streams, etc., i.e. anything that can be scanned. As for the settings referring to newly created or modified files, it really concerns files only. We could use the general term "objects" as well, but "files" sounds more natural to users.

