0xDEADBEEF (Author), posted May 13, 2019

16 minutes ago, zamar27 said: Also, what is the purpose of inspecting regular archives? They can be inspected at extract time to save resources. How would ESET tell an encrypted archive from a non-encrypted one?

Agree with the VPN part. The only reason I am asking is because of the more sensitive download heuristic ESET has in the web protection. For differentiating encrypted archives, the common file formats should be handled (the ESET scan log will show such detail).
Marcos (Administrator), posted May 13, 2019

A quote from https://en.wikipedia.org/wiki/Firefox_Send: "All files are encrypted before being uploaded and decrypted on the client after downloading. The encryption key is never sent to the server." That means ESET scans only encrypted files, i.e. it's impossible to detect anything there.

From the technical documentation (https://github.com/mozilla/send/blob/master/docs/encryption.md): "The secret key is appended to the share url as a #fragment and presented to the UI." That means the key only leaves the machine when the user transmits it manually, so there's no reliable way for us to get to it.
itman, posted May 13, 2019

The real question is: are you vulnerable in regards to Firefox Send encrypted archives using ESET? The answer is no, unless I am missing something. Once the archive is decrypted on the disk, it is still an archive. As previously noted, ESET's realtime protection covers you on any self-executing archives (e.g. .sfx). When the archive is extracted, a new folder is created with the files within. ESET's realtime protection scans all new files upon creation, so those new files will be scanned. Additionally, if one or more of those new files are an executable, it will be scanned again upon execution. Bottom line, I really don't see a problem here.
0xDEADBEEF (Author), posted May 13, 2019

2 hours ago, itman said: Bottom line, I really don't see a problem here.

The only reason I was mentioning this is because web protection has more sensitive heuristics than on-demand scan or realtime scan, as Marcos has stated in this thread. This means that though the realtime scan or AMS will catch the malware anyway if the file is extracted to disk or memory, it might miss the more sensitive heuristic in the web protection layer, if my understanding is correct. As for how much more sensitive the web protection is compared to the normal scanner, I've no idea.
itman, posted May 13, 2019

2 hours ago, 0xDEADBEEF said: The only reason I was mentioning this is because web protection has more sensitive heuristics than on-demand scan or realtime scan, as Marcos has stated in this thread.

Let's analyze this in detail. The first screenshot is the ThreatSense settings for Web Access protection. The important setting to note is "Advanced heuristics/DNA signatures". The next two screenshots are for Realtime protection. The important thing to note is the omission of the "Advanced heuristics/DNA signatures" protection in the base ThreatSense settings. And for file creation and execution, advanced heuristics are performed for both. Of note is the absence of any reference to "DNA signatures".

From the above, we can conclude that "DNA signature" usage is only used by default by Web Access protection. And that is indeed an issue. The solution to me appears to be enabling the "Advanced heuristics/DNA signatures" scanning option for Realtime protection. I assume that is disabled by default for system performance reasons. Also, this issue doesn't just apply to Firefox Send delivered files. What about anything not downloaded from the Internet, such as files on USB media?
Marcos (Administrator), posted May 13, 2019

Didn't notice this inconsistency until now. Advanced heuristics always also means DNA detections.
itman, posted May 13, 2019

Just now, Marcos said: Didn't notice this inconsistency until now. Advanced heuristics always also means DNA detections.

Thanks for the clarification!
zamar27, posted May 14, 2019

What's the difference between OBJECTS and FILES in Real-time File System Protection? Why are FILES separated into Additional ThreatSense Parameters? 😉
Marcos (Administrator), posted May 14, 2019

3 hours ago, zamar27 said: What's the difference between OBJECTS and FILES in Real-time File System Protection? Why are FILES separated into Additional ThreatSense Parameters? 😉

When referring to objects, we basically mean files, but we prefer using this general term since objects may also mean archives, processes, WMI, UEFI, streams, etc., i.e. anything that can be scanned. As for the settings referring to newly created or modified files, it really concerns files only. We could use the general term "objects" as well, but "files" sounds more natural to users.