Jump to content
Mauricio Osorio

Cymulate detect vulnerabilities in ESET Endpoint Products

Recommended Posts

Hi everyone,

A few days ago one of the most important customers we have shows us an executive report about a test made by a program named cymulate, in that report (it is attached by the way) show how the ESET Endpoint solution could not detect some types attacks.

Im not really sure about this report but i need to justify our solutions because this report has put in doubt the antivirus and he told us that if we do not configure the antivirus so that these attacks do not happen it will not renew the subscription and it is a client of 1200 machines, a very important client for us.

They run the test in one machine, i took the logs and a sysinspector if that can useful to examine the case. The module used in CYMULATE was the one called web gateway.

There is a few questions:

  1. Can we detect those attacks and how i must configure the endpoint policy?
  2. Cymulate make a real vulnerability test?
  3. How ESET as a brand can respond in this case?

I hope you can help me in this one!.

report_executive_web_gateway__2019_06_20__15_43_50.pdfRegards.

OneDrive_1_20-6-2019.zip

 

Share this post


Link to post
Share on other sites
Posted (edited)

If you post the Cymulate report on a file sharing site, all on the forum could review it. Obviously, any device sensitive info should be removed/masked in the report.

Note that only Eset moderators can view any forum attachments.

Edited by itman

Share this post


Link to post
Share on other sites

1, You  are most vulnerable to Exploits
Download of working PoCs for  known CVEs  that exploit buffer overflows and other vulnerabilities in various applications which could lead to code execution.

For some CVE's we have file detections that can be recognized and blocked

a) by scanners, e.g.: C:\test\poc.exe - a variant of Win32/Exploit.CVE-2019-1064.A trojan

b) by firewall :

Threat Type: Firewall : Security vulnerability exploitation
Cause: CVE-2017-5638.Struts2
Process Name: C:\Program Files\Java\jdk1.5.0_09\bin\java.exe

c:) by Exploit Blocker (detects actual exploits in processes that it monitors, ie. no PoCs, simulators, etc. are unlikely to be detected)

Unfortunately, without knowing details about the test it's impossible to comment on it. If they used just PoCs and not actual exploits, that could be the reason for not detecting them.

 

2, You  are least vulnerable to Files
Crafted payloads that mimic the behavior of worms, trojans, spywares downloaded on HTTPS.

We detect actual malware, not simulators, PoCs etc. If something just mimics malware, it's not malware and not subject to detection. We could specifically detect simulators but why we should do it since they don't pose a risk. Detection of simulators tells nothing about how a particular solution protects you from actual malware.

 

3, Inbound
38  out of 48 simulated malicious files  were downloaded from external sources.

The same as point 2. Since simulators are not subject to detection (only actual malware is), this test is completely irrelevant and tells nothing about how effectively the AV blocks malicious urls.

 

They also recommend blocking download of:
.com, .bat, .cmd, .exe, .js, .vbs files. A nice idea but that would not work in real world since people need to download many of these files for legitimate purposes. Even blocking files with these extensions on a mail server would produce a lot false positives. Of course, some companies may have a policy that prohibits sending and receiving such files but they can't be blocked globally for everyone.

 

 

 

image.png

Share this post


Link to post
Share on other sites
Posted (edited)

I agree with what @Marcos has posted.

The report is a 6 page executive summary devoid of any specific details. Assuming the vendor used the Mitre matrix for exploit reference, they most likely used known POC exploits against known vulnerabilities. The best way to protect against vulnerabilities is applying in a timely fashion, vendor provided OS and app software patches/updates. Then there is the known and documented fact that many vulnerabilities are never exploited; only a small percentage are. I have strong suspicions that the exploits used in this test fall into the catagory of POC developed but never actually employed "in-the-wild."

It is fairly obvious that Cymulate is recommending an "anti-exec" solution as far as the monitoring inbound external network traffic. This is only doable on a gateway device if the concern is willing to dedicate the system knowledgeable resources to monitor such activity. Based on postings on this forum, this certainly is not case frm the corp. sourced postings I have seen. BTW - this approach is certainly possible using custom Eset Firewall and HIPS rules. I for one, employ them.

Edited by itman

Share this post


Link to post
Share on other sites

If security in your organization matters, you could consider purchasing ESET Enterprise Inspector, an EDR (Endpoint Detection and Response) solution for enterprise users developed by ESET that we've been running as an early access program so far and should start selling it in the near future. EEI monitors operations at various layers (file system, network, registry, etc.) on computers in network that run an ESET security product. It provides you an insight into what's going on the machines in your network and gives options to respond (e.g. by terminating suspicious processes and blocking suspicious files by a hash). It comes with about 230 rules pre-defined by ESET that are triggered if a suspicious operation was performed and you can also create your own rules.

We will also offer additional professional services like ESET Threat Monitoring and ESET Threat Hunting services for organizations that don't have professional staff for monitoring or performing forensic analysis in the event of a security incident.

Feel free to ask if you were interested in this or would like to take advantage of ESET Dynamic Threat Defense that provides an instant analysis of suspicious files found in an organization in ESET's cloud sandbox, leveraging machine learning and other mechanisms for evaluating files. This way you can block malicious files (e.g. documents with malicious macros spread by email) in your entire organization long before the detection is added via a regular module update.

image.png

Share this post


Link to post
Share on other sites
Posted (edited)

I will also add that there currently exists much confusion about penetration testing and AV lab testing.

Penetration testing entails the testing of vulnerabilities that exist:

1. At the external network perimeter.

2. Within the internal network.

3. For the operating system and application software installed on devices within the internal network.

Point 1). is the area most overlooked by SMBs. Most enterprise environments employ dedicated network devices; i.e. appliances to monitor the perimeter of the external network for breeches. These appliances are quite expensive and do require dedicated personnel to monitor them. The point to emphasize is this is the level most effective in preventing unwanted network intrusions.

AV labs test AV security software solutions against known malware internal network breeches. It should be noted that even the best behavioral methods available today are ineffective against never before seen malware behavior exploiting an unknown OS or app vulnerability. This is because the behavior detection methods are conditioned upon previously known malware behavior.

I am reminded of the analogy that that absolute security of any type is possible, but at the cost of making the object protected unusable for its intended purpose. Or stated another way, maximum security is the point where desired usability is not adversely affected.

Edited by itman

Share this post


Link to post
Share on other sites

Hi guys,

Thanks for that answers, it is really important for us defend the brand in front of our clients and your contributions help us a lot!. Really appreciate your comments.

We are now presenting a report with this information, but i have an extra question to make you: 

based on the logs of the product, this had its modules disabled?

I ask because when i saw the logs file it show me this:  Captura.PNG.fc51eeec0cacd2ebd54fbd316cf97882.PNG

Regards.

Share this post


Link to post
Share on other sites

Check the settings in gui. Or import the configuration to the same product on your end and check the settings if you suspect that some may be disabled.

Share this post


Link to post
Share on other sites
21 hours ago, Mauricio Osorio said:

based on the logs of the product, this had its modules disabled?

Which product are you referring to; Eset or Cymulate?

Share this post


Link to post
Share on other sites

This explanation help us a lot. Thanks you all because we are more close to keep this client with ESET's Solutions. Today we are testing EEI and EDTD.

Regards.

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...