Ransomware


I have been using ESET IS for the last 5 years and have an active subscription till 2021. It's the lightest AV out there with stellar detection, an excellent firewall and web filter, along with a really light footprint. However, ESET does miss out on certain features that other competitive AVs like BitDefender, Kaspersky, Trend Micro, Norton, McAfee provide. ESET has zero dynamic protection since the HIPS in automatic mode is useless. Imo I think it would be a lot better if ESET could provide a good Behaviour Monitor instead of the HIPS (the BB ESET has now is in hibernation mode; it rarely works). Another very important feature could be the Protected Folders option, where the user can decide which folders to protect against ransomware.


  • Administrators
2 hours ago, wraith said:

I have been using ESET IS for the last 5 years and have an active subscription till 2021. It's the lightest AV out there with stellar detection, an excellent firewall and web filter, along with a really light footprint. However, ESET does miss out on certain features that other competitive AVs like BitDefender, Kaspersky, Trend Micro, Norton, McAfee provide. ESET has zero dynamic protection since the HIPS in automatic mode is useless. Imo I think it would be a lot better if ESET could provide a good Behaviour Monitor instead of the HIPS (the BB ESET has now is in hibernation mode; it rarely works). Another very important feature could be the Protected Folders option, where the user can decide which folders to protect against ransomware.

Please check https://www.eset.com/int/about/technology and see how many of ESET's features are missing in competitive AVs :)

HIPS itself is the basement for:
- Self-defense
- Ransomware Shield
- Advanced Memory Scanner
- Exploit Blocker
- Deep Behavioral Inspection

Plus non-HIPS feature Advanced Machine Learning (v13 beta):



I know all these are there but I've never seen the Behaviour Blocker and Anti-Ransomware shield in action. If there is a new ransomware that is not in the signatures, there is literally no warning from ESET and the ransomware easily manages to encrypt all the files. The advanced machine learning seems to be a welcome addition.😀


  • Administrators
10 minutes ago, wraith said:

If there is a new ransomware that is not in the signatures, there is literally no warning from ESET and the ransomware easily manages to encrypt all the files.

I strongly disagree with this. If you have experienced an undetected ransomware that was not detected by ESET whatsoever, even upon execution, you can drop me a personal message with more details. If you want to discuss it, create a new topic, since this topic is not intended for discussion but for reporting wishes by users.

Regarding machine learning, you might be interested in reading this brochure:

https://cdn1.esetstatic.com/ESET/INT/Docs/Others/Technology/ESET-Technology-2017.pdf

ESET has been experimenting with machine-learning algorithms to detect and block threats since 1990s, with neural networks making their way into our products already in 1998. Since then we have implemented this promising technology all across our multi-layered technology.


Thanks for the link Marcos. I'll get back to you positively the next time I encounter a ransomware for which ESET doesn't have a signature (very rare to be true). While testing ESET in the malwaretips hub, I once encountered a cryptor for which ESET didn't have a signature and it managed to encrypt all the files in the test PC without a notification from ESET.


19 hours ago, Marcos said:

I strongly disagree with this. If you have experienced an undetected ransomware that was not detected by ESET whatsoever, even upon execution, you can drop me a personal message with more details. If you want to discuss it, create a new topic, since this topic is not intended for discussion but for reporting wishes by users.

 

I've messaged you the sample along with one of the encrypted documents. ESET was up to date and all the shields were on, but still the ransomware managed to bypass the BB and Anti-Ransomware module, which didn't give any single alert.


24 minutes ago, wraith said:

I've messaged you the sample along with one of the encrypted documents. ESET was up to date and all the shields were on, but still the ransomware managed to bypass the BB and Anti-Ransomware module, which didn't give any single alert.

Do this as an additional test. Upload your ransomware sample to a file sharing web site. Now download it, execute it, and see if it still bypasses Eset's protections.

Edited by itman

6 minutes ago, itman said:

Do this as an additional test. Upload your ransomware sample to a file sharing web site. Now download it and execute it and see if it still bypasses Eset's protections.

I downloaded it from upload.ee and ESET Web shield didn't warn me. I'm not trying to bash ESET my friend. In fact ESET is my favourite AV. I'm just saying that ESET BB and Anti-Ransomware module does not work as it should. Their main purpose is to identify malicious behaviour and alert the user or to stop the malicious action but they don't seem to be doing that.

Edited by wraith

8 minutes ago, wraith said:

downloaded it from upload.ee and ESET Web shield didn't warn me.

And at execution time, you received no alerts, detections, etc. from Eset and the ransomware encrypted all your files? Note that it's possible a few files do get encrypted prior to Eset's ransomware protection kicking in.

Edited by itman

Just now, itman said:

And at execution time, you received no alerts, detections, etc. from Eset and the ransomware encrypted all your files? Note that it's possible a few files do get encrypted prior to Eset's ransomware kicking in.

Precisely sir. The ransomware ran for more than 5 minutes in the background consuming around 25% of the CPU. I even checked in the ESET tools of running processes and LiveGrid was showing it in orange. But not a single alert from ESET. It encrypted all the doc, PDF, MP3, mp4, jpg, png files but didn't touch any applications or shortcuts.


  • Administrators
Quote

I'm just saying that ESET BB and Anti-Ransomware module does not work as it should.

This is equal to saying that AVs don't work as expected because they don't protect from 100% of malware.

The sample was sent for further investigation.

Do you have v12 installed with default settings, ie HIPS, AMS, Ransomware Shield, etc. enabled? Please post logs collected with ESET Log Collector, just in case.


2 minutes ago, Marcos said:

This is equal to saying that AVs don't work as expected because they don't protect from 100% of malware.

The sample was sent for further investigation.

Do you have v12 installed with default settings, ie HIPS, AMS, Ransomware Shield, etc. enabled? Please post logs collected with ESET Log Collector, just in case.

I have ESET IS 12 installed with all the shields enabled (except AMSI) since I'm on Windows 7. I did make changes to some settings such as enabling advanced DNA in real-time and strict cleaning.

Can you help me to export the log files? How do I do that?


Sorry if I'm mistaken but shouldn't the Anti-Ransomware module kick in when it's detecting that something is encrypting a large number of files? Or does it wait until LiveGrid returns a verdict that the file is indeed malicious? I just want to know the way the Anti-Ransomware module works.


3 minutes ago, wraith said:

I have ESET IS 12 installed with all the shields enabled(except AMSI) since I'm on windows 7.

This would explain part of it. Without AMSI, Eset can't examine packed, obfuscated, or encrypted scripts prior to execution.


3 minutes ago, itman said:

This would explain part of it. Without AMSI, Eset can't examine packed, obfuscated, or encrypted scripts prior to execution.

That's true mate but it is an exe file.


6 minutes ago, Marcos said:

Was the machine connected to the Internet so that ESET could retrieve LiveGrid information about the file?

Yes it was connected and I even opened LiveGrid to find out.


8 minutes ago, itman said:

It would be also beneficial to know how the ransomware was executed. You can submit it to Hybrid-Analysis which will provide a detailed analysis of it: https://www.hybrid-analysis.com/ . My gut is telling me a Windows "living off the land" .exe was deployed.

It spawned an independent process. Here's a screenshot of the LiveGrid.

 



27 minutes ago, itman said:

It would be also beneficial to know how the ransomware was executed. You can submit it to Hybrid-Analysis which will provide a detailed analysis of it: https://www.hybrid-analysis.com/ . My gut is telling me a Windows "living off the land" .exe was deployed.

 



One nasty ransomware. It's disguised to appear to be a .pdf file using the xxxxx.pdf.exe naming convention.

Appears to be one of these dreaded compile on the fly .Net .dll malware buggers and then inject that .dll into legit process. Hook a thread to the .dll and we're off and running encryption wise.

I would say the major complaint Eset-wise is why it didn't have a sig. for this when 37 other VT vendors did.

Notice how it targeted WD and Malwarebytes via legit .Net process use?

Will say that this sample is a perfect example of why Eset needs "block-at-first-sight" capability; not just for Enterprise subscribers of EED.


3 minutes ago, itman said:

One nasty ransomware. It's disguised to appear to be a .pdf file using the xxxxx.pdf.exe naming convention.

Appears to be one of these dreaded compile on the fly .Net .dll malware buggers and then inject that .dll into legit process. Hook a thread to the .dll and we're off and running encryption wise.

I would say the major complaint Eset-wise is why it didn't have a sig. for this when 37 other VT vendors did.

Notice how it targeted WD and Malwarebytes via legit .Net process use?

Will say that this sample is a perfect example of why Eset needs "block-at-first-sight" capability; not just for Enterprise subscribers of EED.

With the never-ending growth of malware, it's foolish just to rely on signatures alone for protection. Even if ESET didn't have a signature for it, shouldn't the proactive Anti-Ransomware module kick in when it detects that a large number of files are getting encrypted at once? Once again it's back to the original post, in which I stated that ESET Anti-Ransomware is not working as it's supposed to work. An anti-ransomware module should block a process when it detects that the process is encrypting files, or at least ask the user with an alert if the process should be allowed to continue.

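The question raised in the post above, and earlier in the thread, is what a behavioural anti-ransomware layer should key on when no signature exists for the binary. The following is an added example, not ESET's code and not posted by anyone in this thread, of one such heuristic: each file write is scored by Shannon entropy, and a process that lands too many high-entropy rewrites of document types inside a sliding window is flagged. The thresholds, file paths and process IDs are assumed values constructed for illustration.

```python
import math
import os
from collections import Counter, defaultdict, deque

# Assumed tuning values for illustration only; they are not ESET's thresholds.
ENTROPY_THRESHOLD = 7.0        # bits/byte: ciphertext is close to 8.0, text is about 4-5
WINDOW_SECONDS = 10.0          # sliding window per process
MAX_HIGH_ENTROPY_WRITES = 5    # alert once this many suspicious rewrites land in the window
WATCHED_EXTENSIONS = {".doc", ".pdf", ".mp3", ".mp4", ".jpg", ".png"}  # types named in the thread

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

class RansomwareHeuristic:
    """Flags a process that rewrites many documents with high-entropy content in a short window."""
    def __init__(self):
        self._writes = defaultdict(deque)   # pid -> timestamps of suspicious writes
        self.flagged = set()

    def observe(self, ts: float, pid: int, path: str, data: bytes) -> bool:
        """Feed one file-write event; return True when pid crosses the threshold."""
        ext = os.path.splitext(path)[1].lower()
        if ext not in WATCHED_EXTENSIONS or shannon_entropy(data) < ENTROPY_THRESHOLD:
            return False
        q = self._writes[pid]
        q.append(ts)
        while q and ts - q[0] > WINDOW_SECONDS:   # forget writes older than the window
            q.popleft()
        if len(q) >= MAX_HIGH_ENTROPY_WRITES:
            self.flagged.add(pid)
            return True
        return False

def run_demo():
    """Constructed stream: pid 4242 overwrites eight documents with ciphertext-like bytes one
    second apart; pid 100 saves plain text. Returns (flagged pids, files lost before alert)."""
    ciphertext_like = bytes(range(256)) * 4      # entropy exactly 8.0 bits/byte
    plain = b"Quarterly report draft, version 3.\n" * 20
    h = RansomwareHeuristic()
    first_alert = None
    for i in range(8):
        hit = h.observe(float(i), 4242, f"C:/Users/demo/Documents/report{i}.pdf", ciphertext_like)
        if hit and first_alert is None:
            first_alert = i + 1                  # files already overwritten when the alert fires
    h.observe(3.5, 100, "C:/Users/demo/Documents/notes.doc", plain)
    return sorted(h.flagged), first_alert
```

The `first_alert` value shows the trade-off itman mentions: files written before the threshold is reached are already encrypted, so a lower threshold loses fewer files but produces more false positives on legitimate bulk compression or encryption tools.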

2 minutes ago, Marcos said:

Not sure what you mean by "block-at-first-sight" capability.

I think he meant like Windows Defender Block at first sight/ Kaspersky Trusted Application Mode/ Avast Hardened Mode where only safe and whitelisted files will be allowed to run. Basically it's like a hybrid default-deny.

Edited by wraith

This topic is now closed to further replies.