wraith Posted August 31, 2019: I have been using ESET IS for the last 5 years and have an active subscription till 2021. It's the lightest AV out there with stellar detection, excellent firewall and web filter along with a really light footprint. However ESET does miss out on certain features that other competitive AVs like BitDefender, Kaspersky, Trend Micro, Norton, McAfee provide. ESET has zero dynamic protection since the HIPS in automatic mode is useless. Imo I think it would be a lot better if ESET can provide a good Behaviour Monitor instead of the HIPS (the BB ESET has now is in hibernation mode, it rarely works). Another very important feature could be the Protected Folders option where the user can decide which folders to protect against ransomware.
Marcos (Administrator) Posted August 31, 2019: 2 hours ago, wraith said: "I have been using ESET IS for the last 5 years and have an active subscription till 2021. It's the lightest AV out there with stellar detection, excellent firewall and web filter along with a really light footprint. However ESET does miss out on certain features that other competitive AVs like BitDefender, Kaspersky, Trend Micro, Norton, McAfee provide. ESET has zero dynamic protection since the HIPS in automatic mode is useless. Imo I think it would be a lot better if ESET can provide a good Behaviour Monitor instead of the HIPS (the BB ESET has now is in hibernation mode, it rarely works). Another very important feature could be the Protected Folders option where the user can decide which folders to protect against ransomware." Please check https://www.eset.com/int/about/technology and see how many of ESET's features are missing in competitive AVs. HIPS itself is the basement for:
- Self-defense
- Ransomware Shield
- Advanced Memory Scanner
- Exploit Blocker
- Deep Behavioral Inspection
Plus the non-HIPS feature Advanced Machine Learning (v13 beta):
wraith (Author) Posted August 31, 2019: I know all these are there but I've never seen the Behaviour Blocker and Anti-Ransomware shield in action. If there is a new ransomware that is not in the signatures, there is literally no warning from ESET and the ransomware easily manages to encrypt all the files. The advanced machine learning seems to be a welcome addition. 😀
Marcos (Administrator) Posted August 31, 2019: 10 minutes ago, wraith said: "If there is a new ransomware that is not in the signatures, there is literally no warning from ESET and the ransomware easily manages to encrypt all the files." I strongly disagree with this. If you have experienced an undetected ransomware that was not detected by ESET whatsoever even upon execution, you can drop me a personal message with more details. If you want to discuss it, create a new topic since this topic is not intended for discussion but for reporting wishes by users. Regarding machine learning, you might be interested in reading this brochure: https://cdn1.esetstatic.com/ESET/INT/Docs/Others/Technology/ESET-Technology-2017.pdf ESET has been experimenting with machine-learning algorithms to detect and block threats since the 1990s, with neural networks making their way into our products already in 1998. Since then we have implemented this promising technology all across our multi-layered technology.
wraith (Author) Posted August 31, 2019: Thanks for the link Marcos. I'll get back to you positively the next time I encounter a ransomware for which ESET doesn't have a signature (very rare to be true). While testing ESET in the malwaretips hub, I once encountered a cryptor for which ESET didn't have a signature and it managed to encrypt all the files in the test PC without a notification from ESET.
wraith (Author) Posted September 1, 2019: 19 hours ago, Marcos said: "I strongly disagree with this. If you have experienced an undetected ransomware that was not detected by ESET whatsoever even upon execution, you can drop me a personal message with more details. If you want to discuss it, create a new topic since this topic is not intended for discussion but for reporting wishes by users." I've messaged you the sample along with one of the encrypted documents. ESET was up to date and all the shields were on, but still the ransomware managed to bypass the BB and Anti-Ransomware module, which didn't give a single alert.
itman Posted September 1, 2019: 24 minutes ago, wraith said: "I've messaged you the sample along with one of the encrypted documents. ESET was up to date and all the shields were on, but still the ransomware managed to bypass the BB and Anti-Ransomware module, which didn't give a single alert." Do this as an additional test. Upload your ransomware sample to a file sharing web site. Now download it, execute it, and see if it still bypasses Eset's protections.
wraith (Author) Posted September 1, 2019: 6 minutes ago, itman said: "Do this as an additional test. Upload your ransomware sample to a file sharing web site. Now download it and execute it and see if it still bypasses Eset's protections." I downloaded it from upload.ee and ESET Web shield didn't warn me. I'm not trying to bash ESET my friend. In fact ESET is my favourite AV. I'm just saying that ESET BB and Anti-Ransomware module do not work as they should. Their main purpose is to identify malicious behaviour and alert the user or to stop the malicious action but they don't seem to be doing that.
itman Posted September 1, 2019: 8 minutes ago, wraith said: "I downloaded it from upload.ee and ESET Web shield didn't warn me." And at execution time, you received no alerts, detections, etc. from Eset and the ransomware encrypted all your files? Note that it's possible a few files do get encrypted prior to Eset's ransomware protection kicking in.
wraith (Author) Posted September 1, 2019: Just now, itman said: "And at execution time, you received no alerts, detections, etc. from Eset and the ransomware encrypted all your files? Note that it's possible a few files do get encrypted prior to Eset's ransomware protection kicking in." Precisely sir. The ransomware ran for more than 5 minutes in the background consuming around 25% of the CPU. I even checked in the ESET tools of running processes and LiveGrid was showing it in orange. But not a single alert from ESET. It encrypted all the doc, PDF, MP3, mp4, jpg, png files but didn't touch any applications or shortcuts.
Marcos (Administrator) Posted September 1, 2019: Quote: "I'm just saying that ESET BB and Anti-Ransomware module do not work as they should." This is equal to saying that AVs don't work as expected because they don't protect from 100% of malware. The sample was sent for further investigation. Do you have v12 installed with default settings, i.e. HIPS, AMS, Ransomware Shield, etc. enabled? Please post logs collected with ESET Log Collector, just in case.
wraith (Author) Posted September 1, 2019: 2 minutes ago, Marcos said: "This is equal to saying that AVs don't work as expected because they don't protect from 100% of malware. The sample was sent for further investigation. Do you have v12 installed with default settings, i.e. HIPS, AMS, Ransomware Shield, etc. enabled? Please post logs collected with ESET Log Collector, just in case." I have ESET IS 12 installed with all the shields enabled (except AMSI) since I'm on Windows 7. I did make changes to some settings such as enabling advanced DNA in real-time and strict cleaning. Can you help me to export the log files? How do I do that?
wraith (Author) Posted September 1, 2019: Sorry if I'm mistaken but shouldn't the Anti-Ransomware module kick in when it's detecting that something is encrypting a large number of files? Or does it wait until LiveGrid returns a verdict that the file is indeed malicious? I just want to know the way the Anti-Ransomware module works.
itman Posted September 1, 2019: It would also be beneficial to know how the ransomware was executed. You can submit it to Hybrid-Analysis which will provide a detailed analysis of it: https://www.hybrid-analysis.com/. My gut is telling me a Windows "living off the land" .exe was deployed.
Marcos (Administrator) Posted September 1, 2019: Was the machine connected to the Internet so that ESET could retrieve LiveGrid information about the file?
itman Posted September 1, 2019: 3 minutes ago, wraith said: "I have ESET IS 12 installed with all the shields enabled (except AMSI) since I'm on Windows 7." This would explain part of it. Without AMSI, Eset can't examine packed, obfuscated, or encrypted scripts prior to execution.
wraith (Author) Posted September 1, 2019: 3 minutes ago, itman said: "This would explain part of it. Without AMSI, Eset can't examine packed, obfuscated, or encrypted scripts prior to execution." That's true mate but it is an exe file.
Marcos (Administrator) Posted September 1, 2019: I don't think that AMSI would play a role in this case since the malware is an executable and not a script. We'll see what findings researchers will come up with.
wraith (Author) Posted September 1, 2019: 6 minutes ago, Marcos said: "Was the machine connected to the Internet so that ESET could retrieve LiveGrid information about the file?" Yes it was connected and I even opened LiveGrid to find out.
wraith (Author) Posted September 1, 2019: 8 minutes ago, itman said: "It would also be beneficial to know how the ransomware was executed. You can submit it to Hybrid-Analysis which will provide a detailed analysis of it: https://www.hybrid-analysis.com/. My gut is telling me a Windows "living off the land" .exe was deployed." It spawned an independent process. Here's a screenshot of the LiveGrid.
wraith (Author) Posted September 1, 2019: 27 minutes ago, itman said: "It would also be beneficial to know how the ransomware was executed. You can submit it to Hybrid-Analysis which will provide a detailed analysis of it: https://www.hybrid-analysis.com/. My gut is telling me a Windows "living off the land" .exe was deployed."
itman Posted September 1, 2019: One nasty ransomware. It's disguised to appear to be a .pdf file using the xxxxx.pdf.exe naming convention. Appears to be one of these dreaded compile-on-the-fly .Net .dll malware buggers that then injects that .dll into a legit process. Hook a thread to the .dll and we're off and running encryption-wise. I would say the major complaint Eset-wise is why it didn't have a sig. for this when 37 other VT vendors did. Notice how it targeted WD and Malwarebytes via legit .Net process use? Will say that this sample is a perfect example of why Eset needs "block-at-first-sight" capability; not just for Enterprise subscribers of EED.
Marcos (Administrator) Posted September 1, 2019: Not sure what you mean by "block-at-first-sight" capability.
wraith (Author) Posted September 1, 2019: 3 minutes ago, itman said: "One nasty ransomware. It's disguised to appear to be a .pdf file using the xxxxx.pdf.exe naming convention. Appears to be one of these dreaded compile-on-the-fly .Net .dll malware buggers that then injects that .dll into a legit process. Hook a thread to the .dll and we're off and running encryption-wise. I would say the major complaint Eset-wise is why it didn't have a sig. for this when 37 other VT vendors did. Notice how it targeted WD and Malwarebytes via legit .Net process use? Will say that this sample is a perfect example of why Eset needs "block-at-first-sight" capability; not just for Enterprise subscribers of EED." With the never ending growth of malware, it's foolish just to rely on signatures alone for protection. Even if ESET didn't have a signature for it, shouldn't the proactive Anti-Ransomware module kick in when it detects that a large number of files are getting encrypted at once? Once again it's back to the original post in which I stated that ESET Anti-Ransomware is not working as it's supposed to work. An anti-ransomware module should block a process when it detects that the process is encrypting files or at least ask the user with an alert if the process should be allowed to continue.
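The behaviour wraith asks for here (flag a process that encrypts many files at once) and the double-extension disguise itman describes a few posts up can be sketched as a file-activity detection rule. The following is an added example written for this thread; it is not ESET's code and says nothing about how Ransomware Shield actually decides. The process ids, image names, paths and file events are constructed, and the 10-second window and 5-file threshold are assumed tuning values, not anything the thread states.

```python
"""Toy behaviour-based ransomware heuristic (added example, not ESET code).

Replays constructed file-system events and flags a process that, within a
short window, rewrites many user documents, renames them away from their
document extension, or runs under a name.pdf.exe style double extension.
"""
import os
from collections import defaultdict, deque

# Extensions the thread reports as encrypted (documents and media), plus the
# executable extensions a double-extension disguise hides behind.
DOC_EXTS = {".doc", ".docx", ".xlsx", ".pdf", ".txt", ".mp3", ".mp4", ".jpg", ".png"}
EXEC_EXTS = {".exe", ".scr", ".com", ".bat", ".js"}


def double_extension(filename):
    """True for names like invoice.pdf.exe: a document extension in front of an executable one."""
    root, last = os.path.splitext(filename.lower())
    inner = os.path.splitext(root)[1]
    return last in EXEC_EXTS and inner in DOC_EXTS


def lost_document_extension(src_path, dst_path):
    """True when a rename leaves a document with a foreign extension (report.docx -> report.docx.locked)."""
    src_ext = os.path.splitext(src_path.lower())[1]
    dst_ext = os.path.splitext(dst_path.lower())[1]
    return src_ext in DOC_EXTS and dst_ext not in DOC_EXTS


def analyze(events, window_s=10.0, min_files=5):
    """Return {pid: [reasons]} for processes whose file activity looks like mass encryption.

    window_s and min_files are assumed tuning values for this example. A per-process
    sliding window counts distinct document paths written or renamed, so a slow
    process that touches the same files over minutes never accumulates enough to trip it.
    """
    touched = defaultdict(deque)  # pid -> deque of (timestamp, path) inside the window
    findings = {}

    def add(pid, reason):
        reasons = findings.setdefault(pid, [])
        if reason not in reasons:
            reasons.append(reason)

    for ev in sorted(events, key=lambda e: e["t"]):
        pid, t, op, path = ev["pid"], ev["t"], ev["op"], ev["path"]
        if double_extension(ev["image"]):
            add(pid, "process image uses a document.exe double extension")
        if op == "rename" and lost_document_extension(path, ev["new_path"]):
            add(pid, "renamed a document to a non-document extension")
        if op in ("write", "rename") and os.path.splitext(path.lower())[1] in DOC_EXTS:
            q = touched[pid]
            q.append((t, path))
            while q and t - q[0][0] > window_s:  # drop events older than the window
                q.popleft()
            if len({p for _, p in q}) >= min_files:
                add(pid, f"at least {min_files} distinct documents modified within {window_s:g}s")
    return findings


def _ev(t, pid, image, op, path, new_path=None):
    return {"t": t, "pid": pid, "image": image, "op": op, "path": path, "new_path": new_path}


# Constructed sample events (not a real capture).
DOCS = [r"C:\Users\u\Documents\report.docx", r"C:\Users\u\Documents\budget.xlsx",
        r"C:\Users\u\Pictures\holiday.jpg", r"C:\Users\u\Music\track.mp3",
        r"C:\Users\u\Videos\clip.mp4", r"C:\Users\u\Documents\notes.pdf"]

SAMPLE_EVENTS = []
# Suspect (pid 4242): runs as invoice.pdf.exe, rewrites and renames six documents in three seconds.
for i, doc in enumerate(DOCS):
    SAMPLE_EVENTS.append(_ev(0.5 * i, 4242, "invoice.pdf.exe", "write", doc))
    SAMPLE_EVENTS.append(_ev(0.5 * i + 0.1, 4242, "invoice.pdf.exe", "rename", doc, doc + ".locked"))
# Benign editor (pid 1000): saves a single document.
SAMPLE_EVENTS.append(_ev(2.0, 1000, "winword.exe", "write", DOCS[0]))
# Benign backup tool (pid 2000): touches all six documents, but one every 30 seconds.
for i, doc in enumerate(DOCS):
    SAMPLE_EVENTS.append(_ev(100.0 + 30.0 * i, 2000, "backup.exe", "write", doc))

if __name__ == "__main__":
    for pid, reasons in analyze(SAMPLE_EVENTS).items():
        print(pid, reasons)  # only pid 4242 is reported, with three reasons
```

The backup process is the case worth noticing: it modifies exactly the same six files as the suspect, and only the time window separates the two. Any real behaviour blocker has to make that trade-off between reacting quickly and tolerating legitimate bulk file activity, which is also why a few files can be touched before a detection fires, as itman notes above.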
wraith (Author) Posted September 1, 2019: 2 minutes ago, Marcos said: "Not sure what you mean by "block-at-first-sight" capability." I think he meant like Windows Defender Block at first sight / Kaspersky Trusted Application Mode / Avast Hardened Mode where only safe and whitelisted files will be allowed to run. Basically it's like a hybrid default-deny.