Ransomware


  • Administrators
2 minutes ago, wraith said:

With the never ending growth of malwares, it's foolish just to rely on signatures alone for protection. Even if ESET didn't have a signature for it, shouldn't the proactive Anti-Ransomware module kick in when it detects that a large number of files are getting encrypted at once? Once again it's back to the original post in which I stated that ESET Anti-Ransomware is not working as it's supposed to work. An anti-ransomware module should block a process when it detects that the process is encrypting files, or at least ask the user with an alert if the process should be allowed to continue.

As I wrote already, the sample was passed to researchers. We'll see what findings they will come up with.
It's possible that it somehow fooled the ransomware shield. Without analysis, it's impossible to comment on it any further at this moment.

Just as there is no such thing as 100% malware detection and protection, one can't expect the ransomware shield to detect 100% of ransomware.


  • Administrators
4 minutes ago, wraith said:

I think he meant like Windows Defender Block at first sight/ Kaspersky Trusted Application Mode/ Avast Hardened Mode where only safe and whitelisted files will be allowed to run. Basically it's like a hybrid default-deny.

There are dozens of thousands of applications and new binaries being created on a daily basis which are untrusted and not whitelisted. It would cause a lot of issues, believe me. Maybe not for you but for thousands of other users. That's not the way we want to go and create issues for many of our users.


Just now, Marcos said:

There are dozens of thousands of applications and new binaries being created on a daily basis which are untrusted and not whitelisted. It would cause a lot of issues, believe me. Maybe not for you but for dozens of thousands of other users.

Yeah that's why I don't like these features. I just gave them as examples since you asked about what block at first sight is. Moreover these make the AV heavy to use and I don't want ESET to become heavy like the other AV's. But I really want ESET to have a dedicated PROACTIVE Ransomware Module, not a REACTIVE one since all the complaints I receive regarding ESET only relates to ransomwares, nothing else.


  • Administrators
7 minutes ago, wraith said:

Yeah that's why I don't like these features. I just gave them as examples since you asked about what block at first sight is. Moreover these make the AV heavy to use and I don't want ESET to become heavy like the other AV's. But I really want ESET to have a dedicated PROACTIVE Ransomware Module, not a REACTIVE one since all the complaints I receive regarding ESET only relates to ransomwares, nothing else.

All technologies employed by ESET are proactive. There are some that work upon execution (EB, Ransomware shield, Deep Behavior Inspection) that monitor the behavior of running processes and may not stop a process immediately after it's started.

As for the complaints you receive about ransomware, feel free to contact me privately. 99,99% of ransomware cases that we deal with are caused by unsecured RDP when an attacker manages to log in with administrator rights, pause AV protection and then run ransomware undetected. It often turns out that the detection for the ransomware used in attacks was added years ago.


1 minute ago, Marcos said:

There are dozens of thousands of applications and new binaries being created on a daily basis which are untrusted and not whitelisted. It would cause a lot of issues, believe me. Maybe not for you but for thousands of other users. That's not the way we want to go and create issues for many of our users.

Yes. This is the standard Eset response. The problem is that it's an option in the previously mentioned AVs. As such, it's available if one chooses to deploy it.

As far as WD goes, it submits the process to the MS cloud Azure AI servers for a scan that can be extended up to one min. in duration. As far as WD ATP goes, the scan duration can be extended further. Additionally, probability threshold can be modified; i.e. 80% (default) to 90% to increase detection likelihood. Of course, increased sensitivity means higher likelihood for a false positive detection.

Again, Eset has this capability in EED.


5 minutes ago, Marcos said:

All technologies employed by ESET are proactive. There are some that work upon execution (EB, Ransomware shield, Deep Behavior Inspection) that monitor the behavior of running processes and may not stop a process immediately after it's started.

As for the complaints you receive about ransomware, feel free to contact me privately. 99,99% of ransomware cases that we deal with are caused by unsecured RDP when an attacker manages to log in with administrator rights, pause AV protection and then run ransomware undetected. It often turns out that the detection for the ransomware used in attacks was added years ago.

I agree about the RDP part. That's why the first thing I disable is remote access and smb 1. But then again I have a simple question. If ESET is so proactive why doesn't the ransomware shield kick in when it detects that files are getting encrypted? 


  • Administrators
3 minutes ago, wraith said:

I agree about the RDP part. That's why the first thing I disable is remote access and smb 1. But then again I have a simple question. If ESET is so proactive why doesn't the ransomware shield kick in when it detects that files are getting encrypted? 

Do you mean why Ransomware shield doesn't detect the operation when the protection is paused by an attacker after connecting via RDP?


6 minutes ago, Marcos said:

Do you mean why Ransomware shield doesn't detect the operation when the protection is paused by an attacker after connecting via RDP?

Absolutely not. I'm talking about the ransomware scenario which we're discussing. This is an exe file. ESET doesn't have a signature and so it's not detected by the real-time scanner. When I executed the file it spawned a process that began encrypting files. My point is that when the process started encrypting the files, why didn't the anti-ransomware module kick in and alert me asking whether I want to continue the operation or block it? This is the simple question for which I'm trying to get a reliable response, nothing more.

Edited by wraith

1 minute ago, Marcos said:

I've already written above that the sample was passed to analysts for investigation.

Please let me know what the analysts came up with and also if possible why the anti ransomware didn't kick in for this particular sample. Thanks. 😀


  • Administrators
9 minutes ago, L0ckJaw said:

If Eset had a similar system like Norton's Sonar, the sample would have been detected.

I've checked a description of the said technology but didn't find anything that ESET wouldn't already employ (https://www.eset.com/int/about/technology/):

SONAR is a real-time protection that detects potentially malicious applications when they run on your computers. SONAR provides "zero-day" protection because it detects threats before traditional virus and spyware detection definitions have been created to address the threats.

SONAR uses heuristics as well as reputation data to detect emerging and unknown threats. SONAR provides an additional level of protection on your client computers and complements your existing Virus and Spyware Protection, intrusion prevention, Memory Exploit Mitigation, and firewall protection.

SONAR uses a heuristics system that leverages an online intelligence network with proactive local monitoring on your client computers to detect emerging threats. SONAR also detects changes or behavior on your client computers that you should monitor.


5 minutes ago, Marcos said:

I've checked a description of the said technology but didn't find anything that ESET wouldn't already employ (https://www.eset.com/int/about/technology/):

SONAR is a real-time protection that detects potentially malicious applications when they run on your computers. SONAR provides "zero-day" protection because it detects threats before traditional virus and spyware detection definitions have been created to address the threats.

SONAR uses heuristics as well as reputation data to detect emerging and unknown threats. SONAR provides an additional level of protection on your client computers and complements your existing Virus and Spyware Protection, intrusion prevention, Memory Exploit Mitigation, and firewall protection.

SONAR uses a heuristics system that leverages an online intelligence network with proactive local monitoring on your client computers to detect emerging threats. SONAR also detects changes or behavior on your client computers that you should monitor.

With the only difference being SONAR can detect and stop ransomwares that are not detected by signatures whereas ESET cannot. ☹️


9 minutes ago, wraith said:

With the only difference being SONAR can detect and stop ransomwares that are not detected by signatures whereas ESET cannot. ☹️

Correct. Sonar blocks and stops the threat happening, deletes the file, and rates the risk of the file.

If ESET could implement a system like this, all areas are covered, signatures and without signatures.
[attached screenshot: image.png]


  • Administrators

The fact that a file is new and only very few users have encountered it doesn't make it malicious. The example above appears to have been detected by a signature as Linux/Mirai.


13 minutes ago, Marcos said:

The fact that a file is new and only very few users have encountered it doesn't make it malicious. The example above appears to have been detected by a signature as Linux/Mirai.

I get your comment, you work for Eset; the point is Eset lacks a good behaviour blocker that works together with the firewall.

And Linux/Mirai is indeed the name of the file, but it was detected with Sonar. If Sonar is enabled, ALL users of Norton are protected regardless of whether they received the signatures or not. That's what @wraith is trying to point out: if Eset does not detect by received signatures, the virus or malware slips through the security; there is no active BB or online check active, or the online check is hibernating and not active. I personally have never seen the behaviour blocker of Eset in action (I'm an active malware tester).

Edited by L0ckJaw

37 minutes ago, BALTAGY said:

Shouldn't LiveGrid be doing the same?

LiveGrid only submits suspicious processes to Eset servers for analysis. It won't alert or stop the process from executing.

It does raise the question that given the testing the OP was doing with this sample previously, it had to have been submitted some time ago to Eset servers for analysis. @wraith you do have LiveGrid enabled and also the option to submit suspicious files to Eset for analysis?


6 hours ago, itman said:

LiveGrid only submits suspicious processes to Eset servers for analysis. It won't alert or stop the process from executing.

It does raise the question that given the testing the OP was doing with this sample previously, it had to have been submitted some time ago to Eset servers for analysis. @wraith you do have LiveGrid enabled and also the option to submit suspicious files to Eset for analysis?

Yes LiveGrid is Enabled and I have set it to submit all files (including documents).


8 hours ago, Marcos said:

The fact that a file is new and only very few users have encountered it doesn't make it malicious. The example above appears to have been detected by a signature as Linux/Mirai.

ESET doesn't need to have the same capability as SONAR. If the anti-ransomware module works proactively, it will be enough. Take this example. I executed the same ransomware while having AppCheck running in the background. It immediately stopped the ransomware based on its behaviour, since it was encrypting a large number of files. My question is why can't the ESET ransomware module do the same?

[attached screenshot: Capture.JPG]

Edited by wraith

  • Administrators
7 hours ago, itman said:

LiveGrid only submits suspicious processes to Eset servers for analysis. It won't alert or stop the process from executing.

You are referring to the LiveGrid feedback system. However, LiveGrid Reputation System provides cloud data, e.g. about the age and the number of users where a particular file has been seen.

As I wrote, those are not data that would tell anything about the dangerousness of a file. Even if we were to block new files never seen on users' machines, it would mean blocking dozens of thousands of benign, untrusted and not whitelisted files that emerge on a daily basis, causing issues for those users.

By the way, by EED that you referred to before I assume you meant EDTD - ESET Dynamic Threat Defense, didn't you?


6 hours ago, Marcos said:

By the way, by EED that you referred to before I assume you meant EDTD - ESET Dynamic Threat Defense, didn't you?

Correct.


6 hours ago, wraith said:

Take this example. I executed the same ransomware while having AppCheck running in the background. It immediately stopped the ransomware based on its behaviour, since it was encrypting a large number of files. My question is why can't the ESET ransomware module do the same?

Most of the dedicated anti-ransomware solutions do the same. BTW - Checkpoint has an excellent anti-ransomware solution that costs around $15 USD w/yearly subscription.

I believe Kaspersky also works the same way. In addition if its System Watcher feature is enabled, it will use a snapshot to restore any files encrypted prior to its ransomware detection mechanism kicking in.

As far as Eset goes, your best solution is to create HIPS rules to monitor file modification activities against any of your User folders. This really shouldn't be too much of an inconvenience for the average user since those directories are not updated that frequently in normal daily use. For business environments, process exceptions would have to be created, increasing the risk of ransomware succeeding due to malware modification of those processes.


17 minutes ago, itman said:

Most of the dedicated anti-ransomware solutions do the same. BTW - Checkpoint has an excellent anti-ransomware solution that costs around $15 USD w/yearly subscription.

I believe Kaspersky also works the same way. In addition if its System Watcher feature is enabled, it will use a snapshot to restore any files encrypted prior to its ransomware detection mechanism kicking in.

As far as Eset goes, your best solution is to create HIPS rules to monitor file modification activities against any of your User folders. This really shouldn't be too much of an inconvenience for the average user since those directories are not updated that frequently in normal daily use. For business environments, process exceptions would have to be created, increasing the risk of ransomware succeeding due to malware modification of those processes.

BINGO!!! That's what I'm trying to point out. Products with dedicated Anti-Ransomware Module should proactively block the ransomwares when they detect that they are trying to encrypt files. ESET is not doing that in spite of having a dedicated Ransomware Module. Creating HIPS rules is another topic. Since ESET already employs anti-ransomware module, why doesn't it kick into action when all the others can like Kaspersky System Watcher? Finally someone got my point.


  • Administrators

Well, I'm not sure if the 3rd party blockers are installed on millions of machines, both in home user and business environments, without adverse effect on various applications that are used there. We have to take false positives seriously, as they could cause issues especially in business environments, and not detect every process that manipulates files. Also we have to take into account the impact on performance, so creating snapshots of files (especially of bigger files) would really be a problem. While it was thought of as a possible solution, it was denied because of the performance impact and the need for a lot of free disk space, if I remember correctly.

Also I tend to believe that if we took any of the 3rd party ransomware blocker, it would not withstand attacks by various ransomware. If I remember correctly, we've analyzed several solutions and always found they failed at some point.

Last but not least, I'd like to remind that any further comments without investigation of the sample in question are futile.

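The behaviour argued over in this thread (block a process once it is rewriting a large number of user files at once) and the false-positive concern Marcos raises in the last post can be made concrete with a small detector. The following is an added example written for this page; it is not ESET's, AppCheck's, Kaspersky's, Norton's or any other vendor's code. It assumes a hypothetical file-system monitor (a minifilter or HIPS-style hook) that reports one record per file write; the process ids, paths and file contents are constructed inline, and the thresholds are illustrative, not values from any product.

```python
import math
import os
import random
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

@dataclass(frozen=True)
class WriteEvent:
    """One file-write record as a (hypothetical) file-system monitor would report it."""
    ts: float       # seconds
    pid: int
    path: str       # path after the write; ransomware often appends a new extension
    original: str   # path the file had before (equal to `path` when unchanged)
    sample: bytes   # leading bytes of what was written

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or compressed data, far lower for documents."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)

class MassEncryptionDetector:
    """Per-process sliding window: alert when many distinct files are rewritten with
    high-entropy content inside a short interval. Extension changes are reported as a
    secondary signal but do not decide the verdict on their own."""

    def __init__(self, window_s: float = 10.0, min_files: int = 20,
                 entropy_threshold: float = 7.0, min_high_ratio: float = 0.8) -> None:
        self.window_s, self.min_files = window_s, min_files
        self.entropy_threshold, self.min_high_ratio = entropy_threshold, min_high_ratio
        # pid -> deque of (ts, original path, high-entropy?, extension changed?)
        self._hist = defaultdict(deque)

    def observe(self, ev: WriteEvent) -> Optional[str]:
        """Record one write; return an alert string once the window crosses the thresholds."""
        hist = self._hist[ev.pid]
        high = shannon_entropy(ev.sample) >= self.entropy_threshold
        ext_changed = os.path.splitext(ev.path)[1] != os.path.splitext(ev.original)[1]
        hist.append((ev.ts, ev.original, high, ext_changed))
        while hist and ev.ts - hist[0][0] > self.window_s:   # expire events outside the window
            hist.popleft()
        distinct = {h[1] for h in hist}
        if len(distinct) < self.min_files:
            return None
        if sum(1 for h in hist if h[2]) / len(hist) < self.min_high_ratio:
            return None
        renamed = sum(1 for h in hist if h[3])
        return (f"pid {ev.pid}: {len(distinct)} distinct files rewritten with high-entropy "
                f"content within {self.window_s:.0f}s ({renamed} with extension change)")

def run_stream(events: Iterable[WriteEvent],
               detector: Optional[MassEncryptionDetector] = None) -> Optional[str]:
    """Feed events in order and return the first alert, or None if the stream stays clean."""
    det = detector or MassEncryptionDetector()
    for ev in events:
        verdict = det.observe(ev)
        if verdict:
            return verdict
    return None

# ---- constructed event streams (sample data, not captured from any real process) ----
def _pseudo_ciphertext(seed: int, n: int = 1024) -> bytes:
    """Deterministic stand-in for encrypted output."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))

def _stream(pid: int, n: int, path_fmt: str, orig_fmt: str,
            payload: Callable[[int], bytes]) -> List[WriteEvent]:
    # n writes from one process, ten per second, paths built from the format strings
    return [WriteEvent(0.1 * i, pid, path_fmt.format(i), orig_fmt.format(i), payload(i))
            for i in range(n)]

def ransomware_like_events() -> List[WriteEvent]:
    """Documents overwritten with ciphertext and renamed to .locked: this must alert."""
    return _stream(4242, 25, "C:/Users/alice/Documents/report{}.docx.locked",
                   "C:/Users/alice/Documents/report{}.docx", _pseudo_ciphertext)

def benign_editor_events() -> List[WriteEvent]:
    """A text editor saving many files: plain text, so the entropy test keeps it quiet."""
    text = b"Quarterly summary: revenue, costs and headcount are in line with plan.\n" * 16
    return _stream(1001, 25, "C:/Users/alice/Documents/notes{}.txt",
                   "C:/Users/alice/Documents/notes{}.txt", lambda i: text)

def benign_archiver_events() -> List[WriteEvent]:
    """An archiver streaming compressed chunks into ONE file: high entropy, one distinct path."""
    return _stream(2002, 30, "C:/Users/alice/Documents/backup.zip",
                   "C:/Users/alice/Documents/backup.zip", lambda i: _pseudo_ciphertext(100 + i))

def image_converter_events() -> List[WriteEvent]:
    """A batch converter rewriting many JPEGs in place: the false positive this heuristic
    cannot tell apart from encryption without an exception list or a stronger signal."""
    return _stream(3003, 25, "C:/Users/alice/Pictures/img{}.jpg",
                   "C:/Users/alice/Pictures/img{}.jpg", lambda i: _pseudo_ciphertext(200 + i))
```

Running `run_stream` over the four constructed streams shows the trade-off the thread circles around: the ransomware-like stream alerts after the 20th file, the text editor and the archiver stay quiet (low entropy in one case, a single distinct path in the other), but the image converter alerts too. Every product that ships a blocker of this kind has to close that gap with process exceptions, which is exactly the weak spot itman points out, or with signals beyond write rate and entropy.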

This topic is now closed to further replies.