Archived

This topic is now archived and is closed to further replies.

wraith

Ransomware

2 minutes ago, itman said:

At least, Eset should do something in this area to prevent long time users like myself from moving on to security solutions that have such capability.

It's currently planned for Endpoint. Whether or not the settings will get to consumer products, time will tell. No decision has been made in this regard yet.

2 minutes ago, Marcos said:

It's currently planned for Endpoint. Whether or not the settings will get to consumer products, time will tell. No decision has been made in this regard yet.

This is the problem. I would gladly switch to Endpoint. However, I don't want to buy 5 licenses which it appears is Eset's purchase minimum for the product. Eset should have a single license purchase option with a higher cost which would be perfectly acceptable.

Another suggestion is that ESET offer an "advanced" Internet Security version which in effect would be a "re-badged" Endpoint version.


Breaking in again, but why do other AV vendors have the option implemented in their AV suite for consumers while ESET only wants to apply it to business users? If ESET wants Endpoint protection as its core business I can understand that, but stop with stripped consumer versions and switch to Endpoint protection only, or offer Endpoint protection to consumers too.


Imho ESET should add some advanced features like itman suggested. Keep them switched off by default so that only advanced users can enable them. I agree with the LiveGrid implementation part. Allow all safe processes (green), monitor the activities of non-popular ones (yellow) and alert upon suspicious behaviour, and block unsafe processes (red). If that sounds too much, implement a protected folders feature like Defender, Trend Micro, Bitdefender and Avast, so that files in those folders can only be accessed by safe applications and the user is prompted if they are accessed by unknown applications.

On 9/3/2019 at 7:40 PM, Marcos said:

@wraith, please collect logs with ESET Log Collector from the machine where you tested the sample and provide me with the generated archive. It looks like we didn't get it via the LiveGrid feedback system and couldn't react to it earlier.

I'll send you the logs once I reach home from work, although I highly doubt it would be useful since I always run any unknown file in shadow defender shadow mode before executing in the real mode.

11 minutes ago, wraith said:

Allow all safe processes (green), monitor the activities of non-popular ones (yellow) and alert upon suspicious behaviour, and block unsafe processes (red).

Windows Update files may also be suspicious from the beginning (yellow), so blocking them just because of this could break Windows Update or the whole OS, for instance (not every binary is signed by MS). Or imagine explorer.exe being continuously terminated if there were no anti-FP mechanisms. We need to be careful about FPs; a single serious FP could cause bigger damage than actual undetected malware.

On 9/1/2019 at 1:07 AM, Marcos said:

Please check https://www.eset.com/int/about/technology and see how many of ESET's features are missing in competitive AVs :)

HIPS itself is the basis for:
- Self-defense
- Ransomware Shield
- Advanced Memory Scanner
- Exploit Blocker
- Deep Behavioral Inspection
(screenshot)

Plus non-HIPS feature Advanced Machine Learning (v13 beta):

(screenshot)

Where can I find the feature "DEEP BEHAVIORAL INSPECTION"?

I didn't find that feature in ESET Endpoint Security (7.1.2053.0). Is that feature found in another ESET version, or is there a button that I have to enable?

These are the installed components on my computer:

(screenshot)

This is my menu in Advanced settings:

(screenshot)

5 minutes ago, Dump Kids said:

Where can I find the feature "DEEP BEHAVIORAL INSPECTION"?

I didn't find that feature in ESET Endpoint Security (7.1.2053.0)

The screenshot is from ESET Internet Security v12.2.23 for home users. As far as I know, it's planned to be enabled in Endpoint v7.2, which will bring bigger changes later this year.

2 hours ago, Marcos said:

Windows Update files may also be suspicious from the beginning (yellow), so blocking them just because of this could break Windows Update or the whole OS, for instance (not every binary is signed by MS). Or imagine explorer.exe being continuously terminated if there were no anti-FP mechanisms. We need to be careful about FPs; a single serious FP could cause bigger damage than actual undetected malware.

Ok that sounds reasonable. But ESET can surely implement the idea of protected folders. Let it be disabled by default. Advanced users who want that can enable that but at least provide it as an option.

3 hours ago, Marcos said:

Windows Update files may also be suspicious from the beginning (yellow), so blocking them just because of this could break Windows Update or the whole OS, for instance (not every binary is signed by MS). Or imagine explorer.exe being continuously terminated if there were no anti-FP mechanisms. We need to be careful about FPs; a single serious FP could cause bigger damage than actual undetected malware.

Agreed. But if ESET heuristics detect a LiveGrid red-status risky unknown process, it should throw a suspicious alert and let the user make the decision. Again, this should be an advanced LiveGrid option with the disclaimer that activating it could lead to an FP detection. Also, it is highly unlikely LiveGrid is going to classify a Windows base OS process as risky.

Really, this isn't "rocket science."

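The three positions in this exchange (wraith's green/yellow/red tiering, Marcos's warning that reputation alone must never break signed or unsigned OS components, and itman's opt-in "alert, don't block" for red unknowns) can be written down as one small decision policy. The following Python is an added example for this thread and is not ESET code or a description of how LiveGrid actually decides anything; the `ProcessEvent` fields, the `advanced_mode` switch and the sample events are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple


class Reputation(Enum):
    """Reputation tiers as described in the thread (assumed labels)."""
    GREEN = "safe"        # popular, known-good
    YELLOW = "unknown"    # not popular / not yet classified
    RED = "unsafe"        # classified risky


class Action(Enum):
    ALLOW = "allow"       # run without extra scrutiny
    MONITOR = "monitor"   # run, but keep watching behaviour
    ALERT = "alert"       # prompt the user and let them decide
    BLOCK = "block"       # deny execution (never reached on reputation alone here)


@dataclass(frozen=True)
class ProcessEvent:
    # Constructed sample fields; a real product would take them from its own telemetry.
    image_path: str
    reputation: Reputation
    signed_by_os_vendor: bool          # assumption: a validated signature chain to the OS vendor
    suspicious_behavior: bool = False  # e.g. mass file rewrites flagged by a behaviour module


def decide(ev: ProcessEvent, advanced_mode: bool = False) -> Action:
    """Tiered policy with an anti-false-positive guard.

    advanced_mode=False models the conservative default argued for in the
    thread: reputation by itself never blocks anything.  advanced_mode=True
    models the requested opt-in: an unsigned red-reputation process produces
    a prompt instead of silently running.
    """
    # Anti-FP guard: OS-vendor-signed binaries are never acted on for reputation alone.
    if ev.signed_by_os_vendor:
        return Action.MONITOR if ev.suspicious_behavior else Action.ALLOW

    if ev.reputation is Reputation.GREEN:
        return Action.ALLOW

    if ev.reputation is Reputation.YELLOW:
        # Unknown (this covers unsigned Windows Update components too): run but watch,
        # and escalate to a prompt only on observed behaviour, never on reputation.
        return Action.ALERT if ev.suspicious_behavior else Action.MONITOR

    # RED and not OS-vendor-signed.
    if advanced_mode:
        return Action.ALERT                       # user decides; FP risk accepted by opting in
    return Action.ALERT if ev.suspicious_behavior else Action.MONITOR


def evaluate(events: List[ProcessEvent], advanced_mode: bool = False) -> List[Tuple[str, str]]:
    """Apply the policy to a batch of events; returns (path, action) pairs."""
    return [(ev.image_path, decide(ev, advanced_mode).value) for ev in events]


# Constructed sample events (not real telemetry, paths are placeholders).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", Reputation.GREEN, True),
    ProcessEvent(r"C:\Windows\SoftwareDistribution\Download\setup_stub.exe", Reputation.YELLOW, False),
    ProcessEvent(r"C:\Users\alice\Downloads\invoice_viewer.exe", Reputation.YELLOW, False),
    ProcessEvent(r"C:\Users\alice\Downloads\invoice_viewer.exe", Reputation.YELLOW, False, suspicious_behavior=True),
    ProcessEvent(r"C:\Users\alice\AppData\Local\Temp\upd8.exe", Reputation.RED, False),
]

if __name__ == "__main__":
    for mode in (False, True):
        print(f"advanced_mode={mode}")
        for path, action in evaluate(SAMPLE_EVENTS, mode):
            print(f"  {action:8} {path}")
```

Run as a script, the only row that changes between the two modes is the unsigned red sample, which moves from `monitor` to `alert`; the unsigned yellow file under the Windows directory is watched in both modes and never blocked, which is the anti-FP property Marcos describes.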

Also on Win 10, native SmartScreen goes much farther in that it will block (default setting) or warn of any executable not downloaded from the Win Store. Problem is I don't fully trust it in regards to stealthy malware code execution such as reverse shell and the like. -EDIT- Also another major issue with native SmartScreen is Microsoft in its "infinite dis-wisdom" runs it as a medium integrity process. As such, it can be easily suspended by malware to run its code.

2 hours ago, itman said:

Agreed. But if ESET heuristics detect a LiveGrid red-status risky unknown process, it should throw a suspicious alert and let the user make the decision. Again, this should be an advanced LiveGrid option with the disclaimer that activating it could lead to an FP detection. Also, it is highly unlikely LiveGrid is going to classify a Windows base OS process as risky.

Really, this isn't "rocket science."

Yeah I'd go for this and have it disabled by default.

I get the whole thing about false positives, and it is a risky balance, but really the users ESET wants to protect should hardly ever need to go into the advanced options. These users would probably just install ESET with standard defaults.

The thing is, a lot of users like choice, and I'd worry ESET would put some more advanced users off by not having these options.

HIPS, for example, can be dangerous in the wrong hands, but it's an option, and generally standard users will not enable it because of the risks, so things like the option above should work the same way: only those knowing the risks should enable them.
