Controlled Folder feature

[SeriousHoax 83]

Pardon me if this topic has already been discussed here or somewhere else on the forum

Description: Protect folders using the HIPS module

Details: Currently HIPS can protect specific files from modifications which I personally think is one of the coolest feature but the same can't be done for folders. I wanna protect my important folders from ransomwares or any other programs from modifying the contents of it. Like normal HIPS rules for files, user should be able to set whether ESET would ask the user for permission or always deny modification. Many other AVs have implemented this with their Ransomware protection module. ESET probably has the best and most customizable HIPS module of all the consumer AVs out there but it's missing this important feature at the moment. It should be one of the top priorities. I guess it won't be hard to implemented this.

[Marcos 5,074]

6 minutes ago, SeriousHoax said:

Pardon me if this topic has already been discussed here or somewhere else on the forum

Description: Protect folders using the HIPS module

Details: Currently HIPS can protect specific files from modifications which I personally think is one of the coolest feature but the same can't be done for folders. I wanna protect my important folders from ransomwares or any other programs from modifying the contents of it. Like normal HIPS rules for files, user should be able to set whether ESET would ask the user for permission or always deny modification. Many other AVs have implemented this with their Ransomware protection module. ESET probably has the best and most customizable HIPS module of all the consumer AVs out there but it's missing this important feature at the moment. It should be one of the top priorities. I guess it won't be hard to implemented this.

It's been already discussed here in the past. Such trivial protection similar to Controlled Access Folder can be achieved using HIPS rules, e.g. if you allow writing to a particular folder for Office applications and block it for the other. Of course, such protection can be circumvented by ransowmare that injects into trusted processes or by Office VBA macros.

[SeriousHoax 83]

3 minutes ago, Marcos said:

It's been already discussed here in the past. Such trivial protection similar to Controlled Access Folder can be achieved using HIPS rules, e.g. if you allow writing to a particular folder for Office applications and block it for the other. Of course, such protection can be circumvented by ransowmare that injects into trusted processes or by Office VBA macros.

But isn't that a bit more complicating? More so for average users. It would be much easier to simply have the ability protect folders. Windows Defenders Controlled Access Folder gives that option and it also lets you allow any programs you trust.

For ESET another example, personally my ESET is set to ask me when any program tries to modify my host file. I don't need to permanently allow or disallow any application. I can simply click Allow or Deny every time it happens. I find this extremely useful. I want the exact same thing for folders.

[Marcos 5,074]

We don't want to present users with a new feature based on trivial HIPS rules that could be easily circumvented,e.g. as mentioned above. Our goal is to provide smart and dependable solutions.

[wraith 25]

I think this thread should be disabled. ESET mods will NEVER listen to any user feedback rather they'll counter your every argument with a baseless one. Simply they think that they have made a 100% bulletproof product and any change to it will always result in False positives. I'm done and fed up posting in this forum. The moderators do not listen to any user feedback. It's sad but true in this way the future looks bleak for ESET. Many old users will switch to other competitive products simply because they listen to the users and implement the rational features. But here only you get is defensive posts about ESET. The developers are NEVER open to constructive or positive criticism.

[itman 1,659]

16 minutes ago, wraith said:

The developers are NEVER open to constructive or positive criticism.

The developers do not actively participate in the forum. Rather, they receive input from the Eset forum moderators and that input is selective at best and done to rectify existing "bugs" and operational issues in existing features.

Even if the developers were active participants, they do not initiate product revisions on their own. That is done like in most organizations under management direction and approval.

So what gets management's immediate attention? A sudden and prolonged drop in sales revenue most certainly would. As of late, Eset sales revenue is surging. Until that changes, don't expect any radical changes in existing Eset product offerings.

[wraith 25]

9 minutes ago, itman said:

The developers do not actively participate in the forum. Rather, they receive input from the Eset forum moderators and that input is selective at best and done to rectify existing "bugs" and operational issues in existing features.

Even if the developers were active participants, they do not initiate product revisions on their own. That is done like in most organizations under management direction and approval.

So what gets management's immediate attention? A sudden and prolonged drop in sales revenue most certainly would. As of late, Eset sales revenue is surging. Until that changes, don't expect any radical changes in existing Eset product offerings.

I just simply can't buy their explanations of false positives. Kaspersky has trusted application mode, avast and avg have hardened mode. But these are not enabled by default since they may cause false positives and hence are enabled only by the advanced users. So what's the problem with ESET in implementing it like that? Only advanced users will enable those features since by default it will be disabled. Marcos states that ESET employs proactive mechanisms but I'm sorry to say that in that case it's one of the worst implementations ever made. ESET is terrible in proactive protection. Kaspersky, Norton, BitDefender are vastly superior. Even free AV's like AVG and Avast have superior dynamic protection. If static detection fails, most of the time the PC is compromised. You don't need to take my word for it. Google it, look at YouTube tests results, static detection is excellent but dynamic detection is one of the worst. Still then the mods never pay any heed to the users who suggest to make the dynamic protection strong. 

[Marcos 5,074]

In fact, product owners watch this forum on a regular basis and also go through Future changes topics when deciding about improvements for future versions they put on a to-do list. We are open to constructive feedback and many improvements in our products have been inspired by the feedback from users. Especially when it comes to business products, product managers together with CPO and other staff responsible for the development of products arranged dozens of personal face-to-face meetings with big customers across the world, listened to them to learn more about tasks or issues they come across and all reasonable feedback was implemented or will be implemented in our products.

The wish above was to have a Protected folder feature. It's not a feature that we would deny, quite the contrary. We would like to have it but it must withstand attempts to encrypt files by trusted processes and macros run by Office. The functionality that 3rd party applications offer can be currently achieved by HIPS rules. Last but not least, I'd like to emphasize that we are open to any constructive feedback, we listen to our customers and implement reasonable feedback.

[itman 1,659]

1 hour ago, Marcos said:

We would like to have it but it must withstand attempts to encrypt files by trusted processes and macros run by Office. The functionality that 3rd party applications offer can be currently achieved by HIPS rules.

Translation - you're never going to see the feature any time in the near future in Eset.

If a controlled folder protection option is very important, you are probably better served by upgrading to Win 10 which you should have done long ago. Then use Windows Defender which has such a feature and save yourself some money to boot.

Edited September 6, 2019 by itman

[SeriousHoax 83]

2 hours ago, Marcos said:

We don't want to present users with a new feature based on trivial HIPS rules that could be easily circumvented,e.g. as mentioned above. Our goal is to provide smart and dependable solutions.

I think it doesn't matter whether it's a trivial feature or an advanced one. As long as it's effective there shouldn't be any problem to implement this as an optional feature.

52 minutes ago, Marcos said:

The wish above was to have a Protected folder feature. It's not a feature that we would deny, quite the contrary. We would like to have it but it must withstand attempts to encrypt files by trusted processes and macros run by Office.

This shouldn't matter either. ESET's HIPS already gives users the freedom to set rules to Ask, Allow or Deny. Like the example I gave above about my host file rule. It doesn't matter whether it's a trusted file or not ESET asks me when any programs tries to modify the file. If it can be done for files then why not for folders? I'm not asking for anything huge and new. Windows Defender, Bitdefender, F-Secure, Trend-Micro etc AVs have this feature. Even if a ransomware bypass ESET my protected folders would be safe. This feature shouldn't be enabled by default. It's an advanced feature for advanced users.

[SeriousHoax 83]

3 minutes ago, itman said:

Translation - you're never going to see the feature any time in the near future in Eset.

If a controlled folder protection option is very important, you are probably better served by upgrading to Win 10 which you should have done long ago. Then use Windows Defender which has such a feature and save yourself some money to boot.

This seems like sad but true.

[itman 1,659]

I was doing some testing with Win 10's Windows Defender Controlled Folders option and my findings parallel those comments made on wilderssecurity.com. That is it is way too aggressive.

It was flagging modification attempts by IE11 to the Favorites directory of all things. It also flagged rundll32.exe attempts to the modify the same folder. This runs normally at IE11 shutdown when you have the option set to clear all your temp files.

I am still scratching my head why either of the mentioned processes would be doing anything to the Favorites folder in the first place or the detection is just a bug. In any event, that WD feature is not for the average user.

The above is a preview of the issues you will run into when attempting to created like Controlled Folders Eset HIPS rules.

Edited September 6, 2019 by itman

[itman 1,659]

Did some additional research. Besides prior mentioned Trend Micro and Symantec having some form of controlled folders protection option, I found three more:

BitDefender - Safe Files

Kaspersky - Protected Resources

Avast/AVG - Protected Folders

So it pretty much appears that Eset is the only major AV software vendor not having such a feature. Also since all Eset's major competitors have such a feature, the argument that it is insecure and can be easily bypassed somewhat "rings hollow."

 

Edited September 7, 2019 by itman

[itman 1,659]

There is an alternative solution to controlled folders that Eset could implement. It is a better solution since it is virtually "bulletproof" against a ransomware attack.

Provide an auto backup/restore solution for the User directories. An Eset default scheduled task would perform the backup on a periodic basis. Basis could be modified by the user to suit his needs; more frequent user activity to those directories would dictate an increased backup frequency. Existing Eset "Smart" scan technology would be employed resulting in updates to the backup directories being made only for newly created or updated files. 

Obviously the only process that could modify these backup directories would be ekrn.exe via HIPS internal rule enforcement. A few system process activity process exceptions like defrag and the like it is assumed would be allowed.

In the case of a ransomware incident, the user would run an Eset GUI provided restore feature to replace all encrypted files in the User directories with those present in the backup directories.

Most important, Eset would need to recognize that a ransomware incident has occurred and prevent any further auto backup activities from executing until an Eset restore operation has been completed. There are a number of ways this could be done by examining User encrypted file characteristics.

Edited September 7, 2019 by itman

[wraith 25]

Anyways it seems pointless to discuss this since the mods will not implement it because according to them it's basically useless. I can also say that ESET can implement a smart firewall like Norton where the firewall will block known malicious applications from making outbound connections, allow safe apps to connect and ask for unknown apps when they try to connect to the internet. But again the same answer will come up that this will lead to false positives and inconvenience for some users. Again I can say that this smart feature can be disabled by default but will be enabled by advanced users but again I will be replied that ESET interactive mode will do the job. Basically this goes on in a loop and so I quit giving suggestions to improve ESET. 

Edited September 8, 2019 by wraith

[itman 1,659]

15 hours ago, wraith said:

I can also say that ESET can implement a smart firewall like Norton where the firewall will block known malicious applications from making outbound connections,

Really don't understand the logic behind this. If its a known malicious app, why is it running in the first place?

Eset has Botnet protection which works by blocking communication to C&C servers known to be malicious. Perhaps this is what Norton is actually doing.

15 hours ago, wraith said:

I will be replied that ESET interactive mode will do the job. Basically this goes on in a loop and so I quit giving suggestions to improve ESET. 

This one I will agree with. Have tried both firewall and HIPS interactive modes in the past only to abandon both due to bugs and usability issues.

I long ago requested an anti-exec feature for the HIPS. Rather than create a dozen HIPS rules for everything a process does as is the case when Learning mode is enabled, just simply create a whitelist of processes allowed to execute. When switched to Anti-exec interactive mode, you would get an alert for any process not currently in the whitelist. Obviously, a trusted process feature would be incorporated for .exes in Windows directories and the like. PC Matic looking better by each passing day.

[SRT 1]

On 9/6/2019 at 6:02 AM, itman said:

 

"Even if the developers were active participants, they do not initiate product revisions on their own. That is done like in most organizations under management direction and approval."

And there, is the problem.

Won't renew, for now.

 

 

Edited September 9, 2019 by SRT

[itman 1,659]

The real question in regards to the Controlled Folders concept is it bullet-proof against 0-day ransomware?

As far as Windows Defender goes, the answer is definitely no since there have been multiple bypasses of it. What about other third party AV solutions that offer the feature? Testing of BitDefender's top of the line consumer product which has the feature had 0-day ransomware twice encrypt files in less than two weeks: https://malwaretips.com/threads/bitdefender-total-security-2020-september-2019-report.94769/ .

So is there any conventional AV solution that is bullet-proof against 0-day ransomware? No. The prevailing opinion over at malwaretips.com is Kaspersky and Avast configured with "hardened" or maximum protection settings come close abet at the price of usability (false positives, etc.) and/or performance issues. The main point to take away from the aforementioned is at least there are other AV solutions that provide aggressive protection settings. And they do so in a manner that does not require detailed Window's operational process interaction knowledge or require one to create individual rules using a HIPS with user features paralleling those from the "stone age" of HIPS development.

[SeriousHoax 83]

On 9/7/2019 at 4:53 AM, itman said:

I was doing some testing with Win 10's Windows Defender Controlled Folders option and my findings parallel those comments made on wilderssecurity.com. That is it is way too aggressive.

Yes, it is aggressive. It blocks any attempts to modify the contents of protected folders. It doesn't matter whether it's a trusted application or not. That's why it's not enabled by default. It's for advanced users only. But if implemented in ESET, user should be able to set it in ask/interactive mode so it would be more user friendly for advanced users.

On 9/7/2019 at 6:53 PM, itman said:

Besides prior mentioned Trend Micro and Symantec having some form of controlled folders protection option, I found three more:

BitDefender - Safe Files

Kaspersky - Protected Resources

Avast/AVG - Protected Folders

So it pretty much appears that Eset is the only major AV software vendor not having such a feature. Also since all Eset's major competitors have such a feature, the argument that it is insecure and can be easily bypassed somewhat "rings hollow."

Yes, exactly. If they can provide such option then why can't ESET? I think these products don't have it enabled by default but users have the option to do so.

On 9/7/2019 at 10:20 PM, itman said:

Provide an auto backup/restore solution for the User directories. An Eset default scheduled task would perform the backup on a periodic basis. Basis could be modified by the user to suit his needs; more frequent user activity to those directories would dictate an increased backup frequency. Existing Eset "Smart" scan technology would be employed resulting in updates to the backup directories being made only for newly created or updated files.

I don't think ESET would do that. This seems like too much work for an antivirus. Unless ESET can do something similar to what Kaspersky does with System Watcher there's no way. Kaspersky has set an example in the industry with their System Watcher module. It's extremely good and I think it's the best behavior blocker of all. But of course this is not 100% bulletproof but very capable and Marcos already discussed they thought about it but weren't able to do so because of performance issue.

 

15 hours ago, itman said:

The real question in regards to the Controlled Folders concept is it bullet-proof against 0-day ransomware?

I don't think anyone claims such feature is bulletproof. Here it depends on the capability of ESET HIPS. If it can block modifications for the protected folders then it should do the job. Besides ESET has other capabilities against Ransomwares and this protected folders option is gonna be only an additional option.

ESET can experimentally add this feature on ESET beta. If it does what it's supposed to do and receive positive feedback from the beta testers then it would be added to the main product. I'll gladly become a beta tester.

[itman 1,659]

13 hours ago, SeriousHoax said:

Yes, it is aggressive. It blocks any attempts to modify the contents of protected folders. It doesn't matter whether it's a trusted application or not. That's why it's not enabled by default. It's for advanced users only. But if implemented in ESET, user should be able to set it in ask/interactive mode so it would be more user friendly for advanced users.

First, WD will alert about controlled folder access and allow you to create an exception. So functionally, it is no different than what would occur in an Eset HIPS ask rule scenario.

Also all the same previously noted trusted process hijacking capability apply. So HIPS rules would have to be created for those ....... ad infinitum.

As far as User directory file backup goes, one already exists in Win 10; File History. And its an excellent backup since it only backup's file changes. Likewise a Restore feature exists to recreate your files.

The main disadvantage of it is noted in this Microsoft article: https://answers.microsoft.com/en-us/windows/forum/windows_10-update/protecting-file-history-from-ransomware/714710a4-2d3f-4080-bd7f-f77562cf812f . Namely if the backup source drive is online, all its File History backup files will be also encrypted by ransomware. Presently, I am protecting my online backup source using an Eset HIPS rule to only allow svchost.exe which runs File History to modify the backup source. Here again I am "hamstrung" by the archaic Eset HIPS functionality. If the ransomware can install a service to run its encryption activities, I am screwed. Note that unlike the Eset firewall, individual Win 10 services can not be specified in a HIPS rule. Nor can any process parameter options be specified; another request I made long ago that "fell on deaf Eset ears."

Edited September 11, 2019 by itman

[peteyt 393]

On 9/10/2019 at 3:25 PM, itman said:

The real question in regards to the Controlled Folders concept is it bullet-proof against 0-day ransomware?

As far as Windows Defender goes, the answer is definitely no since there have been multiple bypasses of it. What about other third party AV solutions that offer the feature? Testing of BitDefender's top of the line consumer product which has the feature had 0-day ransomware twice encrypt files in less than two weeks: https://malwaretips.com/threads/bitdefender-total-security-2020-september-2019-report.94769/ .

So is there any conventional AV solution that is bullet-proof against 0-day ransomware? No. The prevailing opinion over at malwaretips.com is Kaspersky and Avast configured with "hardened" or maximum protection settings come close abet at the price of usability (false positives, etc.) and/or performance issues. The main point to take away from the aforementioned is at least there are other AV solutions that provide aggressive protection settings. And they do so in a manner that does not require detailed Window's operational process interaction knowledge or require one to create individual rules using a HIPS with user features paralleling those from the "stone age" of HIPS development.

I thought I replied to this so hopefully I didn't - if my reply was deleted e.g. against rules I apologise. 

Basically I agree - the main reason I began using Eset is because it didn't follow what other AVs did - it did its own thing but I'm wondering if this is causing issues now. I came to Eset from BitDefender which a few years back became far too unreliable due to bugs - I wanted something that didn't slow my PC. Too many other AVs did things that in my opinion should be done by separate programs e.g. I have ccleaner so don't need an AV to clean unneeded junk files. That's what sold me on eset - sticking to just security.

However I do feel like it's behind in advanced stuff - by advanced I mean things for advanced users and not advanced technology. I get the whole thing about not wanting to confuse users. An average user should never be given a choice or at least this should be avoided e.g. is this safe or risky - the user will not know and could block something by mistake that could cause issues or even allow a dangerous file. However there should in my opinion be options to allow stuff for those with the knowledge and willing to take the risk. There is always the risk that if advanced features like this are not included in fear of how it will affect average users, those advanced users will end up going to a competitor.

[itman 1,659]

Continuing the above posted thought, Eset's Firewall and HIPS both have learning, policy, and interactive modes. It is far more likely that an end user could bork his system processing by improperly employing those features than by applying optional aggressive reputational, anti-exec whitelisting, etc. options. So I can only assume Eset just doesn't want to allocate the resources with resultant cost to provide the more aggressive mitigation options a number of its customers want.

[SeriousHoax 83]

Anyway, I think I made my point so don't wanna waste my time anymore on this. If ESET don't want to add a simple yet strong feature and like to stay behind other AVs then it's their wish.

I'm using Windows Defender at the moment and really impressed. Signature is a lot weaker than ESET but their cloud protection is performing a lot better against newer threats than ESET so overall doing a better job. Controlled folder access works with other AVs too so I'll come back to ESET later.

Edited September 13, 2019 by SeriousHoax

[itman 1,659]

3 hours ago, SeriousHoax said:

Signature is a lot weaker than ESET

I noticed that also. I am also surprised this issue still exists since Microsoft is now supposedly outsourcing their sigs. to a competent third party source.

As far as as WD goes, it is still not ready for "prime time" protection as evidenced by its exploit and fileless malware detection rate on this AV lab test: https://www.mrg-effitas.com/wp-content/uploads/2019/08/MRG_Effitas_2019Q2_360.pdf where it missed 80% of the malware samples.

Edited September 13, 2019 by itman

[SeriousHoax 83]

19 hours ago, itman said:

I noticed that also. I am also surprised this issue still exists since Microsoft is now supposedly outsourcing their sigs. to a competent third party source.

Yes, surprising indeed. Maybe those sync with cloud first and they create signatures later. I don't know but WD is massively cloud depended and it's serving them pretty well lately so maybe they focus less on local signatures. ESET is kind of the opposite. ESET relies on signatures a lot and that's not a bad thing because available signature of a new malware is always better than protecting via other modules.

19 hours ago, itman said:

As far as as WD goes, it is still not ready for "prime time" protection as evidenced by its exploit and fileless malware detection rate on this AV lab test: https://www.mrg-effitas.com/wp-content/uploads/2019/08/MRG_Effitas_2019Q2_360.pdf where it missed 80% of the malware samples.

About this test, you should keep in mind that, this is the only test that was done in Windows 7. As far as I know Windows Defender is not available in Windows 7. Did they use Microsoft Security Essential! Even if it's possible maybe in Enterprise level, it's always going to be a lot weaker than it is in Windows 10 with Exploit Protection and etc. So, I think there's this flaw in that test.