
Using Eset Dynamic Threat Defense - Results available for other customers w/wo EDTD



Posted

Hi!

 

I am quite confused about the real benefit of the EDTD license. The docs are not clear in one important point: WHO is getting the detection information and WHEN.

 

Customer A is using ETDR and submits a malware file.

--> Customer A is getting the response and all of his endpoints are protected, when the result is available

 

WHEN will Customer B's ESET Endpoints detect THAT file as malware, if he owns an EDTD license (without submitting the file)?

WHEN will Customer C's ESET Endpoints detect THAT file as malware, if he does not own an EDTD license?

 

Same question, different wording:

Does a customer get ANY benefit from the EDTD license if he does not submit any samples?

 

Thank you for your help

KPS

  • Administrators
Posted

All computers within a particular organization share EDTD results. Moreover, files that turn out to be malicious are also blocked for users with the LiveGrid reputation system. This is, however, limited only to PE files, such as EXEs and DLLs, and it doesn't concern malicious documents, for instance. Unlike LiveGrid, EDTD analyzes files immediately and the client (e.g. a mail server) waits for the result of the analysis prior to delivering the email or allowing the file to run.

Users with the LiveGrid Feedback system enabled submit detected or suspicious PE files to LiveGrid; the response is not instant and it may take a while until a malicious file is blocked in LiveGrid, a detection is added or improved and delivered either via a standard module or streamed (pico) update.

EDTD

  • instant analysis in EDTD cloud (files are run in a sandbox and are also assessed by machine learning models)
  • analysis of any file possibly carrying malware, including documents with macros
  • files with malicious behavior are blocked typically within less than 5 minutes
  • possibility to delay email delivery or file execution until a result from EDTD is received
  • results are shared within your organization instantly (only 100% malicious files are also blocked for users with LiveGrid)

LiveGrid

  • analysis of mainly suspicious executable files (i.e. not documents)
  • not possible to delay email delivery or file execution until malware recognition is added
  • it may take up to 30 minutes for brand new malware (executable) to be recognized via LiveGrid and streamed updates
Posted

Hi!

 

So, using EDTD "passively" is stupid - right? There is no benefit over "normal" LiveGrid about the delay after detection.

 

Thank you for your help!

KPS

  • Administrators
Posted

EDTD cannot be used passively. If activated, files will be sent to EDTD instead of LiveGrid and a response will be received quickly, typically in less than 5 minutes. The result will be shared instantly with other machines within the organization.

Also without EDTD and only with LiveGrid, files like email attachments will not be submitted for analysis and may appear clean until a detection is added via a module update after some time.

Posted

That's sad. EDTD would be much more attractive if also small companies could benefit from the samples of thousands of other people through push updates of infected hashes.

 

Something like "LiveGrid Premium"

 

That would be a great sales pitch.

Posted
2 hours ago, KPS said:

That's sad. EDTD would be much more attractive if also small companies could benefit from the samples of thousands of other people through push updates of infected hashes.

Appears you misunderstood what @Marcos posted. Anything detected as malicious by EDTD would be immediately added to ESET's detection blacklist. Shortly thereafter, when completed, a full signature detection would be pushed to all ESET installations.

  • Administrators
Posted
2 hours ago, KPS said:

That's sad. EDTD would be much more attractive if also small companies could benefit from the samples of thousands of other people through push updates of infected hashes.

That's what LiveGrid is for. It works the way that if a user encounters a suspicious sample, it's sent to ESET for replication and, if it turns out to be malware, a detection is created either automatically or manually and is then delivered to users either via streamed updates, module updates or via LiveGrid blacklists.

Unlike LiveGrid, EDTD provides a quick response to any file, including documents, which is one of the added values it provides. Documents are highly sensitive, hence everything uploaded to EDTD is treated as highly confidential and even analysts' access to files in EDTD is highly restricted. Moreover, malware in documents varies a lot, so the chance that two different users would receive binary-identical malicious documents by email is very small; it's more likely to encounter them within the particular organisation.

 

Posted (edited)

Hi!

 

I think I am aware of how it works now. I just disagree with the "very small chance" that two different companies are getting the same malicious documents in a small time frame.

 

Example: Malicious mails start to use more and more "links" instead of "attachments". The links are dead within the first minutes to avoid being detected by gateway scanners.

 

In that case, I would wish to get the update via LiveGrid directly when any installation with EDTD has detected the downloaded file.

 

About confidential samples: It would be sufficient to share the hashes of all malicious files.

Edited by KPS
  • Administrators
Posted
Quote

In that case, I would wish to get the update via LiveGrid directly when any installation with EDTD has detected the downloaded file.

If EDTD evaluates a downloaded file (not a document) as 100% malicious, it will also make it to the LiveGrid blacklists and will be detected and blocked also for those who don't use EDTD. However, today a lot of malware spreads in malicious documents; in such a case LiveGrid is usually already aware of the payload that the malicious macros in the documents download and blocks further download and execution.

  • Former ESET Employees
Posted

Hello KPS,

Hashes of malicious files are shared via the LiveGrid Reputation System or the other mechanisms mentioned above, as Marcos wrote. Please don't forget that if you're the first with a new malware, you did not upload anything to ESET, and none of the detection layers on the endpoint itself detected it, you get infected. That's why EDTD works only when files are sent. Otherwise it's almost the same as LiveGrid...

Also, EDTD analysis can result in a file being suspicious or highly suspicious... for the Endpoint, it looks clean so far. For LiveGrid it looks clean as well. However, with EDTD, you can set a sensitivity to block also files with such a result.
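To make the who-gets-what-and-when from the replies above concrete, here is an added Python model; it is not ESET code, and the class names, the verdict levels and the sample bytes are constructed assumptions. It encodes only the sharing rules the thread states: results are shared inside the submitting organisation, only 100% malicious PE files reach the LiveGrid blacklist, documents never do, and a per-customer sensitivity decides whether suspicious verdicts are blocked.

```python
from enum import IntEnum
from hashlib import sha256


class Verdict(IntEnum):
    """Outcome of an analysis; MALICIOUS stands for the '100% malicious' result in the thread."""
    CLEAN = 0
    SUSPICIOUS = 1
    HIGHLY_SUSPICIOUS = 2
    MALICIOUS = 3


class SharingModel:
    """Hypothetical model of who learns an EDTD verdict: the submitting org, or every LiveGrid user."""

    def __init__(self):
        self.org_results = {}          # (org, sha256) -> Verdict, visible only inside that org
        self.global_blacklist = set()  # sha256 of PE files judged MALICIOUS, visible to all LiveGrid users

    def submit(self, org, data, is_pe, verdict):
        h = sha256(data).hexdigest()
        self.org_results[(org, h)] = verdict
        if verdict == Verdict.MALICIOUS and is_pe:  # documents never reach the global list
            self.global_blacklist.add(h)
        return h

    def decide(self, org, data, has_edtd, sensitivity=Verdict.MALICIOUS):
        """'block' or 'allow'. sensitivity is the lowest verdict an EDTD customer chooses to block on."""
        h = sha256(data).hexdigest()
        if h in self.global_blacklist:
            return "block"
        if has_edtd and (org, h) in self.org_results:
            return "block" if self.org_results[(org, h)] >= sensitivity else "allow"
        return "allow"  # no result yet: the client lets it through until a detection ships


def scenario():
    """Replays the thread's customers A, B and C on constructed samples."""
    m = SharingModel()
    doc, exe, odd = b"constructed: macro document", b"constructed: PE dropper", b"constructed: odd macro"
    m.submit("A", doc, is_pe=False, verdict=Verdict.MALICIOUS)
    m.submit("A", exe, is_pe=True, verdict=Verdict.MALICIOUS)
    m.submit("A", odd, is_pe=False, verdict=Verdict.HIGHLY_SUSPICIOUS)
    return {
        "A_doc": m.decide("A", doc, has_edtd=True),
        "B_doc": m.decide("B", doc, has_edtd=True),   # has EDTD but did not submit: result stays in org A
        "C_exe": m.decide("C", exe, has_edtd=False),  # PE verdict reached the LiveGrid blacklist
        "C_doc": m.decide("C", doc, has_edtd=False),  # document verdict never leaves org A
        "A_odd_strict": m.decide("A", odd, True, Verdict.HIGHLY_SUSPICIOUS),
        "A_odd_default": m.decide("A", odd, True),
    }
```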
