Jump to content
KPS

Using Eset Dynamic Threat Defense - Results available for other customers w/wo EDTD

Recommended Posts

Hi!

 

I am quite confused about the real benefit of the EDTD license. The docs are not clear in one important point: WHO is getting the detection information and WHEN.

 

Customer A is using ETDR and submitts a malware-file.

--> Customer A is getting the response and all of his endpoints are protected, when the result is available

 

WHEN will Customer B's ESET Endpoints detect THAT file as malware, if he owns a EDTD-license (witout submitting the file)?

WHEN will Customer C's ESET Endpoints detect THAT file as malware, if he does not own a EDTD-license?

 

Same question, different wording:

Does a Customer get ANY benefit from the EDTD-license, if he does not submit any samples?

 

Thank you for your help

KPS

Share this post


Link to post
Share on other sites

All computers within a particular organization share EDTD results. Moreover, files that turn out to be malicious are also blocked for users with LiveGrid reputation system. This is, however, limited only to PE files, such as exe and dlls and it doesn't concern malicious documents for instance. Unlike LiveGrid, EDTD analyzes files immediately and client (e.g. mail server) waits for the result of analysis prior to delivering email or allowing the file to run.

Users with the LiveGrid Feedback system enabled submit detected or suspicious PE files to LiveGrid; the response is not instant and it may take a while until a malicious file is blocked in LiveGrid, a detection is added or improved and delivered either via a standard module or streamed (pico) update.

EDTD

  • instant analysis in EDTD cloud (files are run in a sandbox and are also assessed by machine learning models)
  • analysis of any file possibly carrying malware, including documents with macros
  • files with malicious behavior are blocked typically within less than 5 minutes
  • possibility to delay email delivery or file execution until a result from EDTD is received
  • results are shared within your organization instantly (only 100% malicious files are also blocked for users with LiveGrid)

LiveGrid

  • analysis of mainly suspicious executable files (ie. not documents)
  • not possible to delay email delivery or file execution until malware recognition is added
  • it may take up to 30 minutes for brand new malware (executable) to be recognized via LiveGrid and streamed updates

Share this post


Link to post
Share on other sites

Hi!

 

So, using EDTD "passively" is stupid - right? There is no benefit over "normal" LiveGrid about the delay after detection.

 

Thank you for your help!

KPS

Share this post


Link to post
Share on other sites

EDTD cannot be used passively. If activated, files will be sent to EDTD instead of LiveGrid and a response will be received quickly, typically in less than 5 minutes. The result will be shared instantly with other machines within the organization.

Also without EDTD and only with LiveGrid, files like email attachments will not be submitted for analysis and may appear clean until a detection is added via a module update after some time.

Share this post


Link to post
Share on other sites

That's sad. EDTD would be much more attractive, if also small companys could benefit from the samples of thousands of other people through push-updates of infected hashes.

 

Something like "LiveGrid Premium"

 

That would be a great sales pitch.

Share this post


Link to post
Share on other sites
2 hours ago, KPS said:

That's sad. EDTD would be much more attractive, if also small companys could benefit from the samples of thousands of other people through push-updates of infected hashes.

Appears you misunderstood  what @Marcos posted. Anything detected malicious by EDTD would be immediately added to Eset's detection blacklist. Shortly thereafter when completed, a full signature detection would be pushed to all Eset installations.

Share this post


Link to post
Share on other sites
2 hours ago, KPS said:

That's sad. EDTD would be much more attractive, if also small companys could benefit from the samples of thousands of other people through push-updates of infected hashes.

That's what LiveGrid is for. It works the way that if a user encounters a suspicious sample, it's sent to ESET for replication and, if it turns out to be malware, a detection is created either automatically or manually and is then delivered to users either via streamed updates, module updates or via LiveGrid blacklists.

Unlike LiveGrid, EDTD provides a quick response to any file, including documents which is one of the added values it provides. Documents are highly sensitive, hence everything uploaded to EDTD is treated as highly confidential and even access to files in EDTD is highly restricted to analysts. Moreover, malware in documents varies a lot so the chance that two different users would receive binary same malicious documents by email is very small; it's more likely to encounter them within the particular organisation.

 

Share this post


Link to post
Share on other sites

Hi!

 

I think, I am aware of how it works, now. I just disagree with the "very small chance", that two different companys are are getting the same malicious documents in a small time frame.

 

Example: Malicious mails start to use more and more "links" instead of "attachments". The links are dead within the first minutes to avoid to be detected by gateway-scanners.

 

In that case, I would wish to get the update via live-grid directly, when any installation with EDTD detected the downloaded file.

 

About confidential samples: It would be sufficient to share the hashes of all malicious files.

Edited by KPS

Share this post


Link to post
Share on other sites
Quote

In that case, I would wish to get the update via live-grid directly, when any installation with EDTD detected the downloaded file.

If EDTD evaluates a downloaded file (not document) as 100% malicious, it will also make it to LiveGrid blacklists and will be detected and blocked also for those who don't use EDTD. However, today a lot of malware spreads in malicious documents; in such case LiveGrid is usually already aware of the payload that the malicious macros in documents download and blocks further download and execution.

Share this post


Link to post
Share on other sites

Hello KPS,

hashes of malicious files are shared via LiveGrid Reputation System or other mechanism mentioned above as Marcos wrote. Please don't forget, that if you're the first with a new malware and you would not upload anything to ESET and non of detection layers on the endpoint itself would detect it, you get infected. That's why EDTD works only with when files are sent. Otherwise it's almost the same as LiveGris...

Also, EDTD analysis can result in file being suspicious or highly suspicious... for Endpoint, it looks clean so far. For LiveGrid it looks clean as well. However, with EDTD, you can set a sensitivity to block also files with such result. 

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...