The failure of several tests


Twersky


Hi Eset! comss.ru is a very popular Russian-language web portal about antiviruses in Russia and the CIS, which regularly tests new versions of well-known antivirus products. For two tests in a row, Eset has unfortunately failed their testing, which makes me very sad as a loyal fan of your product. It is becoming really difficult for me to defend Eset's reputation there, although I try to =(

Below are links to a video with tests.

Test for ESET NOD32 Internet Security 13.2 - https://www.comss.ru/page.php?id=7740

Test for ESET NOD32 Internet Security 14.0 - https://www.comss.ru/page.php?id=8256

During the test, Eset blocked all threats perfectly and showed a very high detection rate, but in both cases one of the malware samples was able to remove all programs installed on the test machine, and in the second case it also deleted user files on the desktop. Judging by the tester's words, this is some kind of encryptor that could not fully work: a message appears saying the files are encrypted, but there is no encryption, yet the programs and the files on the desktop have been deleted.

Perhaps you should contact the administration of this portal (this tester) and ask for this malware to be added to detection, or even better, train HIPS to resist the threats described? I would do it myself, but I'm afraid that I will be refused as an unofficial third party.

For contact, you can use this form - https://www.comss.ru/page.php?id=1173 or the mail info@comss.ru and also just write in the comments to the last test. 

I hope that you do not perceive this topic as anti-advertising, but I see no reason to write this to support, as it requires some kind of reaction from the managers.


  • Administrators

It's not a prestigious testing organization such as AV-Comparatives.org or AV-Test. There are many YouTube "testers" who put together files that are detected by at least one AV and use that as a test set for evaluating other AVs. The test set is then a mix of everything, including corrupted, non-functional or perfectly clean files. If you come across a suspicious file that you are unsure if it should be detected or not, please email it in an archive protected with the password "infected" to samples[at]eset.com.


50 minutes ago, Marcos said:

If you come across a suspicious file that you are unsure if it should be detected or not, please email it in an archive protected with the password "infected" to samples[at]eset.com.

I've sent multiple potential samples multiple times since November 2 and none of the files have been downloaded by a malware analyst. I can tell because it shows how many times the zip has been downloaded and when they did previously it always showed the number which has always been 1 download. But like I said it's 0 for every samples since November 2. What's going on? Are the mails not checked anymore?


5 hours ago, Marcos said:

It's not a prestigious testing organization such as AV-Comparatives.org or AV-Test. There are many YouTube "testers" who put together files that are detected by at least one AV and use that as a test set for evaluating other AVs. The test set is then a mix of everything, including corrupted, non-functional or perfectly clean files. If you come across a suspicious file that you are unsure if it should be detected or not, please email it in an archive protected with the password "infected" to samples[at]eset.com.

Do you think anyone else is looking at these tests from "prestigious" labs? Where the Spanish Panda has 100% detection, and your own Eset is 5th in performance (latest performance tests by AV-Comparatives)? Where, in principle, almost all antiviruses have a protection level of 97 percent or higher (I'm talking about the latest dynamic test from AV-Comparatives), which does not match the real experience of most professional PC users?

Consumers either do not look at tests at all or look at live tests / reviews, but these prestigious laboratories have drawn completely stupid pictures so many times that it is a shame to even mention them. How can I recommend your antivirus to someone? Based on pictures from AV-Comparatives and AV-Test? I use your product because of the excellent firewall and web filter, but it's still a pity that progress in the development of protection is not visible at all.

Ok, I will not continue this topic. I just wanted to help.


  • Most Valued Members
9 hours ago, Twersky said:

Do you think anyone else is looking at these tests from "prestigious" labs? Where the Spanish Panda has 100% detection, and your own Eset is 5th in performance (latest performance tests by AV-Comparatives)? Where, in principle, almost all antiviruses have a protection level of 97 percent or higher (I'm talking about the latest dynamic test from AV-Comparatives), which does not match the real experience of most professional PC users?

Consumers either do not look at tests at all or look at live tests / reviews, but these prestigious laboratories have drawn completely stupid pictures so many times that it is a shame to even mention them. How can I recommend your antivirus to someone? Based on pictures from AV-Comparatives and AV-Test? I use your product because of the excellent firewall and web filter, but it's still a pity that progress in the development of protection is not visible at all.

Ok, I will not continue this topic. I just wanted to help.

I mean, I'm wary of YouTube videos AV-wise. This one at least didn't do the thing that most seem to get wrong, not showing them downloading the stuff. I believe a lot of YouTube testers often disable the AV to download the viruses, but that doesn't show the full product, as web protection for example would normally prevent the virus from being downloaded in the first place.

I had a quick check on your video but as it was in Russian didn't really know what was being said. Wasn't keen on the edit effect thing either as it makes you wonder if something is happening in between the transition effect.

My own personal belief is any AV tests should be used as a guide but don't take them as gospel. If the AV works for you and protects you then just keep using it. Tests can be engineered to make one AV look good and one look bad. They also tend to not represent real usage e.g. if they are downloading a big file containing lots of samples the average user wouldn't be doing this.

As for the actual malware on that test, as I can't understand what is being said I don't know anything about it.


On 11/22/2020 at 5:12 PM, peteyt said:

I mean, I'm wary of YouTube videos AV-wise. This one at least didn't do the thing that most seem to get wrong, not showing them downloading the stuff. I believe a lot of YouTube testers often disable the AV to download the viruses, but that doesn't show the full product, as web protection for example would normally prevent the virus from being downloaded in the first place.

I had a quick check on your video but as it was in Russian didn't really know what was being said. Wasn't keen on the edit effect thing either as it makes you wonder if something is happening in between the transition effect.

My own personal belief is any AV tests should be used as a guide but don't take them as gospel. If the AV works for you and protects you then just keep using it. Tests can be engineered to make one AV look good and one look bad. They also tend to not represent real usage e.g. if they are downloading a big file containing lots of samples the average user wouldn't be doing this.

As for the actual malware on that test, as I can't understand what is being said I don't know anything about it.

Now I will briefly outline the situation that happened in the test. For some very rare programs, special uninstallers have been written which, if run in the folder of that program, correctly remove that specific program. But if the same uninstaller is run outside the program's folder, then it literally deletes EVERYTHING from the hard disk (programs, documents, even some system files). Samples of this uninstaller were sent to the ESET laboratory a year ago, and after analyzing the program, analysts recognized it as malicious, creating a signature for the Win32/KillFiles.NJT trojan. But apparently the signature was later removed, and now the antivirus does not consider this program and similar ones dangerous, hence the result in the test. In fact, these are of course legitimate programs, and if they are launched in the folder of the specific program they are meant to delete, then they correctly delete only it, but they can be dangerous if they are not launched in the program folder; therefore, they absolutely fall under the POTENTIALLY DANGEROUS category. Their actions in such cases cause irreparable damage to the system and the user's files, and a complete reinstallation of the system and restoration of the user's personal files are required.

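The failure mode DKech describes above, as an added example that is not part of the thread, not one of the uninstallers in question and not ESET's code: a toy uninstaller that deletes "everything here", where "here" is the process's current working directory rather than the program folder, next to a hardened version that anchors on its own location and refuses to run unless the folder carries a product marker file. The marker name, the folder layout and the file names are assumptions made for the example; it works in a throwaway temp directory.

```python
"""Toy reproduction of the uninstaller failure mode described in the thread.

Added example, not code from the thread, from the uninstallers discussed or
from ESET. The bug: an uninstaller that removes "everything in the current
directory" behaves only when launched from inside its own program folder.
Launched from anywhere else, it wipes whatever the current working directory
happens to be (the desktop, in the comss.ru test). The hardened version
anchors on the folder it was shipped in, ignores the working directory and
refuses unless that folder carries the product's marker file.
"""
import shutil
import tempfile
from pathlib import Path

MARKER = "uninstall.marker"  # assumption: a file only the product's own folder carries


def build_fixture() -> Path:
    """Constructed sample layout under a temp dir: a product folder plus an
    unrelated user desktop that must survive an uninstall."""
    root = Path(tempfile.mkdtemp(prefix="uninst-demo-"))
    prog = root / "Program Files" / "SomeApp"
    prog.mkdir(parents=True)
    (prog / "app.exe").write_text("binary")
    (prog / MARKER).write_text("SomeApp")
    desk = root / "Users" / "alice" / "Desktop"
    desk.mkdir(parents=True)
    (desk / "thesis.docx").write_text("important")
    (desk / "photos").mkdir()
    (desk / "photos" / "1.jpg").write_text("jpeg")
    return root


def _wipe_entries(folder: Path) -> list:
    """Remove every entry directly under folder; return the names removed."""
    removed = []
    for entry in folder.iterdir():
        if entry.is_dir() and not entry.is_symlink():
            shutil.rmtree(entry)
        else:
            entry.unlink()
        removed.append(entry.name)
    return removed


def naive_uninstall(cwd: Path) -> list:
    """Buggy uninstaller: 'delete everything here', where 'here' is the
    process's current working directory, not the program folder."""
    return _wipe_entries(cwd)


def safe_uninstall(script_dir: Path) -> list:
    """Hardened uninstaller: operates only on the folder it was shipped in
    (in a real script, Path(__file__).parent), and only if that folder proves
    it belongs to the product."""
    target = script_dir.resolve()
    if target.parent == target:
        raise RuntimeError("refusing: target is a filesystem root")
    if not (target / MARKER).is_file():
        raise RuntimeError(f"refusing: {target} does not contain {MARKER}")
    removed = _wipe_entries(target)
    target.rmdir()
    return removed


def cleanup(root: Path) -> None:
    """Discard the demo tree."""
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    root = build_fixture()
    desk = root / "Users" / "alice" / "Desktop"
    prog = root / "Program Files" / "SomeApp"
    print("naive uninstaller run from the desktop removed:", naive_uninstall(desk))
    try:
        safe_uninstall(desk)
    except RuntimeError as err:
        print("safe uninstaller run from the desktop:", err)
    print("safe uninstaller in its own folder removed:", safe_uninstall(prog))
    cleanup(root)
```

Run from the desktop, the naive version removes the user's documents and leaves the program untouched, which is exactly the pattern the test video showed; the hardened version refuses there and only ever removes the folder that carries the marker.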

1 hour ago, DKech said:

In fact, these are of course legitimate programs, and if they are launched in the folder of a specific program that they must delete, then they only delete it correctly, but they can be dangerous if they are not launched in the program folder, therefore, they absolutely fall under the POTENTIALLY DANGEROUS category

Appears what is being said here is these uninstallers are in effect borked uninstallers.

The question is if they even meet the criteria of potentially unwanted or unsafe applications. Note Eset doesn't have a category for potentially dangerous applications. 

The first and major issue here is the app uninstallers do not exhibit any undesirable behavior if created in their assumed default installation directory. Next, the undesirable uninstaller behavior appears to occur when the aforementioned is not the case. Finally and implied is that someone is maliciously deploying these uninstallers under bork run criteria. What if the deployment was not with malicious intent but done by some inadvertent or unintentional method?

I guess if I "stretch" reasoning in this regard, this could fall under "living off the land" malware deployment methods. The problem is Eset presently doesn't detect many of those that are known. I would rather they concentrate on those known attacks rather than expending resources on a theoretical borked uninstaller misuse.

Edited by itman

  • Most Valued Members

Weirdly, Googling Win32/KillFiles brings up Eset as if it is detected, but as Win32/KillFiles.NBL, and it is on the Singapore website.


14 minutes ago, itman said:

I guess if I "stretch" reasoning in this regard, this could fall under "living off the land" malware deployment methods. The problem is Eset presently doesn't detect many of those that are known. I would rather they concentrate on those known attacks rather than expending resources a theoretical borked uninstaller misuse.

Any good antivirus has at least two tasks: to protect information from theft, and to protect the system and files from destruction. The fact that in the test there is only a broken uninstaller does not mean that you can close your eyes to it, because tomorrow such a file may be sent to some person with some message, I don't know, for example "look at what a cool game" or something like that, with the intent for the person to run the file and lose the working system and part of their working files. So, this is an attack vector; yes, it is not a terrible hacker technique and not a zero-day vulnerability, but it can damage a person.

I was provided with a similar installer (maybe from DKech?) that removes everything, and I sent it for analysis to Eset by mail and from the program interface. I am absolutely sure that HIPS, at least in smart mode, must block the batch deletion of files and programs.

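The "block batch deletion" behaviour the post above asks of HIPS, as an added example that is not part of the thread and not ESET's HIPS logic (which is not public): a per-process sliding-window heuristic run over constructed file-delete events in the shape of Sysmon Event ID 23 (FileDelete). It flags a process that, within a short window, deletes many files spread across several unrelated folders, while an uninstaller deleting many files inside its own folder keeps the spread at one and is left alone. The thresholds, process GUIDs, paths and the event lines themselves are assumptions constructed for the example.

```python
"""Mass-deletion heuristic of the kind the post argues HIPS should apply.

Added example for this thread, not ESET's HIPS logic and not code from any
participant. It reads constructed, simplified file-delete events shaped like
Sysmon Event ID 23 (FileDelete) and raises one alert per process that, within
a short window, deletes many files spread across several unrelated folders.
A well-behaved uninstaller deleting many files inside its own folder never
crosses the spread threshold. All thresholds and sample data are assumptions.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=10)  # assumption: how long a burst may span
MIN_DELETES = 20                # assumption: deletes in the window before we care
MIN_SCOPES = 3                  # assumption: distinct folders that make a burst "spread"
TIME_FMT = "%Y-%m-%d %H:%M:%S.%f"


def scope_of(path: str, depth: int = 2) -> str:
    r"""Group a path by drive plus its first `depth` folders, so that
    C:\Program Files\App1\bin\x.exe -> c:\program files\app1 and
    C:\Users\alice\Desktop\a.docx   -> c:\users\alice."""
    parts = path.lower().split("\\")
    return "\\".join(parts[: depth + 1])


class MassDeleteDetector:
    """Per-process sliding window over recent deletes."""

    def __init__(self, window=WINDOW, min_deletes=MIN_DELETES, min_scopes=MIN_SCOPES):
        self.window, self.min_deletes, self.min_scopes = window, min_deletes, min_scopes
        self._recent = defaultdict(deque)  # ProcessGuid -> deque of (time, scope)
        self._alerted = set()

    def feed(self, event: dict):
        """Return an alert dict the first time a process crosses both
        thresholds inside the window, otherwise None."""
        ts = datetime.strptime(event["UtcTime"], TIME_FMT)
        key = event["ProcessGuid"]
        recent = self._recent[key]
        recent.append((ts, scope_of(event["TargetFilename"])))
        while recent and ts - recent[0][0] > self.window:
            recent.popleft()
        scopes = {s for _, s in recent}
        if (len(recent) >= self.min_deletes and len(scopes) >= self.min_scopes
                and key not in self._alerted):
            self._alerted.add(key)
            return {"ProcessGuid": key, "Image": event["Image"],
                    "deletes": len(recent), "scopes": sorted(scopes)}
        return None


def scan(lines) -> list:
    """Run the detector over JSON lines; return the alerts raised."""
    det = MassDeleteDetector()
    alerts = []
    for line in lines:
        alert = det.feed(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts


def constructed_events() -> list:
    """Constructed sample log, not a real capture: a tidy uninstaller removing
    its own files, then a rogue one wiping other programs, the desktop and
    System32 within the same two seconds."""
    base = datetime(2020, 11, 23, 14, 5, 0)
    lines = []

    def emit(guid, image, target, offset_ms):
        lines.append(json.dumps({
            "EventID": 23, "ProcessGuid": guid, "Image": image,
            "TargetFilename": target,
            "UtcTime": (base + timedelta(milliseconds=offset_ms)).strftime(TIME_FMT)[:-3],
        }))

    for i in range(30):
        emit("{A}", r"C:\Program Files\SomeApp\unins000.exe",
             rf"C:\Program Files\SomeApp\lib\file{i}.dll", 50 * i)
    targets = [rf"C:\Program Files\App{i}\bin\main.exe" for i in range(10)]
    targets += [rf"C:\Users\alice\Desktop\doc{i}.docx" for i in range(10)]
    targets += [rf"C:\Windows\System32\lib{i}.dll" for i in range(10)]
    for i, target in enumerate(targets):
        emit("{B}", r"C:\Users\alice\Downloads\uninstaller.exe", target, 50 * i)
    return lines


if __name__ == "__main__":
    for alert in scan(constructed_events()):
        print(json.dumps(alert, indent=2))
```

The spread condition is what separates the two cases: count alone would flag every legitimate uninstaller and every build clean, while a single process touching ten program folders, a user profile and System32 in under two seconds is the pattern the test exhibited. In a real HIPS the alert would translate into blocking the process's further deletes rather than just logging.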

3 hours ago, peteyt said:

Weirdly, Googling Win32/KillFiles brings up Eset as if it is detected, but as Win32/KillFiles.NBL, and it is on the Singapore website.

According to the Eset VirusRadar database, Eset has a sig. for Win32/KillFiles.NJT. The infection rate for this malware since 2016 for all Win32/KillFiles variants never exceeded .1%. In the last month, the avg. rate was .01%. In other words, the chance of getting infected by this is nil:

Quote

Samples of this uninstaller were sent to the EsET laboratory a year ago, and after analyzing the program, analysts recognized it as malicious, creating a signature Win32/KillFiles.NJT trojan. But apparently later the signature was removed, and now this program and similar antivirus does not consider it dangerous, hence the result in the test.

Whatever this bugger is, it's not being detected as Win32/KillFiles.NJT. My best guess is someone "tampered" with the original uninstaller to bypass sig. detection.

Edited by itman

8 hours ago, Marcos said:

Please make sure that you have detection of pot. unsafe applications enabled:

Win32/ETKA.A potentially unsafe application

I tested the detection on a sample provided to me by another user, similar to the one used in the test at the links above; the principle of operation is very similar, but it is unlikely that they are the same. All detection settings were set to maximum. There was no detection. Fortunately, your laboratory apparently received samples either from the interface or by email, and the detection was added today: https://www.virustotal.com/gui/file/32a095cbad3232c38e2f6dd1d01db655c7c817b8bd858a916a368741902743a6/detection I hope that in the future Eset will be able to detect any similar uninstallers that try to remove everything on the PC that is not blocked by access.


This topic is now closed to further replies.