Jump to content

Avast Now Also Has Block-At-First-Site-Capability


itman
 Share

Recommended Posts

Avast blog article here: https://blog.avast.com/cybercapture-protection-against-zero-second-attacks .

Detail on configuration options here: https://support.avast.com/en-us/article/54/

Of note is this feature exists even in Avast free version.

Time Eset "get with the program" and offer same like capability for their home use products.

Edited by itman
Link to comment
Share on other sites

The fact is Eset has all the internal mechanisms in place to accomplish this. All they have to do is block the process until LiveGrid black list determination processing has completed. As to the false positive element, I say "to hell with that." Most home users would not be significantly impacted by such process blocking. 

This could be also further refined by adding Trusted Publisher, signing, etc. criteria to Eset Reputation scanner. Failure on reputation coupled with suspected malicious activity should be enough to block until LiveGrid initial scanning is completed.

Link to comment
Share on other sites

  • Most Valued Members
5 hours ago, itman said:

The fact is Eset has all the internal mechanisms in place to accomplish this. All they have to do is block the process until LiveGrid black list determination processing has completed. As to the false positive element, I say "to hell with that." Most home users would not be significantly impacted by such process blocking. 

This could be also further refined by adding Trusted Publisher, signing, etc. criteria to Eset Reputation scanner. Failure on reputation coupled with suspected malicious activity should be enough to block until LiveGrid initial scanning is completed.

It could also be optional if they are worried. 

I do think out of all the security programs I've used in the past Eset is my favourite. However as I've mentioned before I do feel they are holding back due to their worry of false positives and non technical users. This is seen by a lot of the same feature requests constantly asked for. 

Link to comment
Share on other sites

4 hours ago, SeriousHoax said:

BTW, this particular feature on Avast requires MOTW

Makes sense since WD's block-at-first-sight also uses it as the scan trigger mechanism. Also means it would be vulnerable to MOTW bypasses such as ADS "stripping." However, overall MOTW is adequate for most Internet based attacks except APT targeted variety.

Where one would need to employ caution is publicly used external media such as USB drive.

4 hours ago, SeriousHoax said:

ESET should take inspiration from Kaspersky's Application Control

If you review past forums, this is something @Marcos mentioned as always on the Eset "near implementation horizon," but has yet to materialize like a number of other requested enhancements.

Edited by itman
Link to comment
Share on other sites

17 hours ago, itman said:

If you review past forums, this is something @Marcos mentioned as always on the Eset "near implementation horizon," but has yet to materialize like a number of other requested enhancements.

Hmm, only promises with no result so far 😕

Link to comment
Share on other sites

  • 2 weeks later...
5 hours ago, Aryeh Goretsky said:

It has been available for a while to business customers:  https://www.eset.com/int/business/solutions/cloud-sandbox-analysis/

The problem with this alternative is:

1. Eset has a five seat minimum purchase requirement for its endpoint solutions.

2. It requires an additional monthly subscription.

I don't know what a monthly subscription for EDTD costs. However, that is additional cost on top of EES yearly license cost.

-EDIT- I didn't realize Eset now has an integrated endpoint + EDTD solution called CloudProtect. The cost is $310 USD per one year license due to the 5 seat minimum purchase requirement. Obviously, no home user will pay that for single device protection.

If I were to go this route, I would pay a one-time upgrade cost to Win 10 Professional which is $100. I would then purchase a Windows Defender ATP monthly license which I believe is $4 - $5 a month. In other words, my yearly AV cost would be approx. what a one year subscription for EIS costs.

Edited by itman
Link to comment
Share on other sites

  • Most Valued Members
1 hour ago, Aryeh Goretsky said:

Hello,

It has been available for a while to business customers:  https://www.eset.com/int/business/solutions/cloud-sandbox-analysis/


Regards,

Aryeh Goretsky

Which is good, and I get you want to offer business customers great protection. However is there any plans to roll this out to home users, considering the fact other competitors have. Don't worry I don't plan to move to another AV ha, I'm just thinking how it may look for new customers who might compare features before purchasing

Link to comment
Share on other sites

My suggestion is one that has been asked for previously. That is Eset offer a Professional version to its home users. Eset's marketing for this would be its only suitable for advanced technical users and support for it is limited primarily to bug fixes. In other words, it is not Eset's responsibility to show users how to properly configure the product other than providing on-line documentation.

EDTD would be included and its cost would be embedded in the license yearly subscription cost. The product would also include other complimentary features such as configurable Reputation features such as Trusted Publisher capability and other criteria associated with determining "known" status of a process.

It should also be noted the main difference between what EDTD provides versus what for example, Avast's block-at-first-sight does. That is rapid; i.e. less than 5 mins, process status determination.

Finally, Eset must be mindful in pricing of its competitors cost as noted in my above WD ATP comments.

Edited by itman
Link to comment
Share on other sites

"The other side of the protection coin" is if most home users need the responsiveness provided by EDTD. I would say the answer to that is no. Normal LiveGrid sandbox analysis times appear to be on par to those stated by Avast; a couple of hours. Again, the only thing Eset needs to do is block process execution until this determination is had.

This does bring up the question of just how many "suspicious" detection's are being submitted to LiveGrid for analysis. Based on my Eset installation, the answer is very few. As such, providing EDTD capability w/o extra cost to the purchaser should not be a cost issue to Eset.

Link to comment
Share on other sites

😉Hi, 

  I think you have a good idea, but for me, it's not a bad thing to add a similar feature like EDTD to the home version. Or rather, the home version  should just include a bit of aggressive detection.(of course you can change it in advance settings)

 Because sometimes I'll suddenly find a low-propagation threat (livegrid no any data ) that scans with no alerts, so I try to upload it using the software's right-click menu, and I wait for ages without receiving a response The threat isn't detected either, this makes me a little sad.

Greeting. 

Link to comment
Share on other sites

  • Most Valued Members
24 minutes ago, ReinaKirisame said:

😉Hi, 

  I think you have a good idea, but for me, it's not a bad thing to add a similar feature like EDTD to the home version. Or rather, the home version  should just include a bit of aggressive detection.(of course you can change it in advance settings)

 Because sometimes I'll suddenly find a low-propagation threat (livegrid no any data ) that scans with no alerts, so I try to upload it using the software's right-click menu, and I wait for ages without receiving a response The threat isn't detected either, this makes me a little sad.

Greeting. 

Yeah I think eset are just worried that some novice users will use the advanced features and then mess things up

Link to comment
Share on other sites

I also would be satisfied if two features from EDTD Proactive Protection referenced here: https://help.eset.com/edtd/en-US/index.html?proactive_protection.html were included in the Home versions as optional settings in Cloud Protection. Neither of these would involve cloud scanning by Eset.

The first setting would be Detection threshold. The second setting would be Proactive protection.

Proactive protection would have the following options:

1. Suspend process execution.

An alert window would be displayed showing process detail including file location. Tab options available would be "Resume" or "Block." This would allow the user to submit the file to an alternative scanning service such as VirusTotal, Hybrid-Analysis, or perform in depth local sandbox analysis on the process.

2. Block process execution.

An alert window would be displayed showing process detail including file location along with wording the process was blocked.

Edited by itman
Link to comment
Share on other sites

  • ESET Moderators

Hello,

As I believe my colleague @Marcos noted, the feature is being considered for a release of ESET's home software at some point in the future.  That said, I do not know if there is a specific version or date targeted.

Sometimes, features appear first in a consumer versions and migrate to the enterprise versions, and sometimes they first appear in enterprise versions and migrate to the consumer ones.

One thing to keep in mind here is that you are dealing with two very different classes of users with wildly-diverging software-use cases and expectations about protection, performance, usability, and so forth.

Regards,

Aryeh Goretsky

Link to comment
Share on other sites

  • 2 weeks later...
Posted (edited)

There is also another alternative to "block-at-first-sight" that I have mentioned previously in the forum. This is a usable whitelisting capability via Eset HIPS.

The current problem with the HIPS existing learning mode is that it records every activity a process performs. This in effect makes the existing HIPS rule set unusable due to both the sheer number of rules created plus the fact there is no present way to sort/order rules.

My previous and current suggestion is Eset provide a HIPS option that only creates allow rules for processes run while in learning mode. This could be further refined by an option to always allowing trusted system processes to run. Obviously an exclusion list would be needed to exclude abused system processes like PowerShell from being auto allowed.

Likewise, existing Eset HIPS Interactive mode be provided an option where only process run activity is monitored and only allow/block rules created regarding process startup.

Edited by itman
Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...