New_Style_xd 62 Posted August 20, 2021
Good evening, I have doubts; below is an image that explains better what I will say. The reputation that is orange and a bad sign, can I use this type of software?

Administrators Marcos 4,693 Posted August 20, 2021
You can if you know it's safe. It's just not popular enough.

ESET Insiders NewbyUser 70 Posted August 20, 2021
Yellow is fine to use, Red is risky.
Running processes | ESET Smart Security Premium | ESET Online Help

New_Style_xd 62 Posted August 21, 2021 Author
5 hours ago, NewbyUser said:
> Yellow is fine to use, Red is risky.
> Running processes | ESET Smart Security Premium | ESET Online Help
Thanks for the link and information.

Most Valued Members peteyt 359 Posted August 21, 2021
5 hours ago, New_Style_xd said:
> Thanks for the link and information.
Also I believe, but I could be wrong, new updated processes might show as yellow because being new they haven't as many users. For example a new Microsoft update might even show as yellow if it hasn't got as many users currently using it.

itman 1,538 Posted August 21, 2021
Another thing to remember in regards to Eset Reputation classification is the number of users frequency ranking applies to number of Eset installations where the software has been recorded on. Likewise a "red" colored process indicates the same; it is unknown to existing Eset installations. Overall and in its present state, Eset Reputation ranking is of minimum value in determining a process's trustworthy status.
Edited August 21, 2021 by itman

Most Valued Members peteyt 359 Posted August 21, 2021
5 hours ago, itman said:
> Another thing to remember in regards to Eset Reputation classification is the number of users frequency ranking applies to number of Eset installations where the software has been recorded on. Likewise a "red" colored process indicates the same; it is unknown to existing Eset installations. Overall and in its present state, Eset Reputation ranking is of minimum value in determining a process's trustworthy status.
Could it ever be used in theory in a way that used non-Eset users in the data?

New_Style_xd 62 Posted August 21, 2021 Author
1 hour ago, peteyt said:
> Could it ever be used in theory in a way that used non-Eset users in the data?
If it weren't for Eset users, I believe the database would be bigger.

Administrators Marcos 4,693 Posted August 22, 2021
You should be concerned about files with no information or with risky (red) reputation. Below is an example of brand new malware. If reputation is red, the file should be 100% malicious.

ESET Insiders Minimalist 16 Posted August 22, 2021
The only application I have with red reputation is utorrent. So even software that is not malicious (but can be considered PUA, which is in this case debatable) can be marked in red. Even with a high number of users.

Most Valued Members Nightowl 187 Posted August 22, 2021
37 minutes ago, Minimalist said:
> The only application I have with red reputation is utorrent. So even software that is not malicious (but can be considered PUA, which is in this case debatable) can be marked in red. Even with a high number of users.
You can switch it with an open source alternative like Qbittorrent or Deluge; they have a better reputation and no PUA detection.

itman 1,538 Posted August 22, 2021
7 hours ago, Marcos said:
> You should be concerned about files with no information or with risky (red) reputation. Below is an example of brand new malware. If reputation is red, the file should be 100% malicious.
This comment needs further clarification. The problem here is if Eset Reputation scanning classifies a running process as "red" colored status, i.e. risky, you will receive no interactive notification from Eset that this is the case when the process attempts execution. Hence my prior statement that Eset Reputation scanner is a worthless feature. In contrast, Win 10 native SmartScreen will at least alert on process startup if the app wasn't downloaded from the Win Store. Also in the case of signed apps, it will alert if the certificate is invalid, i.e. revoked or expired.
Edited August 22, 2021 by itman

Administrators Marcos 4,693 Posted August 22, 2021
A risky process should not be running. If it's malware it would have already been detected. In my screenshot above I had real-time protection disabled in order to be able to access the risky / malicious file.

itman 1,538 Posted August 22, 2021
What would make Eset Reputation scanning worthwhile for me would be an optional "suspicious" detection/category. This would be triggered by like current upload processing to Livegrid servers of suspicious processes. Rather than Eset auto allowing these processes to run, an Eset alert would be displayed allowing the user to block execution.

Administrators Marcos 4,693 Posted August 22, 2021
15 minutes ago, itman said:
> This would be triggered by like current upload processing to Livegrid servers of suspicious processes. Rather than Eset auto allowing these processes to run, an Eset alert would be displayed allowing the user to block execution.
This is what proactive protection in ESET Dynamic Threat Defense does.

Most Valued Members peteyt 359 Posted August 22, 2021
1 minute ago, Marcos said:
> This is what proactive protection in ESET Dynamic Threat Defense does.
Which if I'm right is sadly not included with home products. Do you think Eset would ever include this feature in the premium version?
Edited August 22, 2021 by peteyt

itman 1,538 Posted August 22, 2021
Just now, peteyt said:
> Which if I'm right is sadly not included with home products
+1

itman 1,538 Posted August 22, 2021
Also in regards to ESET Dynamic Threat Defense and in comparison, Windows Defender includes cloud scanning and process suspension until completed by default.

Administrators Marcos 4,693 Posted August 22, 2021
Just now, itman said:
> Also in regards to ESET Dynamic Threat Defense and in comparison, Windows Defender includes cloud scanning and process suspension until completed by default.
We temporarily block only suspicious files, i.e. not whitelisted files, files signed by Microsoft, etc. It's not a good idea to enable proactive protection in business products by default; theoretically it could cause issues with Windows updates or with updating business applications that do not count with the fact that files could be temporarily blocked.

itman 1,538 Posted August 22, 2021
1 minute ago, Marcos said:
> We temporarily block only suspicious files, i.e. not whitelisted files, files signed by Microsoft, etc.
If I am correct, this is not done dynamically at detection time. If initial Livegrid scanning shows suspect activity, it will issue an update to Eset internal process blacklist. However and obviously, the process has long ago completed execution on the source device that did the initial Livegrid upload.

Administrators Marcos 4,693 Posted August 22, 2021
1 minute ago, itman said:
> If I am correct, this is not done dynamically at detection time. If initial Livegrid scanning shows suspect activity, it will issue an update to Eset internal process blacklist. However and obviously, the process has long ago completed execution on the source device that did the initial Livegrid upload.
We first check if the file meets criteria for running (e.g. signed by Microsoft, whitelisted file, etc.) and only then allow execution or temporarily block execution of the file the same way as if it was recognized malware.

itman 1,538 Posted August 22, 2021
36 minutes ago, Marcos said:
> We first check if the file meets criteria for running (e.g. signed by Microsoft, whitelisted file, etc.) and only then allow execution or temporarily block execution of the file the same way as if it was recognized malware.
Based on the above, Eset does not perform any cloud scanning of process execution code.
Edited August 22, 2021 by itman

Administrators Marcos 4,693 Posted August 22, 2021
5 minutes ago, itman said:
> Based on the above, Eset suspends a process, performs limited Livegrid cloud scanning, and then releases the process for execution if benign or, blocks the process from execution if malicious. Is this a correct statement?
No, the process is not started at all. We block access to the file completely so that it cannot be executed nor accessed/read by other processes either until the analysis in the cloud sandbox has completed or the timeout set for analysis has elapsed (normally it shouldn't take more than 2 minutes, yet the default timeout is 5 min).

itman 1,538 Posted August 22, 2021
2 minutes ago, Marcos said:
> No, the process is not started at all. We block access to the file completely so that it cannot be executed nor accessed/read by other processes either until the analysis in the cloud sandbox has completed or the timeout set for analysis has elapsed (normally it shouldn't take more than 2 minutes, yet the default timeout is 5 min).
Well, I am totally confused by these replies at this point. What you stated above is Eset is currently performing EDTD processing by default on the current consumer product versions?

Administrators Marcos 4,693 Posted August 22, 2021
4 minutes ago, itman said:
> Well, I am totally confused by these replies at this point. What you stated above is Eset is currently performing EDTD processing by default on the current consumer product versions?
To make it clear, I was referring to the proactive protection feature of EDTD which is supported by the current version of Endpoint.