Jump to content

Recommended Posts

Good evening,
I have doubts, below an image that explains better what I will say.
The reputation that is orange and a bad sign can I use this type of software? 

image.png.e7ebb6426271617b4b1e649cb99ae727.png

Link to comment
Share on other sites

  • Most Valued Members
5 hours ago, New_Style_xd said:

Thanks for the link and information. 

Also I belive but I could be wrong, new updated processes might show as yellow because being new they haven't as many users. For example a new Microsoft update might even show as yellow if it hasn't got as many users currently using it. 

Link to comment
Share on other sites

Another thing to remember in regards to Eset Reputation classification is the number of users frequency ranking applies to number of Eset installations where the software has been recorded on.

Likewise a "red" colored process indicates the same; it is unknown to existing Eset installations.

Overall and in its present state, Eset Reputation ranking is of minimum value in determining a process's trustworthy status,

Edited by itman
Link to comment
Share on other sites

  • Most Valued Members
5 hours ago, itman said:

Another thing to remember in regards to Eset Reputation classification is the number of users frequency ranking applies to number of Eset installations where the software has been recorded on.

Likewise a "red" colored process indicates the same; it is unknown to existing Eset installations.

Overall and in its present state, Eset Reputation ranking is of minimum value in determining a process's trustworthy status,

Could it ever be used in theory in a way that used non eset users in the data?

Link to comment
Share on other sites

1 hour ago, peteyt said:

Could it ever be used in theory in a way that used non eset users in the data?

If it weren't for Eset users, I believe the database would be bigger. 

Link to comment
Share on other sites

  • Administrators

You should be concerned about files with no information or with risky (red) reputation. Below is an example of brand new malware. If reputation is red, the file should be 100% malicious.

image.png

image.png

Link to comment
Share on other sites

  • ESET Insiders

Only application I have with red reputation is utorrent. So even software that is not malicious (but can be considered PUA, which is in this case debatable) can be mark in red. Even with high number of users.

Link to comment
Share on other sites

  • Most Valued Members
37 minutes ago, Minimalist said:

Only application I have with red reputation is utorrent. So even software that is not malicious (but can be considered PUA, which is in this case debatable) can be mark in red. Even with high number of users.

You can switch it with an open source alternative like Qbittorrent or Deluge , they have a better reputation and no PUA detection.

Link to comment
Share on other sites

7 hours ago, Marcos said:

You should be concerned about files with no information or with risky (red) reputation. Below is an example of brand new malware. If reputation is red, the file should be 100% malicious.

This comment needs further clarification.

The problem here is if Eset Reputation scanning classifies a running process as "red" colored status; i.e. risky, you will receive no interactive notification from Eset that this is the case when the process attempts execution. Hence my prior statement that Eset Reputation scanner is a worthless feature.

In contrast, Win 10 native SmartScreen will at least alert on process startup if the app wasn't downloaded from the Win Store, Also in the case of signed apps, it will alert if the certificate is invalid; i.e. revoked or expired.

Edited by itman
Link to comment
Share on other sites

  • Administrators

A risky process should not be running. If it's malware it would have already been detected. In my screenshot above I had real-time protection disabled in order to be able to access the risky / malicious file.

Link to comment
Share on other sites

What would make Eset Reputation scanning worthwhile for me would be an optional "suspicious" detection/category.

This would be triggered by like current upload processing to Livegrid servers of suspicious processes. Rather than Eset auto allowing these processes to run, an Eset alert would be displayed allowing the user to block execution.

Link to comment
Share on other sites

  • Administrators
15 minutes ago, itman said:

This would be triggered by like current upload processing to Livegrid servers of suspicious processes. Rather than Eset auto allowing these processes to run, an Eset alert would be displayed allowing the user to block execution.

This is what proactive protection in ESET Dynamic Threat Defense does.

image.png

Link to comment
Share on other sites

  • Most Valued Members
Posted (edited)
1 minute ago, Marcos said:

This is what proactive protection in ESET Dynamic Threat Defense does.

Which if I'm right is sadly not included with home products.

Do you think eset would ever include this feature in the premium version?

Edited by peteyt
Link to comment
Share on other sites

Also in regards to ESET Dynamic Threat Defense and in comparison, Windows Defender includes cloud scanning and process suspension until completed by default.

Link to comment
Share on other sites

  • Administrators
Just now, itman said:

Also in regards to ESET Dynamic Threat Defense and in comparison, Windows Defender includes cloud scanning and process suspension until completed by default.

We temporarily block only suspicious files, ie. not whitelisted files, files signed by Microsoft, etc. It's not a good idea to enable proactive protection in business products by default; theoretically it could cause issues with Windows updates or with updating business applications that do not count with the fact that files could be temporarily blocked.

Link to comment
Share on other sites

1 minute ago, Marcos said:

We temporarily block only suspicious files, ie. not whitelisted files, files signed by Microsoft, etc.

If I am correct, this is not done dynamically at detection time. If initial Livegrid scanning shows suspect activity, it will issue an update to Eset internal process blacklist.

However and obviously, the process has long ago completed execution on the source device that did the intial Livegrid upload.

Link to comment
Share on other sites

  • Administrators
1 minute ago, itman said:

If I am correct, this is not done dynamically at detection time. If initial Livegrid scanning shows suspect activity, it will issue an update to Eset internal process blacklist.

However and obviously, the process has long ago completed execution on the source device that did the intial Livegrid upload.

We first check if the file meets criteria for running (e.g. signed by Microsoft, whitelisted file, etc.) and only then allow execution or temporarily block execution of the file the same way as if it was recognized malware.

Link to comment
Share on other sites

36 minutes ago, Marcos said:

We first check if the file meets criteria for running (e.g. signed by Microsoft, whitelisted file, etc.) and only then allow execution or temporarily block execution of the file the same way as if it was recognized malware.

Based on the above, Eset does not perform any cloud scanning of process execution code.

Edited by itman
Link to comment
Share on other sites

  • Administrators
5 minutes ago, itman said:

Based on the above, Eset suspends a process, performs limited Livegrid cloud scanning, and then releases the process for execution if benign or, blocks the process from execution if malicious. Is this a correct statement?

No, the process is not started at all. We block access to the file completely so that it cannot be executed nor accessed/read  by other processes either until the analysis in the cloud sandbox has completed or the timeout set for analysis has elapsed (normally it shouldn't take more than 2 minutes, yet the default timeout is 5 min).

Link to comment
Share on other sites

2 minutes ago, Marcos said:

No, the process is not started at all. We block access to the file completely so that it cannot be executed nor accessed/read  by other processes either until the analysis in the cloud sandbox has completed or the timeout set for analysis has elapsed (normally it shouldn't take more than 2 minutes, yet the default timeout is 5 min).

Well, I am totally confused by these replies at this point. What you stated above is Eset is currently performing EDTD processing by default on the current consumer product versions?

Link to comment
Share on other sites

  • Administrators
4 minutes ago, itman said:

Well, I am totally confused by these replies at this point. What you stated above is Eset is currently performing EDTD processing by default on the current consumer product versions?

To make it clear, I was referring to the proactive protection feature of EDTD which is supported by the current version of Endpoint.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...