Reputation of Programs.

[New_Style_xd 69]

Good evening,
I have doubts, below an image that explains better what I will say.
The reputation that is orange and a bad sign can I use this type of software? 

[Marcos 5,070]

You can if you know it's safe. It's just not popular enough.

[NewbyUser 72]

Yellow is fine to use, Red is risky  

Running processes | ESET Smart Security Premium | ESET Online Help

[New_Style_xd 69]

5 hours ago, NewbyUser said:

Yellow is fine to use, Red is risky  

Running processes | ESET Smart Security Premium | ESET Online Help

Thanks for the link and information. 

[peteyt 393]

5 hours ago, New_Style_xd said:

Thanks for the link and information. 

Also I belive but I could be wrong, new updated processes might show as yellow because being new they haven't as many users. For example a new Microsoft update might even show as yellow if it hasn't got as many users currently using it. 

[itman 1,659]

Another thing to remember in regards to Eset Reputation classification is the number of users frequency ranking applies to number of Eset installations where the software has been recorded on.

Likewise a "red" colored process indicates the same; it is unknown to existing Eset installations.

Overall and in its present state, Eset Reputation ranking is of minimum value in determining a process's trustworthy status,

Edited August 21, 2021 by itman

[peteyt 393]

5 hours ago, itman said:

Another thing to remember in regards to Eset Reputation classification is the number of users frequency ranking applies to number of Eset installations where the software has been recorded on.

Likewise a "red" colored process indicates the same; it is unknown to existing Eset installations.

Overall and in its present state, Eset Reputation ranking is of minimum value in determining a process's trustworthy status,

Could it ever be used in theory in a way that used non eset users in the data?

[New_Style_xd 69]

1 hour ago, peteyt said:

Could it ever be used in theory in a way that used non eset users in the data?

If it weren't for Eset users, I believe the database would be bigger. 

[Marcos 5,070]

You should be concerned about files with no information or with risky (red) reputation. Below is an example of brand new malware. If reputation is red, the file should be 100% malicious.

[Minimalist 16]

Only application I have with red reputation is utorrent. So even software that is not malicious (but can be considered PUA, which is in this case debatable) can be mark in red. Even with high number of users.

[Nightowl 202]

37 minutes ago, Minimalist said:

Only application I have with red reputation is utorrent. So even software that is not malicious (but can be considered PUA, which is in this case debatable) can be mark in red. Even with high number of users.

You can switch it with an open source alternative like Qbittorrent or Deluge , they have a better reputation and no PUA detection.

[itman 1,659]

7 hours ago, Marcos said:

You should be concerned about files with no information or with risky (red) reputation. Below is an example of brand new malware. If reputation is red, the file should be 100% malicious.

This comment needs further clarification.

The problem here is if Eset Reputation scanning classifies a running process as "red" colored status; i.e. risky, you will receive no interactive notification from Eset that this is the case when the process attempts execution. Hence my prior statement that Eset Reputation scanner is a worthless feature.

In contrast, Win 10 native SmartScreen will at least alert on process startup if the app wasn't downloaded from the Win Store, Also in the case of signed apps, it will alert if the certificate is invalid; i.e. revoked or expired.

Edited August 22, 2021 by itman

[Marcos 5,070]

A risky process should not be running. If it's malware it would have already been detected. In my screenshot above I had real-time protection disabled in order to be able to access the risky / malicious file.

[itman 1,659]

What would make Eset Reputation scanning worthwhile for me would be an optional "suspicious" detection/category.

This would be triggered by like current upload processing to Livegrid servers of suspicious processes. Rather than Eset auto allowing these processes to run, an Eset alert would be displayed allowing the user to block execution.

[Marcos 5,070]

15 minutes ago, itman said:

This would be triggered by like current upload processing to Livegrid servers of suspicious processes. Rather than Eset auto allowing these processes to run, an Eset alert would be displayed allowing the user to block execution.

This is what proactive protection in ESET Dynamic Threat Defense does.

[peteyt 393]

1 minute ago, Marcos said:

This is what proactive protection in ESET Dynamic Threat Defense does.

Which if I'm right is sadly not included with home products.

Do you think eset would ever include this feature in the premium version?

Edited August 22, 2021 by peteyt

[itman 1,659]

Just now, peteyt said:

Which if I'm right is sadly not included with home products

+1

[itman 1,659]

Also in regards to ESET Dynamic Threat Defense and in comparison, Windows Defender includes cloud scanning and process suspension until completed by default.

[Marcos 5,070]

Just now, itman said:

Also in regards to ESET Dynamic Threat Defense and in comparison, Windows Defender includes cloud scanning and process suspension until completed by default.

We temporarily block only suspicious files, ie. not whitelisted files, files signed by Microsoft, etc. It's not a good idea to enable proactive protection in business products by default; theoretically it could cause issues with Windows updates or with updating business applications that do not count with the fact that files could be temporarily blocked.

[itman 1,659]

1 minute ago, Marcos said:

We temporarily block only suspicious files, ie. not whitelisted files, files signed by Microsoft, etc.

If I am correct, this is not done dynamically at detection time. If initial Livegrid scanning shows suspect activity, it will issue an update to Eset internal process blacklist.

However and obviously, the process has long ago completed execution on the source device that did the intial Livegrid upload.

[Marcos 5,070]

1 minute ago, itman said:

If I am correct, this is not done dynamically at detection time. If initial Livegrid scanning shows suspect activity, it will issue an update to Eset internal process blacklist.

However and obviously, the process has long ago completed execution on the source device that did the intial Livegrid upload.

We first check if the file meets criteria for running (e.g. signed by Microsoft, whitelisted file, etc.) and only then allow execution or temporarily block execution of the file the same way as if it was recognized malware.

[itman 1,659]

36 minutes ago, Marcos said:

We first check if the file meets criteria for running (e.g. signed by Microsoft, whitelisted file, etc.) and only then allow execution or temporarily block execution of the file the same way as if it was recognized malware.

Based on the above, Eset does not perform any cloud scanning of process execution code.

Edited August 22, 2021 by itman

[Marcos 5,070]

5 minutes ago, itman said:

Based on the above, Eset suspends a process, performs limited Livegrid cloud scanning, and then releases the process for execution if benign or, blocks the process from execution if malicious. Is this a correct statement?

No, the process is not started at all. We block access to the file completely so that it cannot be executed nor accessed/read  by other processes either until the analysis in the cloud sandbox has completed or the timeout set for analysis has elapsed (normally it shouldn't take more than 2 minutes, yet the default timeout is 5 min).

[itman 1,659]

2 minutes ago, Marcos said:

No, the process is not started at all. We block access to the file completely so that it cannot be executed nor accessed/read  by other processes either until the analysis in the cloud sandbox has completed or the timeout set for analysis has elapsed (normally it shouldn't take more than 2 minutes, yet the default timeout is 5 min).

Well, I am totally confused by these replies at this point. What you stated above is Eset is currently performing EDTD processing by default on the current consumer product versions?

[Marcos 5,070]

4 minutes ago, itman said:

Well, I am totally confused by these replies at this point. What you stated above is Eset is currently performing EDTD processing by default on the current consumer product versions?

To make it clear, I was referring to the proactive protection feature of EDTD which is supported by the current version of Endpoint.