Jump to content

Reputation of Programs.

New_Style_xd
 Share

Recommended Posts

  • Most Valued Members
peteyt

peteyt 387

Posted
  • Most Valued Members
Posted
5 hours ago, New_Style_xd said:

Thanks for the link and information. 

Also I belive but I could be wrong, new updated processes might show as yellow because being new they haven't as many users. For example a new Microsoft update might even show as yellow if it hasn't got as many users currently using it. 

Link to comment
Share on other sites
itman

itman 1,629

Posted
Posted (edited)

Another thing to remember in regards to Eset Reputation classification is the number of users frequency ranking applies to number of Eset installations where the software has been recorded on.

Likewise a "red" colored process indicates the same; it is unknown to existing Eset installations.

Overall and in its present state, Eset Reputation ranking is of minimum value in determining a process's trustworthy status,

Edited by itman
Link to comment
Share on other sites
  • Most Valued Members
peteyt

peteyt 387

Posted
  • Most Valued Members
Posted
5 hours ago, itman said:

Another thing to remember in regards to Eset Reputation classification is the number of users frequency ranking applies to number of Eset installations where the software has been recorded on.

Likewise a "red" colored process indicates the same; it is unknown to existing Eset installations.

Overall and in its present state, Eset Reputation ranking is of minimum value in determining a process's trustworthy status,

Could it ever be used in theory in a way that used non eset users in the data?

Link to comment
Share on other sites
New_Style_xd

New_Style_xd 68

Posted
  • Author
Posted
1 hour ago, peteyt said:

Could it ever be used in theory in a way that used non eset users in the data?

If it weren't for Eset users, I believe the database would be bigger. 

Link to comment
Share on other sites
  • Administrators
Marcos

Marcos 4,919

Posted
  • Administrators
Posted

You should be concerned about files with no information or with risky (red) reputation. Below is an example of brand new malware. If reputation is red, the file should be 100% malicious.

image.png

image.png

Link to comment
Share on other sites
  • ESET Insiders
Minimalist

Minimalist 16

Posted
  • ESET Insiders
Posted

Only application I have with red reputation is utorrent. So even software that is not malicious (but can be considered PUA, which is in this case debatable) can be mark in red. Even with high number of users.

Link to comment
Share on other sites
  • Most Valued Members
Nightowl

Nightowl 198

Posted
  • Most Valued Members
Posted
37 minutes ago, Minimalist said:

Only application I have with red reputation is utorrent. So even software that is not malicious (but can be considered PUA, which is in this case debatable) can be mark in red. Even with high number of users.

You can switch it with an open source alternative like Qbittorrent or Deluge , they have a better reputation and no PUA detection.

Link to comment
Share on other sites
itman

itman 1,629

Posted
Posted (edited)
7 hours ago, Marcos said:

You should be concerned about files with no information or with risky (red) reputation. Below is an example of brand new malware. If reputation is red, the file should be 100% malicious.

This comment needs further clarification.

The problem here is if Eset Reputation scanning classifies a running process as "red" colored status; i.e. risky, you will receive no interactive notification from Eset that this is the case when the process attempts execution. Hence my prior statement that Eset Reputation scanner is a worthless feature.

In contrast, Win 10 native SmartScreen will at least alert on process startup if the app wasn't downloaded from the Win Store, Also in the case of signed apps, it will alert if the certificate is invalid; i.e. revoked or expired.

Edited by itman
Link to comment
Share on other sites
  • Administrators
Marcos

Marcos 4,919

Posted
  • Administrators
Posted

A risky process should not be running. If it's malware it would have already been detected. In my screenshot above I had real-time protection disabled in order to be able to access the risky / malicious file.

Link to comment
Share on other sites
itman

itman 1,629

Posted
Posted

What would make Eset Reputation scanning worthwhile for me would be an optional "suspicious" detection/category.

This would be triggered by like current upload processing to Livegrid servers of suspicious processes. Rather than Eset auto allowing these processes to run, an Eset alert would be displayed allowing the user to block execution.

Link to comment
Share on other sites
  • Administrators
Marcos

Marcos 4,919

Posted
  • Administrators
Posted
15 minutes ago, itman said:

This would be triggered by like current upload processing to Livegrid servers of suspicious processes. Rather than Eset auto allowing these processes to run, an Eset alert would be displayed allowing the user to block execution.

This is what proactive protection in ESET Dynamic Threat Defense does.

image.png

Link to comment
Share on other sites
  • Most Valued Members
peteyt

peteyt 387

Posted
  • Most Valued Members
Posted (edited)
1 minute ago, Marcos said:

This is what proactive protection in ESET Dynamic Threat Defense does.

Which if I'm right is sadly not included with home products.

Do you think eset would ever include this feature in the premium version?

Edited by peteyt
Link to comment
Share on other sites
itman

itman 1,629

Posted
Posted

Also in regards to ESET Dynamic Threat Defense and in comparison, Windows Defender includes cloud scanning and process suspension until completed by default.

Link to comment
Share on other sites
  • Administrators
Marcos

Marcos 4,919

Posted
  • Administrators
Posted
Just now, itman said:

Also in regards to ESET Dynamic Threat Defense and in comparison, Windows Defender includes cloud scanning and process suspension until completed by default.

We temporarily block only suspicious files, ie. not whitelisted files, files signed by Microsoft, etc. It's not a good idea to enable proactive protection in business products by default; theoretically it could cause issues with Windows updates or with updating business applications that do not count with the fact that files could be temporarily blocked.

Link to comment
Share on other sites
itman

itman 1,629

Posted
Posted
1 minute ago, Marcos said:

We temporarily block only suspicious files, ie. not whitelisted files, files signed by Microsoft, etc.

If I am correct, this is not done dynamically at detection time. If initial Livegrid scanning shows suspect activity, it will issue an update to Eset internal process blacklist.

However and obviously, the process has long ago completed execution on the source device that did the intial Livegrid upload.

Link to comment
Share on other sites
  • Administrators
Marcos

Marcos 4,919

Posted
  • Administrators
Posted
1 minute ago, itman said:

If I am correct, this is not done dynamically at detection time. If initial Livegrid scanning shows suspect activity, it will issue an update to Eset internal process blacklist.

However and obviously, the process has long ago completed execution on the source device that did the intial Livegrid upload.

We first check if the file meets criteria for running (e.g. signed by Microsoft, whitelisted file, etc.) and only then allow execution or temporarily block execution of the file the same way as if it was recognized malware.

Link to comment
Share on other sites
itman

itman 1,629

Posted
Posted (edited)
36 minutes ago, Marcos said:

We first check if the file meets criteria for running (e.g. signed by Microsoft, whitelisted file, etc.) and only then allow execution or temporarily block execution of the file the same way as if it was recognized malware.

Based on the above, Eset does not perform any cloud scanning of process execution code.

Edited by itman
Link to comment
Share on other sites
  • Administrators
Marcos

Marcos 4,919

Posted
  • Administrators
Posted
5 minutes ago, itman said:

Based on the above, Eset suspends a process, performs limited Livegrid cloud scanning, and then releases the process for execution if benign or, blocks the process from execution if malicious. Is this a correct statement?

No, the process is not started at all. We block access to the file completely so that it cannot be executed nor accessed/read  by other processes either until the analysis in the cloud sandbox has completed or the timeout set for analysis has elapsed (normally it shouldn't take more than 2 minutes, yet the default timeout is 5 min).

Link to comment
Share on other sites
itman

itman 1,629

Posted
Posted
2 minutes ago, Marcos said:

No, the process is not started at all. We block access to the file completely so that it cannot be executed nor accessed/read  by other processes either until the analysis in the cloud sandbox has completed or the timeout set for analysis has elapsed (normally it shouldn't take more than 2 minutes, yet the default timeout is 5 min).

Well, I am totally confused by these replies at this point. What you stated above is Eset is currently performing EDTD processing by default on the current consumer product versions?

Link to comment
Share on other sites
  • Administrators
Marcos

Marcos 4,919

Posted
  • Administrators
Posted
4 minutes ago, itman said:

Well, I am totally confused by these replies at this point. What you stated above is Eset is currently performing EDTD processing by default on the current consumer product versions?

To make it clear, I was referring to the proactive protection feature of EDTD which is supported by the current version of Endpoint.

Link to comment
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...