
What is your experience with aggressive detection?


  • Administrators

If you use aggressive detection or at least reporting, have you come across a false positive already? If not, could you try it and share your experience?



I am already using aggressive detection for all settings and I did not have any problems with it. By the way, one of the best things I like about ESET is the ability to control the Real-time & Machine learning protection settings in the form of categories; this gives me great power in control, it is really great.

The only problem I had with it was not a false positive, meaning that a clean file is detected as a threat; no, it didn't. The opposite happened.
There is a malicious file (ransomware) that is categorized as a Potentially unwanted application, and this puts users at risk, since the user might think it's not a serious threat, or that it's just adware or something.

MD5 : 08684a98326e5e871ee7832859ff16da
SHA-1 : d43d471b3ba5a29edb0910ac5b8db6ce079fece2
SHA-256 : 24a163dbbbd12e458bcbcfa3e9707da5c7364369060344f062ef46dbf208169d

https://www.virustotal.com/gui/file/24a163dbbbd12e458bcbcfa3e9707da5c7364369060344f062ef46dbf208169d


29 minutes ago, AZ Tech said:

and this puts users at risk, since the user might think it's not a serious threat, or that it's just adware or something.

Unfortunately, if detection of Potentially unwanted applications is disabled, the user will end up with all their files encrypted, as happened here in the attached screenshots.

So I demand that ESET develop an advanced behavior detection system, and I hope they look into it seriously. Giving the user a product that does not consume a lot of device resources is really good, but if you can't keep up with the technology of your competitors, sooner or later you will fall.
Therefore, ESET's acquisition of an advanced behavioral detection system with ransomware remediation that rolls back the changes made by malicious applications is no longer a luxury requirement, but rather an urgent necessity.


  • Most Valued Members

I've always kept Reporting > Aggressive & Protection > Balanced. That way I think it will always report any suspicious files and keep the protection at good levels so as to not interfere with my "daily life".

Even if I (sometimes willingly) download a malicious file but don't run it, it will either quarantine it or delete it. I haven't encountered any false positive (or when detection/database updates could cause FPs, it was fixed before I could encounter one), and for that I'm quite satisfied.

Overall I'm extremely satisfied with the provided options/settings. ✌️

Edited by shocked

I have had all my Eset real-time settings set to aggressive ever since the option became available. I have yet to receive any detection from Eset with these settings. Hence, the FP question is a moot point for me.

Note: The above comment excludes Web Filtering detections. However, those detections were known to exist prior to the attempted download. Also, in the majority of cases, access to the web site was blocked by Eset, preventing any download activity.

Edited by itman

19 minutes ago, itman said:

Note: The above comment excludes Web Filtering detections. However, those detections were known to exist prior to the attempted download. Also, in the majority of cases, access to the web site was blocked by Eset, preventing any download activity.

In case you don't remember


55 minutes ago, itman said:

Note: The above comment excludes Web Filtering detections. However, those detections were known to exist prior to the attempted download. Also, in the majority of cases, access to the web site was blocked by Eset, preventing any download activity.

First of all, I take this into account, and I have already mentioned that ESET has the strongest protection against malicious sites. I also previously mentioned that this cannot happen under normal conditions of use, so let's skip that point.
Seriously speaking, does ESET recognize the results of the AV-Comparatives and AV-TEST tests?
So tell me, how do they do the test?! Do they download samples while ESET Web access protection is enabled? Do they not take that into account?
I don't think so. I like ESET, but I don't have to be a hypocrite: there is a big difference between Web access protection and real-time protection. I think you remember that when I reported some malicious sites, @Marcos asked me "Were you able to find malware which was downloaded and undetected in the end?"

If ESET does not like me letting them know about these problems that I am facing, even if they will not occur under normal conditions of use, I will apologize and withdraw from the discussion and promise that I will not contact them again about any problem. And if, as they always tell me, they are happy to cooperate with us as customers to improve the product, then I am doing my part.
I hope someone will answer me and not forget my question about AV-TEST and AV-Comparatives.


2 hours ago, AZ Tech said:

Seriously speaking, does ESET recognize the results of the AV-Comparatives and AV-TEST tests?
So tell me, how do they do the test?! Do they download samples while ESET Web access protection is enabled? Do they not take that into account?

For AV-TEST, the "Real-World Testing" in the Protection category uses web and email threats, so every product's Web access protection is tested. For the "AV-TEST reference set" a large malware pack is used, so here I think the web access protection doesn't play a part in stopping the malware from reaching the system.

For AV-Comparatives, their "Real-World Protection Test" uses live malware URLs, so web access protection plays its part in stopping malware before it's downloaded, and their "Malware Protection Test" uses a large malware pack similar to the AV-TEST reference set.


18 minutes ago, SeriousHoax said:

For the "AV-TEST reference set" a large malware pack is used, so here I think the web access protection doesn't play a part in stopping the malware from reaching the system.

This is exactly what I mean: there are other layers of protection that must be tested; otherwise, why is ESET not just a browser add-on or a firewall? Of course ESET's functions are more than just web access protection. It is unfortunate that you find people who criticize you when you highlight weaknesses that need improvement, knowing that you are asking for something that will be in everyone's interest.

Now ESET has updated or, more precisely, corrected the detection of the sample that I mentioned, as shown in the attached screenshots.
The question here is, will ESET seriously consider working on developing a behavior detection system?
Or will they just ignore it as if nothing happened? "Based on my experience with them, they won't."


  • Administrators
12 minutes ago, AZ Tech said:

The question here is, will eset seriously consider working on developing a behavior detection system?
Or will they just ignore it as if nothing happened? "Based on my experience with them, they won't."

We already have Deep Behavioral Inspection which monitors the behavior of running processes and it's being continually improved via module updates like other protection mechanisms that ESET employs.

However, I'd like to stress that there's nothing like 100% malware protection, otherwise there would be already at least one AV that would protect against all threats with no false positives without requiring updates.


As far as Deep Behavior Inspection goes, there are two versions of it.

The first is monitoring of suspicious behavior. I have only seen it invoked on one occasion in recent history on my device. It will inject ebehmonl.dll into a process and monitor it for some time. I mean days here until it decides the process is safe.

The second is predetermined monitoring for select processes such as cmd.exe which can be abused by malware. It will inject ebehmoni.dll into these processes.

In any case, this type of behavioral monitoring can't be described as dynamic monitoring of all process execution at first run time such as exists in select other AV solutions.
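A quick way to observe this on your own machine is to list which processes currently have either of the two DLLs named above loaded. This is an added example, not code from the thread or from ESET; the mapping of each DLL name to a monitoring mode is the poster's interpretation, not ESET documentation, and the function name is mine.

```powershell
# Added example (not from the thread or from ESET): enumerate processes that currently
# have one of the two ESET behavior-monitor DLLs named in the post loaded, so you can
# see which processes Deep Behavior Inspection is hooking on this machine.
# DLL-to-mode mapping below is the poster's interpretation, not ESET documentation.
$dbiModules = @{
    'ebehmonl.dll' = 'suspicious-behavior monitoring (per post)'
    'ebehmoni.dll' = 'predetermined monitoring of select processes (per post)'
}

function Get-DbiMonitoredProcess {
    # Hypothetical helper name; returns one object per (process, DBI module) pair.
    [CmdletBinding()]
    param()

    foreach ($proc in Get-Process) {
        # Module enumeration fails for protected processes and, from a 32-bit host,
        # for 64-bit ones; skip those quietly rather than aborting the scan.
        try { $modules = $proc.Modules } catch { continue }
        if ($null -eq $modules) { continue }

        foreach ($mod in $modules) {
            $name = $mod.ModuleName.ToLowerInvariant()
            if ($dbiModules.ContainsKey($name)) {
                [pscustomobject]@{
                    ProcessName = $proc.ProcessName
                    PID         = $proc.Id
                    Module      = $name
                    Mode        = $dbiModules[$name]
                }
            }
        }
    }
}

Get-DbiMonitoredProcess | Sort-Object Mode, ProcessName | Format-Table -AutoSize
```

Run it from an elevated 64-bit PowerShell so that module lists of system and elevated processes are readable; an empty result simply means no process is being monitored at that moment.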


  • Most Valued Members
2 hours ago, Marcos said:

We already have Deep Behavioral Inspection which monitors the behavior of running processes and it's being continually improved via module updates like other protection mechanisms that ESET employs.

However, I'd like to stress that there's nothing like 100% malware protection, otherwise there would be already at least one AV that would protect against all threats with no false positives without requiring updates.

Didn't Eset mention on the public forums, i.e. not the beta areas, that they were looking into a full behaviour system in the next two years (a few years back)?


3 hours ago, AZ Tech said:

This is exactly what I mean, there are other layers of protection that must be tested, otherwise why is eset not just a browser add-on or a firewall, of course eset functions are more than just web access protection

You're highlighting one point but ignored the other. As I explained above, both AV-TEST and AV-Comparatives test AVs properly. Web protection, signatures, heuristics and behavior blockers all come into play depending on the particular test.

Personally I like the AV-Comparatives tests more. Their Real-World test measures a product's quality in dealing with threats that come via the web. When the last Real-World test report showed that ESET was compromised by 1.1% of the malware in the test, it means those malware were able to infect the system bypassing all the protection components of the AV, from web protection to signatures to cloud to behavior blocking.

The Malware Protection test is for testing malware that's already on the disk or came from a USB drive and things like that. In their latest test, ESET let 18 malware compromise the system.

So, depending on the particular test, all of an AV's protection components are being tested appropriately. AV-TEST does real-world, malware protection, performance and false positives all in one test, whereas AV-Comparatives tests them separately.


9 hours ago, AZ Tech said:

Unfortunately, if detection of Potentially unwanted applications is disabled, the user will end up with all their files encrypted, as happened here in the attached screenshots.

So I demand that ESET develop an advanced behavior detection system, and I hope they look into it seriously. Giving the user a product that does not consume a lot of device resources is really good, but if you can't keep up with the technology of your competitors, sooner or later you will fall.
Therefore, ESET's acquisition of an advanced behavioral detection system with ransomware remediation that rolls back the changes made by malicious applications is no longer a luxury requirement, but rather an urgent necessity.


Wow, in these images Eset failed to pick up on this threat. As you said, it is no longer a luxury but a necessity to have in its tools. ESET should give more value to our needs; competitors' products come with much more efficient tools than ours.


7 hours ago, AZ Tech said:

First of all, I take this into account, and I have already mentioned that ESET has the strongest protection against malicious sites. I also previously mentioned that this cannot happen under normal conditions of use, so let's skip that point.
Seriously speaking, does ESET recognize the results of the AV-Comparatives and AV-TEST tests?
So tell me, how do they do the test?! Do they download samples while ESET Web access protection is enabled? Do they not take that into account?
I don't think so. I like ESET, but I don't have to be a hypocrite: there is a big difference between Web access protection and real-time protection. I think you remember that when I reported some malicious sites,
@Marcos asked me "Were you able to find malware which was downloaded and undetected in the end?"

If ESET does not like me letting them know about these problems that I am facing, even if they will not occur under normal conditions of use, I will apologize and withdraw from the discussion and promise that I will not contact them again about any problem. And if, as they always tell me, they are happy to cooperate with us as customers to improve the product, then I am doing my part.
I hope someone will answer me and not forget my question about AV-TEST and AV-Comparatives.

I am always dismayed when ESET loses to free products in the AV-TEST and AV-Comparatives test scores. I keep wondering why, since we pay for a quality product, yet each year ESET always loses to free products. And not to mention that Kaspersky gets first place in every test. I need an explanation for this; if anyone knows, could they let me know?


17 hours ago, SeriousHoax said:

Malware Protection test is for testing malware that's already on the disk or came from a USB drive and things like that. In their latest test, ESET let 18 malware compromise the system.

The primary purpose of the AV-C Malware Protection test is to determine how AV solutions perform when malware tampers with the installation's network settings; primarily those dealing with Internet access. AV-C deploys a larger malware sample set but the malware is in the known prevalent category.


Quote

This Malware Protection Test checks not only the detection rates, but also the protection capabilities, i.e. the ability to prevent a malicious program from actually making any changes to the system. In some cases, an antivirus program may not recognise a malware sample when it is inactive, but will recognise it when it is running. Additionally, a number of AV products use behavioural detection to look for, and block, attempts by a program to carry out system changes typical of malware. Our Malware Protection Test measures the overall ability of security products to protect the system against malicious programs, whether before, during or after execution.

https://www.av-comparatives.org/tests/malware-protection-test-september-2021/

The problem with this test is it doesn't show offline protection capability. Therefore, no way to ascertain the cloud protection component impact.

-EDIT- Of note is EIS scored second from last place in this test; missing 18 out of 10,029 sample malware.

One could argue that is a respectable score. However, this was not 0-day malware. Rather, it was malware that had been in circulation for a while. Therefore, one could also argue Eset's signature detection ability is slipping of late. This is also strong justification that LiveGuard needs to be included in all Eset home versions.

Edited by itman

2 hours ago, SeriousHoax said:

You're highlighting one point but ignored the other.

Ignoring would be denying the effectiveness of Web access protection, and what I have said does not say that; I consider ESET the best option currently available on this particular point.

What I'm saying is that ESET uses a multi-layered protection approach, and as an ESET user, when I highlight weaknesses in one of these layers, I'm not saying that ESET is completely ineffective. I'm not saying that at all.

What I am saying is that one of these layers, specifically the Behavioral Detection, needs to be better, as is the case with certain competitors. So what is the problem with my words?!

5 hours ago, Marcos said:

We already have Deep Behavioral Inspection which monitors the behavior of running processes and it's being continually improved via module updates like other protection mechanisms that ESET employs.


Even I already know that ESET has Deep Behavioral Inspection, but in fact there are competitors who already have an advanced behavioral detection system; though it is not bulletproof, it is very powerful and very effective compared to what ESET has, so why is the blame on me?
I hope that ESET will listen to me and take it seriously in terms of rebuilding the advanced behavioral detection system to be as powerful and effective as the other competitors'.

There will be no evolution unless we face the weaknesses.
There will be no evolution if we are all hypocrites and deny reality. 
Competitors who have done great work in this field would not have reached what they have reached if they had taken the approach of denying weaknesses, said that they already have good behavior detection systems, and denied reality.

In the end, I am just a user looking for the best for the product I use. I won't lose much if one of the vendors is unable to keep pace with the technology of its competitors; if this happens, I can simply move to an option that has technologies that match the requirements. As for vendors, if they do not listen to us as customers, they are the aggrieved party.

I hope that you will appreciate my efforts in trying to help as much as I can by reporting problems and weaknesses that I find. I have no goal in doing so other than to help improve the product, so I hope ESET will take that into account and reconsider what was presented today. Thanks.


17 hours ago, AZ Tech said:

Even I already know that eset has a Deep Behavioral Inspection but In fact there are competitors who already have an Advanced Behavioral Detection System though it is not bulletproof but it is very powerful and very effective compared to what eset have

Kaspersky is one example and it has proven quite effective against 0-day ransomware. By coupling ransomware behavior monitoring with system snapshot taking, Kaspersky is capable of restoring all files encrypted by ransomware.

Also, Kaspersky is not 100% bulletproof in this regard. I have seen a few ransomware that have bypassed its protections. However, they are a very rare occurrence.

It should be additionally noted that it appears Kaspersky has "worked out the kinks" in regards to previous versions' system performance impact issues with its system snapshot processing. System snapshots also give Kaspersky the capability to "roll back" system modifications done by malware. Of note, and in reference to postings in the forum Malware section, Eset might detect malware upon execution; however, it is powerless to remove system changes performed by the malware prior to discovery. Those changes have to be manually removed.

Edited by itman

  • Most Valued Members
49 minutes ago, itman said:

Kaspersky is one example and it has proven quite effective against 0-day ransomware. By coupling ransomware behavior monitoring with system snapshot taking, Kaspersky is capable of restoring all files encrypted by ransomware.

Also, Kaspersky is not 100% bulletproof in this regard. I have seen a few ransomware that have bypassed its protections. However, they are a very rare occurrence.

It should be additionally noted that it appears Kaspersky has "worked out the kinks" in regards to previous versions' system performance impact issues with its system snapshot processing. System snapshots also give Kaspersky the capability to "roll back" system modifications done by malware. Of note, and in reference to postings in the forum Malware section, Eset might detect malware upon execution; however, it is powerless to remove system changes performed by the malware prior to discovery. Those changes have to be manually removed.

This is the issue i have. I'm a fan of Eset but it seems other AVs are looking at extra features.

For example, some AVs have a protected folder feature that could protect user files if infected by ransomware, e.g. certain documents that the user rated important and/or critical. Notice my use of the word "could", as nothing is ever bulletproof, but ESET's answer to this seems to be that it could theoretically be bypassed, so why bother. I mean, to me an AV could theoretically be bypassed, so why bother?

To me, even if something is not 100 percent guaranteed, as @itman mentioned in regards to the ransomware rollback features of Kaspersky (and whatever can be truly 100 percent), surely if they are generally reliable, as in they work in most cases, then it's worth it. I feel it's better to have that extra layer and extra options, and customers will also favour the options.

At the end of the day, marketing also plays a crucial role in AV sales, and if an AV is offering more features that users want at a cheaper or even free price, then they will go for that AV. As I mentioned in the feedback post, I have a plan to leave Eset, and I hope this doesn't appear to be a threat, as it isn't. As someone who tests beta versions of Eset and helps where I can (although my knowledge is basic), I just want Eset to be the best it can be and to grow. I sadly, however, do feel Eset is holding itself back, possibly scared of how to implement some features without complicating things for users who don't have any knowledge and would be afraid of an alert asking the user to make a decision.


16 hours ago, itman said:

The problem with this test is it doesn't show offline protection capability. Therefore, no way to ascertain the cloud protection component impact.

You're right on this. The test doesn't show offline protection capability.


16 hours ago, AZ Tech said:

Ignoring is the denial of the effectiveness of Web access protection, and what I have said does not say that, I consider eset the best option currently available in this particular point.

What I'm saying is that eset uses a multi-layered Protection approach, and as an eset user, when I highlight weaknesses in one of these layers, I'm not saying that eset is completely ineffective. I'm not saying that at all.

What I am saying is that one of these layers, specifically the Behavioral Detection, needs to be better, as is the case with certain competitors

My answer was only related to clarifying the tests done by AV-Test and AV-Comparatives. It was not about ESET or any other product's protection capability. 

Well to talk about ESET, I agree with what you said about its behavioral protection, Kaspersky comparison, etc. I also suggested on the forum that ESET needs to implement those feature but they haven't yet. I also said how useless the Ransomware Shield is. It has never managed to stop ransomware encryption in my tests. 


  • Administrators

Since this topic has gone astray and turned into feature requests and comparisons, we'll draw it to a close. The purpose of the topic was to determine how many users have come across a false positive with aggressive detection set.

Regarding behavior monitoring, I have checked with developers and confirm that the system is continually being improved and we plan to continually work on it.
