Jump to content

Why doesn't ESET have this System Watcher module?


Recommended Posts

This tool does the following. makes approach highly effective. Such an approach is capable of blocking the destructive actions of any malicious program, regardless of whether its signature is available or not in the database. The System Watcher provides high detection rates with few false positives. Continuous and detailed monitoring allows accurate restoration of the malware-damaged system.

1- Why doesn't ESET have this tool yet? being that several software have this tool already in their products?

Link to comment
Share on other sites

  • Administrators

It's HIPS that monitors system operations and employs behavior detections.

Link to comment
Share on other sites

3 minutes ago, Marcos said:

It's HIPS that monitors system operations and employs behavior detections.

But when it's zero-day ransomware, there's no way to detect it. only using System Watcher.

Link to comment
Share on other sites

  • Administrators
Just now, New_Style_xd said:

But when it's zero-day ransomware, there's no way to detect it. only using System Watcher.

How do you know? For detection of zero day ransomware, there is Ransomware shield, a part of HIPS that monitors the system for ransowmare-like behavior. If you have an undetected ransomware sample, we'll be glad to analyze it.

Link to comment
Share on other sites

  • Most Valued Members

I believe @New_Style_xd is talking about an Application Control module which is similar to what Kaspersky offers or NGFWs(Next Generation Firewalls) , which can control and show which apps are suspicious or not and what can run and what cannot

ESET shows this type of information about the Applications from the Running Processes tab , but you cannot control anything through it.

Link to comment
Share on other sites

11 minutes ago, Marcos said:

How do you know? For detection of zero day ransomware, there is Ransomware shield, a part of HIPS that monitors the system for ransowmare-like behavior. If you have an undetected ransomware sample, we'll be glad to analyze it.

As you said a part of HIPS that monitors the system. but not the other part. it has already been commented on the forum because eset does not have the System Watcher tool like other security software has. what's the problem with that?
Will the eset software lose performance?
that was never talking. I wanted to know why you don't put this protection?

Link to comment
Share on other sites

5 minutes ago, Nightowl said:

I believe @New_Style_xd is talking about an Application Control module which is similar to what Kaspersky offers or NGFWs(Next Generation Firewalls) , which can control and show which apps are suspicious or not and what can run and what cannot

ESET shows this type of information about the Applications from the Running Processes tab , but you cannot control anything through it.

That's not the protection I'm talking about.

Link to comment
Share on other sites

Since this subject keeps appearing in the forum, let's review System Watcher and compare it to Eset protections.

First, what does System Watcher do:

Quote

Threat detection

The built-in BSS module decides whether a program is malicious or not. The module
compares each program’s real-life behavior with models of typical malware behavior.

Cryptomalware countermeasures subsystem *

The increasing spread of cryptomalware, which encrypts user data and demands a ransom
for the decryption key, led to an urgent need for countermeasures, and the corresponding
technology was implemented in the System Watcher. It negates the consequences of crypto-
attacks by making local protected backup copies of user data files
as soon as they are
Kaspersky Lab opened by suspicious program. Therefore, there is no need to decrypt any affected data — it will be replaced from the backup copies.

Protection against Screen Lockers *

Screen lockers are another type of ransomware, programs that try to block user access to
computer functions with a supposedly immobile banner demanding a ransom.

Automatic Exploit Prevention subsystem

Another part of the System Watcher is the Automatic Exploit Prevention module made to
deal with malware that utilizes software vulnerabilities, even zero-day vulnerabilities.

Java applications control module *

Protection against vulnerabilities in the Java platform has always been a critical security
issue due to the popularity and opacity of the Java Virtual Machine environment, where every
Java program is executed.

Rolling back unwanted changes in the system *

Upon detecting an infection, System Watcher initiates a roll-back (i.e. a return of the
computer system to its previous, safe parameters). The roll-back system works with created
and modified executable files, MBR modifications, important Windows files and registry keys.

In the latest versions of Kaspersky Lab’s security products, the roll-back mechanisms can be
updated.

https://media.kaspersky.com/pdf/Kaspersky_Lab_Whitepaper_System_Watcher_ENG.pdf

* - features not contained within Eset products.

Also, the System Watcher section in the Kaspersky GUI incorporates settings spread out all over the place in the Eset GUI.

I will also state this. If Kaspersky was not a Russian based product, I would be using it instead of Eset.

Edited by itman
Link to comment
Share on other sites

I believe ESET's equivalent of Kaspersky's System Watcher module is Deep Behavior Inspection and Ransomware Shield. To be honest, in my testing, these two modules are not very effective against ransomware and other types of malware. 

The deep Behavior Inspection module has not been updated for several months, showing ESET focuses on signature detection instead of behavior blocking. Although this strategy is nothing wrong, I still hope ESET can further improve its behavior blocker module. 

Link to comment
Share on other sites

  • Administrators
10 minutes ago, AnthonyQ said:

To be honest, in my testing, these two modules are not very effective against ransomware and other types of malware.

I would appreciate if you could provide me with details of this test. We'll be glad to look into it.

Link to comment
Share on other sites

I will also state this in regards to Kaspersky's ransomware protection. It is not "bullet proof." I have seen documented cases of 0-day ransomware bypassing it although they are a rare occurrence.

Then there is the question of Kaspersky's effectiveness against "destroyer" ransomware versions that upload all your files and then either deletes them, or Base64 encrypts them rendering them useless.

The reality of the matter is there is no known security solution that is 100% effective against ransomware. This means that you're only effective mitigation is maintaining frequent off-line backups of all your important files.

Link to comment
Share on other sites

8 minutes ago, Marcos said:

I would appreciate if you could provide me with details of this test. We'll be glad to look into it.

Sure! 

For example, this ransomware (https://www.virustotal.com/gui/file/e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f). ESET's scanner couldn't detect it on 17/5/2022. So I executed it on VM. ESET's ransomware shield was triggered after several seconds, but 700+ test files were unfortunately encrypted. 

Another ransomware (https://www.virustotal.com/gui/file/11b7a09a345dc9f9f4e8f91211e4d4e05f7773ee34af0411dc6f30cc3dcbe32b). ESET's scanner couldn't detect it on 9/5/2022. So I executed it on VM. ESET's ransomware shield and deep behavior blocker were not triggered and test files were encrypted. 

Another example, this sample (https://www.virustotal.com/gui/file/6e3f4c2e85d7fb134f7ca95e0593e76447baed8c9e2def7ae94d88bad3257189), now detected as Win32/Agent.AEIU after submission. I ran this sample on VM and ESET's deep behavior inspection cannot block this malicious behavior. 

Link to comment
Share on other sites

It also might be "illuminating" as to what limitations apply to System Watcher in regards to ransomware protection:

Quote

Limitations of System Watcher functionality

Protection against cryptors (malware that encrypts user files) has the following limitations:

  • The Temp system folder is used to support this functionality. If the system drive with the Temp folder has insufficient disk space to create temporary files, protection against cryptors is not provided. In this case, the application does not display a notification that files are not backed up (protection is not provided).
  • Temporary files are deleted automatically when you close Kaspersky Internet Security or disable the System Watcher component.
  • In case of an emergency termination of Kaspersky Internet Security, temporary files are not deleted automatically. To delete temporary files, clear the Temp folder manually. To do so, open the Run window (Run command under Windows XP) and in the Open field type %TEMP%. Click OK.
  • Protection against encryptors is provided only for files that are located on data drives that have been formatted with the NTFS file system.
  • The number of files that can be restored cannot exceed 50 per one encryption process.
  • The total volume of modifications to files cannot exceed 100 MB. Files with modifications that exceed this limit cannot be restored.
  • File modifications initiated via network interface are not monitored.
  • Files encrypted with EFS are not supported.

 

https://support.kaspersky.com/KIS/2019/en-US/85549.htm

Pay note to the points I underlined.

If your HDD is short on space, you're "dead meat."

If you're using an external HDD, you leave the drive permanently connected to your PC, and you didn't format the drive to NTFS, you're "dead meat."

If Kaspersky doesn't detect the ransomware within the first 50 file encryption's, you're "dead meat."

If you're using a Win Pro+ version and forgot to disable EFS service, you're "dead meat." This also means you can't use it to otherwise encrypt files.

I think that old truism, "the devil is in the detail" is applicable here.

Edited by itman
Link to comment
Share on other sites

@Marcos on the subject of Eset missed ransomware, here's one.

Posted to malware feed on 6/7/2022.

Currently not detected by Eset at VirusTotal: https://www.virustotal.com/gui/file/f4d742d82698f532e0215832cb484619a4e84547d8a1ca8dc8f2e9f791a6f27d?nocache=1 .

Upon download and archive extraction, sent to LiveGuard:

Time;Hash;File;Size;Category;Reason;Sent to;User
6/12/2022 2:42:13 PM;EB2C417A29D2F08E37D63F3B75CDC61B42855E91;C:\Users\xxxxx\Downloads\f4d742d82698f532e0215832cb484619a4e84547d8a1ca8dc8f2e9f791a6f27d.exe;58880;Executable;Automatic;ESET LiveGuard;xxxxxxxx

No detection by LiveGuard. Again, what value is LiveGuard if it can't even detect ransomware? Also, I received no Eset popup notification on this file submission although applicable Eset GUI setting is enabled.

Now, I didn't attempt to run this .exe since I don't have a VM setup. But at this point, I say it's an Eset miss. Sample attached. Password is infected.

f4d742d82698f532e0215832cb484619a4e84547d8a1ca8dc8f2e9f791a6f27d.zip

Edited by itman
Link to comment
Share on other sites

  • Administrators
32 minutes ago, itman said:

This is a corrupted file that crashes when run, ie. it's not subject to detection. Even Hiew reports a read error.

Link to comment
Share on other sites

23 minutes ago, Marcos said:

This is a corrupted file that crashes when run, ie. it's not subject to detection. Even Hview reports a read error.

Everything I am seeing says the file is legit. SHA-1 hash at VT:

Eset_VT.thumb.png.f4ceb5be960e8b3be8ade1155812bd98.png

matches that of file I manually quarantined:

Eset_Hash.png.e959bbcedd3a0c21b1da88645fb72a58.png

 

Edited by itman
Link to comment
Share on other sites

42 minutes ago, itman said:

@Marcos on the subject of Eset missed ransomware, here's one.

Posted to malware feed on 6/7/2022.

Currently not detected by Eset at VirusTotal: https://www.virustotal.com/gui/file/f4d742d82698f532e0215832cb484619a4e84547d8a1ca8dc8f2e9f791a6f27d?nocache=1 .

Upon download and archive extraction, sent to LiveGuard:

Time;Hash;File;Size;Category;Reason;Sent to;User
12/06/2022 14:42:13; EB2C417A29D2F08E37D63F3B75CDC61B42855E91; 😄 \ Usuários \ xxxxx \ Downloads \ f4d742d82698f532e0215

No detection by LiveGuard. Again, what value is LiveGuard if it can't even detect ransomware? Also, I received no Eset popup notification on this file submission although applicable Eset GUI setting is enabled.

Now, I didn't attempt to run this .exe since I don't have a VM setup. But at this point, I say it's an Eset miss. Sample attached. Password is infected.

f4d742d82698f532e0215832cb484619a4e84547d8a1ca8dc8f2e9f791a6f27d.zipUnavailable

As your wise words you said it all:
"No detection by LiveGuard. Again, what's the value of LiveGuard if it can't even detect ransomware?"
I wonder if the value I pay for the ESET license is really worth it. Based on the information provided, I am not having protection as promised. liveguard did not detect. it is better to use BASIC version of antivirus or EIS

Link to comment
Share on other sites

  • Administrators
1 minute ago, New_Style_xd said:

As your wise words you said it all:
"No detection by LiveGuard. Again, what's the value of LiveGuard if it can't even detect ransomware?"
I wonder if the value I pay for the ESET license is really worth it. Based on the information provided, I am not having protection as promised. liveguard did not detect. it is better to use BASIC version of antivirus or EIS

You make your choice. ESET is not going to intentionally detect corrupted or otherwise non-functional files.

Link to comment
Share on other sites

32 minutes ago, Marcos said:

This is a corrupted file that crashes when run, ie. it's not subject to detection. Even Hiew reports a read error.

Another possibility is since this appears to be exploiting CVE-2017-0213, it won't run on a patched system?

Ref.: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2017-0213

Edited by itman
Link to comment
Share on other sites

  • Administrators

If it was not corrupted, hiew would not report a read error. Also our emulator internally shows an error emulating the code.

Link to comment
Share on other sites

7 minutes ago, Marcos said:

If it was not corrupted, hiew would not report a read error. Also our emulator internally shows an error emulating the code.

I downloaded the zipped sample again without touching it on my PC. Again, password is infected.

f4d742d82698f532e0215832cb484619a4e84547d8a1ca8dc8f2e9f791a6f27d.zip

Edited by itman
Link to comment
Share on other sites

  • Administrators

The file uploaded to VT has SHA1 EB2C417A29D2F08E37D63F3B75CDC61B42855E91 and this file is corrupted.

Link to comment
Share on other sites

4 minutes ago, Marcos said:

The file uploaded to VT has SHA1 EB2C417A29D2F08E37D63F3B75CDC61B42855E91 and this file is corrupted.

Did you see my screen shot above of the SHA1 hash of the extracted file in my Eset quarantine? It's the same value.

Did you extract the file using 7-Zip?

Link to comment
Share on other sites

2 minutes ago, Marcos said:

So are you saying that all the VirusTotal detection's of this supposed "corrupted" file are bogus?

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...