av-comparatives rating


13 minutes ago, itman said:

Guess what? Eset now has a sig. for it; see below screen shot. So this puppy was in-the-wild undetected by anyone for quite a while.

[screenshot attachment: Eset_Bat.png]

I was pondering this script later after posting in the forum, and came to two conclusions about it:

1. It is just a custom script written by someone to enable security mitigations in Windows and Chrome for his installations.

2. It was a "test run" by a malware developer to see if all the reg changes plus Chrome modifications would go undetected by the AV solutions.

I am leaning toward no. 2 as the reason for the script. Of note is all the reg changes were adds for security policy settings. They were all to enable the mitigations. On the other hand, the adds could also be deployed to disable those security policy settings.

Of note is that AVs are poor at monitoring reg. add modifications. Eset HIPS, for example, doesn't even have an option to do so. You have to create a wildcard rule that monitors for modification to the associated higher-level reg key to detect any add activity to its subordinate settings.

Interestingly, ESET finally added a detection, which I think makes sense because this script is dangerous in nature and definitely not clean. 

Edited by AnthonyQ

  • Administrators
27 minutes ago, AnthonyQ said:

Interestingly, ESET finally added a detection, which I think makes sense because this script is dangerous in nature and definitely not clean. 

It's rather grey than malicious, all depends on its purpose. If used in a kiosk, the behavior is desired. If run in a corporate environment where policies are set by an administrator, it would be malicious.

Likewise file compressors are normally considered clean, however, if used by malware or an attacker to encrypt files with a password, the behavior would be considered malicious.


13 minutes ago, Marcos said:

It's rather grey than malicious, all depends on its purpose. If used in a kiosk, the behavior is desired. If run in a corporate environment where policies are set by an administrator, it would be malicious.

Likewise file compressors are normally considered clean, however, if used by malware or an attacker to encrypt files with a password, the behavior would be considered malicious.

Well, that makes sense as well... Then ESET needs to remove that detection?


  • Administrators
7 minutes ago, AnthonyQ said:

Well, that makes sense as well... Then ESET needs to remove that detection?

We'll probably keep it until somebody complains about an FP. Then it would probably be reclassified as a potentially unsafe application.


21 minutes ago, Marcos said:

It's rather grey than malicious, all depends on its purpose. If used in a kiosk, the behavior is desired. If run in a corporate environment where policies are set by an administrator, it would be malicious.

Which gets to the point of malware behavior detection.

OSArmor prevented the recent CVE-2022-30190 Follina exploit from day 1 with its default settings. How?

It uses existing MITRE known attack methods as the basis for its rule detections. It so happens that msdt.exe is a known WIN LOL binary that can be and has been abused locally for some time. OSA monitors any malformed parm command line input to it and, upon detection, blocks msdt.exe execution.


@AnthonyQ, here's one that will make you happy.

Found Chinese APT based Netwire .exe sample. It was signed with a valid DigiCert EV code signing cert. No submission to VT yet. Eset nailed it via sig. detection:

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
6/26/2022 3:32:25 PM;Real-time file system protection;file;C:\Users\xxxxxx\Downloads\17a3a47fee308ff270af546a193a78a7328f43a1fa3bdaee5fdbd96f4bf6cbd4.exe;a variant of Win32/Kryptik.HPXB trojan;cleaned by deleting;xxxxxxxx;Event occurred on a new file created by the application: C:\Program Files\7-Zip\7zG.exe (DF22612647E9404A515D48EBAD490349685250DE).;1FB4B1EE0A4256D58D3C0CCF94CF5D3E508DB76C;6/26/2022 3:32:13 PM

Edited by itman
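The detection log quoted in the post above is ESET's semicolon-delimited export, and the useful pivots (the object's SHA-1, the SHA-256 that the file name happens to be, and the process that wrote the file, with its own SHA-1) are buried in free-text columns. The parser below is an added example, not ESET's code or anything from the thread; it assumes the column layout shown in that header row and the fixed "created by the application" phrasing of the Information column, and uses the quoted record as its sample input.

```python
import csv
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the header and the one record quoted in the post above
# (backslashes are doubled only because this is a Python string literal).
SAMPLE_LOG = (
    "Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here\n"
    "6/26/2022 3:32:25 PM;Real-time file system protection;file;"
    "C:\\Users\\xxxxxx\\Downloads\\17a3a47fee308ff270af546a193a78a7328f43a1fa3bdaee5fdbd96f4bf6cbd4.exe;"
    "a variant of Win32/Kryptik.HPXB trojan;cleaned by deleting;xxxxxxxx;"
    "Event occurred on a new file created by the application: "
    "C:\\Program Files\\7-Zip\\7zG.exe (DF22612647E9404A515D48EBAD490349685250DE).;"
    "1FB4B1EE0A4256D58D3C0CCF94CF5D3E508DB76C;6/26/2022 3:32:13 PM\n"
)

# Assumed phrasing: the Information column names the writing process and its SHA-1 in parentheses.
PARENT_RE = re.compile(r"created by the application: (?P<path>.+?) \((?P<sha1>[0-9A-Fa-f]{40})\)")
HEX64_RE = re.compile(r"^[0-9A-Fa-f]{64}$")


@dataclass
class Detection:
    time: str
    path: str
    detection: str
    action: str
    sha1: str                    # ESET's own hash of the detected object (Hash column)
    parent_path: Optional[str]   # process that created the file, if ESET recorded one
    parent_sha1: Optional[str]
    name_sha256: Optional[str]   # set only when the file name itself is a 64-hex string


def parse_eset_log(text: str) -> List[Detection]:
    """Parse an ESET detection-log export: semicolon-delimited, header row first."""
    records = []
    for row in csv.DictReader(text.splitlines(), delimiter=";"):
        parent = PARENT_RE.search(row.get("Information") or "")
        # File name without directory or extension; VT-style samples are named by SHA-256.
        stem = row["Object"].rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        records.append(Detection(
            time=row["Time"], path=row["Object"], detection=row["Detection"],
            action=row["Action"], sha1=row["Hash"].upper(),
            parent_path=parent.group("path") if parent else None,
            parent_sha1=parent.group("sha1").upper() if parent else None,
            name_sha256=stem.lower() if HEX64_RE.match(stem) else None,
        ))
    return records
```

The parent process field is what tells you how the sample arrived (here, extracted by the user with 7-Zip rather than dropped by another program), which is the first question in triage.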

5 hours ago, itman said:

@AnthonyQ, here's one that will make you happy.

Found Chinese APT based Netwire .exe sample. It was signed with a valid DigiCert EV code signing cert. No submission to VT yet. Eset nailed it via sig. detection:

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
6/26/2022 3:32:25 PM;Real-time file system protection;file;C:\Users\xxxxxx\Downloads\17a3a47fee308ff270af546a193a78a7328f43a1fa3bdaee5fdbd96f4bf6cbd4.exe;a variant of Win32/Kryptik.HPXB trojan;cleaned by deleting;xxxxxxxx;Event occurred on a new file created by the application: C:\Program Files\7-Zip\7zG.exe (DF22612647E9404A515D48EBAD490349685250DE).;1FB4B1EE0A4256D58D3C0CCF94CF5D3E508DB76C;6/26/2022 3:32:13 PM

Btw, the detection rate on VT is 25/67 now.


  • Most Valued Members
On 6/26/2022 at 3:36 PM, Marcos said:

We'll probably keep it until somebody complaints about FP. Then it would be probably reclassified to a potentially unsafe application.

I'm just curious why it wasn't classed as potentially unsafe in the first place, as it seems it could have been used maliciously.


Good morning. I am checking once again, and ESET does not enter the comparison of its product against others. I want to know if it was a lack of money? Since the products being tested have fewer features than ESET, and once again ESET is not in the tests, is it possible that your product is having a problem and is not being exposed to the fire in these tests?


9 hours ago, New_Style_xd said:

Good morning. I am checking once again, and ESET does not enter the comparison of its product against others.

What AV Lab test are you referring to?


On 6/22/2022 at 9:19 PM, itman said:

Eset withdrew from AV-Test consumer product testing at the beginning of 2022. As I recollect, as posted in this forum, the reason was again cost. Also noted was that Eset participates in A-V Comparatives testing of its consumer products.

Ditto for SE Labs testing. Eset no longer participates in their consumer product test series, but still participates in the commercial product testing series.

Finally, Eset no longer participates in Virus Bulletin testing in any form. This was a shocker since Eset had used them as a testing source since Eset's founding.

The conclusion drawn here is that there has been some "belt tightening" at Eset in regards to expenses. The casualty was Eset consumer product testing. My best guess as to why is that the bulk of Eset's revenue comes from its commercial products.

The year 2021 was the most financially successful in ESET's history, according to its press release. I hope that maximizing profits will not lead to a discontinuation of the user product line. Optimization has already "buried" the Linux Home edition.

Quote

ESET, a global leader in cybersecurity, has released its 2021 financial results, with revenues increasing by over €30 million to a total of €564 million. This is a 6% increase compared to last year. The company's after-tax profit also grew and for the first time in the company's history exceeded the 80-million mark, namely it is more than 84 million euros.


12 minutes ago, New_Style_xd said:

It appears Eset dropped out of A-V Comparatives testing of its Mac OS based software in 2017: https://www.av-comparatives.org/list-of-av-vendors-mac/ .

The question is if Eset consumer versions for Mac OS are certified by any AV lab?

Edited by itman
