
av-comparatives rating



  • ESET Moderators

Hello,

You are aware that ESET is one of the leading researchers into Brazilian banking trojans?  Articles on them can be found on our research blog at https://www.welivesecurity.com/br/ (note: site is in Portuguese, you can change language to English in upper-right corner).

Regards,

Aryeh Goretsky

On 6/15/2022 at 2:46 PM, New_Style_xd said:

10- Have a research center here in BRAZIL, because there is a lot of malware that only works in Brazil, for example malware that creates fake payment slips.


23 hours ago, Aryeh Goretsky said:

Hello,

You are aware that ESET is one of the leading researchers into Brazilian banking trojans?  Articles on them can be found on our research blog at https://www.welivesecurity.com/br/ (note: site is in Portuguese, you can change language to English in upper-right corner).

Regards,

Aryeh Goretsky

The senior analyst at ESET who works in Brazil could make videos and post them on YouTube, like the senior analyst at Kaspersky, Fabio Assolini, does, to better explain the Brazilian threats.


Once again, ESET didn't take part in the ransomware test done by AV-Test. This makes it look like ESET is afraid to take part in this test because they know very well that their product is weak against ransomware.

https://www.av-test.org/en/news/26-security-solutions-undergo-an-advanced-threat-protection-test-against-ransomware/


3 hours ago, SeriousHoax said:

Once again, ESET didn't take part in the ransomware test done by AV-Test.

It appears this is an on-going series test. Assumed is that if you didn't sign up initially to participate, AV-Test just won't let you join in later.

I will also add that Eset is not the only AV-Test real-time test commercial series participant that declined testing in this ransomware test series. AhnLab, Malwarebytes, Sangfor, Trend Micro, Sophos (Intercept X), and W/TH also did not participate. Malwarebytes, Trend Micro, and Sophos have pretty good anti-ransomware protection. So there might be merit to Eset's stated reason for non-participation; i.e. test cost.

Edited by itman

3 hours ago, itman said:

It appears this is an on-going series test. Assumed is that if you didn't sign up initially to participate, AV-Test just won't let you join in later.

I will also add that Eset is not the only AV-Test real-time test commercial series participant that declined testing in this ransomware test series. AhnLab, Malwarebytes, Sangfor, Trend Micro, Sophos (Intercept X), and W/TH also did not participate. Malwarebytes, Trend Micro, and Sophos have pretty good anti-ransomware protection. So there might be merit to Eset's stated reason for non-participation; i.e. test cost.

So this forgetting of the registration happens every year, because it always drops out of some test over the course of every year, as the picture below shows.

https://www.av-test.org/en/antivirus/home-windows/manufacturer/eset/

Now look at KASPERSKY as it has more months tested.

https://www.av-test.org/en/antivirus/home-windows/manufacturer/kaspersky-lab/

Edited by New_Style_xd

Comparing the two links, it is very clear that KASPERSKY has been tested more than ESET.
The question is: did ESET forget to register itself for all the previous tests?


2 hours ago, New_Style_xd said:

Comparing the two links, it is very clear that KASPERSKY has been tested more than ESET.
The question is: did ESET forget to register itself for all the previous tests?

Eset withdrew from AV-Test consumer product testing at the beginning of 2022. As I recollect, as posted in this forum, the reason was again cost. Also noted was that Eset participates in AV-Comparatives testing of its consumer products.

Ditto for SE Labs testing. Eset no longer participates in their consumer product test series, but still participates in the commercial product testing series.

Finally, Eset no longer participates in Virus Bulletin testing in any form. This was a shocker since Eset had used them as a testing source since Eset's founding.

The conclusion drawn here is that there has been some "belt tightening" at Eset in regards to expenses. The casualty was Eset consumer product testing. My best guess as to why is that the bulk of Eset's revenue comes from its commercial products.

Edited by itman

  • ESET Insiders

I see AV tests as great for marketing purposes but for little else. Many of the highest scoring AV vendors have dedicated test departments to ensure they get great test scores. I'm yet to read a sponsored AV report in which the sponsor fared badly.

I've been around long enough to remember when Wilders Security Forum was the go-to site; developers and researchers would post in threads about test results, security news, AV trends etc.

Eset Nod32 was the first test darling, then Kaspersky, then Avira, then Bit Defender and so on.

People would swap their AV based on test results which I never understood. Has a product failed you in the real world? If not, why change? Has the AV product caused issues with your PC? If not, why change?

It's like changing cars because one car is faster to 100 km/h (or 60 MPH) or quarter mile in a group test. What about all the other aspects?

I use Eset because it's never failed me, never perceptibly slowed my PC down, never deleted key files due to a virus definition update error and never blue-screened my PC.

I'll take zero false positives, low system impact, little to no feature bloat (an area some AV suites go overboard with 'extra' features) and zero real world issues vs a high test score with FP's, system drag and whatever else it takes to be #1.

Edited by TJP
Removed names of other AV vendors

1 hour ago, TJP said:

I see AV tests as great for marketing purposes but for little else. Many of the highest scoring AV vendors have dedicated testing departments to ensure they get great test scores. I'm yet to read a sponsored AV report in which the sponsor fared badly.

I've been around long enough to remember when Wilders Security Forum was the go-to site; developers and researchers would post in threads about test results, security news, AV trends etc.

Eset Nod32 was the first test darling, then Kaspersky, then Avira, then Bit Defender and so on.

People would swap their AV based on test results which I never understood. Has a product failed you in the real world? If not, why change? Has the AV product caused issues with your PC? If not, why change?

It's like changing cars because one car is faster to 100 km/h (or 60 MPH) or quarter mile in a group test. What about all the other aspects?

I use Eset because it's never failed me, never slowed my PC down (looking at you, Kaspersky), never deleted system files due to a definitions update error (thanks, Kaspersky) and never blue-screened my PC on numerous occasions during testing (thanks, Bit Defender).

I'll take zero false positives, low system impact, little to no feature bloat (some AV suites take the cake with 'extra' features) and zero real world issues vs a high test score with FP's, system drag and whatever else it takes to be #1.

Although it's ESET's forum, I would still like to point out that the latest version of Kaspersky is very light on system resource usage.

In terms of deleting system files, it is ESET that has recently flagged system files as “Suspicious Object” (https://www.virustotal.com/gui/file/38e40668272b48b1502bfdd51667afe2a35e57ebaa47790a7a3a650663ff8bea; https://www.virustotal.com/gui/file/3669d83be517a0620259c71d4ad66211495ac3723e82bfa7ee5630c876a60ceb). This FP issue has been fixed after submission.


  • Administrators
44 minutes ago, AnthonyQ said:

In terms of deleting system files, it is ESET that has recently flagged system files as “Suspicious Object” (https://www.virustotal.com/gui/file/38e40668272b48b1502bfdd51667afe2a35e57ebaa47790a7a3a650663ff8bea; https://www.virustotal.com/gui/file/3669d83be517a0620259c71d4ad66211495ac3723e82bfa7ee5630c876a60ceb). This FP issue has been fixed after submission.

It's important to add that these were new, unsigned files and even after a week only very few users worldwide have got them.


48 minutes ago, Marcos said:

It's important to add that these were new, unsigned files and even after a week only very few users worldwide have got them.

They are system files belonging to Windows 11 Insider Preview Build 25136. So generally everyone participating in the Windows Insider Program will have these two files on their computer.

Although installing 3rd party AV on a beta version of the OS is not recommended, these two samples are still harmless and legitimate system files, and other famous AV products haven't incorrectly detected them.

Edited by AnthonyQ

On the subject of ad hoc malware testing, let's see how ESSP LiveGuard performs against 0-day advanced malware scripts. Again, the definition of 0-day here is that the script had not been submitted to VirusTotal.

Downloaded the malware .vbs sample yesterday afternoon. Upon archive extraction, the script was submitted to LiveGuard:

Time;Hash;File;Size;Category;Reason;Sent to;User
6/23/2022 5:29:49 PM;414FAAA0BF15450BC7F84C31024FA8FED26EB156;C:\Users\xxxxx\Downloads\ac1cad78a2be2e78a05a51cf4d1b5eac2a6b302a40c3f6157496e00b4dcb81cd.vbs;406244;Script;Automatic;ESET LiveGuard;xxxxxxxxx

LiveGuard scan came back clean.

Let's analyze this bugger.

Joe's Cloud Sandbox, which classified the script as malicious (https://www.joesandbox.com/analysis/1018938), also showed that the CryptOne packer was deployed. CryptOne (https://www.deepinstinct.com/blog/a-deep-dive-into-packing-software-cryptone) has sandbox evasion capability. Also, note that CryptOne is often deployed in ransomware attacks:

Quote

Indeed, researchers from SentinelOne, in a standalone analysis, called out the "evolutionary" links, citing near-identical configuration, implementation, and functionality between successive variants of the ransomware, with the file-encrypting malware concealed using a packer called CryptOne.

https://thehackernews.com/2022/02/dridex-malware-deploying-entropy.html

Just checked VT again: https://www.virustotal.com/gui/file/ac1cad78a2be2e78a05a51cf4d1b5eac2a6b302a40c3f6157496e00b4dcb81cd?nocache=1 at 9 AM EST on 6/24, and the scan from 6 hours ago showed 10 vendors, including Microsoft, detecting it. Eset was not one of them.

Did a re-scan at VT and finally, Eset now detects it. So this is proof the sample was indeed malicious and LiveGuard scanning did not detect it.


23 minutes ago, itman said:

On the subject of ad hoc malware testing, let's see how ESSP LiveGuard performs against 0-day advanced malware scripts. Again, the definition of 0-day here is that the script had not been submitted to VirusTotal.

Downloaded the malware .vbs sample yesterday afternoon. Upon archive extraction, the script was submitted to LiveGuard:

Time;Hash;File;Size;Category;Reason;Sent to;User
6/23/2022 5:29:49 PM;414FAAA0BF15450BC7F84C31024FA8FED26EB156;C:\Users\xxxxx\Downloads\ac1cad78a2be2e78a05a51cf4d1b5eac2a6b302a40c3f6157496e00b4dcb81cd.vbs;406244;Script;Automatic;ESET LiveGuard;xxxxxxxxx

LiveGuard scan came back clean.

Let's analyze this bugger.

Joe's Cloud Sandbox, which classified the script as malicious (https://www.joesandbox.com/analysis/1018938), also showed that the CryptOne packer was deployed. CryptOne (https://www.deepinstinct.com/blog/a-deep-dive-into-packing-software-cryptone) has sandbox evasion capability. Also, note that CryptOne is often deployed in ransomware attacks:

https://thehackernews.com/2022/02/dridex-malware-deploying-entropy.html

Just checked VT again: https://www.virustotal.com/gui/file/ac1cad78a2be2e78a05a51cf4d1b5eac2a6b302a40c3f6157496e00b4dcb81cd?nocache=1 at 9 AM EST on 6/24, and the scan from 6 hours ago showed 10 vendors, including Microsoft, detecting it. Eset was not one of them.

Did a re-scan at VT and finally, Eset now detects it. So this is proof the sample was indeed malicious and LiveGuard scanning did not detect it.

Clearly, regarding LiveGuard, there is plenty of room for improvement.

Another dangerous script (https://www.virustotal.com/gui/file/7a0113a1b29f2047831d3989e1c76479782c6269473a3c6e212a8bfa32281b82) that was missed by ESET LiveGuard yesterday. Very obvious ransomware-like behavior, though this sample is not in the wild.


8 hours ago, AnthonyQ said:

Clearly, regarding LiveGuard, there is plenty room for improvement.  

Agreed.

Ditch using MS Azure servers deploying Eset M/L algorithms and use Joe Sandbox instead:

Quote

Joe Sandbox is the platform to be integrated into Firewall-, Gateway-, AV-, Next-Gen Endpoint-, Threat Intelligence- and Automated Incident solutions. Joe Sandbox analyzes any malware on Windows, Mac OS X, Android and iOS. Vendors get a very flexible tool running on Linux they can integrate easily via various APIs.

https://www.joesecurity.org/contact-solutions#oem-integration .

Edited by itman

5 hours ago, itman said:

Agreed.

Ditch using MS Azure servers deploying Eset M/L algorithms and use Joe Sandbox instead:

https://www.joesecurity.org/contact-solutions#oem-integration .

It would really be better to change servers.
I noticed that nothing gets past Kaspersky; it is detecting everything.


5 hours ago, itman said:

Agreed.

Ditch using MS Azure servers deploying Eset M/L algorithms and use Joe Sandbox instead:

https://www.joesecurity.org/contact-solutions#oem-integration .

Using Joe Sandbox or something like that might increase the FP rate, which goes against ESET's zero-FP philosophy. 🤣


The main problems of LiveGuard are:

  1. Malware refuses to exhibit malicious behaviors in the LiveGuard sandbox for various reasons.
  2. Malware has been coded to exhibit malicious behaviors only after a long period of time (long sleep).
  3. Malware does show its malicious behaviors, but LiveGuard sees no need for detection.

For the 1st problem, after detecting potential Anti-VM/Anti-Sandbox functionality, LiveGuard should not declare that the sample is CLEAN. Instead, the sample should be marked as Suspicious and automatically sent to the Research Lab for analysis. Meanwhile, LiveGuard should ask the user whether or not to open the file.


Found a real "humdinger" of a .bat malware sample.

To begin, this one wasn't even submitted to LiveGuard.

Next, zero detections at VirusTotal: https://www.virustotal.com/gui/file/0d73505f996bb77f391c764ce2d15f8c099806dc0509d3a8d72fb00ee86181af/detection/f-0d73505f996bb77f391c764ce2d15f8c099806dc0509d3a8d72fb00ee86181af-1656155964 .

Below are Joe's Cloud Sandbox overall malicious indicators. If you have any doubts about the malicious behavior, Joe's detailed behavior analysis clearly shows it. Additionally, anyrun.com: https://app.any.run/tasks/040489b3-890e-46b0-a438-d98d33128a79/ and Dr. Web vxCube sandboxes also rendered malicious verdicts.

[screenshot: Joe's Cloud Sandbox overall malicious indicators for the .bat sample]

Edited by itman

  • Administrators
25 minutes ago, itman said:

Found a real "humdinger" of a .bat malware sample.

To begin, this one wasn't even submitted to LiveGuard.

Next, zero detections at VirusTotal: https://www.virustotal.com/gui/file/0d73505f996bb77f391c764ce2d15f8c099806dc0509d3a8d72fb00ee86181af/detection/f-0d73505f996bb77f391c764ce2d15f8c099806dc0509d3a8d72fb00ee86181af-1656155964 .

Appears to be clean - PSLockDownPolicy. Not subject to detection.

Modifies certain system policies, sets restricted PowerShell execution policy, blocks PowerShell from running, etc. Adds the script to the Startup folder.


  • Most Valued Members
On 6/22/2022 at 8:19 PM, itman said:

Eset withdrew from AV-Test consumer product testing the beginning of 2022. As i recollect as posted in this forum, the reason was again cost. Also noted was that Eset participates in A-V Comparative testing of its consumer products.

Ditto for SE Labs testing. Eset no longer participates in their consumer product test series, but still participates in the commercial product testing series.

Finally, Eset no longer participates in Virus Bulletin testing in any form. This was a shocker since Eset had used them as a testing source since Eset's founding.

The conclusion drawn here is there has been some "belt tightening" at Eset in regards to expenses. The causality was Eset consumer product testing. My best guess as to why is the bulk of Eset's revenue comes from its commercial products.

Yeah, the VB thing was odd as they always went on about how they had the best VB results.

I suppose it's cheaper to have just one set of products reviewed rather than consumer and commercial, although I'd love to see the savings made go into product development.


3 hours ago, Marcos said:

Appears to be clean

Take a closer look at what is going on in regards to Chrome.

1. Any existing running Chrome process is terminated.

2. Chrome is then started to connect to what appears to be a remote share and download whatever is there.

3. I also see additional Chrome Store downloads taking place.

4. Finally, Chrome internal settings are being modified including its sandbox settings.

-EDIT- The above 1) is setting Chrome to kiosk mode. Assume the other Chrome modifications are further use restrictions in regards to Chrome.

Appears this .vbs sample is just a script to lock down Windows and Chrome settings. However, I can't fault the web based sandboxes for labeling it malicious based on the Windows and Chrome modifications it does.

Edited by itman

Speaking of Brazil-targeted malware Eset doesn't detect, here's one: https://www.virustotal.com/gui/file/467a2a514d8a52ddf01ffb3f14818a4ffd8c76b2f0d944a6854ae478d62cc348/detection/f-467a2a514d8a52ddf01ffb3f14818a4ffd8c76b2f0d944a6854ae478d62cc348-1656125257 . The sample had a Brazil tag associated with it, hence the inference to Brazil.

The .msi file indicates it is an Adobe Reader installer.

Again, no submission to LiveGuard.

Some detail on how the sample submitter found it:

Quote

Auto-downloaded from a malicious webpage (hxxps://iciid022202022.canadacentral.cloudapp.azure.com/?cid=%email%). Redirect to said page happens from e-mail URL (http://67.110.205.92.host.secureserver.net/.vp22/?cid=email&tk=$fingerprint).

From there a malicious DLL (WinSparkle.dll) is loaded by SpotifyConverter.exe and reaches out to download and decrypt a zip from hxxps://2206498789798465.s3.amazonaws.com/s.ssh. This in turn contains a PDF converter exe alongside several other files.

Edited by itman

12 hours ago, itman said:

Found a real "humdinger" of a .bat malware sample.

To begin, this one wasn't even submitted to LiveGuard.

Next, zero detections at VirusTotal: https://www.virustotal.com/gui/file/0d73505f996bb77f391c764ce2d15f8c099806dc0509d3a8d72fb00ee86181af/detection/f-0d73505f996bb77f391c764ce2d15f8c099806dc0509d3a8d72fb00ee86181af-1656155964 .

Below are Joe's Cloud Sandbox overall malicious indicators. If you have any doubts about the malicious behavior, Joe's detailed behavior analysis clearly shows it. Additionally, anyrun.com: https://app.any.run/tasks/040489b3-890e-46b0-a438-d98d33128a79/ and Dr. Web vxCube sandboxes also rendered malicious verdicts.

[screenshot: Joe's Cloud Sandbox overall malicious indicators for the .bat sample]

I found this bat sample yesterday. I don't think it is clean because it disables multiple key functions of the OS and renders the PC unusable; it is actually very dangerous. But it may not meet some AV vendors' detection standard.

Bitdefender added detection after submission.

Symantec said it is not malicious itself, but may be an artifact of a threat.

Kaspersky seems to have blacklisted it in the cloud based on sandbox analysis.


10 hours ago, AnthonyQ said:

I found this bat sample yesterday. I don't think it is clean because it disables multiple key functions of the OS and renders the PC unusable; it is actually very dangerous. But it may not meet some AV vendors' detection standard.

Guess what? Eset now has a sig. for it; see the screenshot below. So this puppy was in the wild, undetected by anyone, for quite a while.

[screenshot: Eset detection of the .bat sample]

I was pondering this script later, after posting in the forum, and came to two conclusions about it:

1. It is just a custom script written by someone to enable security mitigations in Windows and Chrome for his installations.

2. It was a "test run" by a malware developer to see if all the reg changes plus Chrome modifications would go undetected by the AV solutions.

I am leaning toward no. 2 as the reason for the script. Of note is that all the reg changes were adds for security policy settings. They were all to enable the mitigations. On the other hand, the adds could also be deployed to disable those security policy settings.

Of note is that AVs are poor at monitoring reg. add modifications. Eset HIPS, for example, doesn't even have an option to do so. You have to create a wildcard rule that monitors for modification of the associated higher-level reg key to detect any add activity in its subordinate settings.

Edited by itman
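The behaviours described in this thread (Marcos: policy registry adds, PowerShell execution policy set to Restricted, PowerShell blocked, the script copied to the Startup folder; itman: Chrome killed, restarted in kiosk mode with its sandbox settings modified, and the point that HIPS rarely watches registry adds under a policy key; AnthonyQ: anti-VM checks plus a long sleep should yield "suspicious" rather than "clean") can be turned into a static pre-sandbox triage pass over a .bat or .vbs file. The following is an added example written for this page; it is not ESET LiveGuard or HIPS logic, nor Joe Sandbox's, the indicator list, weights and verdict thresholds are this example's own assumptions, and the three sample scripts are constructed to mirror the described behaviours rather than being the actual VirusTotal samples.

```python
"""Static triage of .bat/.vbs scripts for lockdown, persistence and
sandbox-evasion indicators. Added example only: not ESET's, Joe Sandbox's
or any vendor's detection logic. Sample scripts are constructed."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Indicator:
    name: str
    pattern: str
    weight: int
    min_value: Optional[int] = None  # threshold for patterns that capture a number


# Weights and patterns are this example's own assumptions, not a vendor's.
INDICATORS = [
    # "reg add" under a *\Policies\* key: the registry adds HIPS rules rarely watch
    Indicator("policy_reg_add", r'reg(?:\.exe)?\s+add\s+"?HK(?:LM|CU)\\[^"\s]*\\Policies\\', 2),
    # PowerShell execution policy forced to Restricted via policy key or cmdlet
    Indicator("ps_execution_policy", r'\\Policies\\Microsoft\\Windows\\PowerShell|Set-ExecutionPolicy\s+Restricted', 2),
    # PowerShell blocked outright (Explorer DisallowRun list, or killed)
    Indicator("ps_blocked", r'DisallowRun|(?:taskkill|wmic)[^\r\n]*powershell', 2),
    # Script drops something into the Startup folder
    Indicator("startup_persistence", r'\\Start Menu\\Programs\\Startup\\|shell:startup', 3),
    Indicator("chrome_killed", r'taskkill\s+(?:/f\s+)?/im\s+chrome\.exe', 1),
    Indicator("chrome_kiosk", r'chrome(?:\.exe)?"?\s+[^\r\n]*--kiosk', 2),
    Indicator("chrome_sandbox_off", r'--no-sandbox', 3),
    # Long sleeps: VBScript sleeps in milliseconds, cmd "timeout /t" in seconds
    Indicator("long_sleep_ms", r'WScript\.Sleep\s+(\d+)', 2, min_value=60_000),
    Indicator("long_sleep_s", r'timeout\s+/t\s+(\d+)', 2, min_value=60),
    # Hypervisor / sandbox artefacts probed before the payload runs
    Indicator("vm_check", r'\b(?:vmware|virtualbox|vbox|qemu|sbiedll)\b', 2),
]
_COMPILED = [(ind, re.compile(ind.pattern, re.IGNORECASE)) for ind in INDICATORS]


def triage_script(text: str) -> dict:
    """Return hits as (indicator, line number, matched text), a score and a verdict."""
    hits, score = [], 0
    for line_no, line in enumerate(text.splitlines(), start=1):
        for ind, rx in _COMPILED:
            for m in rx.finditer(line):
                if ind.min_value is not None and int(m.group(1)) < ind.min_value:
                    continue  # short sleep: not an evasion indicator
                hits.append((ind.name, line_no, m.group(0)))
                score += ind.weight
    # Thresholds are arbitrary for the example; the design point is that
    # anti-VM plus a long sleep lands in "suspicious", never in "clean".
    verdict = "malicious" if score >= 8 else "suspicious" if score >= 3 else "clean"
    return {"hits": hits, "score": score, "verdict": verdict}


# Constructed sample mirroring the lockdown .bat behaviour described in the thread
CONSTRUCTED_BAT = r'''@echo off
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell" /v EnableScripts /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v DisallowRun /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v 1 /t REG_SZ /d powershell.exe /f
copy "%~f0" "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\lockdown.bat"
taskkill /f /im chrome.exe
timeout /t 120
start "" "C:\Program Files\Google\Chrome\Application\chrome.exe" --kiosk --no-sandbox https://example.invalid/
'''

# Constructed sample: anti-VM check plus a long sleep, the pattern a sandbox
# with a short run time will report as clean
CONSTRUCTED_VBS = r'''Set objWMI = GetObject("winmgmts:\\.\root\cimv2")
For Each objItem In objWMI.ExecQuery("Select * from Win32_ComputerSystem")
    If InStr(LCase(objItem.Model), "vmware") > 0 Or InStr(LCase(objItem.Model), "virtualbox") > 0 Then WScript.Quit
Next
WScript.Sleep 300000
' payload would follow here
'''

# Constructed benign script: short timeout, no policy changes
CONSTRUCTED_BENIGN = r'''@echo off
echo Backing up documents...
xcopy "%USERPROFILE%\Documents" "D:\Backup\Documents" /E /I /Y
timeout /t 5
'''

if __name__ == "__main__":
    for label, sample in [("bat", CONSTRUCTED_BAT), ("vbs", CONSTRUCTED_VBS), ("benign", CONSTRUCTED_BENIGN)]:
        result = triage_script(sample)
        print(f"{label}: {result['verdict']} (score {result['score']})")
        for name, line_no, matched in result["hits"]:
            print(f"  line {line_no}: {name}: {matched}")
```

Run it as a script to see the per-line hits. A pass like this complements dynamic analysis rather than replacing it: it cannot see behaviour hidden behind a packer such as CryptOne, but it does flag the two things the thread shows sandboxes getting wrong, a script whose only actions are policy adds, and a script that checks for a hypervisor and then sleeps. Note that the policy indicator fires on any "reg add" under a Policies key whether the value enables or disables a mitigation, which is the same reasoning behind itman's wildcard HIPS rule on the parent key.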
