itman, posted November 27, 2022 (edited)

Here's a list of Intel processors that Eset ver. 16 will interface with in regards to Intel TDT: https://support.eset.com/en/kb8336-intel-threat-detection-technology-tdt-supported-processors?ref=esf .

Many of those are not 11+ generation processors regardless of whether they are Core vPro processors or not. As such at this time, it can be assumed that Eset consumer products will not be interfacing with the ransomware protection provided by Intel Hardware Shield. Perhaps that will only be done so for Eset business version products.

Edited November 27, 2022 by itman

rotaru, posted November 27, 2022

2 hours ago, New_Style_xd said:
> any malware has signature.

There is a fine line between paranoia and normal life.....

we do not trust Kaspersky because it is from Russia
we do not trust 360TotalSecurity because it is from China
we do not trust Microsoft because it is spying on us
we do not trust DrWeb because it is from Russia
we do not trust Avira, Avast!, AVG because they are part of Norton
now we do not trust "ConfigureDefender"..........😀

New_Style_xd, posted November 27, 2022

2 hours ago, rotaru said:
> There is a fine line between paranoia and normal life.....
> we do not trust Kaspersky because it is from Russia
> we do not trust 360TotalSecurity because it is from China
> we do not trust Microsoft because it is spying on us
> we do not trust DrWeb because it is from Russia
> we do not trust Avira, Avast!, AVG because they are part of Norton
> now we do not trust "ConfigureDefender"..........😀

In short, you will have to BE BORN AGAIN😊

czesetfan, posted November 27, 2022

7 hours ago, itman said:
> Here's a list of Intel processors that Eset ver. 16 will interface with in regards to Intel TDT: https://support.eset.com/en/kb8336-intel-threat-detection-technology-tdt-supported-processors?ref=esf .
> Many of those are not 11+ generation processors regardless of whether they are Core vPro processors or not. As such at this time, it can be assumed that Eset consumer products will not be interfacing with the ransomware protection provided by Intel Hardware Shield. Perhaps that will only be done so for Eset business version products.

I'm still not entirely clear on that either. 🤔 It seems to me that Intel and ESET's statements about processor support for ransomware protection are not clearly in agreement. It would require a more precise explanation.

itman, posted November 27, 2022 (edited)

8 hours ago, czesetfan said:
> I'm still not entirely clear on that either. 🤔 It seems to me that Intel and ESET's statements about processor support for ransomware protection are not clearly in agreement. It would require a more precise explanation.

You can use this: https://en.wikichip.org/wiki/intel/cpuid#Family_6 to cross-reference to Eset's list of supported processors. The latest Eset supported processor family I see on the list is the 11th generation Rocket Lake; i.e. Family 6 Model 167. This means at present, Eset won't be supporting the latest Intel processors.

As far as the 11th+ generation vPro aspect, which again is the only processor with Intel built-in ransomware protection, here's how to determine if the processor supports it:

Quote
> How do I know if the Intel® processor is eligible for Intel® vPro® platform?
> To find out if your processor is eligible for Intel® vPro platform, follow the steps below:
> 1. Visit the product specifications page.
> 2. Enter the processor number in the search box located in the upper right corner.
> 3. Click to navigate to the processor specification page.
> 4. Click the Security & Reliability section, located on the left side. You can also scroll down for the Security & Reliability section.
> 5. Check the Intel® vPro® Platform Eligibility field. If it is set to Yes, the processor is eligible for this technology.
> https://www.intel.com/content/www/us/en/support/articles/000030111/processors.html

I would say unless you have a workstation level desktop PC or a business level laptop, it won't include the vPro technology.

Edited November 27, 2022 by itman
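
Added example (not part of the post above, and not Eset or Intel code): one way to get the "Family 6 Model N" numbers needed for the cross-reference itman describes. The function names are hypothetical and the sample inputs are constructed; the Windows string follows the format of the PROCESSOR_IDENTIFIER environment variable and the Linux text follows /proc/cpuinfo.

```python
import re

def decode_cpuid_signature(eax):
    """Decode CPUID leaf 1 EAX into (display family, display model, stepping)."""
    stepping = eax & 0xF
    base_model = (eax >> 4) & 0xF
    base_family = (eax >> 8) & 0xF
    ext_model = (eax >> 16) & 0xF
    ext_family = (eax >> 20) & 0xFF
    # The extended family is only added when the base family is 0xF.
    family = base_family + ext_family if base_family == 0xF else base_family
    # For family 6 and 0xF the extended model supplies the high nibble;
    # reading bits 4-7 alone would report Rocket Lake as model 7, not 167.
    if base_family in (0x6, 0xF):
        model = (ext_model << 4) | base_model
    else:
        model = base_model
    return family, model, stepping

_IDENT = re.compile(r"Family\s+(\d+)\s+Model\s+(\d+)\s+Stepping\s+(\d+)")

def parse_windows_identifier(text):
    """Parse a PROCESSOR_IDENTIFIER-style string; None if it does not match."""
    m = _IDENT.search(text)
    return tuple(int(g) for g in m.groups()) if m else None

def parse_proc_cpuinfo(text):
    """Take family/model/stepping from the first CPU entry of /proc/cpuinfo text."""
    wanted = ("cpu family", "model", "stepping")
    found = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key = key.strip()
        if sep and key in wanted and key not in found:
            found[key] = int(value)
    if len(found) != len(wanted):
        return None
    return tuple(found[k] for k in wanted)

# Constructed sample inputs, all describing Family 6 Model 167.
SAMPLE_EAX = 0x000A0671
SAMPLE_WINDOWS = "Intel64 Family 6 Model 167 Stepping 1, GenuineIntel"
SAMPLE_LINUX = ("vendor_id\t: GenuineIntel\ncpu family\t: 6\nmodel\t\t: 167\n"
                "model name\t: (constructed sample)\nstepping\t: 1\n")

if __name__ == "__main__":
    for result in (decode_cpuid_signature(SAMPLE_EAX),
                   parse_windows_identifier(SAMPLE_WINDOWS),
                   parse_proc_cpuinfo(SAMPLE_LINUX)):
        print("Family %d Model %d Stepping %d" % result)
```

The resulting family and model pair is what gets looked up on the wikichip page and compared with the vendor's supported-processor list; vPro eligibility is not encoded in these numbers and still has to be checked on the processor specification page.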

itman, posted November 27, 2022

6 hours ago, itman said:
> I would say unless you have a workstation level desktop PC or a business level laptop, it won't include the vPro technology.

Confirmed. Here's a list of workstations with Intel vPro: https://www.dell.com/en-us/shop/desktop-computers/sr/desktops/intel-vpro?page=2&appliedRefinements=38855 . Also vPro comes in two versions; active management for enterprise and essential for small business.

We can therefore conclude that Eset won't be interfacing with vPro Intel Hardware Shield in its consumer product versions.

czesetfan, posted November 28, 2022

If I understand correctly, Intel TDT actually allows AV manufacturers to read telemetry data at the CPU level. So ESET uses this capability, but the decision algorithms themselves are in ESET's product. ESET's KB8336 indicates the supported processors for this feature.

For Core vPro11+, is it ransomware detection that Intel's algorithms do within the Intel processor itself? 🤔

itman, posted November 28, 2022 (edited)

10 hours ago, czesetfan said:
> For Core vPro11+, is it ransomware detection that Intel's algorithms do within the Intel processor itself?

Actually, it's Intel's Hardware Shield that performs this and it's only available on vPro supported processors. Again, refer to this: https://www.intel.com/content/www/us/en/architecture-and-technology/threat-detection-technology-brief.html for further details on Hardware Shield ransomware detection capabilities.

The confusion comes from Intel referring to TDT and Hardware Shield in the same context. The Hardware Shield component only exists on 11th+ gen. processors with vPro capability.

The outstanding question is how will Eset consumer versions, interfacing with Intel TDT supported processors that do not include Hardware Shield; i.e. non-vPro processors, be able to detect ransomware more effectively than currently exists?

-EDIT- Answering my own question, below is the relevant extract from the above Intel linked article:

Quote
> Intel® Threat Detection Technology (Intel® TDT), as shown in Figure 2, provides an augmentation for EDRs to help increase detection efficacy, lower false positive alerts, expand visibility to catch advanced evasion techniques, and boost the overall security performance of endpoint agents. Intel TDT is not a standalone product but provides the source code that is integrated into the EDR agent to enable these CPU-assisted capabilities.

As such, it will be Eset's full responsibility to properly deploy these "CPU-assisted capabilities" to detect ransomware behavior. On vPro platforms with Hardware Shield, it would be providing the initial telemetry that ransomware behavior has been detected to the EDR agent.

Edited November 28, 2022 by itman

itman, posted November 28, 2022

For those wanting to take "a deep dive" into vPro's Hardware Shield capability, refer to pages 5 - 9 in this document: https://www.sogeti.com/globalassets/reports/intel-sogeti-security-white-paper-fordistribution.pdf .

itman, posted November 28, 2022 (edited)

On 11/26/2022 at 4:15 PM, SeriousHoax said:
> Even Microsoft Defender supports Intel TDT. But Microsoft's documents almost never mention home version in anything, even though many Endpoint features are supported. So, I'm not sure if home users also benefit from it.

It is only supported on Microsoft Defender for Endpoint version: https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/defending-against-ransomware-with-microsoft-defender-for/ba-p/3243941 .

Edited November 28, 2022 by itman

SeriousHoax, posted November 28, 2022

33 minutes ago, itman said:
> It is only supported on Microsoft Defender for Endpoint version: https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/defending-against-ransomware-with-microsoft-defender-for/ba-p/3243941 .

Microsoft everywhere writes documents for MD Endpoint only, even though some of those are available for home MD. So it's not possible to know without an official answer. Their shared screenshot shows the MD home version's behavioral detection UI, so it's possible MD Endpoint is not necessary for this.

itman, posted November 28, 2022

16 minutes ago, SeriousHoax said:
> Their shared screenshot shows the MD home version's behavioral detection UI

Yes. This MS article just states Microsoft Defender: https://www.microsoft.com/en-us/security/blog/2022/08/18/hardware-based-threat-defense-against-increasingly-complex-cryptojackers/ . However note that nowhere in the article is ransomware protection mentioned.

SeriousHoax, posted November 28, 2022

5 minutes ago, itman said:
> Yes. This MS article just states Microsoft Defender: https://www.microsoft.com/en-us/security/blog/2022/08/18/hardware-based-threat-defense-against-increasingly-complex-cryptojackers/ . However note that nowhere in the article is ransomware protection mentioned.

Great find and well noticed. This article was written to mainly showcase protection against cryptojackers. Maybe that's why they didn't write it. If the home version can use Intel TDT for cryptojackers then there doesn't seem to be any valid reason for not doing the same for ransomware. I'm not sure of course, just assuming.

itman, posted November 28, 2022

Some additional comments: Note the vPro reference.

Quote
> Intel works with major endpoint security software ISVs, including ESET, Microsoft Defender, and CrowdStrike so that Intel vPro® advanced threat protection is built into their solutions with little configuration required. For example, CrowdStrike used the Intel® TDT Accelerated Memory Scanning capabilities to detect fileless attacks to memory that are now being used as an entry point in 72 percent of all attacks. The 7x boost in performance delivers a broader scanning capability that uncovers early indicators of attack before an attack payload can execute.

Also, Intel 11+ generation processors bring:

Quote
> For advanced threat protections, bolster antivirus software to catch threats using techniques that are extremely difficult for security software alone to uncover. Intel® Control-Flow Enforcement Technology (Intel® CET) on 11th Gen systems forward is designed to help defend against return-oriented programming (ROP) attacks to system memory. Intel® Threat Detection Technology (Intel® TDT) defends against ransomware and malicious crypto mining with minimal impact on performance.
> https://community.connection.com/protect-pc-fleets-with-hardware-enabled-security-out-of-the-box/

czesetfan, posted November 29, 2022

On 11/28/2022 at 3:49 PM, itman said:
> Actually, it's Intel's Hardware Shield that performs this and it's only available on vPro supported processors. Again, refer to this: https://www.intel.com/content/www/us/en/architecture-and-technology/threat-detection-technology-brief.html for further details on Hardware Shield ransomware detection capabilities.
> The confusion comes from Intel referring to TDT and Hardware Shield in the same context. The Hardware Shield component only exists on 11th+ gen. processors with vPro capability.
> The outstanding question is how will Eset consumer versions, interfacing with Intel TDT supported processors that do not include Hardware Shield; i.e. non-vPro processors, be able to detect ransomware more effectively than currently exists?
> -EDIT- Answering my own question, below is the relevant extract from the above Intel linked article:
> As such, it will be Eset's full responsibility to properly deploy these "CPU-assisted capabilities" to detect ransomware behavior. On vPro platforms with Hardware Shield, it would be providing the initial telemetry that ransomware behavior has been detected to the EDR agent.

Thank you for the information. I think I understand it more now. 🙂👍

itman, posted November 29, 2022 (edited)

Since I made a lot of postings in this thread, a summary of those is needed.

1. Intel TDT has existed since the introduction of its 6th generation processors. I don't see any evidence this alone has made a significant impact on ransomware activity.
2. The most significant development in Intel TDT malware protection arrives with its 11th generation processors with the vPro line introducing Hardware Shield which can detect ransomware behavior.
3. Intel is now actively working with security vendors by providing them the ability to directly interface with TDT.

The bottom line here is it's up to the security vendors to provide behavior algorithms that can properly detect malware behavior including ransomware from the data being provided by Intel TDT. The verdict is still out on this one.

-EDIT- Per Microsoft:

Quote
> Intel TDT cryptojacking and ransomware detection was introduced with 10th gen and newer Intel Core and Intel vPro platforms.

Also, this disclaimer:

Quote
> No Product or component can be absolutely secure
> https://www.intel.com/content/www/us/en/newsroom/news/intel-microsoft-scale-threat-detection-cryptojacking.html#gs.jh7emx

This does bring into question the capability of security vendors via Intel TDT to detect cryptojacking and ransomware by behavior on pre-10th gen processors.

Edited November 29, 2022 by itman

itman, posted November 29, 2022 (edited)

Since CrowdStrike was mentioned as an Intel TDT user, here's their write-up on that usage: https://www.crowdstrike.com/blog/falcon-enhances-fileless-attack-detection-with-accelerated-memory-scanning/ . Appears their emphasis has been on utilization of Intel TDT Accelerated Memory Scanner (AMS).

-EDIT- Of note in the CrowdStrike article is the following which I also noticed in related Intel articles:

Quote
> Intel TDT AMS optimizes performance on Intel CPUs and offloads computation to the Intel integrated graphics processing unit (iGPU) when present.

What Intel is silent on is what happens if a graphics card is installed? As a rule, installation of a graphics card requires that integrated graphics be disabled.

Edited November 29, 2022 by itman