
Heuristic based alert


rotaru


Hello,

I never received a heuristic-based alert; out of curiosity, can anyone post a screenshot of such an alert?

 

Thanks!


  • Administrators

If you have tested some malware, it was most likely already covered by some sort of smart detection.

This is an example of a HIPS / Deep Behavioral Monitor detection of newly seen malware:

[attachment: image.png, screenshot of the detection alert]


Thank you for your answer!

How would anybody know that this is a detection based on heuristics? Shouldn't it have some sort of "confidence" level displayed?


3 hours ago, rotaru said:

Shouldn't it have some sort of "confidence" level displayed?

Confidence level display on a detection alert is appropriate when the block/allow action is user dependent, such as is the case for the LiveGuard Advanced option which is available on Eset commercial products. Additionally, a confidence level is usually displayed for detections in the suspicious category.

It is established security software industry practice that in consumer security products, users should not have the option to allow/block suspicious activity since they are not qualified to do so. Hence Eset's block action on suspicious activity.

BTW - the last time I checked, Eset's consumer products' confidence level is set to 90%. That is high confidence the detection is correct.

Edited by itman

Also since the question was in regard to heuristic based detection, first note that it is pre-execution analysis of a binary used in conjunction with code isolation in the form of sandboxing.

Kaspersky has a good article on the subject here: https://usa.kaspersky.com/resource-center/definitions/heuristic-analysis .

Of note:

Quote

Heuristic analysis is a method of detecting viruses by examining code for suspicious properties.

Traditional methods of virus detection involve identifying malware by comparing code in a program to the code of known virus types that have already been encountered, analyzed and recorded in a database – known as signature detection.

While useful and still in use, the signature detection method has also become more limited, due to the development of new threats which exploded around the turn of the century and are continuing to emerge all the time.

To counter this problem, the heuristic model was specifically designed to spot suspicious characteristics that can be found in unknown, new viruses and modified versions of existing threats as well as known malware samples.

Cybercriminals are constantly developing new threats, and heuristic analysis is one of the only methods used to deal with the huge volume of these new threats seen daily.

Heuristic analysis is also one of the few methods capable of combating polymorphic viruses — the term for malicious code that constantly changes and adapts.

To my best knowledge, Eset heuristic detections are prefixed with "MSIL/" as shown by the following Eset detection:

Quote

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
3/28/2023 11:52:26 AM;Real-time file system protection;file;C:\Users\xxxxxx\Downloads\1abe11cf0a879b99c092a403e9efedf7ecda8e92c6708c31c799ce36c2da26a8.exe;a variant of MSIL/TrojanDownloader.Agent.PAC trojan;cleaned by deleting;xxxx\xxxx;Event occurred on a new file created by the application: C:\Program Files\7-Zip\7zG.exe (DF22612647E9404A515D48EBAD490349685250DE).;99EE353456DAAD13D299A3954ACAD8BE28E5A2C8;3/28/2023 11:52:15 AM

Edited by itman

1 hour ago, itman said:

To my best knowledge, Eset heuristic detections are prefixed with "MSIL/" as shown by the following Eset detection:

MSIL means Microsoft Intermediate Language. 

Detections such as “ML/Augur” and those with prefix “a variant of” may indicate it is a heuristic detection, imo.

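As an added example (my own code, not from the thread or from ESET), here is a small Python parser for the semicolon-separated detection export quoted above: it splits each detection name into the platform prefix (MSIL, Win32), the "a variant of" marker and the ML/Augur name discussed in this thread, and pulls the SHA-1 of the creating process out of the Information column. The category labels and the sample rows other than the quoted one are my own assumptions.

```python
import csv
import io
import re

# Constructed sample in the semicolon-separated layout of the ESET detection export quoted in the
# thread. Row 1 is the quoted row; rows 2 and 3 are made up and their SHA-1 values are placeholders.
SAMPLE_LOG = (
    "Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here\n"
    "3/28/2023 11:52:26 AM;Real-time file system protection;file;"
    "C:\\Users\\xxxxxx\\Downloads\\1abe11cf0a879b99c092a403e9efedf7ecda8e92c6708c31c799ce36c2da26a8.exe;"
    "a variant of MSIL/TrojanDownloader.Agent.PAC trojan;cleaned by deleting;xxxx\\xxxx;"
    "Event occurred on a new file created by the application: C:\\Program Files\\7-Zip\\7zG.exe "
    "(DF22612647E9404A515D48EBAD490349685250DE).;99EE353456DAAD13D299A3954ACAD8BE28E5A2C8;3/28/2023 11:52:15 AM\n"
    "3/29/2023 09:10:00 AM;Startup scanner;file;C:\\Temp\\sample.exe;ML/Augur;cleaned by deleting;"
    "xxxx\\xxxx;;0000000000000000000000000000000000000001;3/29/2023 09:09:58 AM\n"
    "3/29/2023 09:12:00 AM;On-demand scanner;file;C:\\Temp\\other.exe;Win32/Filecoder.NRS trojan;"
    "cleaned by deleting;xxxx\\xxxx;;0000000000000000000000000000000000000002;3/29/2023 09:11:59 AM\n"
)

VARIANT_PREFIX = "a variant of "
PARENT_SHA1 = re.compile(r"\(([0-9A-Fa-f]{40})\)")  # SHA-1 of the creating process, in parentheses

def classify(detection: str) -> dict:
    # Break an ESET detection name into platform prefix, family and a rough (assumed) category.
    name = detection.strip()
    generic = name.lower().startswith(VARIANT_PREFIX)
    if generic:                                    # "a variant of X" = generic match on family X
        name = name[len(VARIANT_PREFIX):]
    platform, slash, family = name.partition("/")  # "MSIL/Foo.Bar trojan" -> "MSIL", "Foo.Bar trojan"
    if not slash:                                  # no platform prefix at all (e.g. "Suspicious Object")
        platform, family = "", name
    if platform == "ML" and family.startswith("Augur"):
        category = "ml"            # local machine-learning model, works offline (per Marcos' reply)
    elif name.lower().startswith("suspicious"):
        category = "suspicious"    # the class that carries a confidence level (per itman's reply)
    elif generic:
        category = "variant"       # heuristic-style match on a known family, not an exact signature
    else:
        category = "named"         # exact family signature
    return {"platform": platform, "family": family, "generic": generic, "category": category}

def parse_detections(text: str) -> list:
    # Parse the export and enrich each row with the classification and the parent-process hash.
    rows = []
    for row in csv.DictReader(io.StringIO(text), delimiter=";"):
        rec = classify(row["Detection"])
        parent = PARENT_SHA1.search(row.get("Information") or "")
        rec["parent_sha1"] = parent.group(1).upper() if parent else None
        rec.update(object=row["Object"], sha1=row["Hash"], scanner=row["Scanner"])
        rows.append(rec)
    return rows
```

Feeding a real export through parse_detections lets you count how many alerts were generic variant or ML hits versus exact signatures, which answers the original question from the log rather than from the alert popup.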

Thank you all!

In my opinion a heuristic/ machine learning/hips/ Deep behavior monitor detection should be clearly identified as such, at the moment the detection is displayed.

Personally, in years of using ESET, I never had anything other than signature-based detections.

I have never seen a HIPS detection in more than 5 years and on 3 PCs, even though HIPS is set to "smart mode".

 


1 hour ago, itman said:

Also since the question was in regard to heuristic based detection, first note that it is pre-execution analysis of a binary used in conjunction with code isolation in the form of sandboxing.

Kaspersky has a good article on the subject here: https://usa.kaspersky.com/resource-center/definitions/heuristic-analysis .

Of note:

To my best knowledge, Eset heuristic detections are prefixed with "MSIL/" as shown by the following Eset detection:

Kaspersky top 🤌🫠🙃


13 hours ago, AnthonyQ said:

Detections such as “ML/Augur”

Augur detections usually are given as a result of Eset LiveGrid, LiveGuard, and LiveGuard Advanced cloud scanning. Here's how effective Augur cloud scanning was against ransomware in 2017: https://www.eset.com/sg/about/newsroom/press-releases1/whitepapers/eset-machine-learning-engine-augur-vs-the-most-infamous-ransomware-families-of-2017-1/ .

Additional Augur reference: https://www.welivesecurity.com/2017/06/20/machine-learning-eset-road-augur/ .

Eset real-time heuristic scanning is local based. It can however be used for deployment of additional Eset detection mechanisms, such as injection of deep behavior inspection .dlls into a suspect process to monitor its activities during execution.

Edited by itman

  • ESET Insiders
15 hours ago, rotaru said:

Thank you all!

In my opinion a heuristic/ machine learning/hips/ Deep behavior monitor detection should be clearly identified as such, at the moment the detection is displayed.

Personally, in years of using ESET, I never had anything other than signature-based detections.

I have never seen a HIPS detection in more than 5 years and on 3 PCs, even though HIPS is set to "smart mode".

 

I'm also using HIPS in smart mode and so far received notification only once. It was after a program update, but I can't remember which one it was. Unfortunately I also didn't take a screenshot.

The message was saying that HIPS detected some changes to the updated application and it asked me to approve or deny them.


9 hours ago, itman said:

Augur detections usually are given as a result of Eset LiveGrid, LiveGuard, and LiveGuard Advanced cloud scanning. Here's how effective Augur cloud scanning was against ransomware in 2017: https://www.eset.com/sg/about/newsroom/press-releases1/whitepapers/eset-machine-learning-engine-augur-vs-the-most-infamous-ransomware-families-of-2017-1/ .

Additional Augur reference: https://www.welivesecurity.com/2017/06/20/machine-learning-eset-road-augur/ .

Eset real-time heuristic scanning is local based. It can however be used for deployment of additional Eset detection mechanisms, such as injection of deep behavior inspection .dlls into a suspect process to monitor its activities during execution.

I am not sure but I tend to believe ML/Augur detection is not cloud-based as this ML-based detection can be triggered offline. Suspicious Object detection is a cloud-based detection.


18 minutes ago, AnthonyQ said:

I am not sure but I tend to believe ML/Augur detection is not cloud-based as this ML-based detection can be triggered offline.

Yes and no.

Let's use an example posted today in the forum: https://forum.eset.com/topic/36190-eset-deleted-anydesk-on-multiple-pcs-across-our-company/ .

What appears to have happened here is that the .exe had previously been submitted to the Eset cloud from another source. Augur detected something it didn't like. It then added the .exe to the LiveGrid blacklist. The Eset startup scan detected the .exe as a result of either the local LiveGrid blacklist, assuming the cloud-based LiveGrid blacklist had been pushed to the device, or by accessing the current LiveGrid cloud blacklist.


  • Administrators

ML/Augur detection is an offline detection based on the models from the Machine learning module that clients use even if they are offline. Cloud Augur has no effect on such detections. The above detection occurred as a result of the latest Machine learning module that was released on Tuesday.

