
PC Security Channel claims Ransomware Shield Doesn't work - Asks for Eset Comment



Posted (edited)


PC Security Channel claims Ransomware Shield does not work - Asks for Eset Comment...
The PC Security Channel: ESET Review 2024: Tested in depth vs Malware

https://youtu.be/mHtEcqP6q3A?si

The rest of his Eset malware test passed! "Eset did a very good job in proactively blocking malware..."

Edited by MarcFL

Posted (edited)

Also, Eset clearly states in the UI more info popup: "ESET Live Grid must be enabled for Ransomware Shield to function properly."

(attached screenshot: Ransomware.jpg)

Edited by MarcFL

Posted (edited)

Here we go again.

The only ransomware sample not blocked was BlackMatter with Eset real-time protection disabled. Of note was the test system was an Intel one and TDT protection was enabled.

Again, Leo's justification for disabling real-time protection was to ensure the sample wasn't detected by static signature and by behavior methods only.

The problem here as I see it is that real-time protection is performing initial analysis of the malware, with heuristic analysis being the most important part. It is the "driver" protection that initiates other Eset protection methods. It is also entirely possible that Eset Ransomware Shield and Intel TDT protection do interface with real-time protection, although they are listed under the HIPS protection section. Finally, Eset doesn't just deploy static signature detection but also deploys "behavior" signature detection.

Edited by itman

(Administrators)

Correct, the user didn't test the ransomware execution with all protection modules enabled. Real-time protection was paused, so neither HIPS, Ransomware protection nor Deep Behavior Inspection got the crucial information about the file and file system events necessary to determine the ransomware behavior.

Thanks itman. Also, 4 years ago, Marcos stated:

"This test is completely wrong. First of all, you skip the very first layer of defense - Web access protection which is very strong in ESET and blocks download from malicious urls which could save users in many cases from new malware even entering the system. Secondly, by disabling real-time protection you prevent HIPS from receiving events on the file system level and thus make HIPS and all HIPS dependent components ineffective, such as: Ransomware shield, Exploit Blocker, Advanced Memory Scanner, Deep Behavior Inspection, Advanced Machine Learning, etc.

Disabling real-time protection is not just disabling the use of signatures which are, by the way, typically smart DNA signatures in case of ESET, i.e. they only describe the malicious behavior to be detected. Disabling RTP prevents other modules from working effectively since they won't receive information about file system events which have nothing to do with signature detection whatsoever.

In real world users must not and do not disable particular protection modules. If they do, they must understand they do it at their own risk and expose the machine to malware attacks and infection."

See: https://www.youtube.com/watch?v=ps7XNo-DOmI&lc=UgwEAvyKZ7aQdd95vzp4AaABAg


Posted (edited)

Response from The PC Security Channel:

"I only disabled the module for one very short part of the test, and I wasn't aware of the previous comment you referenced, nobody from ESET ever reached out to make that known to me. Hopefully the Mal X tests will allow us to test products that do not work well with one or more components disabled before. However, I'd like to state that I have done several tests with ESET's HIPS and rarely seen it pop up, so that does not seem like a completely valid justification, nor is it clear in the UI. If HIPS & Ransomware shield is useless without real-time protection it should be grayed out when realtime protection is turned off. I love how people like to call tests "invalid" when they don't like the results, and not question if the way the product works makes sense? Like why is it a great idea to have an independent ransomware shield that is completely useless without the cloud component (which a user may not want to use for various reasons)? I'm just doing tests to show different scenarios to the users, if you are happy with how the HIPS works, it's your call, nothing invalid about the test."

See Comment:
https://www.youtube.com/watch?v=mHtEcqP6q3A&lc=UgwgwiPvn4PwrGxjMlJ4AaABAg.A3up4pl9KsMA3vF_r4asoM

Edited by MarcFL

Posted (edited)

There is a point being made here.

I have yet to see a bona fide test of Eset Intel TDT ransomware protection. S.E. Labs could do such a test since they performed the initial testing of Intel TDT ransomware protection. They did test CrowdStrike, which scored 100%. However, that test was performed on the Intel vPro platform.

Edited by itman

Posted (edited)

itman, The PC Security Channel just said they will be doing that test with all Eset modules on, using zero-day ransomware samples. It will be interesting to see the results.
https://www.youtube.com/watch?v=mHtEcqP6q3A&lc=UgwgwiPvn4PwrGxjMlJ4AaABAg.A3up4pl9KsMA3w4Caqfe_f

Edited by MarcFL

3 minutes ago, MarcFL said:

It will be interesting to see the results.

Yes, indeed it will be.


Posted (edited)

I ran my own ransomware test using PICUS Threat Simulator: https://www.picussecurity.com/emerging-threat-simulator

Below are the tests;

(attached screenshots: PICUS_1.png, PICUS_2.png, PICUS_3.png)

The only malware Eset missed was AndroxGhOst Hacking Tool.

-EDIT- Forgot to mention how many malware detections did Eset detect for these 10 malware - 65 and they were all different hashes. In other words, multiple different variants were being deployed.

Edited by itman

A "cut to the chase" comment.

What are the odds of a non-commercial user that is using an Eset consumer product will get hit with a 0-day ransomware? Zero odds. No attacker in his right mind is going to waste using a 0-day ransomware on this type of target.

If Leo wants to test 0-day ransomware, he should be doing so against Eset commercial products.


Posted (edited)

Ransomware statistics. I highlighted the important points. Make sure you read the entire article;

Quote

Headline Ransomware Statistics

  • The volume of ransomware attacks dropped 23% in 2022 compared to the previous year.
  • In the first half of 2022, there were an estimated 236.1 million ransomware attacks globally.
  • There were 623.3 million ransomware attacks globally in 2021.
  • Ransomware accounted for around 20% of all cyber crimes in 2022.
  • 20% of ransomware costs are attributed to reputation damage.
  • 93% of ransomware is Windows-based executables.
  • The most common entry point for ransomware is phishing.
  • Organisations in the US are the businesses most likely to be affected by ransomware, accounting for 47% of attacks.
  • Ransomware was the most common attack type for the manufacturing industry in 2021.
  • 90% of ransomware attacks fail or result in zero losses for the victim.

https://aag-it.com/the-latest-ransomware-statistics/

Edited by itman

Posted (edited)

I forgot to post the statistic relevant to this discussion from the above linked article. How many individuals were subjected to a ransomware attack?

Quote

Through 2021, there were 623.3 million ransomware attacks globally. This doesn’t mean every attack was successful, but it does highlight the prevalence of this cyber threat.

How many people are affected by ransomware?

71% of organisations worldwide were reportedly affected by ransomware attacks in 2022.

Data breaches through ransomware can affect anyone. While ransomware groups typically target organisations as more lucrative targets, around 3700 individuals reported falling victim to successful ransomware attacks.

I'll leave it to you to do the math on your odds of becoming a victim of ransomware. I also assume most of these individuals weren't using any active AV protection or were using a proven defective one; e.g. Indian based.

Edited by itman

5 hours ago, itman said:

I'll leave it you to do the math on your odds of becoming a victim of ransomware.

This is a new low, defending ESET for poor HIPS performance because the odds of being hit by ransomware is low.....


Posted (edited)
40 minutes ago, rotaru said:

This is a new low, defending ESET for poor HIPS performance because the odds of being hit by ransomware is low.....

Alleged poor ransomware performance from a YouTube channel that turned off Eset modules but still concluded "Eset did a very good job in proactively blocking malware...". Eset is top rated by both
AV-Test: https://www.av-test.org/en/antivirus/home-windows/windows-11/april-2024/eset-security-ultimate-17.0-241206/
and
AV-Comparatives: https://www.av-comparatives.org/tests/malware-protection-test-march-2024/

Edited by MarcFL

14 minutes ago, MarcFL said:

Eset is top rated by both

In AV-Test, 11 of the 17 products tested are rated "Top product", including the free Windows Defender.

In AV-Comparatives, ESET has a 99.93% detection rate, the same as the free Windows Defender (99.94%).

So nothing to brag about......

Side note: in over 7 years of using ESET on 3 PCs with HIPS in "smart mode", I never once got a HIPS-related alert.

Posted (edited)
46 minutes ago, rotaru said:

In AV Test  11 from 17 product tested are rated "Top product" including the free Windows Defender

IN AV Comparatives ESET has 99,93% detection rate , same like the free Windows Defender (99.94%)

Do a Google search using these criteria: "microsoft defender bypasses". As far as ransomware attacks go, the most used to date was excluding Controlled Folders from its real-time protection.

Edited by itman

13 minutes ago, itman said:

Do a Google search

There are 2 official, well known, respectable entities (AV-Test and AV-Comparatives) which perform these evaluations; no point of a "Google search".

Point remains that WD (free) performs at the same level or better than ESET (paid).

It is a fact, like it or not.

(Administrators)
35 minutes ago, rotaru said:

There are 2 official, well known, respectable entities (AV-Test and AV-Comparatives) which perform these evaluations; no point of a "Google search".

Point remains that WD (free) performs at the same level or better than ESET (paid).

It is a fact, like it or not.

We kindly ask you to stop trolling, it won't be tolerated. Constructive criticism is welcome but trolling is not.

  1. ESET has always been among top performers in independent tests you have mentioned.
  2. There is no AV with 100% detection and zero FPs
  3. Real-world scenarios are what matters. People here in this forum and elsewhere quite often say that we have a false positive, but when we check their servers and systems, it turns out they were indeed infected. I take the liberty to post an example of such a comment from a user: "Thank you very much, this malicious code was only detected by ESET and we have cleaned everything up now."
  4. Use whatever AV you want. No one here says you must use ESET and not Defender (which is not free, by the way; you pay for it in the price of the Windows OS).
  5. It is Deep Behavior Inspection and not HIPS per se that monitors and reacts to suspicious behavior. It also triggers processes internally when suspicious operations are detected, so it may not always loudly detect suspicious behavior.
  6. If you come across an undetected suspicious piece of malware, we kindly ask you to submit it to ESET, e.g. through the internal submission form.

26 minutes ago, Marcos said:

Real-world scenarios are what matters

Absolutely! See here: "Real-World Protection Test February-March 2024"

https://www.av-comparatives.org/tests/real-world-protection-test-feb-mar-2024-factsheet/

ESET 98.8%

Microsoft (free) 98.8%

Avast! (free) 100%

AVG (free) 100%

Kaspersky (free) 100%

So, who is trolling?????


Posted (edited)
13 hours ago, Marcos said:

It is Deep Behavior Inspection and not HIPS per se that monitors and reacts to suspicious behavior. It also triggers processes internally when suspicious operations are detected so it may not always loudly detect suspicious behavior.

Glad you clarified this; it was my assumption also.

DBI by default monitors select known LOL Win binaries such as cmd.exe that are often used by attackers to stage malware attacks. DBI monitoring can also be triggered by initial real-time heuristic scanning of observed abnormal behavior.

Edited by itman

13 hours ago, rotaru said:

There are 2 official, well known, respectable entities (AV-Test and AV-Comparatives) which perform these evaluations; no point of a "Google search".

AV labs operate under guidelines established by AMTSO: https://www.amtso.org/standards/ . One of those standards is for in-the-wild real-time tests, all malware must be downloaded from Internet; a practice violated by ad hoc testers such as PC Security Channel.

Additionally, AV labs do not perform AV integrity and breach capability testing. Security researchers do this type of testing, many times as a result of forensic analysis of a compromised system.

Posted (edited)

Since our "antagonist" in this thread believes Microsoft Defender provides better protection than Eset, it so happens that PC Security Channel recently retested it here: https://www.youtube.com/watch?v=snImtCq-WBw . I will summarize the testing results.

At default settings, MD missed a 3 year old ransomware sample among other things.

Our friend Leo, showing his bias, retested MD after applying its available optional attack surface reduction (ASR) rules. The problem with ASR use is they can only be applied via PowerShell or Group Policy, something outside the expertise of the average consumer user. Actually, what Leo deployed was a third-party MD configuration utility, DefenderUI, that simplifies creation of ASR rules among other settings. Whether this use is advisable is questionable. Only after ASR rules were created did MD pass all his malware sample tests. I also don't know what additional mitigations were deployed via DefenderUI.

Ref.: https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference

Edited by itman
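Since the post above says ASR rules can only be applied via PowerShell or Group Policy, here is what that looks like with Microsoft's own Defender cmdlets, without a third-party utility. This is an added example written for this thread, not code from the post, from DefenderUI or from Microsoft. It also audits the two settings the thread brings up as ransomware bypass points: Controlled Folder Access and real-time exclusions that cover a protected folder. The two rule GUIDs are the ones Microsoft's ASR reference lists for "Use advanced protection against ransomware" and "Block executables unless they meet a prevalence, age, or trusted list criterion"; verify them against the linked reference before deploying, and the `Projects` folder path is an assumed placeholder.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the post or from Microsoft): configure ASR rules with the
# built-in Defender cmdlets and audit the settings the thread says attackers abuse.

# Assumption: these GUIDs match the ASR rules reference linked above; check before use.
$AsrRules = @{
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executables unless they meet prevalence, age or trusted-list criteria'
}

# Start in AuditMode: Defender logs what the rule *would* block (event 1122 in the
# Microsoft-Windows-Windows Defender/Operational log) without interfering. Switch to
# 'Enabled' once the audit log shows no legitimate software being hit.
$Action = 'AuditMode'
foreach ($id in $AsrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Action
}

# Controlled Folder Access: block untrusted apps from writing to protected folders,
# and add a folder of your own to the protected list (assumed path).
Set-MpPreference -EnableControlledFolderAccess Enabled
Add-MpPreference -ControlledFolderAccessProtectedFolders "$env:USERPROFILE\Projects"

# --- Verification: read back what is actually in effect ---
$pref = Get-MpPreference
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

'ASR rules in effect:'
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id     = $pref.AttackSurfaceReductionRules_Ids[$i]
    $code   = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
    $name   = if ($AsrRules.ContainsKey($id)) { $AsrRules[$id] } else { '(other rule)' }
    $action = if ($actionNames.ContainsKey($code)) { $actionNames[$code] } else { "code $code" }
    '  {0}  {1,-8} {2}' -f $id, $action, $name
}

'Controlled Folder Access state (0=off, 1=block, 2=audit): {0}' -f $pref.EnableControlledFolderAccess
'Apps allowed through CFA: {0}' -f (@($pref.ControlledFolderAccessAllowedApplications) -join ', ')

# The bypass mentioned earlier in the thread: a real-time exclusion path that covers a
# protected folder means ransomware dropped there is never scanned. Flag any overlap.
# Windows' default protected folders (Documents etc.) are not returned by
# ControlledFolderAccessProtectedFolders, so Documents is added here explicitly.
$protected = @($pref.ControlledFolderAccessProtectedFolders) + @("$env:USERPROFILE\Documents")
foreach ($excl in @($pref.ExclusionPath)) {
    foreach ($folder in $protected) {
        if ($folder -and $excl -and
            $folder.TrimEnd('\').StartsWith($excl.TrimEnd('\'), 'OrdinalIgnoreCase')) {
            Write-Warning "Real-time exclusion '$excl' covers protected folder '$folder'"
        }
    }
}
```

One caveat that matters for this thread: ASR rules and Controlled Folder Access only act when Microsoft Defender is the active antivirus with real-time protection on. On a machine where ESET (or any other third-party AV) is registered with Windows Security Center, Defender runs in passive mode and these settings, although they are stored and `Get-MpPreference` will show them, do not enforce anything.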

Posted (edited)

Finally, I will point out that there is an AMTSO certified AV lab, MRG Effitas, that includes 0-day ransomware samples in its ransomware certification testing;

Quote

Ransomware Simulator Test

To assess how the protection product manages ransomware, we created ransomware samples in-house, ensuring the security product could only rely on its behaviour scanning modules, without the help of possibly known signatures or community verdicts. During Q4 2023 we tested 4 ransomware simulator samples.

https://www.mrg-effitas.com/wp-content/uploads/2024/03/MRG_Effitas_360_Q4_2023.pdf

Unfortunately, they only test commercial AV products. However, Eset Endpoint Security was tested which includes the same default ransomware protection as does EIS and ESSP.

Edited by itman