ESET Home fails ransomware test

The question is if Eset Smart Security Premium with the LiveGuard component would have detected this ransomware sample.

Determining factors:

1. The sample would have to first be auto submitted to LiveGuard.

2. The sample does not perform sandbox evasion tactics.

3. LiveGuard actually detected the en masse encryption activity. This one is questionable since EIS didn't detect the encryption activity.

Then there is the question if this sample was run on a device where Eset Intel TDT ransomware protection was activated.

Edited by itman

I think he would have everything set up correctly. I have seen that LiveGuard does not always block until a verdict is returned but allows the sample to run while submitting it. This could be too late, as we saw. Also, Intel TDT is only for certain CPUs, and not for laptop CPUs etc., so this is a bit misleading as it is very limited to certain CPUs. I would like to get this sample and test it against EES, which has LiveGuard Advanced.

Edited by QuickSilverST250

3 minutes ago, QuickSilverST250 said:

This could be too late, as we saw. Also, Intel TDT is only for certain CPUs, and not for laptop CPUs etc., so this is a bit misleading as it is very limited to certain CPUs.

Perhaps @Marcos could "enlighten us" as to whether LiveGuard cloud processing employs Eset Intel TDT ransomware protection?


3 minutes ago, itman said:

Perhaps @Marcos could "enlighten us" as to whether LiveGuard cloud processing employs Eset Intel TDT ransomware protection?

I would also like to know what the Intel TDT section in the profile is; does it use the host CPU or the cloud server CPU?


  • Administrators

Regardless of this sample, it's a fact that there's nothing like 100% detection and protection with little FPs.

Making conclusions based on a sample that we don't have and cannot test to find out what exactly it does is impossible. I've searched for this file name but such file has not been submitted to LiveGrid which makes me deduce the user probably had the ESET LiveGrid feedback system turned off. As a result, not all detection/protection mechanisms in the ESET Ransomware shield would be employed. Unfortunately we don't have the SHA1/SHA256 of the file so we cannot analyze it and comment on it further unless we get the sample.

Last but not least, in a real-world scenario with ESET LiveGuard mentioned by itman, the sample would have been likely submitted for a cloud analysis upon download from the Internet and its execution would have been postponed until the result of the analysis was known.


12 minutes ago, Marcos said:

I've searched for this file name but such file has not been submitted to LiveGrid which makes me deduce the user probably had the ESET LiveGrid feedback system turned off. As a result, not all detection/protection mechanisms in the ESET Ransomware shield would be employed.

At 3:04 you can see that it was enabled:

[screenshot]


  • Administrators

I think I have found it, however, I had to pause protection in order to test it and avoid detection:

[screenshot]

With protection enabled:

[screenshot]

The detection was added on May 30 when it was blocked also in LiveGrid. The only explanation I can think of is that the user tested a different file or before the detection was added. So until we know its hash or get the sample, it's impossible to comment on it. I'd also point out that only files in the folder from which it was executed were encrypted, i.e. it doesn't go through all folders like typical ransomware.


I was also about to paste this link, and as far as I know, the user is a former employee of Emsisoft.

Also, in case LiveGuard is disabled, why didn’t HIPS come into action? Not everything can be dependent on cloud/LiveGuard or signatures.

Edited by hellosky11

Based on my previous experience and tests I conducted myself, I have found that ESET excels in signature detection and web protection.
However, in the area of behavior-based detection, it seems to lag behind other solutions, which is concerning.

I understand that the representatives in this forum, including ESET employees, may be limited in what they can acknowledge due to company policy.
Nevertheless, as a paying customer, it can be frustrating when the responses seem to sidestep valid concerns rather than address them directly.

I believe that if ESET were to focus on improving its behavior-based detection capabilities, rather than defending shortcomings, it would not only enhance the product but also strengthen trust with its customer base.
This shift in focus would benefit both the company and its users.


6 hours ago, Marcos said:

I think I have found it, however, I had to pause protection in order to test it and avoid detection:

[screenshot]

With protection enabled:

[screenshot]

The detection was added on May 30 when it was blocked also in LiveGrid. The only explanation I can think of is that the user tested a different file or before the detection was added. So until we know its hash or get the sample, it's impossible to comment on it. I'd also point out that only files in the folder from which it was executed were encrypted, i.e. it doesn't go through all folders like typical ransomware.

Now what you're saying is quite interesting for me. Does that mean ESET is detecting based on virus hashes?

It would be weird for an anti-virus to detect a virus from a hash, not to make detection deeper and see what it actually does.


6 hours ago, cofer123 said:

At 3:04 you can see that it was enabled:

If so, why doesn't it appear here?

[screenshot]

4 hours ago, czesetfan said:

Here the question automatically arises: would ESET Folder Guard, deployed in v.18, work in this case? ⚠️

ESET Folder Guard?
Do you already know more about new features?

Edited by foxtigerjungle

  • Administrators
57 minutes ago, f4ust said:

Now what you're saying is quite interesting for me. Does that mean ESET is detecting based on virus hashes?

It would be weird for an anti-virus to detect a virus from a hash, not to make detection deeper and see what it actually does.

Of course not, please read more about various ESET technologies that are employed: https://www.eset.com/int/about/technology/. Nowadays no AV depends on blocking hashes.

By the way, not sure if I overlooked it but I did not find the date and time when ESET was updated. With at least 2 other products it was clearly in October but with ESET we can only see that the file was created on May 29, ie. one day before the detection was added.

[screenshot]

As I have already mentioned, this file encrypts files only in the current folder from which it was run. It does not walk through other folders like other actual ransomware, which might account for why it was not detected by the Ransomware shield prior to adding the detection.

For instance, you can use traditional compressors and packers to craft a trivial ransomware which will move existing files into password protected archives most likely without being detected by any AV.


13 minutes ago, czesetfan said:

For those interested in learning more about v.18 (and the new ESET Folder Guard), an Online help is now available:

https://help.eset.com/essp/18/en-US/idh_page_folder_guard.html 🌞

As far as I can see, unfortunately there isn't much new coming.

Thank you.


@Marcos

Is it possible for you to contact The PC Security Channel to get the file?

Edited by foxtigerjungle

3 hours ago, foxtigerjungle said:

If so, why doesn't it appear here?

LiveGrid (as Marcos mentioned) and LiveGuard are different features and the latter does not appear on that screen.


25 minutes ago, cofer123 said:

LiveGrid (as Marcos mentioned) and LiveGuard are different features and the latter does not appear on that screen.

If LiveGuard is the important feature here, the elephant in the room is why it is not "on" by default? I have sincere doubts that the PCSC turned it off manually.


4 minutes ago, ichkriegediekriese said:

If LiveGuard is the important feature here, the elephant in the room is why it is not "on" by default? I have sincere doubts that the PCSC turned it off manually.

Because they have tested ESET Internet Security, which doesn't have LiveGuard, but still has (or should have) behavior detection, which didn't work on this sample.


2 minutes ago, cofer123 said:

Because they have tested ESET Internet Security, which doesn't have LiveGuard, but still has (or should have) behavior detection, which didn't work on this sample.

ah - now I get it, thx


4 hours ago, Marcos said:

By the way, not sure if I overlooked it but I did not find the date and time when ESET was updated. With at least 2 other products it was clearly in October but with ESET we can only see that the file was created on May 29, ie. one day before the detection was added.

I would not be surprised if PC Security Channel employed a bit of "trickery" here for the EIS test: ensuring that ESET's date of last signature update is prior to ESET adding a signature for the ransomware tested. Leo's objective is to test AV behavior-only detection of ransomware.

4 hours ago, Marcos said:

As I have already mentioned, this file encrypts files only in the current folder from which it was run. It does not walk through other folders like other actual ransomware, which might account for why it was not detected by the Ransomware shield prior to adding the detection.

This is a significant observation.

Many "test" ransomware such as KnowBe4's Ransomware simulator: https://www.knowbe4.com/free-cybersecurity-tools/ransomware-simulator operate as noted above: they encrypt files in a single designated test folder/directory. As has been discussed previously at length in the forum: https://forum.eset.com/topic/10792-ransomware-simulators-a-detailed-analysis/, Eset will not detect these test ransomware due to the fact that they don't exhibit actual ransomware behavior. Encrypting files in a single folder/directory per se is not "real world" ransomware behavior.

Edited by itman
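To make the point Marcos and itman raise above concrete (a behavioral ransomware shield keyed on mass encryption across many folders will not fire on a sample that only rewrites the folder it was launched from), here is an added toy example of such a directory-spread heuristic. It is not ESET's code and not taken from the thread; the event format, paths, payloads and thresholds are all constructed for illustration. It scores each process by how many encrypted-looking (high-entropy) writes it made and how many distinct directories it touched, and then shows how lowering the directory threshold catches the single-folder sample at the cost of more false positives.

```python
import math
import ntpath
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Writes whose content entropy is at or above this (bits per byte) are
# treated as "looks encrypted or compressed". Constructed threshold.
HIGH_ENTROPY = 7.5


@dataclass(frozen=True)
class FileEvent:
    """One file write as a filter driver might report it (constructed format)."""
    pid: int
    path: str     # Windows-style path; ntpath keeps parsing portable
    data: bytes   # content written


@dataclass
class ProcessStats:
    dirs: set = field(default_factory=set)   # distinct directories written to
    high_entropy_writes: int = 0             # writes that look encrypted


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def summarise(events):
    """Aggregate per-process write statistics from a stream of FileEvents."""
    stats = defaultdict(ProcessStats)
    for ev in events:
        s = stats[ev.pid]
        s.dirs.add(ntpath.dirname(ev.path))
        if shannon_entropy(ev.data) >= HIGH_ENTROPY:
            s.high_entropy_writes += 1
    return stats


def is_mass_encryption(s: ProcessStats, min_files=10, min_dirs=3) -> bool:
    """Flag a process only when many encrypted-looking writes are spread
    across several directories; a process that stays in one folder is
    left alone, which is exactly the gap the thread discusses."""
    return s.high_entropy_writes >= min_files and len(s.dirs) >= min_dirs


def classify(events, **thresholds):
    """Return {pid: verdict} for every process seen in the event stream."""
    return {pid: is_mass_encryption(s, **thresholds)
            for pid, s in summarise(events).items()}


# Constructed payloads: ENCRYPTED has entropy exactly 8.0, PLAINTEXT far below.
ENCRYPTED = bytes(range(256)) * 4
PLAINTEXT = b"quarterly report draft\n" * 40


def single_folder_sample():
    """Constructed: 12 files rewritten in the folder the sample was launched from."""
    d = r"C:\Users\test\Desktop\samples"
    return [FileEvent(100, rf"{d}\doc{i}.txt", ENCRYPTED) for i in range(12)]


def folder_walker_sample():
    """Constructed: 12 files rewritten across four user/share directories."""
    dirs = [r"C:\Users\test\Documents", r"C:\Users\test\Pictures",
            r"C:\Users\test\Desktop", r"D:\share\finance"]
    return [FileEvent(200, rf"{dirs[i % 4]}\file{i}.docx", ENCRYPTED)
            for i in range(12)]


def benign_editor():
    """Constructed: an editor saving plain text in one folder."""
    d = r"C:\Users\test\Documents"
    return [FileEvent(300, rf"{d}\notes{i}.txt", PLAINTEXT) for i in range(12)]


def run_demo():
    """Default thresholds miss the single-folder sample; relaxing min_dirs to 1
    catches it, but would also flag any single-folder tool writing archives."""
    events = single_folder_sample() + folder_walker_sample() + benign_editor()
    default = classify(events)             # {100: False, 200: True, 300: False}
    strict = classify(events, min_dirs=1)  # {100: True, 200: True, 300: False}
    return default, strict


if __name__ == "__main__":
    for label, verdicts in zip(("default thresholds", "min_dirs=1"), run_demo()):
        print(label, verdicts)
```

The trade-off the second run shows is the one the thread circles around: a shield tuned to ignore single-folder activity will miss a sample like the one tested, while one tuned to flag it will also hit archivers and backup tools that legitimately produce high-entropy files in one place, which is why vendors lean on additional signals (cloud reputation, sandbox verdicts, file-type and extension changes) rather than this count alone.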

This, I would say, is a weakness of ESET. There are no "rules" when it comes to threat actors. Adversaries will find any way to avoid detections. Bitdefender and Kaspersky detected this and avoided the problem. To say this is not "real world" is no reason for ESET not to detect this. What wasn't real world a year ago is real world today. Ever changing landscape. To be fair, it would submit the sample and hopefully get it rated as malicious and, shortly after, protect other endpoints.

Edited by QuickSilverST250

4 hours ago, Marcos said:

As I have already mentioned, this file encrypts files only in the current folder from which it was run. It does not walk through other folders like other actual ransomware, which might account for why it was not detected by the Ransomware shield prior to adding the detection.

For instance, you can use traditional compressors and packers to craft a trivial ransomware which will move existing files into password protected archives most likely without being detected by any AV.

To be 100% honest, this is probably the most important aspect here. It would be interesting to have seen a test with behavior more similar to real ransomware, rather than a test where only one folder is affected, which obviously shouldn't normally set off alarm bells at the anti-ransomware level.

1 hour ago, ichkriegediekriese said:

If LiveGuard is the important feature here, the elephant in the room is why it is not "on" by default? I have sincere doubts that the PCSC turned it off manually.

As another user pointed out, the test used the Internet Security version, which unfortunately (and I can't figure out how) doesn't have this functionality. Honestly, it disappoints me that after all these years ESET still hasn't introduced anything significant in this version and is still raising prices of it...

I've been using ESET for over 16 years, but this year I don't plan to renew my licenses (internet security) as the price has increased significantly again without the introduction of new effective features such as Live Guard. For the renewal price, there are better and more evolved offers on the market.

As someone who manages and implements EDR/XDR solutions in enterprise environments, and also looking at the rest of the “home user” market, I feel that EIS doesn't offer enough. I still maintain that Live Guard is a key component these days, and shouldn't be restricted to the premium version.

Edited by EAV8
