
ESET Home fails ransomware test



5 hours ago, czesetfan said:

For those interested in learning more about v.18 (and the new ESET Folder Guard), an Online help is now available: 

This is for all practical purposes identical in functionality to Microsoft Defender Controlled Folders feature.

The question is has Eset overcome its prior stated reason for not implementing this previously. That is malicious modification of an allowed Folder Guard app; e.g. ransomware injects .dll into explorer.exe, etc. to perform its encryption activities.


  • Administrators
1 hour ago, EAV8 said:

Honestly, it disappoints me that after all these years ESET still hasn't introduced anything significant in this version and is still raising prices of it...

Please be more specific as to what significant new features you are missing in ESET's products.

As for the price, I've compared prices of 2 competitive AV solutions; one essential plan (M) with the standard price 120$/year for 5 devices, another AV (A) with standard features for 80$/year for 3 devices. ESET with basically the same feature set costs 50e/year for 3 devices.  However, let’s not diverge into different subjects and keep the discussion focused on the ransomware.



3 minutes ago, Marcos said:

Please be more specific as to what significant new features you are missing in ESET's products.

As for the price, I've compared prices of 2 competitive AV solutions; one essential plan (M) with the standard price 120$/year for 5 devices, another AV (A) with standard features for 80$/year for 3 devices. ESET with basically the same feature set costs 50e/year for 3 devices.  However, let’s not diverge into different subjects and keep the discussion focused on the ransomware.


I will PM you with more info on this, instead of writing it here.


Wonder if the fact that the sample was encrypting files with a window open could affect things, I'd imagine a process encrypting files in the "background" would be more suspicious than a process with some sort of UI feedback, from an AV perspective. The ransomware only targeting files in the execution directory and probably being local only (as in not connecting to any C2, but I can't confirm that) doesn't really help things either.

Either way the only way to improve things is through testing, and there is no reason a malicious actor wouldn't employ these tactics if it can help to bypass the protection, exposing these flaws is always a good thing.

Also probably worth mentioning, judging an AV (or any product from any vendor for that matter) from a single sample is kind of ridiculous. This time ESET may have missed a sample, but another time some other vendor might miss a sample where ESET wouldn't instead, there is no silver bullet unfortunately.


3 hours ago, itman said:

This is for all practical purposes identical in functionality to Microsoft Defender Controlled Folders feature.

The question is has Eset overcome its prior stated reason for not implementing this previously. That is malicious modification of an allowed Folder Guard app; e.g. ransomware injects .dll into explorer.exe, etc. to perform its encryption activities.

I wonder if this will be respected in ransomware protection tests. That is, whether testers will set up a protected folder and test the effectiveness of the protection. 


28 minutes ago, foxtigerjungle said:

So with the LiveGuard Feature, the Ransomware would be recognized and blocked?

Refer to my above posting: https://forum.eset.com/topic/42899-eset-home-fails-ransomware-test/?do=findComment&comment=191134 . This applies to any ransomware variant.

The important point to note is LiveGuard submission is conditioned upon Eset local heuristic scan analysis and if it detects anything suspicious upon file creation or execution.

This contrasts with Microsoft Defender "block-at-first-sight" processing which will submit the file to its Azure cloud scanner if the file has not been previously locally scanned. The problem with it is MD relies on the "Mark-of-the-Web" file ADS attribute which can be and has been previously bypassed by attackers.

Edited by itman
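Added example, not part of the original post or of any vendor's code: a defender-side check for the Mark-of-the-Web dependence mentioned above. It parses the content of the `Zone.Identifier` alternate data stream and lists executable-type files in a download location that carry no Internet-zone mark. The file names and stream contents in `SAMPLE` are constructed, and the extension list is an assumption.

```python
import configparser

# Windows URL security zone IDs as stored in the Zone.Identifier stream.
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}
EXECUTABLE_EXT = (".exe", ".dll", ".msi", ".js", ".vbs", ".lnk", ".iso")  # assumed list

def read_stream(path):
    """Read the ADS on Windows/NTFS; returns None when the stream is absent."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None

def parse_zone_identifier(text):
    """Return the ZoneId from Zone.Identifier content, or None if missing or malformed."""
    if not text:
        return None
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text.lstrip("\ufeff"))
        return int(cp["ZoneTransfer"]["ZoneId"])
    except (configparser.Error, KeyError, ValueError):
        return None

def triage(inventory):
    """inventory: iterable of (filename, stream_text_or_None) from a download folder.
    Returns (filename, reason) for executable-type files lacking an Internet-zone mark."""
    findings = []
    for name, stream in inventory:
        if not name.lower().endswith(EXECUTABLE_EXT):
            continue
        zone = parse_zone_identifier(stream)
        if zone is None:
            findings.append((name, "no usable Mark-of-the-Web"))
        elif zone < 3:
            findings.append((name, "marked " + ZONES.get(zone, "unknown zone")))
    return findings

# Constructed sample inventory (not real files).
SAMPLE = [
    ("setup.exe", "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.test/setup.exe\r\n"),
    ("invoice.js", None),                       # stream absent
    ("tool.dll", "[ZoneTransfer]\r\nZoneId=1\r\n"),
    ("notes.txt", None),                        # not an executable type, ignored
    ("viewer.msi", "ZoneId=3\r\n"),             # malformed: section header missing
]

if __name__ == "__main__":
    for name, reason in triage(SAMPLE):
        print(f"{name}: {reason}")
```

On a Windows host, `read_stream(path)` supplies the second element of each inventory tuple.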

I have posted this previously and I will again in regards to Eset consumer products ransomware detection.

1. If there was a problem with Eset detecting ransomware, the forum would be full of postings in this regard.

2. The odds of a Windows home user getting hit by ransomware is slim to none. Ransomware developers direct their attacks against concerns with the financial resources to pay the high ransom payments demanded. There is zip financial incentive to attack a non-high valued consumer since paying the ransom is not an option. They don't have the financial resources to do so.

Bottom line - it's a risk versus reward net sum game. The small payout afforded by a consumer is not worth the risk to the attacker of having his ransomware or his identity detected.

Edited by itman

As far as BitDefender's effectiveness against ransomware, their consumer Total Security product didn't fare well in this latest AV-Test ransomware test;

Quote

It was not a good test day for Bitdefender. At first, an info stealer was not recognized and was not thwarted over the course of the test. Data was stolen accordingly and the first 4 points were lost. Moreover, in two cases, the attackers with ransomware were detected but not completely stopped. Although other defense mechanisms took effect, individual files were ultimately encrypted in 2 scenarios. This means that an additional two points were lost and the protection score was only 29 out of 35 points.

Ditto for their commercial Endpoint Security product;

Quote

While Bitdefender Endpoint Security "Ultra" received the full 35 points without any errors, the Endpoint Security version only received 30.5 out of 35 points. In the test, the version was able to detect two ransomware attackers, but could not block them completely. As a result, individual files were encrypted and a total of 2 points were lost. Bitdefender had a similar problem with an info stealer: although it was detected, it could not be completely stopped. This allowed the attacker to begin collecting data and stealing data. In this case, only 1.5 points of 4 remained – an additional 2.5 points were lost.

https://www.av-test.org/en/news/ransomware-and-info-stealers-17-security-solutions-in-the-atp-test/

-EDIT- I forgot to mention in this same test Microsoft Defender consumer version received a perfect score against ransomware whereas Microsoft Defender ATP commercial version did not. Microsoft Defender ATP exhibited the same behavior as above BitDefender; ransomware was detected but files still got encrypted.

All this raises serious questions if "ransomware behavior" blocking is nothing more than a myth.

Edited by itman

53 minutes ago, itman said:

I have posted this previously and I will again in regards to Eset consumer products ransomware detection.

1. If there was a problem with Eset detecting ransomware, the forum would be full of postings in this regard.

2. The odds of a Windows home user getting hit by ransomware is slim to none. Ransomware developers direct their attacks against concerns with the financial resources to pay the high ransom payments demanded. There is zip financial incentive to attack a non-high valued consumer since paying the ransom is not an option. They don't have the financial resources to do so.

Bottom line - it's a risk versus reward net sum game. The small payout afforded by a consumer is not worth the risk to the attacker of having his ransomware or his identity detected.

@itman You know I have posted a couple times ransomware infection with our business products in testing environments and reported this on the forum and to our region support. I had again the other day twice but didn't report it as it was once off infections and could replicate it a second time. Not a lot of people would come to a forum to report this, let's be honest it will only be tech/IT people that will do this. I cannot see my dad coming to a forum and reporting ransomware problems. This will only be answered by eset regarding tickets logged.

I do however agree with you when it comes to home users, they should benefit regarding protection from LiveGrid when it comes to business users being exposed. Also, home products till now do not have LiveGuard advanced.

As a side note, I do fairly feel confident eset will protect our clients as eset does a really good job to protect us and our customers. I'm aware in testing environments there might be changes this might happen. Hence reporting it will help improve the product.


17 hours ago, AZ Tech said:

Based on my previous experience and tests I conducted myself, I have found that ESET excels in signature detection and web protection.
However, in the area of behavior-based detection, it seems to lag behind other solutions, which is concerning.

I understand that the representatives in this forum, including ESET employees, may be limited in what they can acknowledge due to company policy.
Nevertheless, as a paying customer, it can be frustrating when the responses seem to sidestep valid concerns rather than address them directly.

I believe that if ESET were to focus on improving its behavior-based detection capabilities, rather than defending shortcomings, it would not only enhance the product but also strengthen trust with its customer base.
This shift in focus would benefit both the company and its users.

I agree. Zero-Day Ransomware is statistically the #1 threat after Phishing which Eset handles well. Eset MUST improve malicious behavior detection.

Edited by MarcFL
