cutting_edgetech (ESET Insiders), posted July 1, 2015:

Does ESET Smart Security or NOD32 have a behavior blocker? I know ESET has great heuristics, but I have never heard any mention of a BB. I think it would be a great feature to have that could report back to the cloud to help identify new threats.
SweX, posted July 1, 2015 (edited):

I guess you could say that AMS (Advanced Memory Scanner) is a kind of behavior blocker/monitor/inspector... I no longer test against malware, but when I did, I saw that AMS was successful at detecting malware shortly after execution that had not been detected by one of the earlier layers in the product.

"Advanced Memory Scanner complements Exploit Blocker, as it is also designed to strengthen protection against modern malware. In an effort to evade detection, malware writers extensively use file obfuscation and/or encryption. This causes problems with unpacking and can pose a challenge for common anti-malware techniques, such as emulation or heuristics. To tackle this problem, the Advanced Memory Scanner monitors the behavior of malicious processes and scans them once they decloak in memory. This allows for effective detection of even heavily obfuscated malware. Unlike Exploit Blocker, this is a post-execution method, which means that there is a risk that some malicious activity could have been performed already. However, it steps into the protection chain when everything else fails."

hxxp://www.eset.com/int/about/technology/#advanced-memory-scanner
cutting_edgetech (ESET Insiders, thread author), posted July 2, 2015:

Thank you for the response! I wonder exactly what behavior AMS looks for. Maybe it could be turned into a more comprehensive BB. It's hard to say without knowing what it looks for to identify threats.
Marcos (Administrators), posted July 2, 2015:

AMS merely triggers a memory scan when suspicious process activity has been detected.
Aryeh Goretsky (ESET Moderators), posted July 29, 2015:

Hello,

Are you thinking of HIPS, perhaps?

Regards,

Aryeh Goretsky
cutting_edgetech (ESET Insiders, thread author), posted February 12, 2016:

No, I am not thinking of ESET's HIPS. I see how ESET's HIPS aids in blocking exploits, but I was thinking of something more like Emsisoft's BB.
chrcoluk, posted May 13, 2016:

I too would like more information on this. The description from ESET on AMS is extremely vague, and whilst Marcos has offered a bit more insight, he still hasn't clarified how NOD32 determines a process to be suspicious.

The post above mine is proof that customers of ESET are looking at the competition, given that they researched what Emsisoft are doing, and I too can confirm I was doing the same: yesterday I spent about 3-4 hours mulling whether to buy NOD32 licenses or Emsisoft licenses for my laptop and W10 testing machine. I came very close to Emsisoft due to the behaviour blocker (of which their documents and staff explain what it looks for, as well as it being configurable), but in the end stayed loyal to ESET because I have used it for so long, and I have developed some HIPS rules for use in NOD32.

Maybe ESET think it's not wise to reveal how this stuff works, as then a bad guy reading this forum knows how to work round it, but it also makes your customers not trust your product so much, as they cannot be sure they are protected from certain types of malware.

I run HitmanPro.Alert alongside NOD32, and disabled NOD32's EB and AMS because I fear it conflicts with HMPA, and I use HMPA for exploit blocking because they have gone into detail about what they do to block exploits, whilst ESET's description is very vague. I used to run EMET alongside NOD32 before using HMPA, and things EMET protected against, such as bypassing OS-level DEP, NOD32 never blocked, so I am honestly very confused about specifically what Exploit Blocker does and what behaviour AMS looks for.
toxinon12345 (ESET Insiders), posted May 13, 2016 (edited):

Advanced Memory Scanner does a dynamic DNA scan without the need for emulation. AMS is proprietary technology and extends proactive longevity, reaching high (>90%) detection rates.
itman, posted May 19, 2016 (edited):

More and more malware these days is being downloaded packed and obfuscated. This type of malware is designed to only unpack and de-obfuscate after it has been loaded into memory, i.e. started execution. Since the malware is packed on download, conventional signature-based methods cannot detect it in that state. What ESET's AMS does is detect the unpacking activity and then scan the malware in memory using its DNA signatures. As is explained in ESET's write-up on AMS, it is post-execution detection. As such, there is a chance that partial infection has occurred.

HMP-A is first and foremost anti-exploit software that over time has expanded its scope to include other protections, such as for ransomware and the like. Exploits attack allocated process memory by heap spraying and the like. They also attack kernel table areas and the like. Note that malware packing is not an exploit technique. Exploits need a vulnerability.
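An added illustration of the post-execution detection itman describes (this is constructed example code, not ESET's code and not the real AMS logic, whose trigger conditions the thread says are undisclosed): a constructed XOR-"packed" sample is missed by a static scan of the file, unpacks itself in memory, and a memory scan fired by that unpacking event then matches a wildcard hex signature. The in-place self-rewrite used as the trigger, the signature, and the sample bytes are all assumptions of this example.

```python
import re

# Constructed wildcard hex signature (YARA-style, ?? = any one byte), standing
# in for a generic code-fragment ("DNA"-like) signature rather than an exact string.
SIGNATURES = {"Toy/Agent.A": "6a 00 68 ?? ?? ?? ?? e8 ?? ?? ?? ?? 6a 01"}

def compile_signature(pattern: str):
    """Turn 'aa ?? bb' into a bytes regex where ?? matches any single byte."""
    parts = [b"." if tok == "??" else b"\\x%02x" % int(tok, 16)
             for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)

COMPILED = {name: compile_signature(p) for name, p in SIGNATURES.items()}

def scan(data: bytes) -> list:
    """Return the names of every signature that matches anywhere in data."""
    return [name for name, rx in COMPILED.items() if rx.search(data)]

def xor_transform(data: bytes, key: int) -> bytes:
    """Constructed 'packer': single-byte XOR hides the fragment from a static scan."""
    return bytes(b ^ key for b in data)

# Constructed unpacked code fragment that the signature above was written for.
UNPACKED = bytes.fromhex("6a0068deadbeefe8112233446a01") + b"\x90" * 8
KEY = 0x5A
PACKED_FILE = xor_transform(UNPACKED, KEY)   # the form that lands on disk

class ToyProcess:
    """Simulated process: loads the packed image, then unpacks it in place."""
    def __init__(self, image: bytes, key: int):
        self.memory = bytearray(image)
        self.key = key
        self.on_suspicious = []   # scanner hooks run when a trigger event fires

    def run(self) -> None:
        # Assumed trigger event: the process rewrites its own image in memory.
        # Whatever ran before this point has already run: the post-execution caveat.
        self.memory[:] = xor_transform(bytes(self.memory), self.key)
        for hook in self.on_suspicious:
            hook(bytes(self.memory))

def demo() -> tuple:
    """Return (static scan hits on the file, memory scan hits after unpacking)."""
    static_hits = scan(PACKED_FILE)
    memory_hits = []
    proc = ToyProcess(PACKED_FILE, KEY)
    proc.on_suspicious.append(lambda mem: memory_hits.extend(scan(mem)))
    proc.run()
    return static_hits, memory_hits
```

Running `demo()` shows the static scan returning nothing while the triggered memory scan reports the signature, which is the layering SweX's quoted description and itman's post both describe.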
Marcos (Administrators), posted May 21, 2016:

"As is explained in ESET's write-up on AMS, it is post-execution detection. As such, there is a chance that partial infection has occurred."

The good news is that this normally doesn't happen. I've seen cases when a trojan was detected by AMS upon execution but it was not terminated for some reason. We've recently made some improvements in this regard, and those who have LiveGrid enabled and working can benefit from it even more. Currently these improvements are in modules on pre-release update servers and will be released to the general public soon.