Feedback from Corporate Customer


Staj

We've been using ESET security products (v5) as part of our IT security strategy for about a year now and I thought I would provide some feedback to other users and ESET itself.

 

I'm in charge of IT Security for a civil-oriented subsidiary of a large defense conglomerate; I'm also formally trained in IT Security and digital forensics. We operate dozens of sites all over the country the subsidiary operates within. We are also a particular target of APTs and have developed policies and systems to accommodate such threats. Our main priorities are confidentiality and availability of services as we operate mission-critical systems, some relating to safety and compliance. We utilise ESET Endpoint products on all of our systems and servers, excluding certain digital forensic setups.

 

I think that false negative rates of the engine for serious malware threats have been acceptable for most of our environments, but the false negative rates for "unwanted applications" have been quite poor; we have noticed this especially with our portable systems which do not operate in high security environments. I've also found the ability for the software to clean an infection to be poor (~10% success rate). That said, all enterprises should have a policy of reimaging compromised systems, but occasionally availability of a mission-critical system takes priority over confidentiality, such as certain safety or legal compliance enforcement systems.

We also constantly receive feedback from users that the new removable media scanning functionality of v5 has inconsistent performance and access issues, to the extent that support calls need to be raised because their media becomes completely inaccessible for long periods of time whilst the engine performs its scanning.

 

I think the manageability aspects of the products are designed with managing large numbers of systems in mind, but they too have some issues. Performance and footprint have been a particular problem regarding ERAS: we are constantly hitting configured limits, and performance of ERAC remotely is so poor we've had to abandon that altogether and use it locally within a remote desktop session on the ERAS servers themselves.

Unfortunately, we've also found the Reports functionality to be fairly useless and disappointing, to the extent that we found it was easier to integrate our existing reporting solutions into ESET rather than dealing with the HTML output and converting it to a presentable format. More report output formats would be useful such as PDF.

I must admit, I'm a bit of a fan of the Remote Administrator web dashboard even if it is a gimmick. It's useful to have during audits and inspections, but it would be nice to see more tools for responding to incidents and alerts integrated into it.

 

We had an incident by an APT recently which involved using a compromised code signing certificate; we would love to have more tools which would allow us to respond better and faster to identified breaches. We've found that certificate handling functionality within Windows, and other platforms, isn't always enough, and CAs are too slow to revoke compromised certificates. In this case, it would have been great to add the compromised certificate details into a Policy, push it out to clients and have the engine deal with files which were signed with any rogue certificates.

 

I also think more functionality to allow for integration of external components would be great, especially on the manageability side of things. APIs and more command-line utilities would be appreciated and would allow us to automate certain management workflows and reactions. In a world where security solutions are becoming flexible, scriptable and even open source, this inability to customise the software to our specific security, workflow and integration requirements is a major disadvantage.

 

One thing worth mentioning is that the sales process we undertook was horrific. The ESET partners we dealt with were completely unprofessional, unorganised and unresponsive. We shouldn't have to elevate issues to ESET country managers to migrate and expand licenses. Although this has been resolved, it will be one of the things raised in our next renewal and purchase review as a negative against ESET, as the professionalism of partners is not of an acceptable standard and definitely not comparable with the partners/vendors of other competing products.

Overall, we're satisfied with the product, but it's important to understand its limitations and scope. I think it's critical to have a strong network-based IDS and IPS alongside these host-based products; we even use additional host-based solutions in certain cases.

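The compromised code-signing certificate scenario in the post above describes a response that ESET Endpoint v5 could not perform through Policy. The following script is an added example, not code from Staj or from ESET, showing what a Windows administrator can do natively in the meantime: distrust the certificate on the host by placing it in the Disallowed store (CryptoAPI treats anything there as untrusted regardless of CA revocation status) and then inventory executables whose Authenticode signer matches the rogue certificate's thumbprint. The thumbprint, the .cer path and the scan roots are assumptions supplied by the caller; the output CSV path is an arbitrary choice. Distribution to clients (GPO, your software deployment tool, or a scheduled task) is left to the reader's environment.

```powershell
# Added example (not part of the original thread): local response to a
# compromised code-signing certificate on a Windows host.
# Assumes the caller supplies the rogue certificate's SHA-1 thumbprint
# (placeholder, 40 hex characters) and optionally its exported .cer file.
param(
    [Parameter(Mandatory)] [string] $RogueThumbprint,   # placeholder: 'AAAAAAAAAA...' (40 hex chars)
    [string] $RogueCerPath,                             # optional: exported .cer of the rogue certificate
    [string[]] $ScanRoots = @(
        "$env:ProgramFiles",
        "${env:ProgramFiles(x86)}",
        "$env:ProgramData",
        "$env:SystemRoot\Temp"
    )
)

# Normalise the thumbprint to bare hex so pasted values with spaces/colons still match.
$RogueThumbprint = ($RogueThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($RogueThumbprint.Length -ne 40) {
    throw "Expected a 40-character SHA-1 thumbprint, got '$RogueThumbprint'."
}

# Step 1: distrust the certificate locally. Certificates in the machine-wide
# Disallowed ("Untrusted Certificates") store fail chain validation even if the
# issuing CA has not revoked them yet, which addresses the slow-revocation problem.
if ($RogueCerPath) {
    Import-Certificate -FilePath $RogueCerPath `
        -CertStoreLocation 'Cert:\LocalMachine\Disallowed' | Out-Null
}

# Step 2: find signed binaries whose signer certificate is the rogue one.
# Get-AuthenticodeSignature reports the signer regardless of whether the
# signature currently validates, so files signed before distrust are still found.
$hits = Get-ChildItem -Path $ScanRoots -Recurse -File `
        -Include *.exe, *.dll, *.sys, *.msi, *.ps1 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($sig.SignerCertificate -and
            $sig.SignerCertificate.Thumbprint -eq $RogueThumbprint) {
            [PSCustomObject]@{
                Path   = $_.FullName
                Status = $sig.Status            # e.g. NotTrusted once the cert is in Disallowed
                Signer = $sig.SignerCertificate.Subject
                SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
    }

# Record the findings for the incident file; quarantine/removal is a separate,
# deliberate step so that availability-critical systems are not broken blindly.
$report = Join-Path $env:ProgramData 'rogue-cert-hits.csv'
$hits | Export-Csv -Path $report -NoTypeInformation
$hits | Format-Table -AutoSize
Write-Host "Found $(@($hits).Count) file(s) signed by $RogueThumbprint; report at $report"
```

The script only reports; deleting or quarantining the matched files is left as a separate decision because, as the post notes, availability of a mission-critical system sometimes has to win over immediate cleanup.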

  • ESET Moderators

Thank you @Staj for your well-written and thoughtful feedback. I can't speak for all of ESET (and am probably only the first to reply to thank you because of the time difference) but I'm sure many others will appreciate your comments as well.

 

All of your feedback concerns development/sales/product management, so I will be sure that they are forwarded this post. From the Knowledgebase perspective (my purview), I don't think there's much for me to offer you (you obviously know your way around our software), but any documentation or support (how-tos, videos, etc.) you would like to see for yourself or your users, let us know any time.


  • ESET Moderators

Hello,

Writing disinfectors for malware is prioritized based on a variety of factors, including the number of reports ESET is seeing through its LiveGrid system, the threat the malware poses, how problematic it is for a customer to manually remove the malware and so forth. In some cases, ESET makes standalone disinfectors available, and in the next version of the software these will be more tightly integrated. In some cases it is not possible to repair the damage caused by malware; for example, a computer virus which has overwritten part of a file and, as a result, that original code is gone. If you are seeing malware which you feel ESET should be removing and is not, submit it to ESET's threat researchers for examination. For information on how to do so, see ESET Knowledgebase Article 141, "How do I submit a virus, website or potential false positive sample to ESET's lab?"

As a defense contractor, your definition of potentially unwanted applications may be a little stricter than ESET's. Each time a program is classified as a PUA, one of ESET's senior researchers is involved, because determining what is and is not potentially unwanted behavior takes experience and judgment in order to make the decision. If there is something you are seeing which is not detected as a PUA and think should be, let us know. You can use the same mechanism listed to report a PUA to ESET's threat researchers.

I'm not sure why you are having issues with ESET Remote Administrator, but this sounds like something ESET's business support engineers or sales engineers could help investigate. You can contact your regional ESET office to arrange that.

ESET does offer an SDK for its API, but that's largely geared to companies that want to include anti-malware functionality in another product. It is not something I have personally worked with, but the business development department in your regional ESET office would be a good starting point to get more information about that. For command-line utilities, please see the Utilities page of ESET's web site, and the list of parameters for the ESET Command Line Scanner (ecls.exe) can be found here in ESET's knowledgebase.

Thank you for the detailed feedback.

Regards,

Aryeh Goretsky


Hello Aryeh,

Thank you for your response. All of the issues we have about detection and removal are regarding PUAs as opposed to more serious variants of malware; I should make that clarification, as we've been quite impressed with ESET's heuristic detection, especially with new variants and even targeted malware. Unfortunately, due to security policy, submission of samples from incidents is difficult for a company like ours, limiting our ability to collaborate with the security community in that regard. When I provided my feedback, it was a comparison of ESET's PUA functionality with the functionality present in competing products, which seem to be able to handle these lower-level threats better.

 

Regarding APIs and command-line utilities, I should clarify this too: I was referring to the management of clients themselves. ERAC is useful, but being able to integrate it, via APIs or via the command line, into our other IDS and IPS solutions and push out new policies in reaction to incidents would allow for better automation.

 

Regarding our ESET regional office, I'm not sure that would be possible/desirable given the experience we've had before with even basic sales issues, but I may be confusing one of ESET's partners with its regional office for my area.

 

I appreciate the time you took to respond to my feedback, thank you again.


  • Administrators

From my personal experience, ESET detects many more PUAs than any other competing products. Even if they start detecting a certain PUA, they remove detection after receiving a complaint from the application's vendor, most likely because further disputes with vendors always require a lot of investigation which is time and resource consuming.

 

Also I'd like to emphasize that unlike some other vendors, ESET only detects files that actually pose a risk, i.e. configuration files, images, text files, etc. are not detected and removed. These files are often installed with potentially unwanted applications. Therefore, in order to remove PUAs completely, we always recommend running uninstall via the Control Panel -> Add/Remove Programs rather than deleting exe and dll files only.


  • ESET Moderators

Hello,

 

I understand the issues you have with sample submission due to your industry sector. Potentially Unwanted Applications are, by their nature, not malicious software, just software that is potentially unwanted. That is why ESET (and other security software vendors) display different types of dialogs than those displayed for malware, have options to toggle detection, options to exclude them from detection and so forth. Also, they are, by definition, not going to be Advanced Persistent Threats or targeted malware, nor are they going to be the kind of things that a determined adversary employs. Because PUAs are publicly available and commonly bundled as sponsoring software with another application, actually all ESET's threat researchers would need to know is the name and version of the PUA, or at least the application it was bundled with. Perhaps this is something you could speak with your legal/compliance/risk/internal security folks with and get permission to share, since it has no real-world effect on your employer's security posture. I know it's a lot of work to get sign off on something as simple as "FreeSuperAppPlatinumDeluxe Version 2013 contains a copy of SuperAwesomeToolbar 3.0 you aren't detecting with virus signature database 1234" but it is something to consider.

 

Thank you for clarifying the API question: that's a little different than what I initially thought; however, bizdev should still be able to help you out with that. It sounds similar in nature to the managed service provider offering they created.

 

Regards,

 

Aryeh Goretsky


  • 1 month later...

We've been using ESET security products (v5) as part of our IT security strategy for about a year now and I thought I would provide some feedback to other users and ESET itself.

...

 

One thing worth mentioning is that the sales process we undertook was horrific. The ESET partners we dealt with were completely unprofessional, unorganised and unresponsive. We shouldn't have to elevate issues to ESET country managers to migrate and expand licenses. Although this has been resolved, it will be one of the things raised in our next renewal and purchase review as a negative against ESET, as the professionalism of partners is not of an acceptable standard and definitely not comparable with the partners/vendors of other competing products.

Overall, we're satisfied with the product, but it's important to understand its limitations and scope. I think it's critical to have a strong network-based IDS and IPS alongside these host-based products; we even use additional host-based solutions in certain cases.

 

I would like to second the input of Staj regarding the local sales process.

 

In our own office (5 users) we have happily paid for direct downloads of small numbers of antivirus licenses for several years without issue. Recently a client requested a needs assessment for an office of 25+ computers and users. We recommended ESET and assisted them with the sales process. Sadly, when it comes to groups of this size, the client is forced to make the purchase via a local reseller.

 

The reseller took ages to respond by phone, eventually sending a quote by e-mail, and then sent a batch of licenses without invoicing. We kept chasing them to issue an invoice, so as not to risk installing licenses that could at any time be revoked by ESET for non-payment.

 

Eight weeks since being referred to the (Trinidad and Tobago) reseller, the client still has not been invoiced. Yes, they sent a file containing license keys and we installed for the client. We reminded them to issue the invoice so the client can pay. They first interpreted the reminder as a request to invoice US (how can you not know who you gave 25 license keys to??). We clarified but are still not able to get anyone by phone. E-mails take days or weeks to be noticed. How long till the client loses protection?

 

I have to question the value of having a local representative when all the end user needs is to send payment online and receive a batch of licenses! We have taken care of the individual installs, keeping track of who is issued which key, etc, so it seems all the reseller does is collect a commission for our recommendation, and create extra steps to issuing keys. I now regret making this recommendation, even though I know from experience that the product is good. How do I sign up to replace the local rep? It's partly a joke, but I would be very willing for the sake of my own clients' experience! And if ESET ever tells me that because I am in Trinidad and Tobago I have to go through a local firm to buy my own 5 licenses.... that will be the last day I use an otherwise excellent product! :-(


  • ESET Moderators

Hello,

If you can send me a private message with your name, email address and the username portion of the twenty-five license keys (the part that begins with EAV-##########) I will see what I can do to assist in getting the licensing and invoicing straightened out.

Regards,

Aryeh Goretsky
