Desperately Need HIPS File Wildcard Support!

[itman 1,659]

I have waited long enough for Eset to add DOS file wildcard e.g. "*" and "?" to the HIPS. With MS constantly creating new telemetry methods with each new upgrade, Eset HIPS file wildcard support is needed now!

 

This is not rocket science, Eset, and should have been added long ago. You added the feature to your Endpoint products and you should show the same curtesy  to your retail customers.

Edited October 16, 2016 by itman

[TomasP 316]

Hi,

We have not forgotten this feature and I can assure you there is an ongoing process regarding this - we are evaluating the use-cases and situations for its usage, so that once launched, it can provide more flexible rules.

Thanks for your patience.

[itman 1,659]

Hi,

We have not forgotten this feature and I can assure you there is an ongoing process regarding this - we are evaluating the use-cases and situations for its usage, so that once launched, it can provide more flexible rules.

Thanks for your patience.

Tom please correct me if I am wrong, but I believe that Endpoint and Smart Security use the same basic HIPS engine. I suspect the wildcard feature in Endpoint is purposely disabled in the retail products. If this is true, would greatly appreciate you PM me on how to enable it in Smart Security

[Pankaj 2]

Hi,

No progress on this matter so far. Is this feature ever going to come out in Internet Security or Smart Security? Have been waiting for a long time for this feature. Considering how weak the Ransomware protection is and looking at the rate at which ransomware are coming out, creating HIPS rules to protect certain file types is the only line of Defence until they are included in the signatures.

This should be one of the "at the top of the list" features for ESET Windows consumer based products and should be implemented as soon as possible.

Thanks. 

[Marcos 5,070]

30 minutes ago, Pankaj said:

Considering how weak the Ransomware protection is and looking at the rate at which ransomware are coming out...

Based on what you are stating this? It is absolutely not true that ESET's protection against ransomware is weak. Quite the contrary, ESET excels in protection against zero-day threats, including ransomware.

[Pankaj 2]

7 minutes ago, Marcos said:

Based on what you are stating this? It is absolutely not true that ESET's protection against ransomware is weak. Quite the contrary, ESET excels in protection against zero-day threats, including ransomware.

Can you prove that? I would really love to see some proof that ESET excels protection against zero day threats. Out of my whole comment you only took away "weak protection against ransomware"!!

[Marcos 5,070]

Just now, Pankaj said:

Can you prove that? I would really love to see some proof that ESET excels protection against zero day threats. Out of my whole comment you only took away "weak protection against ransomware"!!

Actually you were the first to state that ESET's protection is weak when it comes to ransomware so I will be glad if this statement is backed up by a proof. As for ESET's effectiveness in terms of protection against zero-day threats, I can tell from my personal experience that when checking detections by ESET and other vendors as soon as new threats are reported to us through LiveGrid, ESET is very often the only or one of 2-3 famous vendors to detect it. Next, we receive very few tickets related to infection from users who use a current version and have all protection features enabled and the product regularly updated and configured properly which is probably the best proof of effectiveness. Last but not least, ESET is tested by prestigious testing organizations and they have never presented results where ESET's protection was weak.

[Pankaj 2]

2 minutes ago, Marcos said:

Actually you were the first to state that ESET's protection is weak when it comes to ransomware so I will be glad if this statement is backed up by a proof. As for ESET's effectiveness in terms of protection against zero-day threats, I can tell from my personal experience that when checking detections by ESET and other vendors as soon as new threats are reported to us through LiveGrid, ESET is very often the only or one of 2-3 famous vendors to detect it. Next, we receive very few tickets related to infection from users who use a current version and have all protection features enabled and the product regularly updated and configured properly which is probably the best proof of effectiveness. Last but not least, ESET is tested by prestigious testing organizations and they have never presented results where ESET's protection was weak.

As much as I respect ESET Windows products (version 10 being the best), I would like to say that NO product is actually bullet proof against true zero day threats. Regarding those Testing organisations, we can not just blindly trust those results, the same way we cannot just blindly agree that RanSim can never be a real case scenario. All those tests are done in labs behind closed doors and we can only take there word for it. I am not saying that these Testing organisations cannot be trusted, far from it. But I do want to say that having some kind of backup defence if the AV suite is not totally ready for a zero day threat cannot be taken lightly.

There are many youtube channels and videos where Internet Security 10 just fails badly against certain new variants of ransomware while it also manages a completely awesome performance against some other new/zero day threats in some other videos.

Let me be clear, I love ESET products specially windows versions. I love it so much that after trying ALMOST all of the other AV suites I always come back to ESET because of how customisable its HIPS are and the way I can tweak it to my liking. But I want to help improve it even further, therefore its annoying when some features which have been requested for so long just don't come to fruition.

[itman 1,659]

2 hours ago, Pankaj said:

Can you prove that? I would really love to see some proof that ESET excels protection against zero day threats.

Check out this AV Lab test: http://www.av-comparatives.org/wp-content/uploads/2016/11/avc_sp_pcpitstop_2016_en.pdf

They used 1000 ransomware samples; none of which had been detected by VirusTotal at the time of testing. Eset Smart Security scored 100% detection rate. Eset also scored 100% against 4000 non-ransomware 0-day malware samples in this test.

[Pankaj 2]

I in no way doubt that ESET is more than capable of attaining these results. But also have a look at these results:

https://www.mrg-effitas.com/wp-content/uploads/2016/11/MRG-Effitas-360-Assessment-Q3-2016.pdf

and there are many "see for yourself" tests done on youtube that show the weakness of many AV suites (including ESET) against zero-day threats including ransomware.

Kindly note that I do not doubt the efficacy of ESET Live Grid. But nothing is perfect.

[itman 1,659]

Note that the MRG test was performed using Smart Security ver. 9. There have been notable security improvements added with ver. 10.

Of note, ver. 9 does not have ver. 10 ransomware detection improvements. However, Eset was still able to detect 96% of samples initially with the remaining 4% detected within 24 hours which is considered by MRG to be a passing grade for this test.

Pertaining to the non-ransomware portion of the test, MRG does not state how the malicious binaries were downloaded by Edge. It is safe to assume that a number were done using malicious web page scripts. Eset ver. 9 does not have script protection but ver. 10 does.

[Pankaj 2]

What do you think about these videos from youtube:

1.) 

2.) 

 

In link No. 2, please have a look at 10:00 min. where he gets hit by a ransomware. I know that no one would be clicking away at links blindly like that but just adding additional HIPS rules will definitely make it difficult for such things to happen. I mean we can add HIPS rule to protect files in select Folders and make it more secure but what if a ransomware was trying to attack only a given file type. Using a Wildcard (*.jpg etc) might be helpful for example.

And I believe that the true power of ESET HIPS is its Interactive or Policy driven modes. Automatic mode is a little bit too permissive in my opinion.

[itman 1,659]

On ‎1‎/‎28‎/‎2017 at 0:20 PM, Pankaj said:

What do you think about these videos from youtube:

There are two types of utube videos:

1. Those made by amateur security enthusiasts in regards to third part security products.

2. Those made by security concerns explaining the features and workings of their specific products.

What I am posting applies to type 1.

I personally ignore these videos and so do gainfully employed security professionals and penetration testers.

The primary reasons for ignoring these videos is that the methodology and results cannot be verified. Certified AV Labs utilize dedicated hardware in a closely controlled test environment to test malware. Most amateur testers use a VM on their personal PC. It is a well documented fact that today's malware is both sandbox and VM aware and will alter its behavior when either are detected. This results in behavior being observed and recorded that does not occur in normal attack scenarios.

Additionally malware will alter its deliver methods over time and also by intended target hardware and end user. Professional certified AV Labs employ honeypot servers and endpoints which allow them to observe malware behavior over an extended period of time on different hardware and OS configurations. In contrast amateur security testers manually download malware samples from sources such at VirusTotal and directly run these samples. This ignores and invalidates the normal payload deliver methods various malware employ.

I can go on and on but I believe I touched on the major points that these individual reviews should be ignored.

      

[Pankaj 2]

I am in no way an expert on these things but I do know that modern malware may or may not be sandbox or VM aware. So if a malware is aware of a virtualised environment then how would it alter its behaviour? Would it try to evade detection by not showing any malicious behaviour? If that is the case then it should not do any harm to the virtual machine and therefore not be detected by the AV. But that is not what is observed in the videos whereby the malware not only encrypts the data but is also not detected by the AV.

Let's assume that the ransomware in the 2nd video was delivered via a USB drive and copied over to the host machine after the USB 's contents were scanned with ESET. If the user then intentionally or unintentionally executed this file and since this sample is not in the signatures (and a normal user is using the 'automatic' or 'smart' mode for the HIPS and firewall), what do you think would have happened?

An advanced user could have been using the HIPS in interactive mode and if he was observant enough could (maybe) detect the suspicious behaviour of the malware and block it. But an average user would have had the same fate as that AMATEUR youtube tester.

With no disrespect for these reputed AV-testing labs who most certainly know what and how to do their thing, these youtube videos can't be just ignored like that. Many of them are trying to do these tests to help the AV companies make their products better. Just because they don't have the resources like the av-testing labs their effort should not be disregarded. Also some of the AV COMPANIES do respond to these videos and co-ordinate with these testers so as to VERIFY these results and fix the issues in their products.

[Marcos 5,070]

@Pankaj You wrote that ESET's ransomware protection is weak. However, you seem to also understand that there's no 100% malware protection and that every AV misses threats, including ransomware. You have pointed out some videos where files got encrypted despite having ESET installed. This only confirms that no AV protects from 100% of threats. So according to your evaluation you should call any AV without 100% detection an AV with weak protection.

I reckon those videos were made before Christmas, ie. before we substantially extended the replicator farm for automatic replication and signature generation and also before adding a new Filecoder detection mechanism that is now part of Ransomware protection in v10. I would say it will be much harder now to find a Filecoder that would not be detected. For instance, here are the results of the latest Filecoders that are currently a few minutes or 1-2 hours old:

with2901_4b76ad8a_cr246.exe (Locky)
Symantec     clean
AVG          clean
ESET   Suspicious object
McAfee       clean
DrWeb        clean
Bitdefender  clean
Microsoft    clean
Avira        clean
Kaspersky    clean

with2901_4b76ad8a_cr42.exe (Locky)
Symantec     clean
AVG          clean
ESET   Win32/Filecoder.Locky.C trojan
McAfee       clean
DrWeb        clean
Bitdefender  clean
Microsoft    clean
Avira        clean
Kaspersky    clean

system32_2017-01-29_20-01.exe (Filecoder.FS)
ESET  Win32/Filecoder.FS trojan
Bitdefender  clean
Symantec     clean
McAfee       clean
AVG          clean
Kaspersky    clean
DrWeb        clean
Microsoft    clean
Avira        clean
Avast        clean

 

All I want to say is that ESET's protection against ransomware and zero-day threats is excellent and in no way can it be called weak.

[itman 1,659]

1 hour ago, Pankaj said:

Let's assume that the ransomware in the 2nd video was delivered via a USB drive and copied over to the host machine after the USB 's contents were scanned with ESET. If the user then intentionally or unintentionally executed this file and since this sample is not in the signatures (and a normal user is using the 'automatic' or 'smart' mode for the HIPS and firewall), what do you think would have happened?

Personally, I have never heard of a ransomware being delivered via a USB drive. Theoretically it is possible, I guess. BTW - Eset has external device protection that will prevent auto play -or- such native Window's like protections can be enabled.

The vast majority of ransomware have been and currently are delivered via e-mail as noted below. And the overwhelming majority were Locky during the monitoring period noted:

According to the 2016 Verizon DBIR, email is the #1 delivery channel for malware. And what percentage of that malware delivered over email is ransomware? According to Proofpoint, over 96 percent.

To quote an old truism, "If you look under enough rocks, sooner or later you will find a snake." If you are looking for security protection that will guarantee you 100% detection for 100% of all malware threats, you will never find it. Neither will you find a security vendor that will give you such a guarantee.

Edited January 29, 2017 by itman

[Pankaj 2]

That is so very true that NO AV is 100%. That is the reason why I don't just believe any AV testing lab when they say that a particular AV product scored 100% in zero day samples.

Regarding the replicator farm, that is really exciting and I am pretty sure that ESET will do what ever is required to BEST protect its users. As far as the new samples of various filecoders that you mentioned are concerned, that is what I always have loved about ESET. ESET is one of the quickest to add signatures for brand new malware.

And Marcos, when I said that ransomware protection is weak, I never said that it is weak compared to some other AV suite. None of the AV suites can proactively deflect each and every ransomware or zero day attack. Having one of the best signatures is not the only way to prevent a successful ransomware attack in my opinion. That is the reason I don't like highly automated AV suites and why ESET (being so configurable as far as HIPS and Firewall are concerned) is more prepared to offer better protection against ZERO day threats by creating more HIPS generated hurdles for such threats thus giving the end user more chance to realise the threat.

[Pankaj 2]

16 minutes ago, itman said:

Personally, I have never heard of a ransomware being delivered via a USB drive. Theoretically it is possible, I guess. BTW - Eset has external device protection that will prevent auto play -or- such native Window's like protections can be enabled.

The vast majority of ransomware have been and currently are delivered via e-mail as noted below. And the overwhelming majority were Locky during the monitoring period noted:

According to the 2016 Verizon DBIR, email is the #1 delivery channel for malware. And what percentage of that malware delivered over email is ransomware? According to Proofpoint, over 96 percent.

To quote an old truism, "If you look under enough rocks, sooner or later you will find a snake." If you are looking for security protection that will guarantee you 100% detection for 100% of all malware threats, you will never find it. Neither will you find a security vendor that will give you such a guarantee.

As I have said multiple times before, no AV is or can be 100%. And I am not looking for one either. Why does it matter if the malware is received via USB or e-mail? The scenario that I gave earlier was an example and not exhaustive use case scenario. If it is not in the signature, the malware WILL most probably NOT be detected (unless there is some kind of behavioural detection or a cautious USER is driving the system using the Interactive HIPS). And if the ransomware/zero day threat is using some kind of brand new behaviour then even the behavioural blocker will not be able to protect. Eventually its the USER who can take the most reasonable action in this case and therefore the USER must be given more control of his system (in this case HIPS and Firewall) if he so chooses.

[itman 1,659]

Hopefully this commentary posting I made will alleviate your concerns about behavior analysis in regards to ransomware detection: https://forum.eset.com/topic/10792-ransomware-simulators-a-detailed-analysis/ . Make sure you click on the link posted toward the bottom of my first posting in that topic where the author clearly states where behavior detection is not the solution to ransomware detection.