ESET IS - April 2021 Report

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
784
I have felt a slight impact especially when launching a program with these more aggressive settings :)
Yeah ESET's advanced techniques (more static heuristics, possibly sandbox emulation on-device) do tend to be heavy. Both involve more analysis before the program is even allowed to run, which I think most users perceive as a slowdown. A behavior blocker traps and evaluates API calls which happen less often and most apps when they are doing CPU-intensive things are not calling out to Windows APIs constantly.

It seems scripts detections did not improve even hardening the settings...
That's too bad. Once again, "SM25.vbs" seems to have identically duplicated itself and then put that script into AutoRuns.... I can't imagine a behavior blocker would miss that. From the Huorong test:
SM25.vbs triggers wscript.exe and mshta.exe. Last named tries calling out, triggers Huorong Network Access Control (=Firewall) appears, default action is to auto-block after 45 seconds, so I chose "Deny". wscript.exe tries setting an AutoRun, flashing red Huorong HIPS alert (File protection) appears, whose default action is to auto-block after 45 seconds, so I chose "Deny". Next is a Huorong HIPS alert (Sensitive action) on Hidden PowerShell script executions. Default action is to auto-block after 45 seconds, so I chose "Deny". All services but mshta.exe autoterminate, broken mshta.exe window closed personally. No further malicious traces, no AutoRuns. Untouched source file deleted before firing off 2nd_opinion scans. HIT.

I think for most people, ESET should be left at the default settings. Maybe turning on advanced DNA signatures would be interesting because we have seen some impressive ML detections from ESET before. The aggressive settings and their performance impacts don't justify the marginal improvement in protection.
 

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
784
I already turned on that DNA hehe... see the pics in my previous post...
Nice!

Yeah against scriptors especially, signatures are a losing game. When ESET was actively adding signatures for my PoCs, I found a meaningless Python syntax change was enough to break detection: #45 and Malware analysis - "pyrate", Behavior Blocker Bypass POC #3 ... and that's not even really trying. There's just way too many ways in a script to obfuscate your intentions from static inspection. With compiled executables, the way the compiler organizes and optimizes code leaves behind a lot more unique signatures you can latch on to.
 

blackice

Level 39
Verified
Top Poster
Well-known
Apr 1, 2019
2,866

Zorro

Level 9
Verified
Well-known
Jun 11, 2019
408
Привет, ребята, до конца месяца я только что реализовал эту программу.:

[KB6119] Настройка правил HIPS для продуктов ESET business для защиты от вымогателей

[KB6132] Настройка правил брандмауэра для ESET Endpoint Security для защиты от программ-вымогателей

Также сохраняя прежние агрессивные ухищрения...
Why didn't you add my suggestions for rules to hips in addition to the settings recommended by the antivirus developers? :) ;)
 
Last edited:

harlan4096

Super Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,897
The surprising thing is that at this point, We still have to add manually those entries in HIPS to stop/block scripts, java rats and others threats creating their entries and infect the system...

In recent tests, ESET was able to detect/remove only 2 entries in Windows AutoRuns sections (in 2 different tests), but still remained other additional ones, and those 2 detections took place after the system restart, when the system was already infected... 🤷‍♂️🤦‍♂️🙄

Where is ESET BB...?
 

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
784
A very good question, it must take a really long time to download and it just isn't there yet...
1619028600513.png

What drives me nuts is that ESET advertises that their product does have a behavior blocker for ransomware behavior at least. Also "Deep Behavioral Inspection" since 2019:

1619028741757.png


This is describing a behavior blocker, specifically calling out "Registry Events". To date I've never seen any of these features activate, either personally or in a Malware Hub test. The only dynamic detections I've seen are the "<signature> was found in a file downloaded/opened by <process>" which is basically just signature scanning during execution.

If you have a behavior blocker, it's really unlikely that it'd let a file copy itself then add to AutoRuns. I tested this against several AV software earlier: Homebrewed Zero Day behavior blocker test
1619028981314.png
 

mlnevese

Level 28
Verified
Top Poster
Well-known
May 3, 2015
1,739
ESET could have many preset HIPS rules with a simple on/off switch. The rules could be even automatically turned on/off according to how paranoid you set it. As it is, the HIPS is basically useless for a basic user and demand some work for advanced users.
 

F 4 E

Level 3
Verified
Jan 27, 2019
103
ESET could have many preset HIPS rules with a simple on/off switch. The rules could be even automatically turned on/off according to how paranoid you set it. As it is, the HIPS is basically useless for a basic user and demand some work for advanced users.
I still can't get my head around having to fiddle with HIPS settings in Eset.

Beyond my level of expertise, and I wish Eset would come up with some preset rules rather than the Auto option ?
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top