App Review Of LoLBins, 0 Days, and ESET (Part 2)

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Content created by
cruelsister

Bot

AI-powered Bot
Verified
Apr 21, 2016
3,513
Thanks for sharing this video! It seems to give some valuable insights on LoLBins, 0 Days, and ESET. Let's discuss it further.
 
Mar 10, 2024
392
Again please refer to this post. The point is to test the products according to design, using something actually malicious. There was more effort here. If done according to design and your modified file does make it past, so be it, at least it was done properly.


@LennyFox aka Kees I do believe a thank you is in order for allowing me to "live rent free" in your mind.
 
Mar 10, 2024
392

Again the object is initiated from desktop. It lacks the MOTW embedded via being downloaded from the browser or other internet clients like email and chat. The files downloaded this way contain identifiers.

Can you bypass the MOTW using zip files, especially password-protected ones? Sure you can.

Can a file bypass MOTW other ways? Yes, when it's downloaded via cmd or PowerShell, "initiated by the user".

Using heuristic-based scans and signature-based scans/filters that are hardened for "points of entry" allows the product to be tested as designed, with the ability to look for the realistic indicators, in real-world scenarios and with in-the-wild real samples, not modified samples that take days to find, to bypass a product with an unrealistic route of infection.
 
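The post above turns on whether the sample carries the Mark-of-the-Web. As an added example (not code from the thread, from cruelsister or from ESET), here is how to see which files on a box actually have the stream, and how to stamp a desktop-staged sample with it so an entry-point-hardened product sees what a browser download would look like. MOTW is the NTFS alternate data stream `Zone.Identifier`; `ZoneId=3` is the Internet zone. It assumes Windows PowerShell 5.1 or later on an NTFS volume; the paths and the origin URL are placeholders.

```powershell
# Added example for this thread (not cruelsister's or ESET's code): inspect, apply and
# remove the Mark-of-the-Web (MOTW) on files. MOTW is the NTFS alternate data stream
# "Zone.Identifier"; ZoneId=3 means Internet zone. Assumes Windows PowerShell 5.1+ on
# NTFS; the paths and the HostUrl below are assumptions for illustration.

function Get-MotwInfo {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -LiteralPath $Path -File -Recurse | ForEach-Object {
        $zoneId = $null; $hostUrl = $null; $referrer = $null
        # Get-Item -Stream returns nothing (no error) when the stream is absent.
        $stream = Get-Item -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        if ($stream) {
            foreach ($line in (Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier)) {
                if     ($line -match '^ZoneId=(\d+)$')     { $zoneId   = [int]$Matches[1] }
                elseif ($line -match '^HostUrl=(.+)$')     { $hostUrl  = $Matches[1] }
                elseif ($line -match '^ReferrerUrl=(.+)$') { $referrer = $Matches[1] }
            }
        }
        [pscustomobject]@{
            File        = $_.FullName
            HasMotw     = [bool]$stream
            ZoneId      = $zoneId
            HostUrl     = $hostUrl
            ReferrerUrl = $referrer
        }
    }
}

function Set-MotwInternet {
    # Writes the same stream a browser would, so MOTW-keyed scanning, SmartScreen and
    # Office Protected View treat the file as an Internet download.
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$HostUrl = 'https://example.invalid/sample.bin'   # assumed origin URL
    )
    $content = @('[ZoneTransfer]', 'ZoneId=3', "HostUrl=$HostUrl")
    Set-Content -LiteralPath $Path -Stream Zone.Identifier -Value $content
}

# Usage (sample path is an assumption):
# Get-MotwInfo -Path "$env:USERPROFILE\Downloads" | Format-Table -AutoSize
# Set-MotwInternet -Path "$env:USERPROFILE\Desktop\sample.bin"
# Unblock-File -LiteralPath "$env:USERPROFILE\Desktop\sample.bin"   # strips the stream again
```

Two checks worth doing before drawing conclusions from a test: run `Get-MotwInfo` on whatever a given downloader (browser, `Invoke-WebRequest`, `certutil`, a mail client) produced, rather than assuming it did or did not write the stream, and do the same on files pulled out of an archive, since not every archiver propagates `Zone.Identifier` to extracted files. A password-protected archive cannot be scanned inside at all until the user opens it, which is why it is the classic way to walk a sample past the entry point.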

Jonny Quest

Level 17
Verified
Top Poster
Well-known
Mar 2, 2023
813
Again the object is initiated from desktop. It lacks the MOTW embedded via being downloaded from the browser or other internet clients like email and chat. The files downloaded this way contain identifiers.

Like a normal user would experience downloading a file, or the process of opening an email, etc.? So these tests, including on YouTube where the file is already on the desktop, are only 1/2 the equation, of the malware (sample) already being on the desktop, on the PC?
 

LennyFox

Level 7
Jan 18, 2024
327
Like a normal user would experience downloading a file, or the process of opening an email, etc.? So these tests, including on YouTube where the file is already on the desktop, are only 1/2 the equation, of the malware (sample) already being on the desktop, on the PC?
When following real-world procedures (like AV-Test and AV-Comparatives) most AVs have near-perfect scores. The point Cruel Sister was making in her first video is that allowing a dropper through a LoLBin is a considerable risk factor (you don't know whether the downloaded file is good or bad). Her (in my opinion correct) warning that ESET could do better triggered a bombardment of criticism that the file dropped was not really malicious. That is why she posted the second video (which dropped something harmful and bricked user files).

Now they are criticising @cruelsister 's video again with the argument that it did not come through the "front door". That argument in itself is valid. People can't be infected out of nowhere. But for average PC users the most common routes of infection through the "front door" are responding to an email with either a prize or a tax invoice. The trick is to trigger an emotion (greed, anger and fear work the best). Another often-used route of infection is average home users being redirected to websites looking like an antivirus telling you that you are infected (using the fear emotion) and that you need to download something.

So getting through the front door is trivial, but even using the front door approach ESET has its limitations (and CS's video shows why they probably missed the 1.8 percent of the "in the wild samples, using real world scenarios" in the picture below).

[attachment: 1713712519863.png]

But as @Showdara posted, it just confirms his experience.
 

Jonny Quest

Level 17
Verified
Top Poster
Well-known
Mar 2, 2023
813
When following real-world procedures (like AV-Test and AV-Comparatives) most AVs have near-perfect scores. The point Cruel Sister was making in her first video is that allowing a dropper through a LoLBin is a considerable risk factor (you don't know whether the downloaded file is good or bad). Her (in my opinion correct) warning that ESET could do better triggered a bombardment of criticism that the file dropped was not really malicious. That is why she posted the second video (which dropped something harmful and bricked user files).

Now they are criticising @cruelsister 's video again with the argument that it did not come through the "front door". That argument in itself is valid. People can't be infected out of nowhere. But for average PC users the most common routes of infection through the "front door" are responding to an email with either a prize or a tax invoice. The trick is to trigger an emotion (greed, anger and fear work the best). Another often-used route of infection is average home users being redirected to websites looking like an antivirus telling you that you are infected (using the fear emotion) and that you need to download something.

So getting through the front door is trivial, but even using the front door approach ESET has its limitations (and CS's video shows why they probably missed the 1.8 percent of the "in the wild samples, using real world scenarios" in the picture below).

[attachment 282949]

But as @Showdara posted, it just confirms his experience.
Thank you for the explanation, Lenny, I appreciate it. From a member who is still learning about these things :)
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,170
It is a convincing video. The attack is not fully real-world but could be if the phishing was a starting point, or the attack was done from the infected flash drive.
Anyway, some points should be noted:
  1. This video (and the previous one) does not show in any way that Eset's overall protection is worse compared to Microsoft Defender.
  2. The video tests can be misunderstood by many people who think that a failure on the example can prove some minority of the overall protection.
  3. Eset's detection was presented from the bright side. The malware undetected in the pre-execution stage, was detected in the post-execution stage. The detection was triggered soon after recognizing malicious actions.
If we assume that points 1 and 2 are true, we can focus on what information can follow from the video.
  1. Microsoft Defender currently blocks that method :)(y), so it will be probably rarely used in the wild. It is not clear if Eset can have a sufficient advantage by blocking that method (this could increase the number of false positives). Furthermore, the attack can be blocked by a simple firewall rule for Certutil.
  2. That method is not malicious, so the decision to block it can be considered by the AV vendor if the attack can bypass other protection features.
  3. Blocking that method is probably uncommon among AVs on default settings (more examples needed).
  4. That method can be potentially dangerous when the payload is undetected by the AV.
 
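Andy's point 1 mentions that "the attack can be blocked by a simple firewall rule for Certutil". As an added example (not Andy Ful's, cruelsister's or ESET's code), here is that rule as Windows Defender Firewall outbound block rules for both copies of `certutil.exe`, plus a check that its download verb no longer produces a file. Windows Firewall allows outbound traffic by default, so without an explicit rule a LOLBin is free to fetch a payload. It needs an elevated PowerShell with the NetSecurity module (Windows 8 / Server 2012 or later); the rule names and the test URL are placeholders.

```powershell
# Added example for this thread (not Andy Ful's or ESET's code): outbound block rules
# for certutil.exe in Windows Defender Firewall, and a check that the download verb
# now fails. Requires an elevated PowerShell with the NetSecurity module.
# Rule names and the test URL are assumptions for illustration.

$certutilPaths = @(
    (Join-Path $env:SystemRoot 'System32\certutil.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\certutil.exe')   # 32-bit copy on x64 Windows
) | Where-Object { Test-Path -LiteralPath $_ }

function Block-CertutilOutbound {
    foreach ($exe in $certutilPaths) {
        $name = "Block outbound: $exe"
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            # Program-scoped rule: it matches this path only. A copy of certutil.exe
            # dropped elsewhere (a known LOLBin trick) is NOT covered; pair this with
            # application control or command-line logging for that case.
            New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Block `
                -Program $exe -Profile Any -Enabled True | Out-Null
        }
    }
    Get-NetFirewallRule -DisplayName 'Block outbound: *' |
        Select-Object DisplayName, Enabled, Direction, Action
}

function Test-CertutilDownloadBlocked {
    # certutil's own download verb (-urlcache -split -f), the LOLBin behaviour at issue.
    # Point the URL at a benign host you control: a non-resolving name would "pass"
    # even without the rule, because no file gets written either way.
    param([string]$Url = 'https://example.invalid/sample.bin')   # placeholder URL
    $target = Join-Path $env:TEMP 'motw-test.bin'
    Remove-Item -LiteralPath $target -ErrorAction SilentlyContinue
    & $certutilPaths[0] -urlcache -split -f $Url $target 2>&1 | Out-Null
    # $true when the rule works: nothing was fetched.
    -not (Test-Path -LiteralPath $target)
}

# Usage:
# Block-CertutilOutbound
# Test-CertutilDownloadBlocked -Url 'https://your-test-host.example/benign.txt'
```

This covers exactly one binary. Andy's remark that attackers move to "some other LOLBins" is the caveat: `bitsadmin`, `mshta`, `msiexec` and the rest each need their own rule, and a per-program firewall rule says nothing about a renamed copy, so treat it as one layer next to detection on the process command line, not as the control.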
Mar 10, 2024
392
It is a convincing video. The attack is not fully real-world but could be if the phishing was a starting point, or the attack was done from the infected flash drive.
It is not real world. The file needs to be downloaded, as stated above, for the products to scan for indicators, unless it was, as you just suggested, from an inserted flash drive, which again habits like disabling autorun for those types of devices and scanning files on them before use once inserted can negate.

A lot of trivial "could be's" inserted in this thread when all the "professionals" should be fully aware this test is not accurately testing the "design" of products. Phishing requires user interaction but still comes from some point.

Lottery odds of infection do not mean the product is incapable either, as none are guaranteed 100% detection at all times, I'm aware.

If users intend to "test" products' capabilities then these half-way attempts are not enough; it needs to be done again according to design. As stated before, if it misses then, it's not from inaccurate testing, but the product.
 

LennyFox

Level 7
Jan 18, 2024
327
It is a convincing video. The attack is not fully real-world but could be if the phishing was a starting point, or the attack was done from the infected flash drive.
Anyway, some points should be noted:
  1. This video (and the previous one) does not show in any way that Eset's overall protection is worse compared to Microsoft Defender.
  2. The video tests can be misunderstood by many people who think that a failure on the example can prove some minority of the overall protection.
  3. Eset's detection was presented from the bright side. The malware undetected in the pre-execution stage, was detected in the post-execution stage. The detection was triggered soon after recognizing malicious actions.
If we assume that points 1 and 2 are true, we can focus on what information can follow from the video.
  1. Microsoft Defender currently blocks that method :)(y), so it will be probably rarely used in the wild. It is not clear if Eset can have a sufficient advantage by blocking that method (this could increase the number of false positives). Furthermore, the attack can be blocked by a simple firewall rule for Certutil.
  2. That method is not malicious, so the decision to block it can be considered by the AV vendor if the attack can bypass other protection features.
  3. Blocking that method is probably uncommon among AVs on default settings (more examples needed).
  4. That method can be potentially dangerous when the payload is undetected by the AV.
I am not following you, are you posting in the correct thread? There is no Microsoft Defender in this video 🤔 and the user files were bricked. :rolleyes: Let's not repeat the discussion of part 1 video.
 

Shadowra

Level 34
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,327
I am not following you, are you posting in the correct thread? There is no Microsoft Defender in this video 🤔 and the user files were bricked. :rolleyes:
Let's not repeat the discussion of part 1 video.

In part 1, MD succeeded in intercepting the attack, not Eset.
That's why he cites Microsoft Defender.
 

LennyFox

Level 7
Jan 18, 2024
327
In part 1, MD succeeded in intercepting the attack, not Eset.
That's why he cites Microsoft Defender.
Yes I know, that is why I asked are you posting in the correct thread :) I also don't understand Andy's "Microsoft Defender currently blocks that method, so it will be probably rarely used in the wild". Microsoft is the champion of big data and compatibility (low FP-rate), when they are blocking something it is most likely for a reason (which IMO adds credit to Cruel Sister's statement in video 1 that it is a risk factor to allow droppers through unusual LoLBin actions).
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,170
I also don't understand Andy's "Microsoft Defender currently blocks that method, so it will be probably rarely used in the wild".

The attack will be blocked on nearly 1/2 of all computers. The attackers do not like the attack methods that can decrease the chances by 50% when there are several more promising methods (like some other LOLBins, etc.). (y)
 
