Forums
New posts
Search forums
News
Security News
Technology News
Giveaways
Giveaways, Promotions and Contests
Discounts & Deals
Reviews
Users Reviews
Video Reviews
Support
Windows Malware Removal Help & Support
Mac Malware Removal Help & Support
Mobile Malware Removal Help & Support
Blog
Log in
Register
What's new
Search
Search titles only
By:
Search titles only
By:
Reply to thread
Menu
Install the app
Install
JavaScript is disabled. For a better experience, please enable JavaScript in your browser before proceeding.
You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an
alternative browser
.
Forums
Security
Video Reviews - Security and Privacy
Of LoLBins, 0 Days, and ESET (Part 2)
Message
<blockquote data-quote="Andy Ful" data-source="post: 1084046" data-attributes="member: 32260"><p>It is a convincing video. The attack is not fully real-world but could be if the phishing was a starting point, or the attack was done from the infected flash drive.</p><p>Anyway, some points should be noted:</p><ol> <li data-xf-list-type="ol">This video (and the previous one) does not show in any way that Eset's overall protection is worse compared to Microsoft Defender.</li> <li data-xf-list-type="ol">The video tests can be misunderstood by many people who think that a failure on the example can prove some minority of the overall protection.</li> <li data-xf-list-type="ol">Eset's detection was presented from the bright side. The malware undetected in the pre-execution stage, was detected in the post-execution stage. The detection was triggered soon after recognizing malicious actions.</li> </ol><p>If we assume that points 1 and 2 are true, we can focus on what information can follow from the video.</p><ol> <li data-xf-list-type="ol">Microsoft Defender currently blocks that method <img src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7" class="smilie smilie--sprite smilie--sprite109" alt=":)" title="Smile :)" loading="lazy" data-shortname=":)" /><img src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7" class="smilie smilie--sprite smilie--sprite130" alt="(y)" title="Thumbs up (y)" loading="lazy" data-shortname="(y)" />, so it will be probably rarely used in the wild. It is not clear if Eset can have a sufficient advantage by blocking that method (this could increase the number of false positives). Furthermore, the attack can be blocked by a simple firewall rule for Certutil.</li> <li data-xf-list-type="ol">That method is not malicious, so the decision to block it can be considered by the AV vendor if the attack can bypass other protection features.</li> <li data-xf-list-type="ol">Blocking that method is probably uncommon among AVs on default settings (more examples needed).</li> <li data-xf-list-type="ol">That method can be potentially dangerous when the payload is undetected by the AV.</li> </ol></blockquote><p></p>
[QUOTE="Andy Ful, post: 1084046, member: 32260"] It is a convincing video. The attack is not fully real-world but could be if the phishing was a starting point, or the attack was done from the infected flash drive. Anyway, some points should be noted: [LIST=1] [*]This video (and the previous one) does not show in any way that Eset's overall protection is worse compared to Microsoft Defender. [*]The video tests can be misunderstood by many people who think that a failure on the example can prove some minority of the overall protection. [*]Eset's detection was presented from the bright side. The malware undetected in the pre-execution stage, was detected in the post-execution stage. The detection was triggered soon after recognizing malicious actions. [/LIST] If we assume that points 1 and 2 are true, we can focus on what information can follow from the video. [LIST=1] [*]Microsoft Defender currently blocks that method :)(y), so it will be probably rarely used in the wild. It is not clear if Eset can have a sufficient advantage by blocking that method (this could increase the number of false positives). Furthermore, the attack can be blocked by a simple firewall rule for Certutil. [*]That method is not malicious, so the decision to block it can be considered by the AV vendor if the attack can bypass other protection features. [*]Blocking that method is probably uncommon among AVs on default settings (more examples needed). [*]That method can be potentially dangerous when the payload is undetected by the AV. [/LIST] [/QUOTE]
Insert quotes…
Verification
Post reply
Top