Eset 13.0.22.0 Final

Burrito

Level 24
Verified
Top Poster
Well-known
May 16, 2018
1,363
Try this for safe mode in Windows 10:

That looks like a good answer.

Thanks Nightwalker.

1572189374133.png


Me and my buddy @beavisviruses were the two inaugural members of the "I love ESET" Club.

I miss that guy...
 

davisd

Level 3
Verified
Jan 27, 2019
108
my computer will not go into safe mode!!!!!!!!!!!!!!

your link says as follows
In Safe Mode, double-click the installer file you saved to your Desktop in step 1 to run ESET Uninstaller tool. If you want to use the Advanced user commands below, open an Administrative command prompt first and then change to the Desktop directory.
Hold "Shift" whilst clicking on "Restart"
1.PNG

Choose "Troubleshoot"
20191027_165914.jpg

"Advanced options"
20191027_165923.jpg

"Startup settings"
20191027_165943.jpg

Click "Restart"
20191027_170000.jpg

Choose the appropriate number, in your case, 4,5, or 6, then you'll be booted in Safe Mode.
20191027_170019.jpg
 

Nightwalker

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
May 26, 2014
1,339

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
784
Back to talking about ESET: the signatures seem to be pretty decent. @Huchim ’s malware hub testing shows ESET catching more than average via static scan. This morning I encountered some malvertising and submitted it to VT, and it had a 2 or 3 engine detection ratio (not Symantec, Avira, or BitDefender) and NOD32 was one that detected it.
 

Nightwalker

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
May 26, 2014
1,339
Back to talking about ESET: the signatures seem to be pretty decent. @Huchim ’s malware hub testing shows ESET catching more than average via static scan. This morning I encountered some malvertising and submitted it to VT, and it had a 2 or 3 engine detection ratio (not Symantec, Avira, or BitDefender) and NOD32 was one that detected it.

This is a common misconception of ESET, most of those detections are not via signatures, they are heuristics + generic detections, so by definition a zero day kind of protection.

Many security forum users think that ESET has a poor zero day protection because until recently it lacked a properly behavior blocker and most users confused the heuristic detection (proactive) with a signature (reactive) one.

Take those tests from @Huchim as an example:


 

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
784
This is a common misconception of ESET, most of those detections are not via signatures, they are heuristics + generic detections, so by definition a zero day kind of protection.

Many security forum users think that ESET has a poor zero day protection because until recently it lacked a properly behavior blocker and most users confused the heuristic detection (proactive) with a signature (reactive) one.

This is a really good point. Heuristic analysis is still a great way to protect against zero days. Note that some AV's like Norton's engine do also invest in heuristics (see their Heur.AdvML.x detections, Heur.AdvML.B | Symantec). And F-Secure's DeepGuard also contains some set of heuristic signatures (ironically often times when I execute zero days I find, it is DeepGuard that catches it before the payload even gets to executing, indicating it's static analysis and not runtime behavior blocking based)

The nice thing about static analysis heuristics and generics is that you don't risk the payload executing at all, which substantially lowers the risk of advanced malware learning how to counteract the way that behavior blockers inject themselves into the running binary.

The downside I'd be concerned about is FP's. Like I won't say whose engine it is, but I can compile a C program with some string constants defined like "vmware-vmx.exe" and "vmtools" and if I include 2 or 3 of those terms in the binary it will flag it as generic malware VM detection. How's the FP rate for ESET?
 

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,873
Extremely low. For example, in the September False Alarm test, by AV-Comparatives, ESET and Kasperksy were the only products with no false positives. In March, there was only one false positive, beating all other antiviruses tested.
This is correct. Also what I've learnt from the ESET forum is that they are extremely sensitive about false positives and performance impact. Sometimes way too much. For example, a month ago in the hub a ransomware sample was missed by ESET as well as bypassed other popular AVs behavior blocker. I posted that sample on ESET forum and a day later upon analyzing they found out, ESET's ransomware shield initially detected that as a potential ransomware but another false positive mechanism triggered in so to avoid false positive ESET let that ransomware run. This is just one example. I've seen other discussion where they even said that they sometimes prioritize avoiding false positives over detection and their defense to this statement was that if an user run something malicious on their PC, soon their cloud protection which is named Live grid would be able to protect other users from executing that malware. They also said their enterprise customers care more about not having any false positives. But no matter what, to prioritize false positives avoiding over detection kind of sounds wrong. But this is how they are and one of the reason they focus a lot on signatures more than most other AVs. They have similar mindset for performance impact. They won't implement any feature that affects its performance hence it's extremely light.
 
F

ForgottenSeer 72227

This is a common misconception of ESET, most of those detections are not via signatures, they are heuristics + generic detections, so by definition a zero day kind of protection.

Many security forum users think that ESET has a poor zero day protection because until recently it lacked a properly behavior blocker and most users confused the heuristic detection (proactive) with a signature (reactive) one.

Take those tests from @Huchim as an example:



Good post!

Personally I think there's a big misconception that in order to deal with Zero Day malware you have to have a "BB", or something along those lines. While they are good, like with many things in life, there's always more than one way to deal with things. If you think about it, heuristics was the first way to deal with zero day malware. While some newer things have come out (ie:BB), heuristics are still a very good way to catch zero day malware.

To further your point despite what some say, Eset has more tech built in to deal with zero day. They have their cloud (Live Grid), HIPS and more recently they have expanded what their "ML" can do. Furthermore, BB and such still miss things, so even they aren't perfect either. While good zero day protection is a good thing to have, I still think that people stress about it way to much IMHO. Personally I feel like the chances of home users running into a true zero day (malware) is extremely low. Doesn't mean it doesn't happen, but I don't think it's as high, compared to if you were a business/enterprise, government body, etc...(y)
 

blackice

Level 39
Verified
Top Poster
Well-known
Apr 1, 2019
2,868
This is correct. Also what I've learnt from the ESET forum is that they are extremely sensitive about false positives and performance impact. Sometimes way too much. For example, a month ago in the hub a ransomware sample was missed by ESET as well as bypassed other popular AVs behavior blocker. I posted that sample on ESET forum and a day later upon analyzing they found out, ESET's ransomware shield initially detected that as a potential ransomware but another false positive mechanism triggered in so to avoid false positive ESET let that ransomware run. This is just one example. I've seen other discussion where they even said that they sometimes prioritize avoiding false positives over detection and their defense to this statement was that if an user run something malicious on their PC, soon their cloud protection which is named Live grid would be able to protect other users from executing that malware. They also said their enterprise customers care more about not having any false positives. But no matter what, to prioritize false positives avoiding over detection kind of sounds wrong. But this is how they are and one of the reason they focus a lot on signatures more than most other AVs. They have similar mindset for performance impact. They won't implement any feature that affects its performance hence it's extremely light.
That’s interesting and rather concerning. However with non-risky habits and a good web extension probably pretty unlikely you would run across the type of zero day samples seen in the hub. Still it gives me pause.
 

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,873
That’s interesting and rather concerning. However with non-risky habits and a good web extension probably pretty unlikely you would run across the type of zero day samples seen in the hub. Still it gives me pause.
I agree. ESET is still great though. It's also one of the best in web protection. In my personal brief testing over the last few months it performed better than Kaspersky, Bitdefender, Avira, SmartScreen in most cases. I don't use any security extension on my browser when I use ESET as I feel it's enough.
 

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
784
. While good zero day protection is a good thing to have, I still think that people stress about it way to much IMHO. Personally I feel like the chances of home users running into a true zero day (malware) is extremely low. Doesn't mean it doesn't happen, but I don't think it's as high, compared to if you were a business/enterprise, government body, etc...(y)

That’s interesting and rather concerning. However with non-risky habits and a good web extension probably pretty unlikely you would run across the type of zero day samples seen in the hub. Still it gives me pause.

Yeah I'd say the last time I got surprised by malware (and needed to be saved by an AV) was 3+ years ago, when I was being stupid and thought I found a trustworthy Windows Loader (activation bypass) that was actually a rootkit. That wasn't even a zero day.

With that said, zero days are still a thing, albeit rare. Just yesterday when browsing 9to5mac I got redirected by a rogue advertisement to a "your Norton has expired" scam hosted on a .XYZ domain. The domain was fresh and had zero detection on VT. The payload it delivered was Mac malware but it was a zero day with a 2/59 detection ratio (up to 4/59 if I unpack various scripts and submit them separately, which more simulates what a runtime scanner would find). I checked again today and the detection ratio is much higher.

Sure it's Mac malware and that's different than Windows malware, but average Joes can still encounter these kinds of zero days.

(BTW ESET was one of 2 engines that actually caught it though, so I'd say your zero day protection is just fine on ESET)
 

artek

Level 5
Verified
May 23, 2014
236
Yeah I'd say the last time I got surprised by malware (and needed to be saved by an AV) was 3+ years ago, when I was being stupid and thought I found a trustworthy Windows Loader (activation bypass) that was actually a rootkit. That wasn't even a zero day.

With that said, zero days are still a thing, albeit rare. Just yesterday when browsing 9to5mac I got redirected by a rogue advertisement to a "your Norton has expired" scam hosted on a .XYZ domain. The domain was fresh and had zero detection on VT. The payload it delivered was Mac malware but it was a zero day with a 2/59 detection ratio (up to 4/59 if I unpack various scripts and submit them separately, which more simulates what a runtime scanner would find). I checked again today and the detection ratio is much higher.

Sure it's Mac malware and that's different than Windows malware, but average Joes can still encounter these kinds of zero days.

(BTW ESET was one of 2 engines that actually caught it though, so I'd say your zero day protection is just fine on ESET)

I've seen a few of those too. But when I send them to the vendors they tell me that they do detect the actual malware, just not the .DMG file itself.
 

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
784
I've seen a few of those too. But when I send them to the vendors they tell me that they do detect the actual malware, just not the .DMG file itself.
It’s funny because that is sometimes true but not always. It is true that sometimes engines will detect the malware once the payload is actually delivered (the bogus installer or fake .app bundle is usually obfuscated and uses shell scripts or Python combined with the openssl command to decrypt a command for fetching the real malware, and the real malware itself tends to be more widely detected.
But this particular one seemed so new that even the final payload isn’t detectable. I submitted it to a few vendors. Hilariously Symantec responded with the sample “is an archive” and then explains what a zip file is. Sigh.
 

notabot

Level 15
Verified
Oct 31, 2018
703
Back to talking about ESET: the signatures seem to be pretty decent. @Huchim ’s malware hub testing shows ESET catching more than average via static scan. This morning I encountered some malvertising and submitted it to VT, and it had a 2 or 3 engine detection ratio (not Symantec, Avira, or BitDefender) and NOD32 was one that detected it.

out of curiosity, how did you isolate the malvertising ? if you just send them the page, they will load it likely with a different ad
 

artek

Level 5
Verified
May 23, 2014
236
It’s funny because that is sometimes true but not always. It is true that sometimes engines will detect the malware once the payload is actually delivered (the bogus installer or fake .app bundle is usually obfuscated and uses shell scripts or Python combined with the openssl command to decrypt a command for fetching the real malware, and the real malware itself tends to be more widely detected.
But this particular one seemed so new that even the final payload isn’t detectable. I submitted it to a few vendors. Hilariously Symantec responded with the sample “is an archive” and then explains what a zip file is. Sigh.

Sophos was particularly good with this. They'd tell me what the pay load was, if it was detected and all that. Their client caused me other technical problems but their labs were very responsive.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top