SeriousHoax

Level 29
Verified
Malware Tester
> German magazine PC-Welt hands out trial licenses to its readers:
> Code: PCWESET2019
> 120-day keys
> The license expires from the moment of activation.
Does it have any restrictions, like needing to be activated from Germany or something?

MacDefender

Level 11
Verified
It's been interesting watching @SeriousHoax run a few months of tests in the malware hub for ESET. It seems to consistently perform strongly but basically all signature based.

I've dug through the dynamic hits and it seems like they mostly fall into 2 categories:
  1. Opening a network connection to a known bad destination or downloading a payload that triggers a signature
  2. Unpacking/deobfuscating a payload that is then picked up by signatures.

That's not a bad thing, to be clear. It goes back to my takeaway point about ESET: Best signatures ever, but if it gets past signatures you are toast. Luckily most real world malware is a variant of something already known but for a true zero day I do not expect ESET to do well.

Also, I am concerned that turning off network protection will result in more misses compared to an AV suite that leans on a behavior blocker component. That could be an interesting test: take one of the dynamic hits where the network component fired, disable it, and see if another component protects you.

SeriousHoax

Level 29
Verified
Malware Tester
> It's been interesting watching @SeriousHoax run a few months of tests in the malware hub for ESET. It seems to consistently perform strongly but basically all signature based.
>
> I've dug through the dynamic hits and it seems like they mostly fall into 2 categories:
>   1. Opening a network connection to a known bad destination or downloading a payload that triggers a signature
>   2. Unpacking/deobfuscating a payload that is then picked up by signatures.
>
> That's not a bad thing, to be clear. It goes back to my takeaway point about ESET: Best signatures ever, but if it gets past signatures you are toast. Luckily most real world malware is a variant of something already known but for a true zero day I do not expect ESET to do well.
>
> Also, I am concerned that turning off network protection will result in more misses compared to an AV suite that leans on a behavior blocker component. That could be an interesting test: take one of the dynamic hits where the network component fired, disable it, and see if another component protects you.
You're right. Signatures, including advanced heuristics, network and web protection, usually get the job done. For the particular sample in the last test, I tested turning off network protection and nothing was detected, but the malware seemingly didn't do anything malicious anyway. Maybe the website it tries to connect to is already dead. In general I think it would not be fair to test ESET by turning off one of its protections. ESET counters not having a proper behavior blocker with fantastic signatures, heuristics and network protection, and according to ESET some components of their HIPS, including the ransomware shield, are tied to Real-Time Protection; that's why I never do any bonus dynamic test for ESET on ransomware already detected by signatures.

A few days ago I shared one example in our malware hub group of ESET's advanced heuristics and machine learning in action.
Here, at first a malware sample was detected by ESET's advanced heuristics component, then a few hours later they created a new signature for the same sample even though ESET was already detecting it.
[attachment: s2.PNG]

Many people think that ESET is all about its raw signatures but it's a combination of good signatures and heuristics. Like you said, it's probably the best at detecting new variants of malware using already available signatures.
Here's one example of its machine learning (ML/Augur) in action. Here I tested these samples with signatures that were a few days old.
[attachment: s1.PNG]

The machine learning component is still very immature though. Maybe I was just lucky to see it in action. Maybe ESET still hasn't unlocked its full potential, so as to reduce the number of false positives.
Last year on the ESET forum one of the administrators even said ESET may introduce Application Control into their product, something similar to Kaspersky, but not anytime soon.

AYIZEB

Level 1
ESET is the best antivirus in signatures; the only thing I think is missing is a real behavior analyzer. But the problem is that ESET is very light and that is where they always focus, since they have their market: when one thinks of a lightweight antivirus, the first thing they think of is ESET, and a behavior analyzer would lead to higher consumption, so a large percentage of the market would leave ESET for not having an antivirus as light as before. I think and think that ESET has the money and professionals to make a perfect analyzer, but everything depends on the impact on the market and the quality of the product.

SeriousHoax

Level 29
Verified
Malware Tester
> ESET is the best antivirus in signatures; the only thing I think is missing is a real behavior analyzer. But the problem is that ESET is very light and that is where they always focus, since they have their market: when one thinks of a lightweight antivirus, the first thing they think of is ESET, and a behavior analyzer would lead to higher consumption, so a large percentage of the market would leave ESET for not having an antivirus as light as before. I think and think that ESET has the money and professionals to make a perfect analyzer, but everything depends on the impact on the market and the quality of the product.
Couldn't have said it any better. This is exactly how they think. One thing I would like to add is false positives. Lightness and fewer false positives are their main priorities.

AYIZEB

Level 1
> Couldn't have said it any better. This is exactly how they think. One thing I would like to add is false positives. Lightness and fewer false positives are their main priorities.
Correct, ESET has first-class signatures, and false positives are low because of the excellent signatures it has. It is clear that there are other layers that protect together, and the behavior analyzer is not perfect, but it can save you from some mistake. With ESET, if it does not have a signature for that particular malware, you are sold, but ESET is a well-made and perfect product for most people.

MacDefender

Level 11
Verified
> Many people think that ESET is all about its raw signatures but it's a combination of good signatures and heuristics. Like you said, it's probably the best at detecting new variants of malware using already available signatures.
Yes! This is spot on and better than how I said it. When I say "signatures" in the context of ESET I really mean static scanning analysis. Unlike how most signature engines tend to work, the ESET one seems to be extremely good at identifying variants of existing malware without being prone to false positives.

A lot of other AV engines have some sort of machine learning component, and so does ESET with its ML/ detections. Symantec's "AdvML" detections seem to trigger on new malware once in a while too. But ESET's standout feature is how often its "Variant of XXXXXX" detections are spot on and match the names that other AV engines eventually assign to the malware.

When I first heard about this I suspected they would have a lot of false positives, but that's not true at all. In fact a lot of other engines that don't do a good job in the real world of statically identifying new malware variants actually have more false positives on harmless things. I've seen a few cases where unpacking or repacking a VMWare piracy tool would generate "VM detection" heuristic detections simply because the crack contains snippets of the VMWare binary. I've yet to see ESET tricked by situations like this.

And yes, you are definitely right that it's not fair to turn off ESET's protection layers. A lot of folks (myself included) are tempted because we don't like SSL inspection or we have seen performance degradation due to this kind of network stack protocol filter, but while other AVs tend to carry a dynamic behavior blocker as a last line of defense, the same doesn't hold for ESET, and it might be a really bad idea and a more significant loss of protection with ESET.

SeriousHoax

Level 29
Verified
Malware Tester
@MacDefender Well said. I'm not much of a fan of SSL inspection either, but AVs that have it would argue that it provides even better protection because they can inspect the whole flow of data between your browser, PC and the website, thus making you more secure. In terms of performance degradation I'm kind of unsure about ESET, because I've checked two other AVs that do this and for them I could notice slight slowdowns, but in the case of ESET I noticed anything from extremely low slowdowns to no slowdown at all in page loading.
It would definitely be nice if ESET had a better last line of defense, but I think ESET will evolve in this area. In the meantime we may say their fine ability to detect new variants of malware kind of works like a behavior blocker for them.

MacDefender

Level 11
Verified
> @MacDefender Well said. I'm not much of a fan of SSL inspection either, but AVs that have it would argue that it provides even better protection because they can inspect the whole flow of data between your browser, PC and the website, thus making you more secure. In terms of performance degradation I'm kind of unsure about ESET, because I've checked two other AVs that do this and for them I could notice slight slowdowns, but in the case of ESET I noticed anything from extremely low slowdowns to no slowdown at all in page loading.
> It would definitely be nice if ESET had a better last line of defense, but I think ESET will evolve in this area. In the meantime we may say their fine ability to detect new variants of malware kind of works like a behavior blocker for them.
Yep, the only machines where I've seen slowdowns with network filtering are the Ultrabook-class devices like the Surface Pro: their battery modes rely heavily on throttling in order to give excellent battery life, and they spend most of their time running at under 1GHz single core, otherwise battery life becomes awful. That's just a physical limitation of such machines, and one has to carefully balance protection with loss of functionality.

BVLon

> Tried it yesterday as a paid user of Eset, but the new Norton 360 is so much lighter and a whole lot better protection.
> The firewall from Norton compared to Eset's one is so much more robust. Uninstalled Eset and reinstalled Norton 360 again.
> The one thing I really dislike about Eset is the kinda sissy robot when you open Eset :sick:

> I agree with you, Norton is better than Eset, but why has Symantec removed the trial versions? :O

Not only is it fast and light, but it also comes with backup. The reason for me not to switch to anything else for ages is that only Norton (and Webroot with its horrible GUI) offer online backup functionality. It's extremely simple and automated, and if I remove Norton I am not gonna install one of those hefty and complicated programs like Comodo or Acronis. And disk failure has happened to me twice.
Norton is also the only program to have a non-underdeveloped IPS/IDS based on signatures and behaviour. I love Eset's flexibility and the way the whole app has been designed... But they are not ready to dethrone Norton quite yet.

BVLon

> I will try that next. I wrote another relocate-and-add-to-startup variant and Emsi and F-Secure both block it. So far those two are tied in my testing. Norton actually isn't doing a great job at behavior blocking. SONAR sometimes flags these binaries when delivered via a web browser (simply as low reputation under Aggressive), and deleting user documents triggers it, but the other sketchy behavior like downloading+executing a secondary payload or moving itself to a randomly generated temp file name and then registering as a startup item is less likely to trigger Norton.
>
> EDIT: Honestly I'm okay with ESET's response. They have their reasons for not making a general behavior blocker. Customers just need to understand that despite their advertising about "deep behavior" blocking and HIPS being automatic, in reality those components don't really react to zero days quite the same way that other BBs do.
And a home-baked ransomware should trigger Eset, Norton, AV x, y, z because?
A real-world ransomware
1. Steps on a solid foundation of previous successful attacks.
2. Is written for money by fully-dedicated TEAMS.
3. Takes a lot of time + trial and error.
4. Rarely just pops up; ransomware is not just one executable modifying and encrypting files, it's a complete attack vector.
5. Together with file encryption algorithms, also contains multiple logics to be stealthy, hidden and fast. Did you program those? I doubt you did.

Your executable looks like some freebie that encrypts files for user's security & on-demand. I would actually be very concerned if it triggers detection.
ML-based solution will trigger an alarm when it has to trigger it. You can't make it squeal with 50 lines of code. :)

I've tested many BB with a lot of ransomware and they always seem to be great at blocking that, with the exception of McAfee. Ransomware detection should not be anyone's concern in 2020.
Last edited by a moderator:

MacDefender

Level 11
Verified
> And a home-baked ransomware should trigger Eset, Norton, AV x, y, z because?
> A real-world ransomware
> 1. Steps on a solid foundation of previous successful attacks.
> 2. Is written for money by fully-dedicated TEAMS.
> 3. Takes a lot of time + trial and error.
> 4. Rarely just pops up; ransomware is not just one executable modifying and encrypting files, it's a complete attack vector.
> 5. Together with file encryption algorithms, also contains multiple logics to be stealthy, hidden and fast. Did you program those? I doubt you did.
>
> Your executable looks like some freebie that encrypts files for user's security & on-demand. I would actually be very concerned if it triggers detection.
> ML-based solution will trigger an alarm when it has to trigger it. You can't make it squeal with 50 lines of code. :)
>
> I've tested many BB with a lot of ransomware and they always seem to be great at blocking that, with the exception of McAfee. Ransomware detection should not be anyone's concern in 2020.
It is only meant as a test of one component of overall bad behavior. Fundamentally ransom behavior is difficult to distinguish from something that password protects user documents on their command. It is really hard to distinguish the difference of whether or not the user consented to this action from the perspective of AV software.

This test, as I explained in my original post, was inspired by a real piece of ransomware that defeated multiple AV software. The only difference between what it did and what mine does is just the lack of calling back to a control center for key escrow. It did not have any other attack vector other than it was a double extension file masquerading as a PDF, delivered via email phishing.

I do agree that most ransomware exhibits other behaviors which makes it easy to detect but at that point it's not at all clear what specific behavior is triggering detections.

And to your point about whether or not you expect homebrew ransomware to trigger detections, my first test on this forum did the exact same thing except it used a built in .NET API to encrypt files and every AV software except ESET detected and blocked it, and Kaspersky went as far as to capture a sample of it automatically and add it as malicious in its signatures.

The difference here, as several AV vendors have responded regarding this sample, is that the act of using 7zip to do the dirty work is harder to block without false positives and that makes it not worth attempting to detect, which I agree with. In fact, if I had 7zip encrypt the documents and instead of having it delete them, I deleted them through my exploit binary, more behavior blockers start flagging it as malware.

Bottom line is, I'm not saying that AV software not responding to these proof of concept exploits are not doing a good job. These tests are simply meant to look into specific ways software responds to attacks extremely similar to what I have seen in the wild.


P.S. By the way, Norton and Emsisoft and others have balked at a few other behaviors in under 50 lines of code. For example, I isolated a piece of code from Rufus that asks for UAC elevation and then uses group policy objects to disable AutoRun for removable drives, which is just close enough to the same CLSID group as disabling Windows Defender. That triggers a lot of behavior blockers. Norton in particular will complain about 5 lines of code for a binary to copy itself and then register the copy as an AutoRun key if it's being done by a zero-reputation binary. So actually there are many cases where a seemingly simple snippet of a larger complex of suspicious behaviors will trigger AV software. Whether that's correct or not, I totally agree, is up for debate.
Last edited:
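The P.S. above describes the sequence that several behavior blockers react to: a zero-reputation binary writes a copy of itself to a temp path and then registers that copy under a Run key. As an added illustration that is not part of the thread and not any vendor's actual behavior-blocker logic, here is a toy correlation heuristic in Python that flags that sequence over constructed sensor events while letting a signed installer's Program Files autorun entry through. The event format, the content-hash field and the sample events are all assumptions made for this example.

```python
"""
Toy behaviour-correlation heuristic for the "unsigned binary copies itself to a
temp path, then registers the copy under a Run key" pattern discussed above.
Added illustration only: not any vendor's behaviour-blocker logic.  The sensor
event format, the content-hash field and the sample events are assumptions
constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Autorun locations we care about (lower-cased for comparison).
RUN_KEYS = (
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\run",
)
# Paths an unsigned binary should not normally be persisting from.
VOLATILE_DIRS = (r"\appdata\local\temp", r"c:\windows\temp", r"\downloads")


@dataclass
class Event:
    kind: str              # "process_start" | "file_create" | "reg_set"
    pid: int
    path: str              # process image, created file, or registry value path
    sha256: str = ""       # content hash; assumed to be supplied by the sensor
    data: str = ""         # registry value data (reg_set only)
    signed: bool = False   # code-signing status (process_start only)


@dataclass
class Proc:
    image: str
    sha256: str
    signed: bool
    dropped: Dict[str, str] = field(default_factory=dict)  # created file -> sha256


def _norm(p: str) -> str:
    return p.strip().strip('"').lower()


def _under(path: str, prefixes) -> bool:
    return any(x in path for x in prefixes)


def exe_from_run_value(data: str) -> str:
    """Extract the executable path from a Run value such as '"C:\\x\\a.exe" --tray'.
    Unquoted paths containing spaces are not handled; the sample data avoids them."""
    data = data.strip()
    if data.startswith('"'):
        return _norm(data[1:data.find('"', 1)])
    return _norm(data.split(" ")[0])


def analyze(events: List[Event]) -> List[dict]:
    """Correlate each process's file drops with its later Run-key writes."""
    procs: Dict[int, Proc] = {}
    alerts: List[dict] = []
    for ev in events:
        if ev.kind == "process_start":
            procs[ev.pid] = Proc(_norm(ev.path), ev.sha256, ev.signed)
            continue
        proc = procs.get(ev.pid)
        if proc is None:
            continue                      # no process context, nothing to correlate
        if ev.kind == "file_create":
            proc.dropped[_norm(ev.path)] = ev.sha256
        elif ev.kind == "reg_set" and _under(_norm(ev.path), RUN_KEYS):
            if proc.signed:
                continue                  # simplification: signed code may persist itself
            target = exe_from_run_value(ev.data)
            self_copy = proc.dropped.get(target) == proc.sha256   # same bytes as the image
            if self_copy and _under(target, VOLATILE_DIRS):
                alerts.append({"pid": ev.pid, "severity": "high",
                               "reason": f"{proc.image} copied itself to {target} "
                                         f"and registered the copy for autorun"})
            elif _under(target, VOLATILE_DIRS):
                alerts.append({"pid": ev.pid, "severity": "medium",
                               "reason": f"unsigned autorun entry points into volatile path {target}"})
    return alerts


# Constructed sample events (hashes are placeholders, not real file hashes).
H_MAL, H_SETUP, H_APP, H_TOOL = ("aa" * 32, "bb" * 32, "cc" * 32, "dd" * 32)

SAMPLE_EVENTS = [
    # 1) unsigned double-extension attachment copies itself to %TEMP% and persists the copy
    Event("process_start", 100, r"C:\Users\alice\Downloads\invoice.pdf.exe", sha256=H_MAL),
    Event("file_create", 100, r"C:\Users\alice\AppData\Local\Temp\xk3j2q.exe", sha256=H_MAL),
    Event("reg_set", 100, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
          data=r"C:\Users\alice\AppData\Local\Temp\xk3j2q.exe"),
    # 2) signed installer drops a different binary into Program Files and persists it
    Event("process_start", 200, r"C:\Users\alice\Downloads\setup.exe", sha256=H_SETUP, signed=True),
    Event("file_create", 200, r"C:\Program Files\Vendor\app.exe", sha256=H_APP),
    Event("reg_set", 200, r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorApp",
          data=r'"C:\Program Files\Vendor\app.exe" --tray'),
    # 3) unsigned portable tool persists itself in place from Downloads (no self copy)
    Event("process_start", 300, r"C:\Users\alice\Downloads\tool.exe", sha256=H_TOOL),
    Event("reg_set", 300, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Tool",
          data=r"C:\Users\alice\Downloads\tool.exe"),
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(a["severity"], a["pid"], a["reason"])
```

Running it yields one high-severity alert for pid 100 (the self-copy plus Run key) and one medium alert for pid 300 (an unsigned autorun entry pointing into Downloads), and nothing for the signed installer. The point is the one MacDefender makes: no single event here is malicious on its own; it is the correlation of "wrote a file with my own bytes" and "registered that file for autorun" by an unsigned process that makes a five-line snippet look like persistence.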

Cortex

Level 22
Verified
> Not only is it fast and light, but it also comes with backup. The reason for me not to switch to anything else for ages is that only Norton (and Webroot with its horrible GUI) offer online backup functionality. It's extremely simple and automated, and if I remove Norton I am not gonna install one of those hefty and complicated programs like Comodo or Acronis. And disk failure has happened to me twice.
> Norton is also the only program to have a non-underdeveloped IPS/IDS based on signatures and behaviour. I love Eset's flexibility and the way the whole app has been designed... But they are not ready to dethrone Norton quite yet.
I like Norton; my recent issue with 360 is that it installs all the files including the Symantec TAP but doesn't execute the VPN, which is one click away (for the masses I feel). This really upset my VPN, IVPN, which I have no intention of ever changing :) Norton Support wasn't able to sort it, though they tried greatly. As I have licences for ESET & Norton I'm with ESET on this, my main PC, and for reasons unclear it runs as if having no AV at all, most impressive, though I've used ESET for donkey's years on & off. Unlikely to use Norton again; it will end up on friends' & family's PCs.

BVLon

> I like Norton; my recent issue with 360 is that it installs all the files including the Symantec TAP but doesn't execute the VPN, which is one click away (for the masses I feel). This really upset my VPN, IVPN, which I have no intention of ever changing :) Norton Support wasn't able to sort it, though they tried greatly. As I have licences for ESET & Norton I'm with ESET on this, my main PC, and for reasons unclear it runs as if having no AV at all, most impressive, though I've used ESET for donkey's years on & off. Unlikely to use Norton again; it will end up on friends' & family's PCs.
Yes, the VPN is problematic, and it is also limited. For a good VPN, I suggest F-Secure with its Finnish Freedome. Norton's VPN is just to secure yourself while banking on open networks and stuff.
Norton Support is awful as well. Don't rely on them too much. That goes for pretty much any software lol... You don't wanna deal with Panda support... they will make you cry.
Eset's got their quality and I love them tbh... They kinda designed it the way I would design security software... I got only 2 issues with them.
1. It's quite expensive and you can find Norton a lot cheaper.
2. Norton's got online backup, Eset doesn't.

Cortex

Level 22
Verified
> Yes, the VPN is problematic, and it is also limited. For a good VPN, I suggest F-Secure with its Finnish Freedome. Norton's VPN is just to secure yourself while banking on open networks and stuff.
> Norton Support is awful as well. Don't rely on them too much. That goes for pretty much any software lol... You don't wanna deal with Panda support... they will make you cry.
> Eset's got their quality and I love them tbh... They kinda designed it the way I would design security software... I got only 2 issues with them.
> 1. It's quite expensive and you can find Norton a lot cheaper.
> 2. Norton's got online backup, Eset doesn't.
Agree with you: ESET is very expensive and there are few if any deals. Norton can be found very cheaply, has backup & a VPN, and with excellent protection there are good reasons to use it.

BVLon

> Agree with you: ESET is very expensive and there are few if any deals. Norton can be found very cheaply, has backup & a VPN, and with excellent protection there are good reasons to use it.
I tried eBay, I got scammed. I obviously disputed the transaction and got my money back. All of the Eset sellers on eBay are in Sri Lanka (I have reason to believe it's actually one group of a few individuals who have registered hundreds of accounts and also stand behind tech-support scams). I am trying to get eBay to unlist them. Beware Eset sellers on eBay.

Cortex

Level 22
Verified
> I tried eBay, I got scammed. I obviously disputed the transaction and got my money back. All of the Eset sellers on eBay are in Sri Lanka (I have reason to believe it's actually one group of a few individuals who have registered hundreds of accounts and also stand behind tech-support scams). I am trying to get eBay to unlist them. Beware Eset sellers on eBay.
I have had similar issues, including a seller with good feedback who ended up getting licences they thought were genuine (they said). I will never buy ESET from eBay again. You live & learn I suppose :rolleyes: If anyone is thinking of buying ESET off eBay, it will fail in a month or so.