Eset 13.0.22.0 Final
MacDefender (post 843751) wrote:

Testing ESET 13.0.22.0's HIPS with my sample of suspicious things:

(1) (written myself) Simulated ransomware: Zips up the contents of My Documents (password set to today's date) and then deletes all the files one by one.
(2) (written myself) Simulated PUA: Copies itself as C:\Program.exe and then registers itself as a startup item.
(3) Modified Rufus.exe repacked myself: Rufus edits the system's group policy to disable Autorun and escalates itself to admin in order to drop in GPO registry keys.
(4) Modified Universal Watermark Disabler repatched myself (patches BootMgr and the EFI Windows loader similar to a rootkit).
(5) Stock HWIDGen (Windows piracy tool, MITMs the connection to a Windows activation server. Considered suspicious by most heuristic analyzers).
(6) Stock VMware Workstation crack (false alarm test. Attempts to patch VMware binaries set off a lot of heuristic engines as malware attempting to detect a VM).

Emsisoft AM alerts on: 1, 2, 3, 6
F-Secure SAFE alerts on: 1, 2, 3, 4
ESET alerts on: None

In terms of results, I expect 1, 2, and 4 to be flagged by a behavior blocker or even a static analyzer. I expect 6 to not be flagged by anything.

I was surprised that the default settings for ESET didn't alert to anything.... (1) actually deleted my data despite the "ransomware blocker" module being turned on. And I'm literally just using stock .NET APIs with no attempt to obfuscate the fact that I'm deleting stuff from My Documents after encrypting it. (2) is meant to be a double whammy where locating yourself to Program.exe is a common exploit attempt (unquoted service path) and a zero-reputation binary immediately setting itself to run at startup is suspicious too.

Are there fancier settings to use for ESET?

On the bright side, the static scanner is quite good. It's picking up a lot of live-generated Mac malware that is intentionally randomized every download.

EDIT: I will say that while testing most of these binaries there was about a 5-10 second stall at various points in execution. It seemed like ESET was somehow inspecting what the binaries tried to do but just wasn't suspicious enough. Note too that this was more heavyweight than the other mentioned BBs. ESET is overall light and fast but it does seem to be heavy if the behavior blocker is inspecting a process.
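The two self-written tests in the post, (1) mass read of My Documents followed by an archive write and mass delete, and (2) a self-copy to C:\Program.exe followed by a Run-key entry, are the kind of ordered event chains a behavior blocker is meant to catch. The block below is an added example, not MacDefender's test code and not the detection logic of ESET, Emsisoft or F-Secure: it encodes those two chains as heuristics over a constructed file/registry event stream. The Event schema, the regexes, the 30-second window, the threshold of 10 files and the sample pids are all assumptions made for the example.

```python
"""Toy behaviour-blocker heuristics for the two hand-written tests in the post.

Constructed example, not ESET/Emsisoft/F-Secure logic and not MacDefender's code.
The Event schema, regexes, window and thresholds are all assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    t: float    # seconds since boot (assumed monotonic clock)
    pid: int    # process that performed the operation
    op: str     # "read" | "write" | "delete" | "reg_set"
    path: str   # file path, or registry value path for reg_set


# Heuristic parameters (assumptions; a real engine tunes these per deployment).
WINDOW_S = 30.0        # look-back window for the read -> archive -> delete chain
MASS_THRESHOLD = 10    # distinct Documents files read and later deleted

DOC_DIR_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\documents\\", re.I)
ARCHIVE_RE = re.compile(r"\.(zip|7z|rar)$", re.I)
# An .exe directly under a drive root, e.g. C:\Program.exe, which is exactly where an
# unquoted "C:\Program Files\..." service path would resolve first.
ROOT_EXE_RE = re.compile(r"^[a-z]:\\[^\\]+\.exe$", re.I)
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)


def ransomware_like(evs, window=WINDOW_S, threshold=MASS_THRESHOLD):
    """Test (1): many Documents files read, an archive written, then those files deleted.

    Returns a reason string or None. Ordering matters: a backup tool that reads and
    archives but never deletes must not trip this.
    """
    evs = sorted(evs, key=lambda e: e.t)
    for i, start in enumerate(evs):
        if start.op != "read" or not DOC_DIR_RE.match(start.path):
            continue
        read, deleted, archive = set(), set(), None
        for e in evs[i:]:
            if e.t - start.t > window:
                break
            p = e.path.lower()
            if e.op == "read" and DOC_DIR_RE.match(p):
                read.add(p)
            elif e.op == "write" and ARCHIVE_RE.search(p):
                archive = e.path
            elif e.op == "delete" and p in read:
                deleted.add(p)
                if archive and len(read) >= threshold and len(deleted) >= threshold:
                    return (f"{len(read)} Documents files read, archive {archive} "
                            f"written, then {len(deleted)} of them deleted")
    return None


def persistence_drop(evs):
    """Test (2): process writes an .exe to a drive root, then sets a Run/RunOnce value."""
    dropped = None
    for e in sorted(evs, key=lambda e: e.t):
        if e.op == "write" and ROOT_EXE_RE.match(e.path):
            dropped = e.path
        elif e.op == "reg_set" and dropped and RUN_KEY_RE.search(e.path):
            return f"wrote {dropped} at drive root, then set Run key {e.path}"
    return None


def detect(events, window=WINDOW_S, threshold=MASS_THRESHOLD):
    """Group events per pid and return {pid: [reasons]} for pids that trip a heuristic."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e.pid].append(e)
    findings = {}
    for pid, evs in by_pid.items():
        reasons = [r for r in (ransomware_like(evs, window, threshold), persistence_drop(evs)) if r]
        if reasons:
            findings[pid] = reasons
    return findings


def doc_events(pid, n=12, delete=True, user="md", t0=0.0):
    """Constructed stream: read n Documents files, appending each to a dated zip, then
    (optionally) delete them one by one -- the shape of test (1)."""
    docs = [f"C:\\Users\\{user}\\Documents\\report{i}.docx" for i in range(n)]
    zip_path = f"C:\\Users\\{user}\\Desktop\\2019-12-20.zip"
    evs, t = [], t0
    for d in docs:
        evs += [Event(t, pid, "read", d), Event(t + 0.5, pid, "write", zip_path)]
        t += 1.0
    if delete:
        for d in docs:
            evs.append(Event(t, pid, "delete", d))
            t += 0.5
    return evs


# Constructed sample: pid 100 = test (1), pid 200 = test (2),
# pid 300 = user editing one document, pid 400 = backup tool (archives, never deletes).
SAMPLE_EVENTS = (
    doc_events(100)
    + [Event(5.0, 200, "write", "C:\\Program.exe"),
       Event(6.0, 200, "reg_set", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater")]
    + [Event(1.0, 300, "read", "C:\\Users\\md\\Documents\\notes.txt"),
       Event(2.0, 300, "write", "C:\\Users\\md\\Documents\\notes.txt"),
       Event(3.0, 300, "delete", "C:\\Users\\md\\Documents\\~$notes.tmp")]
    + doc_events(400, delete=False)
)

if __name__ == "__main__":
    for pid, reasons in sorted(detect(SAMPLE_EVENTS).items()):
        print(pid, "->", "; ".join(reasons))
```

Running it flags pid 100 and pid 200 only. The point of the constructed pid 400 stream is the check a practitioner cares about: the same read-then-archive sequence without the trailing deletes (a backup job) must stay silent, so the heuristic keys on the order of operations and not just on volume. A real HIPS sees these operations through kernel callbacks rather than a pre-built list, and weighs reputation and signer as well, so treat the thresholds here as illustrative.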