ESET 13.1.16.0

[Parsh]

View attachment 237841
Never thought I would see deep behavioral inspection in action.

From what I can make of the alert text, it reports that a potentially suspicious application has been detected, not that a suspicious behavior is identified.
If that is true, I doubt if it's Deep Behavioral Inspection that triggered the alert. DBI as they say is an extension of HIPS.
In the Detection Engine tab, you have adjustable levels of 'suspicious applications' to be detected. And this is also present in the 'On-demand scans' parameters. So I believe that these two are different in the view that

1. Detection Engine >> Suspicious Applications uses static/dynamic analysis of code to see if the file is suspicious (your case)
2. HIPS >> DBI monitors activity of actually run apps to see if actions are suspicious

Since the detected file is a setup, I guess it was detected on static scan/when trying to run it. Alright, your new post says it alerts on download too. So it should not be the DBI.

 

[fabiobr]

From what I can make of the alert text, it reports that a potentially suspicious application has been detected, not that a suspicious behavior is identified.
If that is true, I doubt if it's Deep Behavioral Inspection that triggered the alert. DBI as they say is an extension of HIPS.
In the Detection Engine tab, you have adjustable levels of 'suspicious applications' to be detected. And this is also present in the 'On-demand scans' parameters. So I believe that these two are different in the view that

1. Detection Engine >> Suspicious Applications uses static/dynamic analysis of code to see if the file is suspicious (your case)
2. HIPS >> DBI monitors activity of actually run apps to see if actions are suspicious

Since the detected file is a setup, I guess it was detected on static scan/when trying to run it. Alright, your new post says it alerts on download too. So it should not be the DBI.

Statistics says it was deep behavioral inspection, since I ran the executable and it begun to download things.

 

[SeriousHoax]

Hmm that BH part in the detection means it's related to Deep behavioral inspection.

Steam game Medal of Honor being flagged as PUA

Not sure if this is an actual PUA or a false positive. Recently downloaded Medal of Honor a 2010 EA game via Steam. I'd played it years ago but re-downloaded it to play the other day and launching it I got an eset warning, possibly augur, stating something got blocked. Eset has warned me it is po...

forum.eset.com

 

[Parsh]

Statistics says it was deep behavioral inspection, since I ran the executable and it begun to download things.

Alright. Looks like the terms are used in an overlapping way. By statistics you mean logs?

 

[fabiobr]

Alright. Looks like the terms are used in an overlapping way. By statistics you mean logs?

Yeap

 

[fabiobr]

Hmm that BH part in the detection means it's related to Deep behavioral inspection.

Steam game Medal of Honor being flagged as PUA

Not sure if this is an actual PUA or a false positive. Recently downloaded Medal of Honor a 2010 EA game via Steam. I'd played it years ago but re-downloaded it to play the other day and launching it I got an eset warning, possibly augur, stating something got blocked. Eset has warned me it is po...

forum.eset.com

My impression is that they are FINALLY investing in something proactive, later after a lot of critics.

Now it has granular configs of real time modules and seems to be catching apps based on pre-config behavioral settings made by ESET.

That "BH" detection is new for me too, looks like a shortcut for BeHavioral.

 

[MacDefender]

I wonder if it's actually intercepting the behavior at runtime, or just scanning the binary for Windows API calls that seem suspicious. Both techniques have their place and most AVs use a combination of both.

 

[SeriousHoax]

My impression is that they are FINALLY investing in something proactive, later after a lot of critics.

Now it has granular configs of real time modules and seems to be catching apps based on pre-config behavioral settings made by ESET.

That "BH" detection is new for me too, looks like a shortcut for BeHavioral.

I would say don't get too excited because it's still mostly the same as before and not much has changed it even after the implemented detection engine sensitivity. I'm yet to see it in action. The deep behavioral blocker inspection is nothing too impressive also because..........⬇

I wonder if it's actually intercepting the behavior at runtime, or just scanning the binary for Windows API calls that seem suspicious. Both techniques have their place and most AVs use a combination of both.

You're exactly right. A long time and experienced ESET user told me this. All the deep behavioral inspection does is, it scans binary for Windows API calls that seem suspicious. So it's nothing new and many AVs does this.

 

[MacDefender]

You're exactly right. A long time and experienced ESET user told me this. All the deep behavioral inspection does is, it scans binary for Windows API calls that seem suspicious. So it's nothing new and many AVs does this.

Ugh I really wish ESET wouldn't use behavior blocker like terms to describe a static feature. That's what sets us up for these sort of "disappointments". Good static inspection and sandboxed strategies are great, but let's use the same terms the rest of the industry uses to describe it.

 

[fabiobr]

Ugh I really wish ESET wouldn't use behavior blocker like terms to describe a static feature. That's what sets us up for these sort of "disappointments". Good static inspection and sandboxed strategies are great, but let's use the same terms the rest of the industry uses to describe it.

At the end of the day, what matters is the detection ratio.

And ESET does well code emulation/sandboxed. By default, it's enabled only with new/changed files, I guess that's why they have great and fast signatures, plus ESET Livegrid has a huge database too.

 

[MacDefender]

At the end of the day, what matters is the detection ratio.

And ESET does well code emulation/sandboxed. By default, it's enabled only with new/changed files, I guess that's why they have great and fast signatures, plus ESET Livegrid has a huge database too.

Absolutely! Techniques are fun to talk about but their results and track record speaks for themselves!

 

[Parsh]

I wonder if it's actually intercepting the behavior at runtime, or just scanning the binary for Windows API calls that seem suspicious. Both techniques have their place and most AVs use a combination of both.

Exactly what I meant earlier Looked more like it was a result of code analysis (of system calls for expected behavior) rather than flagging actual behavior.
Though the tooltip info of DBI says that it monitors the activities of all running programs. Suspicious characteristics of code being executed like suspicious API call behavior could have led to the flagging.

Edit: Just had a look into their new whitepaper that says

DBI includes new detection heuristics and enables an even deeper user-mode monitoring of unknown, suspicious processes. This is accomplished via hooks created by DBI within unknown, potentially harmful processes and monitoring of their activity and requests to the operating system. If malicious behavior is detected, DBI mitigates the activity and informs the user. If the process is suspicious, but does not show clear signs of malicious behavior, HIPS can also use the data gathered by DBI to run further analysis via its other modules.

Spoiler: Process monitoring

Turns out that it's indeed the system API calls being checked. Not in the binary, but dynamically. DBI monitors the behavior of unknown processes in real-time by hooking into them to monitor the message traffic - and analyze the API calls before they're executed on the system. If it cannot give a verdict, it may pass on to HIPS.

 

[SeriousHoax]

ESET Livegrid has a huge database too.

Btw, ESET's LiveGrid can only analyze executable files. Their cloud sandbox can't analyze scripts like Microsoft, Kaspersky's cloud. Unknown scripts malwares are only detected after manual analysis.

 

[fabiobr]

Btw, ESET's LiveGrid can only analyze executable files. Their cloud sandbox can't analyze scripts like Microsoft, Kaspersky's cloud. Unknown scripts malwares are only detected after manual analysis.

Why? Choice? Avoid FPs?

 

[SeriousHoax]

Why? Choice? Avoid FPs?

No, not that. I heard some things about it ESET but I'm not fully sure about it. The first thing is, unlike Microsoft, Kaspersky, Norton, McAfee and few other big players, ESET don't have their own cloud infrastructure for threat processing. They use Microsoft's Azure AI which I heard is also used by the likes of Voodoshield and some other Antiviruses. I don't think Azure AI servers are limited to executable files only but probably the more types of files you want to analyze the more costly it is. Whatever the cost is, it's definitely cheaper than investing in building your own cloud infrastructure and maintaining it. So, if this is true then I must say ESET is being cheap here. A company with the size of them can easily invest some money in this area. ESET is already a great product but they could be a lot better. Anyway once again, I'm not fully sure about this info but I believe this to be true.

 

[fabiobr]

A company with the size of them can easily invest some money in this area. ESET is already a great product but they could be a lot better.

Definitely yes, this define ESET. They are really old in the security industry and can't invest on own servers?

 

[SeriousHoax]

Definitely yes, this define ESET. They are really old in the security industry and can't invest on own servers?

I also heard, HIPS was developed by a third party for them. The reason they don't add any more features for it is, they don't want to invest any resources here. So the most requested feature for HIPS which is wildcard support hasn't arrived yet after years of asking.
Anyway, at least they're investing in in product AI which with proper training should get a lot better.

 

[Wraith2020]

I also heard, HIPS was developed by a third party for them. The reason they don't add any more features for it is, they don't want to invest any resources here. So the most requested feature for HIPS which is wildcard support hasn't arrived yet after years of asking.
Anyway, at least they're investing in in product AI which with proper training should get a lot better.

To be honest, ESET can ditch the HIPS. It's useless at Automatic Mode. Instead they should focus on their Argur and Anti-Ransomware Shield. If ESET can make these two top-notch, it'll be right on par with the best like Kaspersky.

 

[SeriousHoax]

To be honest, ESET can ditch the HIPS. It's useless at Automatic Mode. Instead they should focus on their Argur and Anti-Ransomware Shield. If ESET can make these two top-notch, it'll be right on par with the best like Kaspersky.

I was talking about custom HIPS rules. It's very useful for advanced users so wildcard support will be highly appreciated. Automatic mode is definitely useless I agree, even Smart mode is just a fancy term. Ransomware shield is probably the most useless feature ESET has. They probably put it there just to please some users. They say Ransomware shield requires LiveGrid to work properly. How funny is that! Never ever seen it working which you also know very well.

 

[Wraith2020]

I was talking about custom HIPS rules. It's very useful for advanced users so wildcard support will be highly appreciated. Automatic mode is definitely useless I agree, even Smart mode is just a fancy term. Ransomware shield is probably the most useless feature ESET has. They probably put it there just to please some users. They say Ransomware shield requires LiveGrid to work properly. How funny is that! Never ever seen it working which you also know very well.

Yeah the Anti-Ransomware Shield and Anti-Exploit Shield are non-existent. I highly doubt if they're included at all. Maybe just for marketing. ESET should really improve on these two. If these two work properly ESET protection will improve a lot, even if they ditch the HIPS.