ESET 13.1.16.0

Parsh

View attachment 237841
Never thought I would see deep behavioral inspection in action.
From what I can make of the alert text, it reports that a potentially suspicious application has been detected, not that a suspicious behavior is identified.
If that is true, I doubt if it's Deep Behavioral Inspection that triggered the alert. DBI as they say is an extension of HIPS.
In the Detection Engine tab, you have adjustable levels of 'suspicious applications' to be detected. And this is also present in the 'On-demand scans' parameters. So I believe that these two are different in the view that
  1. Detection Engine >> Suspicious Applications uses static/dynamic analysis of code to see if the file is suspicious (your case)
  2. HIPS >> DBI monitors activity of actually run apps to see if actions are suspicious
Since the detected file is a setup, I guess it was detected on static scan/when trying to run it. Alright, your new post says it alerts on download too. So it should not be the DBI.
 

fabiobr

Statistics says it was deep behavioral inspection, since I ran the executable and it began to download things.
 

SeriousHoax

Hmm that BH part in the detection means it's related to Deep behavioral inspection.
 

fabiobr

My impression is that they are FINALLY investing in something proactive, later after a lot of critics.

Now it has granular configs of real time modules and seems to be catching apps based on pre-config behavioral settings made by ESET.

That "BH" detection is new for me too, looks like a shortcut for BeHavioral.
 

SeriousHoax

I would say don't get too excited because it's still mostly the same as before and not much has changed even after the implemented detection engine sensitivity. I'm yet to see it in action. The deep behavioral blocker inspection is nothing too impressive also because... ⬇
I wonder if it's actually intercepting the behavior at runtime, or just scanning the binary for Windows API calls that seem suspicious. Both techniques have their place and most AVs use a combination of both.
You're exactly right. A long-time and experienced ESET user told me this. All the deep behavioral inspection does is scan the binary for Windows API calls that seem suspicious. So it's nothing new and many AVs do this.
 

MacDefender


Ugh, I really wish ESET wouldn't use behavior-blocker-like terms to describe a static feature. That's what sets us up for these sorts of "disappointments". Good static inspection and sandboxed strategies are great, but let's use the same terms the rest of the industry uses to describe it.
 

fabiobr

At the end of the day, what matters is the detection ratio.

And ESET does well code emulation/sandboxed. By default, it's enabled only with new/changed files, I guess that's why they have great and fast signatures, plus ESET Livegrid has a huge database too.
 

MacDefender

Absolutely! Techniques are fun to talk about but their results and track record speak for themselves!
 

Parsh

I wonder if it's actually intercepting the behavior at runtime, or just scanning the binary for Windows API calls that seem suspicious. Both techniques have their place and most AVs use a combination of both.
Exactly what I meant earlier :) Looked more like it was a result of code analysis (of system calls for expected behavior) rather than flagging actual behavior.
Though the tooltip info of DBI says that it monitors the activities of all running programs. Suspicious characteristics of code being executed like suspicious API call behavior could have led to the flagging.

Edit: Just had a look into their new whitepaper that says
DBI includes new detection heuristics and enables an even deeper user-mode monitoring of unknown, suspicious processes. This is accomplished via hooks created by DBI within unknown, potentially harmful processes and monitoring of their activity and requests to the operating system. If malicious behavior is detected, DBI mitigates the activity and informs the user. If the process is suspicious, but does not show clear signs of malicious behavior, HIPS can also use the data gathered by DBI to run further analysis via its other modules.
Turns out that it's indeed the system API calls being checked. Not in the binary, but dynamically. DBI monitors the behavior of unknown processes in real-time by hooking into them to monitor the message traffic - and analyze the API calls before they're executed on the system. If it cannot give a verdict, it may pass on to HIPS.
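
The difference discussed above between scanning a binary's imports and watching hooked API calls at runtime, as an added Python sketch that is not ESET's code and not part of the original posts. The rules, verdict names, actions and traces are constructed assumptions; only the Windows API names are real.

```python
from typing import NamedTuple

class Call(NamedTuple):
    pid: int      # process the (hypothetical) hook lives in
    api: str      # Windows API about to be called
    args: dict    # arguments captured before the call executes

SUSPICIOUS_IMPORTS = {"URLDownloadToFileW", "VirtualAllocEx",
                      "WriteProcessMemory", "CreateRemoteThread"}

def static_verdict(imports):
    """Static view: which APIs the binary could call; no order, no arguments."""
    return "suspicious" if len(SUSPICIOUS_IMPORTS & set(imports)) >= 2 else "clean"

def _remote(call, matched):          # call targets a process other than the caller
    return call.args.get("target_pid", call.pid) != call.pid

def _runs_download(call, matched):   # launched file is the one just downloaded
    return call.args.get("path") == matched[0].args.get("dest")

# Constructed rules, most severe first: each step must occur in order and pass its check.
RULES = [
    ("malicious", [("VirtualAllocEx", _remote), ("WriteProcessMemory", _remote),
                   ("CreateRemoteThread", _remote)]),
    ("suspicious", [("URLDownloadToFileW", lambda c, m: True),
                    ("CreateProcessW", _runs_download)]),
]
# Mirrors the quoted whitepaper text: mitigate, hand over to HIPS, or let it run.
ACTIONS = {"malicious": "block", "suspicious": "escalate_to_hips", "clean": "allow"}

def _matches(steps, trace):
    matched = []
    for call in trace:
        api, check = steps[len(matched)]
        if call.api == api and check(call, matched):
            matched.append(call)
            if len(matched) == len(steps):
                return True
    return False

def dynamic_verdict(trace):
    """Runtime view: ordered calls with arguments, as a user-mode hook would see them."""
    return next((v for v, steps in RULES if _matches(steps, trace)), "clean")

# Constructed samples: setups with the same import table but different behaviour.
IMPORTS = ["CreateFileW", "URLDownloadToFileW", "WriteProcessMemory", "CreateProcessW"]
TRACE_DOWNLOADER = [Call(100, "URLDownloadToFileW", {"dest": r"C:\Temp\a.exe"}),
                    Call(100, "CreateProcessW", {"path": r"C:\Temp\a.exe"})]
TRACE_BENIGN = [Call(200, "WriteProcessMemory", {"target_pid": 200}),
                Call(200, "CreateProcessW", {"path": r"C:\Windows\notepad.exe"})]
TRACE_INJECT = [Call(300, a, {"target_pid": 4242}) for a in
                ("VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread")]
```

The static check gives the same answer for every binary that shares `IMPORTS`, while the runtime check separates the three traces into allow, escalate and block.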

SeriousHoax

Why? Choice? Avoid FPs?
No, not that. I heard some things about ESET but I'm not fully sure about it. The first thing is, unlike Microsoft, Kaspersky, Norton, McAfee and a few other big players, ESET don't have their own cloud infrastructure for threat processing. They use Microsoft's Azure AI which I heard is also used by the likes of VoodooShield and some other antiviruses. I don't think Azure AI servers are limited to executable files only but probably the more types of files you want to analyze the more costly it is. Whatever the cost is, it's definitely cheaper than investing in building your own cloud infrastructure and maintaining it. So, if this is true then I must say ESET is being cheap here. A company with the size of them can easily invest some money in this area. ESET is already a great product but they could be a lot better. Anyway once again, I'm not fully sure about this info but I believe this to be true.
 

SeriousHoax

Definitely yes, this defines ESET. They are really old in the security industry and can't invest in their own servers?
I also heard HIPS was developed by a third party for them. The reason they don't add any more features for it is, they don't want to invest any resources here. So the most requested feature for HIPS, which is wildcard support, hasn't arrived yet after years of asking.
Anyway, at least they're investing in in-product AI which with proper training should get a lot better.
 

Wraith2020

To be honest, ESET can ditch the HIPS. It's useless at Automatic Mode. Instead they should focus on their Augur and Anti-Ransomware Shield. If ESET can make these two top-notch, it'll be right on par with the best like Kaspersky.
 

SeriousHoax

I was talking about custom HIPS rules. It's very useful for advanced users so wildcard support will be highly appreciated. Automatic mode is definitely useless I agree, even Smart mode is just a fancy term. Ransomware shield is probably the most useless feature ESET has. They probably put it there just to please some users. They say Ransomware shield requires LiveGrid to work properly. How funny is that! Never ever seen it working which you also know very well.
 

Wraith2020

Yeah the Anti-Ransomware Shield and Anti-Exploit Shield are non-existent. I highly doubt if they're included at all. Maybe just for marketing. ESET should really improve on these two. If these two work properly ESET protection will improve a lot, even if they ditch the HIPS.
 
