ESET 14.0.x released

[SeriousHoax]

(Pinging @McMcbrad)

So I just grabbed ESET IS 14 and tested it against my trivial MSIL battery (encrypting My Documents\test recursively), using RIPlace techniques, going through the front door, etc. Other than one sample that ESET wrote a signature for due to an earlier test (which was bypassed by renaming some functions and compiling in a new project), 14 isn't detecting any of these samples at runtime either. I tried increasing the scope to all of My Documents, same results.

On the bright side, as I expected, ESET fantastically detected two of my most recent Emotet samples that have 2/69 VT detection.

Maybe they significantly improved the anti-exploit engine but I'm not seeing any general behavior blocker improvements (these kinds of samples are easily flagged by Kaspersky and F-Secure and others).

I'm more trying to learn specifically what was changed in 14.x. This is a highly artificial behavior blocker test so I'm happy to change it to more reflect "real" malware, though it would help to know what needs to change to get ESET's behavior blocker to care.

I don't think they changed much in terms of behavior blocking. They are still mainly statistical analysis dependent. I do see the machine learning component gets update quite frequently. Which means their ML/Augur isn't properly trained yet and requires updates regularly.
The filless powershell Tesla @McMcbrad talked about here was also getting detect by ESET the day he posted when it had 0 detection on VT even though VT is not showing it.

Malware analysis - Fileless Tesla Abuses .Net Framework Processes

Last night in my usual malware hunting habits, I came across something very interesting. This is malware behaviour I have not observed before. The domain 111().90().149().229 serves three *.txt files. Upon inspection, I noticed two of them are obfuscated PowerShell code. The tool used for...

malwaretips.com

But as you know, ESET's signature based detection has always been spot on but behavior blocking wise there don't seem to be any change.
But they have performed excellent in every AV lab tests this year, so maybe they have done something internally. Maybe @McMcbrad can test.

 

[ForgottenSeer 89360]

(Pinging @McMcbrad)

So I just grabbed ESET IS 14 and tested it against my trivial MSIL battery (encrypting My Documents\test recursively), using RIPlace techniques, going through the front door, etc. Other than one sample that ESET wrote a signature for due to an earlier test (which was bypassed by renaming some functions and compiling in a new project), 14 isn't detecting any of these samples at runtime either. I tried increasing the scope to all of My Documents, same results.

On the bright side, as I expected, ESET fantastically detected two of my most recent Emotet samples that have 2/69 VT detection.

Maybe they significantly improved the anti-exploit engine but I'm not seeing any general behavior blocker improvements (these kinds of samples are easily flagged by Kaspersky and F-Secure and others).

I'm more trying to learn specifically what was changed in 14.x. This is a highly artificial behavior blocker test so I'm happy to change it to more reflect "real" malware, though it would help to know what needs to change to get ESET's behavior blocker to care.

Eset has implemented heuristics against certain types of obfuscated scripts, detecting them as MSIL.Kryptik or something of this sort. This explains both the fileless Tesla implementation, as well as Emotet identification (since you are saying 2/69 on VT I understand it's trojanized document). I am saying *some* as there are types of obfuscation such as compression that weren't covered when I tested it.

I have also seen it many times detecting various 0-days I have discovered, together with Kaspersky and I have seen it miss some. More frequently the former.

You can't call their protection weak or abysmal and it is definitely boosted from before, but there is no behavioural blocking. Although it exists as a component in settings + ransomware protection "extension" I don't believe anyone ever saw these in action. Pre-execution analyses detects most ransomware(s) and even their notes, bit it's not impossible to evade. There are unfortunately many ways to evade static and dynamic analyses. My C++ ransomware that iterates through folders via the boost library and not the Windows APIs was a miss. They only utilise reputation as a minor indicator (unlike Kaspersky's Application Control, Norton Insight or Avast hardened mode against executables) so they lose a point there as well. I believe they will look to improve these areas in the next version.

 

[fabiobr]

We can't forget that ESET has a good web filter too, which is the first line of defense.

 

[Divine_Barakah]

We can't forget that ESET has a good web filter too, which is the first line of defense.

And which prevent most malware from reaching the system in first place.

 

[MacDefender]

Eset has implemented heuristics against certain types of obfuscated scripts, detecting them as MSIL.Kryptik or something of this sort. This explains both the fileless Tesla implementation, as well as Emotet identification (since you are saying 2/69 on VT I understand it's trojanized document). I am saying *some* as there are types of obfuscation such as compression that weren't covered when I tested it.

I have also seen it many times detecting various 0-days I have discovered, together with Kaspersky and I have seen it miss some. More frequently the former.

You can't call their protection weak or abysmal and it is definitely boosted from before, but there is no behavioural blocking. Although it exists as a component in settings + ransomware protection "extension" I don't believe anyone ever saw these in action. Pre-execution analyses detects most ransomware(s) and even their notes, bit it's not impossible to evade. There are unfortunately many ways to evade static and dynamic analyses. My C++ ransomware that iterates through folders via the boost library and not the Windows APIs was a miss. They only utilise reputation as a minor indicator (unlike Kaspersky's Application Control, Norton Insight or Avast hardened mode against executables) so they lose a point there as well. I believe they will look to improve these areas in the next version.

Thanks this matches my understanding and observations too. Their static heuristics and signature writing are as excellent as ever but so far my tests of behavior blocking shows no general behavior blocking. I expanded my tests to add persistence/evasion too (tries to move itself to the Windows directory under the name NvCpl.exe and register as a startup item in the registry), nothing. Usually this behavior triggers Kaspersky and Emsisoft and F-Secure.

I strongly believe that ESET’s protection is top class especially against variants of in the wild malware. And I also believe that detecting via static scanning and web filtering is always more comforting than relying on the BB to make up for spotty signatures. But yeah based off their description of what changed I was hoping to see a behavior blocker, but that isn’t what I’m finding. My most optimistic theory is that their behavior blocker is just looking for very specific actions of malware families that they have trouble writing signatures for.

 

[MacDefender]

When I plugged my laptop in, it decided to start the initial scan. Then I closed the lid, which caused it to go to sleep. Now even though it's awake and unplugged, it's doing the rest of the initial scan on battery power

 

[SeriousHoax]

View attachment 251945

When I plugged my laptop in, it decided to start the initial scan. Then I closed the lid, which caused it to go to sleep. Now even though it's awake and unplugged, it's doing the rest of the initial scan on battery power

This initial scan only happens right after the first update after installation. It didn't do that?

 

[MacDefender]

This initial scan only happens right after the first update after installation. It didn't do that?

It didn’t, seemingly because I installed on battery. This is the first time I plugged in since installing (it’s an ultra book with 10-15hrs battery if nothing drains it)

Given that it’s the initial scan I’m willing to forgive it since it’s a one time thing.

 

[Divine_Barakah]

It didn’t, seemingly because I installed on battery. This is the first time I plugged in since installing (it’s an ultra book with 10-15hrs battery if nothing drains it)

Given that it’s the initial scan I’m willing to forgive it since it’s a one time thing.

Yes the same happened to me and I contacted support and they confirmed that the initial scan did not run because Eset was installed while on battery power, but in my case the initial scan did not run when I plugged my laptop.

 

[MacDefender]

Yes the same happened to me and I contacted support and they confirmed that the initial scan did not run because Eset was installed while on battery power, but in my case the initial scan did not run when I plugged my laptop.

Yeah my main gripe here is that though ESET in general is light, if I didn't catch the runaway initial scan after taking my laptop off the charger I could've been left with less than half the battery life I was expecting. Kaspersky was really good about immediately pausing these kinds of background scans as soon as the power is disconnected, and I generally feel that ESET is less buggy than other big suites.

 

[ForgottenSeer 89360]

I generally feel that ESET is less buggy than other big suites.

This might be due to ESET making far less changes in terms of new features, etc.

 

[fabiobr]

I generally feel that ESET is less buggy than other big suites.

I felt the same when using ESET!

The software seems well written and polished than many others, stable and light, that's the feeling.

 

[mlnevese]

All security suits are buggy to a certain degree. Up to version 12, ESET would disable the networking subsystem of many computers when uninstalling. It happened with me to at least two different computers. The only real problem with bugs is when the affect the core functions of security software.

 

[amirr]

@SeriousHoax
Again it happened after clean installation of Windows 10 and then isntalling Eset Nod32:

I remember that disabling these below, prevented it from happening again. Is that right?



Thank you.

 

[SeriousHoax]

@SeriousHoax
Again it happened after clean installation of Windows 10 and then isntalling Eset Nod32:

View attachment 254514

I remember that disabling these below, prevented it from happening again. Is that right?

View attachment 254515

Thank you.

The error is not related to startup scans. Re-enable that.
After you installed ESET on your clean Windows, it ran the initial scan, right? The initial scan scans the WMI, so that's why you have this error. Other static scans/startup scans don't do that.
Quoting Marcos from the ESET foum,

The code means it takes the system too long to respond to scanner's query so it times out and the error record is logged. We cannot wait too long for the system to respond in case of WMI scans.

So the error is not anything serious. The system is alright but definitely annoying. This may not get fixed anytime soon.
To clear the log, quoting itman from ESET forum,

In Event Viewer, open Applications and Services Logs -> Microsoft -> Windows and scroll down to WMI - Activity log and expand the entry. Right mouse click on the Operational log and select - Clear Log. Alternatively, you can select Properties and mouse click on the Clear Log button displayed there.

 

[amirr]

@SeriousHoax Yes, Eset did ran the initial scan. Also, upon running scan myself, "Scan your computer," I noticed "WmiPrvSE.exe" stopped working in the reliability monitor.

Both WMI Provider host stopped working, and WmiPrvSE.exe is the same; it seems they are the same, right?
Again thanks.

 

[SeriousHoax]

@SeriousHoax Yes, Eset did ran the initial scan. Also, upon running scan myself, "Scan your computer," I noticed "WmiPrvSE.exe" stopped working in the reliability monitor.

Both WMI Provider host stopped working, and WmiPrvSE.exe is the same; it seems they are the same, right?
Again thanks.

Yes, the same. If you want to scan the whole computer then choose the Custom scan option and uncheck WMI.

 

[SeriousHoax]

BTW, ESET received an update in February 25 which further lightened the product in terms of module size and ram usage.

Today (February 25) we plan to release a Detection engine update with expected size around 12,2 - 12,4 MB.

We expect that the update will be available on the update servers for the clients to download at around 14:00 CET (+/- 30 minutes).

This change will optimize the way how we store the data and will reduce the Detection engine size, it's memory footprint and also will make further updates smaller.

The Micro updates scheduled on February 26 will have the weekly update package around 13 MB in size and the monthly update package up to 15 MB.

 

[amirr]

Interesting! Do you know when the next major version will come out?