Updates ESET 14.0.x released

SeriousHoax

Level 35
Verified
Mar 16, 2019
2,437
(Pinging @McMcbrad)

So I just grabbed ESET IS 14 and tested it against my trivial MSIL battery (encrypting My Documents\test recursively), using RIPlace techniques, going through the front door, etc. Other than one sample that ESET wrote a signature for due to an earlier test (which was bypassed by renaming some functions and compiling in a new project), 14 isn't detecting any of these samples at runtime either. I tried increasing the scope to all of My Documents, same results.

On the bright side, as I expected, ESET fantastically detected two of my most recent Emotet samples that have 2/69 VT detection.

Maybe they significantly improved the anti-exploit engine but I'm not seeing any general behavior blocker improvements (these kinds of samples are easily flagged by Kaspersky and F-Secure and others).

I'm more trying to learn specifically what was changed in 14.x. This is a highly artificial behavior blocker test so I'm happy to change it to more reflect "real" malware, though it would help to know what needs to change to get ESET's behavior blocker to care.
I don't think they changed much in terms of behavior blocking. They are still mainly statistical analysis dependent. I do see the machine learning component gets updated quite frequently, which means their ML/Augur isn't properly trained yet and requires updates regularly.
The fileless PowerShell Tesla @McMcbrad talked about here was also getting detected by ESET the day he posted, when it had 0 detections on VT, even though VT is not showing it.
But as you know, ESET's signature-based detection has always been spot on, but behavior blocking wise there doesn't seem to be any change.
But they have performed excellently in every AV lab test this year, so maybe they have done something internally. Maybe @McMcbrad can test.
 
ForgottenSeer 89360

Eset has implemented heuristics against certain types of obfuscated scripts, detecting them as MSIL.Kryptik or something of this sort. This explains both the fileless Tesla implementation, as well as Emotet identification (since you are saying 2/69 on VT I understand it's trojanized document). I am saying *some* as there are types of obfuscation such as compression that weren't covered when I tested it.

I have also seen it many times detecting various 0-days I have discovered, together with Kaspersky and I have seen it miss some. More frequently the former.

You can't call their protection weak or abysmal and it is definitely boosted from before, but there is no behavioural blocking. Although it exists as a component in settings + ransomware protection "extension", I don't believe anyone ever saw these in action. Pre-execution analysis detects most ransomware(s) and even their notes, but it's not impossible to evade. There are unfortunately many ways to evade static and dynamic analyses. My C++ ransomware that iterates through folders via the boost library and not the Windows APIs was a miss. They only utilise reputation as a minor indicator (unlike Kaspersky's Application Control, Norton Insight or Avast hardened mode against executables), so they lose a point there as well. I believe they will look to improve these areas in the next version.
 
MacDefender

Level 14
Verified
Oct 13, 2019
659
Thanks, this matches my understanding and observations too. Their static heuristics and signature writing are as excellent as ever, but so far my tests of behavior blocking show no general behavior blocking. I expanded my tests to add persistence/evasion too (it tries to move itself to the Windows directory under the name NvCpl.exe and register as a startup item in the registry), nothing. Usually this behavior triggers Kaspersky, Emsisoft and F-Secure.

I strongly believe that ESET’s protection is top class, especially against variants of in-the-wild malware. And I also believe that detecting via static scanning and web filtering is always more comforting than relying on the BB to make up for spotty signatures. But yeah, based off their description of what changed I was hoping to see a behavior blocker, but that isn’t what I’m finding. My most optimistic theory is that their behavior blocker is just looking for very specific actions of malware families that they have trouble writing signatures for.
 
MacDefender

Level 14
Verified
Oct 13, 2019
659
[screenshot attachment]

When I plugged my laptop in, it decided to start the initial scan. Then I closed the lid, which caused it to go to sleep. Now even though it's awake and unplugged, it's doing the rest of the initial scan on battery power :(
 

SeriousHoax

Level 35
Verified
Mar 16, 2019
2,437
This initial scan only happens right after the first update after installation. It didn't do that?
 

MacDefender

Level 14
Verified
Oct 13, 2019
659
It didn’t, seemingly because I installed on battery. This is the first time I plugged in since installing (it’s an ultra book with 10-15hrs battery if nothing drains it)

Given that it’s the initial scan I’m willing to forgive it since it’s a one time thing.
 

Divine_Barakah

Level 27
Verified
May 10, 2019
1,621
Yes, the same happened to me. I contacted support and they confirmed that the initial scan did not run because Eset was installed while on battery power, but in my case the initial scan did not run when I plugged in my laptop.
 

MacDefender

Level 14
Verified
Oct 13, 2019
659
Yeah, my main gripe here is that, though ESET in general is light, if I didn't catch the runaway initial scan after taking my laptop off the charger I could've been left with less than half the battery life I was expecting. Kaspersky was really good about immediately pausing these kinds of background scans as soon as the power is disconnected, and I generally feel that ESET is less buggy than other big suites.
 

mlnevese

Level 23
Verified
May 3, 2015
1,272
All security suites are buggy to a certain degree. Up to version 12, ESET would disable the networking subsystem of many computers when uninstalling. It happened to me on at least two different computers. The only real problem with bugs is when they affect the core functions of security software.
 

amirr

Level 14
Jan 26, 2020
676
@SeriousHoax
Again it happened after a clean installation of Windows 10 and then installing Eset Nod32:

[screenshot attachment]

I remember that disabling the options below prevented it from happening again. Is that right?

[screenshot attachment]

Thank you.
 
SeriousHoax

Level 35
Verified
Mar 16, 2019
2,437
The error is not related to startup scans. Re-enable that.
After you installed ESET on your clean Windows, it ran the initial scan, right? The initial scan scans the WMI, so that's why you have this error. Other static scans/startup scans don't do that.
Quoting Marcos from the ESET forum:
The code means it takes the system too long to respond to the scanner's query, so it times out and the error record is logged. We cannot wait too long for the system to respond in case of WMI scans.
So the error is not anything serious. The system is alright, but it is definitely annoying. This may not get fixed anytime soon.
To clear the log, quoting itman from the ESET forum:
In Event Viewer, open Applications and Services Logs -> Microsoft -> Windows and scroll down to the WMI-Activity log and expand the entry. Right mouse click on the Operational log and select Clear Log. Alternatively, you can select Properties and mouse click on the Clear Log button displayed there.
 

amirr

Level 14
Jan 26, 2020
676
@SeriousHoax Yes, Eset did run the initial scan. Also, upon running a scan myself, "Scan your computer," I noticed "WmiPrvSE.exe" stopped working in the reliability monitor.

"WMI Provider Host stopped working" and "WmiPrvSE.exe stopped working" seem to be the same thing, right?
Again thanks.
 

SeriousHoax

Level 35
Verified
Mar 16, 2019
2,437
Yes, the same. If you want to scan the whole computer then choose the Custom scan option and uncheck WMI.
 

SeriousHoax

Level 35
Verified
Mar 16, 2019
2,437
BTW, ESET received an update on February 25 which further lightened the product in terms of module size and RAM usage.
Today (February 25) we plan to release a Detection engine update with an expected size around 12,2 - 12,4 MB.

We expect that the update will be available on the update servers for the clients to download at around 14:00 CET (+/- 30 minutes).

This change will optimize the way we store the data and will reduce the Detection engine size and its memory footprint, and will also make further updates smaller.

The Micro updates scheduled on February 26 will have the weekly update package around 13 MB in size and the monthly update package up to 15 MB.
 