- Mar 16, 2019
I don't think they changed much in terms of behavior blocking. They are still mainly dependent on statistical analysis. I do see the machine learning component getting updated quite frequently, which means their ML/Augur isn't properly trained yet and requires regular updates. (Pinging @McMcbrad)
So I just grabbed ESET IS 14 and tested it against my trivial MSIL battery (encrypting My Documents\test recursively), using RIPlace techniques, going through the front door, etc. Other than one sample that ESET wrote a signature for due to an earlier test (which was bypassed by renaming some functions and compiling in a new project), 14 isn't detecting any of these samples at runtime either. I tried increasing the scope to all of My Documents, same results.
On the bright side, as I expected, ESET fantastically detected two of my most recent Emotet samples that have 2/69 VT detection.
Maybe they significantly improved the anti-exploit engine but I'm not seeing any general behavior blocker improvements (these kinds of samples are easily flagged by Kaspersky and F-Secure and others).
I'm more trying to learn specifically what was changed in 14.x. This is a highly artificial behavior blocker test so I'm happy to change it to more reflect "real" malware, though it would help to know what needs to change to get ESET's behavior blocker to care.
The fileless PowerShell Tesla @McMcbrad talked about here was also getting detected by ESET the day he posted it, when it had 0 detections on VT, even though VT is not showing it.
Malware analysis - Fileless Tesla Abuses .Net Framework Processes (malwaretips.com)
Last night in my usual malware hunting habits, I came across something very interesting. This is malware behaviour I have not observed before. The domain 111().90().149().229 serves three *.txt files. Upon inspection, I noticed two of them are obfuscated PowerShell code. The tool used for...
But they have performed excellently in every AV lab test this year, so maybe they have done something internally. Maybe @McMcbrad can test.