ESET and zero-day threats

Status
Not open for further replies.

Cats-4_Owners-2

Level 39
Verified
Honorary Member
Top Poster
Well-known
Dec 4, 2013
2,800
Well, you should. If you have ESET IS on your PC, you better get a sandbox fast before CryptoLocker gets you.
www.sandboxie.com :);)

ESET has a mature malware lab infrastructure that enables it to detect most zero-day threats within hours. Personally, when I submit undetected malware files to vendors, I realise that ESET is the fastest vendor to respond with new detections. However, before that, ESET already has good features (e.g. HIPS) that enable you to stop most zero-day threats. They are not configured to be activated by default though, because of the risk of false positives.

To get good zero-day protection out of ESET, you need to do quite a bit of manual configuration. This is a guide written by Umbra on configuring ESET: http://malwaretips.com/threads/how-to-set-eset-smart-security-for-max-protection.14466/
Also, here are some HIPS rules from Manzai: http://malwaretips.com/threads/eset-smart-security-7-manzaitest.27720/

A well-configured ESET HIPS and firewall is very powerful. Personally, I once tested ESET with HIPS rules that I created myself and the firewall in interactive mode in a VM. Even with its scanner disabled, it blocked almost all malicious samples. Testing with live exploits (including the memory-only payload from the Angler exploit kit), it could block most too. If you need more help with HIPS, there are many people here on this forum that can help :)

Thanks.:):)
This reinforced my confidence level, as ESET NOD32 is the AV on our Windows 7. In fact, this gave me such a boost that I'm on my way to enter the ESET Giveaway now!!:p:D
 

Petrovic

Level 64
Verified
Honorary Member
Top Poster
Well-known
Apr 25, 2013
5,356
ESET Live Grid collects statistics from users' computers if they give permission for this. Since, besides collecting statistics, this service also performs cloud-based detection of threats, most users activate this technology, thereby increasing their protection. By means of Live Grid we collect statistics about the distribution of threats worldwide and the number of penetrations by a given threat in a certain region, which allows a map of threats to be modelled on a global scale and penetration into nearby regions to be predicted. If a threat with worm functionality starts spreading, this map makes it possible to understand to which region cleaning utilities urgently need to be delivered.
The main tasks solved by such "clouds":
  • Reducing the size of the protection system and the volume of updates, which is especially relevant for mobile devices.
  • Automating the process of protection against a continuously growing number of threats, which are also constantly becoming more complex.
  • Reducing the reaction time to new threats.
&
please read:
http://securelist.com/analysis/36321/the-antivirus-weather-forecast-cloudy/
 

Cch123

Level 7
Verified
May 6, 2014
335
But you see, most users are the set-it-and-forget-it type, and besides, no one can keep up with malware anymore. That's why zero-day protection is very important, and you fanboys should know that ESET HIPS is turned off by default, which is why it is off as well.

I'm not an ESET fanboy and I don't even use it. I simply respect them for their good malware analysis team, and yes, I do agree they are pretty backwards when it comes to newer technologies. The thread starter is asking about HOW ESET blocks zero-day threats, and I explained it.

Unlike you who contributed nothing to this discussion other than scaring people away from a decent AV product.
 

darko999

Level 17
Verified
Well-known
Oct 2, 2014
825
But you see, most users are the set-it-and-forget-it type, and besides, no one can keep up with malware anymore. That's why zero-day protection is very important, and you fanboys should know that ESET HIPS is turned off by default, which is why it is off as well.
Maybe because most users of ESET have a brain and don't need annoying pop-ups to protect ourselves from the marketing of "zero-day threats". I've been using ESET for years and haven't had any infections yet. You talk a lot about zero-day threats, but the reality is people executing donotopenmeimavirus.exe or adobeflashplayerfakereal2014fastinstall.exe. ESET gives you the options; you pick what you want. Want extra security at the cost of usability? Then play with the HIPS. ESET heuristics are quite strong and enough for me.
 

nissimezra

Level 25
Verified
Apr 3, 2014
1,460
Maybe because most users of ESET have a brain and don't need annoying pop-ups
Wrong, wrong, wrong.
Most users just buy an AV to protect them; I know a lot of users that don't even know how to install it. They might have a brain but no knowledge of viruses or operating systems.
People who have knowledge of viruses do not need to pay for an AV, not even if they have ESET installed on the system.
 

darko999

Level 17
Verified
Well-known
Oct 2, 2014
825
Wrong, wrong, wrong.
Most users just buy an AV to protect them; I know a lot of users that don't even know how to install it. They might have a brain but no knowledge of viruses or operating systems.
People who have knowledge of viruses do not need to pay for an AV, not even if they have ESET installed on the system.
I have ESET for free, never paid for it, got free keys from my boss at work. The thing is, most proactive AVs like Emsisoft won't do better for regular users with extra interaction and pop-ups. If a user is clueless about viruses/malware, so he is when clicking on the damn pop-ups. "Zero-day threats" is the best marketing move to make people think they will be better protected when they are not.
 

nissimezra

Level 25
Verified
Apr 3, 2014
1,460
I have ESET for free, never paid for it, got free keys from my boss at work. The thing is, most proactive AVs like Emsisoft won't do better for regular users with extra interaction and pop-ups. If a user is clueless about viruses/malware, so he is when clicking on the damn pop-ups. "Zero-day threats" is the best marketing move to make people think they will be better protected when they are not.
As I said, we do not need to pay for an AV because most of the users here have enough knowledge to get along with any AV, and some even without an AV. Yeah, maybe zero-day is good for marketing, but most users do not know what a zero-day is.
It's just like camera marketing when they sell megapixels: more pixels is better, but as a matter of fact sometimes it's the opposite.
 

nsm0220

Level 21
Verified
Sep 9, 2013
1,054
You seem to post this particular sentence quite often.
Where you need it is to boot to Windows. A lot of malware anyway puts its files into System32 and other Windows files and folders, putting you at risk of having an unbootable PC, and trust me, having an unbootable PC is not fun. Besides, beginner users will panic over that. So that's why having zero-day protection is needed, to protect those files and their files like pics, docs and software as well.
 

FleischmannTV

Level 7
Verified
Honorary Member
Well-known
Jun 12, 2014
314
It is not a job of an AV to particularly protect System32.

When you execute a piece of malware you will get a UAC prompt. If you click on yes, then the malware will be able to write to System32, just as every program with admin privileges. Do you wish to be alerted every time something tries to write to System32?

Benign programs need to write to System32 as well for successful installation. Just because something tries to write to System32 doesn't make it automatically malicious and it's not an AV's job to bother the user every time. That's classic HIPS material and if an AV doesn't bother you in that regard, this doesn't inevitably conclude there is no zero day protection.

ESET's main zero day component is the Advanced Memory Scanner. Marcos of ESET said it blocks about 90% of all new-born malware he throws at it. In AV-C's latest heuristics/behavioral only test, ESET blocked about 90% of the samples as well, with absolutely zero user interaction required (big plus).

IMHO ESET is one of the best choices for average home users in terms of zero day protection and it achieves this without handing the burden of responsibility over to the customer by throwing up a pop-up asking them what to do next.
 

Arakasi

Level 4
Verified
Jul 12, 2014
195
This is because of extremely strict and awesome coding practices, and coordination with team efforts. Good logging, support, research.
Hands down ESET is in a class of its own, running a marathon with not too many others keeping up.
 

Deleted member 21043

@nsm0220 You're right, to an extent... No antivirus product can have foolproof protection against zero-day malware. Security companies can only take drastic measures to try and make the best Behavioural Blocker and HIPS possible to detect them at runtime and to try and make them prevent the execution of malicious activity.

No doubt, if you configure ESET correctly the zero-day protection is better, and some can say it is considered good. Better than Emsisoft's zero-day protection? Not in my opinion. But I think it's good.

But you see, most users are the set-it-and-forget-it type, and besides, no one can keep up with malware anymore. That's why zero-day protection is very important, and you fanboys should know that ESET HIPS is turned off by default, which is why it is off as well.
I wouldn't say they are "fanboys" for expressing their opinions. What's your favourite antivirus? They could say you are a fanboy towards your favourite antivirus for saying ESET zero-day protection needs improvement. What antivirus do you currently use? I'm sure many reviewers could easily say which one out of the one you use and ESET would be better.

Whether you think it has good or bad zero-day protection, a good majority of its users seem to stay clean from becoming infected. Maybe because of their great signatures? Maybe because of the well-configured HIPS. It counts.

Previously, maybe a few weeks back, you were on another thread related to ESET mentioning how they have bad zero-day protection. I must check your config to see what antivirus you use. The reason was related to files being dropped in System32/protecting that area, and I have just seen another user comment on that from you. What other reasons apart from this make them have bad zero-day protection? I'm just curious...

Thanks. ;)
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
To sum it up, any improved enhancement technology provided by ESET and other AVs cannot be 100% effective, since, first, many viruses/malware have become more polymorphic/encrypted.

Speaking of handling System32 and Windows files, well, the purpose of an AV is to prevent it from happening, and those will be dealt with by cleaners, because they are critical resources and the purpose is to keep them from being used to spread/drop.

Cleaners built into an AV are of a very different design from a fully dedicated one.
 

nissimezra

Level 25
Verified
Apr 3, 2014
1,460
I've tested ESET in three different tests, all unknown to ESET, all ransomware. ESET let them run free without even a warning.
ESET has one of the best web filters and one of the best signatures (maybe the best), but when it comes to unknown files it seems that there is nothing to protect you.
 

nsm0220

Level 21
Verified
Sep 9, 2013
1,054
It is not a job of an AV to particularly protect System32.

When you execute a piece of malware you will get a UAC prompt. If you click on yes, then the malware will be able to write to System32, just as every program with admin privileges. Do you wish to be alerted every time something tries to write to System32?

Benign programs need to write to System32 as well for successful installation. Just because something tries to write to System32 doesn't make it automatically malicious and it's not an AV's job to bother the user every time. That's classic HIPS material and if an AV doesn't bother you in that regard, this doesn't inevitably conclude there is no zero day protection.

ESET's main zero day component is the Advanced Memory Scanner. Marcos of ESET said it blocks about 90% of all new-born malware he throws at it. In AV-C's latest heuristics/behavioral only test, ESET blocked about 90% of the samples as well, with absolutely zero user interaction required (big plus).

IMHO ESET is one of the best choices for average home users in terms of zero day protection and it achieves this without handing the burden of responsibility over to the customer by throwing up a pop-up asking them what to do next.
You don't get what I'm trying to say. What I am saying is there are areas of Windows which malware doesn't belong in; System32 is one of them.
 

FleischmannTV

Level 7
Verified
Honorary Member
Well-known
Jun 12, 2014
314
I get exactly what you are saying, but when malware is not detected and it gets admin privileges, it has access to System32. That's it. If the AV detects the malware it will be removed before it can do anything, and if it doesn't, it's game over. Of course malware shouldn't be allowed to establish itself in System32. I've never said it should, but for an AV to prevent that, it has to detect the malware.

Though I see we are starting to talk in circles and if it's ok with you, we can end our debate here.
 

Deleted member 21043

I get exactly what you are saying, but when malware is not detected and it gets admin privileges, it has access to System32. That's it. If the AV detects the malware it will be removed before it can do anything, and if it doesn't, it's game over. Of course malware shouldn't be allowed to establish itself in System32. I've never said it should, but for an AV to prevent that, it has to detect the malware.

Though I see we are starting to talk in circles and if it's ok with you, we can end our debate here.
It doesn't have to detect the malware to detect a file being dropped in System32. They could use DLL injection and API hooking to monitor what the process does and prevent it from copying files etc. to System32. Or, with the real-time protection (filesystem driver), they could watch for when files are added to the directory...
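The two points argued in the last few posts (that an elevated process can write to System32 like any installer, and that a protection product could simply watch for files being added to that directory) can be illustrated with a small baseline-and-diff monitor. This is an added example written for this page, not code from the thread, from ESET or from any product mentioned; it uses only the Python standard library. The directory path, the allow-list of expected paths and the sample file names in `demo()` are assumptions constructed for the example. It also handles the false-positive case FleischmannTV raises: paths you expect an installer to touch can be passed as `ignore` so only unexpected drops are reported.

```python
"""Baseline-and-diff detector for unexpected file drops in a protected directory.

Added example, not code from the thread or from ESET. It shows the
"watch for files being added to the directory" idea with a user-space
snapshot instead of a filesystem driver, so it runs anywhere offline.
"""
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass, field

# Directory the thread is discussing; an assumption for the demo, override
# with any directory you want to baseline (e.g. a staging folder).
DEFAULT_DIR = r"C:\Windows\System32"


def _sha256(path, chunk=1 << 16):
    """Stream-hash a file so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(directory):
    """Map relative path (forward slashes) -> (size, mtime, sha256) for each file."""
    state = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            try:
                st = os.stat(full)
                digest = _sha256(full)
            except OSError:
                continue  # locked, unreadable, or vanished between listing and read
            rel = os.path.relpath(full, directory).replace(os.sep, "/")
            state[rel] = (st.st_size, st.st_mtime, digest)
    return state


@dataclass
class Diff:
    added: list = field(default_factory=list)
    modified: list = field(default_factory=list)
    removed: list = field(default_factory=list)


def diff_snapshots(before, after, ignore=()):
    """Report files that appeared, changed content, or disappeared.

    `ignore` holds relative paths an installer is expected to touch, so benign
    writes (the false-positive case raised in the thread) are not flagged.
    Content is compared by hash rather than mtime so timestamp tampering
    does not hide a modification.
    """
    skip = set(ignore)
    d = Diff()
    for rel, meta in after.items():
        if rel in skip:
            continue
        if rel not in before:
            d.added.append(rel)
        elif before[rel][2] != meta[2]:
            d.modified.append(rel)
    d.removed = sorted(set(before) - set(after) - skip)
    d.added.sort()
    d.modified.sort()
    return d


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Run the detector against a temporary directory standing in for System32.

    All file names and contents below are constructed for the demo. The
    expected-update path shows how a known installer write is suppressed.
    """
    work = tempfile.mkdtemp(prefix="sys32demo_")
    try:
        _write(os.path.join(work, "kernel32.dll"), b"benign baseline content")
        _write(os.path.join(work, "drivers", "disk.sys"), b"benign driver")
        _write(os.path.join(work, "wuapi.dll"), b"old version")
        before = snapshot(work)
        # Simulate an elevated process dropping a new file and patching an
        # existing one, plus a legitimate update we were told to expect.
        _write(os.path.join(work, "drivers", "dropped.sys"), b"new file")
        _write(os.path.join(work, "kernel32.dll"), b"benign baseline content PATCHED")
        _write(os.path.join(work, "wuapi.dll"), b"new version")
        after = snapshot(work)
        return diff_snapshots(before, after, ignore={"wuapi.dll"})
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    result = demo()
    print("added:", result.added)        # ['drivers/dropped.sys']
    print("modified:", result.modified)  # ['kernel32.dll']
    print("removed:", result.removed)    # []
```

To baseline a real directory, call `snapshot(DEFAULT_DIR)` from an elevated prompt, store the result, and run `diff_snapshots` against a fresh snapshot after any suspicious activity; the `ignore` set is where expected installer or update paths go, which is exactly the allow-listing a HIPS rule would encode.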