ESET Internet Security 13 - a technology revisit to the Nod legacy

[Parsh]

Call it "Essential Security against Evolving Threats", "Nemocnica na Okraji Disku" or just "ESET", a theophoric name derived from an Egyptian goddess. ESET Nod has been a favorite of many users worldwide since 1992.
A month back, I gave ESET a revisit after a long time. And it has been my Kaspersky alternative for a while now.

Spoiler: TL;DR | RATINGS

It's a self-taught warrior. Mind you, a very intelligent one. However, it might need an additional push from the master (experienced user) to unleash the beast on the battlefield!
Generalized as below

	novice / users wanting automated simplicity	novice with ^ learning appetite / advanced users wanting control
Experience	9.5/10	9/10
Security fulfillment	9.5/10	9.5/10
Security protection	8.5/10	9/10
Security tools	9/10	9.5/10

Before we plunge into the the review, let's talk about the multi-layered ESET Technology for a bit. Shall we?

Spoiler: ESET for the curious

Amazing facts? Nah. But a good read about some technical jargons and wizardry.

What are some benefits of ESET's core technology?
ESET had been using interpreted assembly code that would execute on emulated resources like the CPU.
To further improve the performance, sandboxing now uses "binary translation" together with "interpreted emulation" that can be done on the real CPU.
What exactly is DNA Detection in ESET?
DNA detection carry genes - complex definitions of malicious behavior and malware characteristics, extracted by performing deep analysis of code. This arguably carries more valuable data compared to IOCs some next-gen solutions boast of using. You could call it advanced heuristics.
The scanning engine also extracts many discriminator genes used for anomaly detection - anything which does not look legitimate is potentially malicious.
Thus, DNA can detect known & unknown malware families that contain characteristics matching these "extracted" genes.
New malicious genes/patterns are also extracted using cloud ML analysis, and are matched with a whitelist to not generate FPs.
DNA detection can use ML models both online and offline.
So is DNA Detection "the" dynamic protection?
There are primarily 2 types of "code analysis" - static and dynamic.
Static analysis mainly uses traditional hashes and pattern matching without execution.
Dynamic analysis uses an in-product sandbox/emulator to emulate files or parts of them. Emulator unpacks files and monitors behavior (compares with DNA genes) using DNA detections. Thus, polymorphic and obfuscated malware can be analysed by DNA detection.
Nowadays, static analysis is used in combination with dynamic analysis. The idea is to emulate the execution of an application in a secure virtual environment before it actually runs on the machine.
Does that mean DNA is different than the Deep Behavioral Inspection?
According to ESET, yes. Their Behavioral Inspection is said to be an extension of HIPS that monitors the behavior of running programs and alerts of any suspicious "activity".
Recently added, the DBI includes new detection heuristics and enables deep user-mode monitoring of unknown, suspicious processes. This is done via hooks created within unknown, potentially harmful processes and monitoring of their activity and requests to the OS. If malicious behavior is detected, DBI mitigates the activity and informs the user. If the process is suspicious, but does not show clear signs of malice, HIPS can also use the data gathered by DBI to run further analysis via its other modules.
We've read about the memory scanners in such AVs. That's some more cream?
Highly obfuscated and encrypted malware may be difficult to detect through even emulators or sandboxing, or they may not exhibit malicious behavior due to their preventive - timing and technical sophistication. Advanced Memory Scanning monitors in-memory app behavior using DNA analysis. It works in conjunction with the Exploit Blocker. AMS thus detects malicious code as it unveils its true colors (only) in memory.
So the exploit protection ...?
The scanning engine covers exploits in malformed document files, Network Attack Protection in FW targets the communication level, and finally the Exploit Blocker blocks the exploitation process itself.
Heard it got HIPS?
HIPS is a detection technology specifically created to monitor and scan behavioral events from running processes, files and registry keys, looking for suspicious activity. Self-defense mechanism uses pre-defined rules to analyse and stop potentially malicious activities.
The members include

• Advanced Memory Scanner (AMS)
• Exploit Blocker (EB)
• Ransomware Shield (RS)
• Deep Behavioral Inspection (DBI)

And it provides highly configurable bricks to build a fortress of rules.
Ransomware are greeted with ...?
A Ransomware Shield behavior monitor that works in conjunction with Cloud Malware Protection System, Network Attack Protection and DNA Detections.
Can we expect Network Protection from these suites, over standalone alternatives or their AV versions?
Industry standard signatures like Snort or Bro allow detection of many attacks, but ESET Network Detections are specifically designed to target network vulnerabilities, exploit kits, and communication by advanced malware in particular, including encrypted communication sometimes. Firewall integration with the AV also helps detect the bandit process.
And the Cloud thing?
The LiveGrid Reputation System uses behavior gene hashing instead of traditional data hashing to detect new malware. It contains info about analysed files, their origins, similarities, certificates, URLs and IPs.
ESET Cloud based on LiveGrid, takes suspicious/unknown samples --> subjects them to auto-sandboxing (physical & virtual) and behavioral analysis in cloud --> automated detection (~ 20mins). These automated detections are usable via LiveGrid w/o needing to wait for the next detection engine update.
What about that fancy ML stuff?
ESET has been using ML since before 2000. The newly integrated Augur uses neural networks and 6 classification algorithms.
Classification is done using attributes extracted during execution according to static/dynamic code analysis, changes to OS, network communication patterns, similarity to other malware, DNA features, structural information and anomaly detection. However, every such automation comes with a hoard of drawbacks due to factors like lack of human input, diverse/imbalanced class of data fed into the system, snowballing... Here, detection engineers play a small role in balancing.
Let's end with an amazing fact?
ESET Botnet protection detects malicious communications (sure it does, so what?)
While their Online Tracker system extracts samples or malicious dumps from endpoints, contextually explores and tries to identify their C&C server keys, initiates fake connections to them and uses the new leads to protect all ESET customers worldwide.

Spoiler: Some eyecandy

Modules -->

Behavioral detection -->
(1)

(2)

In-product sandbox principle -->

Augur ML scheme -->

PS: Did you know that viewing diagrams of a product of interest (like this or that) subconsciously draws you towards its features and finally to the product?

The awfully amazing (+)

1. Usability
   1. Automated
   2. Lightest AV perhaps
   3. HIPS and FW alerts - detailed and flexible
   4. Customizable notifications
   5. Advanced logging
   6. HIPS & FW at learning mode - useful to auto-create safe rules (not for continuous use)
   7. HIPS & FW at policy mode - block all non-configured actions (for designated environments)
2. Security
   1. Highly multi-layered protection with tight coupling
   2. Signatures among the best + Augur ML engine
   3. 3rd largest market share of 12.4% - hence expected to have a huge data intelligence
   4. Overall very good real-time protection (independent tests)
   5. Pioneer to provide UEFI boot scan
   6. Memory scanning & fileless malware protection is noteworthy (some independent tests)
   7. Highly customizable levels of real-time file-system protection
   8. PUP/PUA detection among the best
   9. Perhaps the highest configurable FW in a consumer AV
      
      1. FW at automatic mode is decent
      2. FW at interactive mode can be very useful (for advanced users)
   10. FW alerts offer reverse DNS (displays the domain name associated with the IP) (Kaspersky offers experimental domain based rules) *
   11. Detects app modification and alerts to re-configure FW rules
   12. Router vulnerability scanner
   13. Highly configurable IDS
   14. Highly configurable web (especially HTTPS) protection
   15. SysInspector to compare system snapshots
   16. Device control + basic tools for system and network monitoring
   17. Alerts for Windows updates
3. Privacy
   1. Can customize the type + size of files uploaded for analysis, can set exceptions
   2. Safe browser for Banking & Payment Protection
   3. Anti Theft via portal (uses a phantom account)
   4. Parental Control via portal and suite settings
   5. Social Media Scanner via portal

The minor crises (—)

1. Usability
   1. Settings can be overwhelming for an average user
   2. Sometimes the "notify" feature on blocked actions (by HIPS) does not work, you would have to refer to logs when doubtful
   3. No wildcard support in HIPS rules (for advanced users)
   4. Need to answer additional UAC prompt while saving FW rules via an alert
   5. HIPS in interactive mode (advanced users) --> might be difficult to handle
   6. FW in interactive mode (advanced users) --> if you rely on IPs for allowing, alerts can be overwhelming. Would be less practical/safe to find/set a range of IP's (unless surely known) to the allowed rules for an app
   7. HIPS does not indicate the wrong input when alerting of incorrectly set rules
   8. Anti-theft's phantom account name on Windows does not match the user-assigned name via portal
2. Security
   1. "Ask alert" of HIPS auto-allows action if user does not respond within 1min
   2. HIPS modes (without user-defined rules) -->
      1. Default mode of HIPS auto-allows most actions
      2. Smart mode is less vocal about suspicious activities
   3. No App Control based on reputation, cannot be used as default-deny (for advanced users)
   4. Known to be weaker against unknown malware (not detected by signatures/DNA) at default settings
   5. Ransomware protection slightly on weaker side thanks to the above point (HIPS rules can be set to protect important data)
   6. Known to reduce reporting of suspicious detection to user - to highly reduce FP's
3. Privacy
   1. Banking Protection supports only IE, Chrome and Firefox. Chromium browsers not supported
   2. No VPN option (really nothing much)

A definitely maybe (recommend) for -->

1. Your novice friends
2. Users tired of advanced witchcraft configs
3. Gaming PC companion
4. People usually on the move with their machines
5. For your spouse or kids
6. For your (grand) parents living miles away
7. People using anti-exes / SRP, and alongside need a chilled out AV

It would be great if other ESET users could share their experiences

ESET through the eyes of a user -->
Overview

Spoiler: GUI | Modules

Main GUI

Modules list

Gaming mode/ MS Update/ Notifications ...

Scan options

Explorer menu + reputation check

Taskbar icon menu

What's new

Spoiler: Protection Alerts

HIPS

FW

App Modification (FW)

Malware

PUA

Bad website

Spoiler: Logging

Logs with filtering

Settings

Computer protection

Spoiler: Real-time File-system protection

Levels

Scan parameters (including heuristics and advanced heuristics/DNA sigs)

Settings

Different scans

Exclusions

Spoiler: LiveGrid | Cloud Protection

Sample submission & exclusions

Spoiler: HIPS

HIPS modes

HIPS Rules screen

Setting rules

*Please note that when creating a (generalized) rule for blocking some activity, make sure to create another (special) rule, to specifically allow good exceptions.
Example if you block all processes from starting/modifying your browser, allow the browser process (and updater) to start/modify itself as a required exception.

Internet protection

Spoiler: Web protection

Web access protection

Email protection

Network protection

Spoiler: Network protection

Connected Networks

Temporary IP blacklisting

Troubleshooting

Spoiler: Network Attack protection

Intrusion protection

Packet inspection

Spoiler: Firewall

FW modes

FW Rules screen

Rule settings

App Modification Detection (see "Protection Alerts" spoiler)

Privacy protection

Spoiler: Banking and Payment protection

Alert

Settings

Spoiler: Anti-theft

Enable AT via the web portal and create a Phantom Windows account

What Phantom account?

Spoiler: Parental Control

Web portal

Device settings

Security tools

Spoiler: Connected devices

Details of connected devices. Router security tips

Spoiler: SysInspector

Take a snapshot

A snapshot of a snapshot. Details

Spoiler: More tools

List

File System, Process and Network activity

Security report

System cleaner (only to detect anomalous configuration)

Scheduler

Uhm ...,

Spoiler: Cough Cough

It's me. Like me or not, you cannot ignore me. You are going to see my face in the forefront for many coming years - my garnered intelligence predicts!

See you around

 

[Wraith2020]

A thorough and an excellent review for ESET. I have been using ESET for the last 5 years and it has never let me down except once. You nailed all the pros and cons. For someone who's using ESET IS in a laptop, the Anti-Theft feature is a great addition. You pointed out about the VPN. Personally I think that the Internet Security version is fine without a VPN. ESET is not bloated like some other suites which requires extensions for the web protection to function properly. The web protection and the signatures/heuristic are one of the best, if not the best. The Parental Control feature is also one of the best in the market categorising every page precisely. The minor complains I have with are the HIPS and the Firewall. HIPS in automatic mode is rubbish and in Interactive Mode will drive you crazy. The best way is to set it to SMART MODE and create your own rules. The Firewall is one of the best with Botnet Protection but I would be happy if ESET implements SMART RULES for the Firewall like Norton. In automatic mode it allows all outbound connections but it should have been this way- allow for known good applications, block for known malicious applications and ask for unknown applications. Needless to say about system impact and lightness as you said in your review- the lightest suite out there. Last but not the least I can sleep peacefully knowing that the great robot is protecting my PC.

 

[SeriousHoax]

WoW!!! Just WoW! This is the most detailed review of any product I've seen anywhere. This is amazing! Well done my friend. Thank you

 

[Parsh]

ESET is not bloated like some other suites which requires extensions for the web protection to function properly.

One of the many commendable things that it deals with web protection without enforcing a browser extension.

Personally I think that the Internet Security version is fine without a VPN.

I concur that IS versions do not need a VPN. However, quite some established vendors are doing this since use of VPNs is very user-specific and might be useful based on your location and connection requirements. However, the basic VPNs that some provide are not secure/private enough.

but I would be happy if ESET implements SMART RULES for the Firewall like Norton. In automatic mode it allows all outbound connections but it should have been this way- allow for known good applications, block for known malicious applications and ask for unknown applications.

Is that how Smart mode in Norton FW works? It would be a good option and comparable to the "Smart mode" of ESET HIPS then. Asking for unknown and suspicious process connections and trusting connections by reputed applications. However, ESET has highly segregated the modes (a good thing in a way) without keeping the in-between options.

 

[Parsh]

WoW!!! Just WoW! This is the most detailed review of any product I've seen anywhere. This is amazing! Well done my friend. Thank you

Thanks a lot buddy!
Kaspersky's App Control and ESET's HIPS have so much control to offer in different ways, that it feels a synergy would have been very desirable though over-the-top.
Using ESET currently has been a very rich experience. I'm sure you would agree on this part

 

[Wraith2020]

ATM the banking protection does not seem to support Microsoft Edge Chromium. But if you use Google Chrome and/or Mozilla Firefox it works flawlessly.

 

[SeriousHoax]

Thanks a lot buddy!
Kaspersky's App Control and ESET's HIPS have so much control to offer in different ways, that it feels a synergy would have been very desirable though over-the-top.
Using ESET currently has been a very rich experience. I'm sure you would agree on this part

Yes of course I agree.
If I could mate Eset to Kaspersky and produce a hybrid child something like "Espersky" that would definitely be the best ever product for me

 

[Parsh]

ATM the banking protection does not seem to support Microsoft Edge Chromium. But if you use Google Chrome and/or Mozilla Firefox it works flawlessly.

Safe browser used to open Chromium Edge for me initially after disabling IE.
After I restored a system image, installed Bitdefender and then got back to ESET, it no longer triggers Edge (or other chromium browsers).
It does work with Firefox and Chrome . Just installed FF and gave a try. Thanks, will reflect that!

If I could mate Eset to Kaspersky and produce a hybrid child something like "Espersky" that would definitely be the best ever product for me

You had me rolling on the floor XD

 

[blackice]

This is exactly how I would evaluate ESET 13. Fantastic work on this review, as all your others. Thanks for taking the time to be so detailed!

 

[SeriousHoax]

Is that how Smart mode in Norton FW works? It would be a good option and comparable to the "Smart mode" of ESET HIPS then. Asking for unknown and suspicious process connections and trusting connections by reputed applications.

Norton doesn't have anything similar to HIPS. It has a Smart Firewall which in default mode asks user's permission when any unknown and suspicious process tries to make connection.

 

[Parsh]

Norton doesn't have anything similar to HIPS. It has a Smart Firewall which in default mode asks user's permission when any unknown and suspicious process tries to make connection.

Yes I was actually referring to Norton's smart firewall - that if its behavior that @Wraith2020 mentioned is added to an ESET FW mode, then it would be somewhat similar to the Smart mode of ESET HIPS.

 

[blackice]

A good setup for the firewall (should you choose to use it) is to put it in learning mode for a week or so, maybe two. Make sure the system is clean if you do this. Use all your apps as usual, be very careful using new apps or browsing during this time. Then when you put it into interactive mode most of the rules are made and you’ll get an occasional pop up. This isn’t the best for gamers who play lots of different games, you have to add every game as you go, but if you are very concerned about protecting outbound connections it works.

 

[SeriousHoax]

ESET let you exclude files based on hash which can be very useful for some. I don't remember noticing this in any other home security product.

 

[Parsh]

ESET let you exclude files based on hash which can be very useful for some. I don't remember noticing this in any other home security product.

That's interesting. Also they could add hash-based blacklisting, since they already use hashes.
I am reminded of the old feature requests done on their forums - adding wildcard support in HIPS. It's very much needed to make flexible rules, especially in work machines. You must have seen on their forums.
Right now we cannot add path-independent or semi-dependent HIPS rules on files. And sometimes a user would end up making a number of rules instead of one, since wildcard is not to be used. Or just use another security companion like OSArmor.
Another nice feature could be allowing command-line filtering option in HIPS rules. That way some users could relax their restrictions on command-line interpreters for example.

 

[SeriousHoax]

That's interesting. Also they could add hash-based blacklisting, since they already use hashes.

This is not going to happen. Hash based blacklisting is only applicable for initial cloud based protection but this is true for every AV. The closest thing you can do is to add a file manually to the quarantine.

I am reminded of the old feature requests done on their forums - adding wildcard support in HIPS. It's very much needed to make flexible rules, especially in work machines. You must have seen on their forums.
Right now we cannot add path-independent or semi-dependent HIPS rules on files. And sometimes a user would end up making a number of rules instead of one, since wildcard is not to be used. Or just use another security companion like OSArmor.
Another nice feature could be allowing command-line filtering option in HIPS rules. That way some users could relax their restrictions on command-line interpreters for example.

Yes wildcard support in HIPS has been requested in the forum quite a lot. This would make it a complete HIPS. It's one of the thing that they are reluctant to add. HIPS initially began as a module to protect Eset itself I think and they're trying to make it simpler without adding more advanced features.

 

[SeriousHoax]

Update servers are currently under a higher load due to a bigger update of the Augur module. We are about to apply throttling in the next few minutes to mitigate the situation. We apologize for the inconvenience.

A quote from Marcos on the Eset forum. Looks like Augur is receiving a major update. Anyway I'm just speculating.

 

[Parsh]

Hash based blacklisting is only applicable for initial cloud based protection but this is true for every AV. The closest thing you can do is to add a file manually to the quarantine.

There's a very specific use case of customized blocking of hashes.
Like blocking a particular file from "arriving onto and living on" your system anytime later on a shared PC, or blocking some known hashes of commonly exploited apps to explicitly prevent them from maliciously arriving on your PC. Though hashes approach will be limited to the originality and version of a file, some users might prefer filename-based or hash-based blacklisting of IOCs. The latter is used in some endpoint securities like TrendMicro and Symantec. OSArmor has MD5 hash-based blocking. Wish it was SHA based.

Yes wildcard support in HIPS has been requested in the forum quite a lot. This would make it a complete HIPS. It's one of the thing that they are reluctant to add. HIPS initially began as a module to protect Eset itself I think and they're trying to make it simpler without adding more advanced features.

Yeah! Though the Eset HIPS is not a full-blown HIPS like the defunct Outpost HIPS or Comodo (even this automates much of its granularity), wildcards would allow a well-rounded control a typical user could ask for.

 

[SeriousHoax]

There's a very specific use case of customized blocking of hashes.
Like blocking a particular file from "arriving onto and living on" your system anytime later on a shared PC, or blocking some known hashes of commonly exploited apps to explicitly prevent them from maliciously arriving on your PC. Though hashes approach will be limited to the originality and version of a file, some users might prefer filename-based or hash-based blacklisting of IOCs. The latter is used in some endpoint securities like TrendMicro and Symantec. OSArmor has MD5 hash-based blocking. Wish it was SHA based.

This would surely be a great addition but like you said Trend Micro and Symantec endpoint products has this feature so it's more logical for endpoint products. I don't think Eset will give this feature to their home products. Btw, I didn't know OSArmor has MD5 hash based blocking. Nice.

 

[Cortex]

Had an email from ESET a couple of days ago on the importance of a VPN - Couldn't see it mentioned in the thread, sorry if it has?

ESET News

 

[Durden]

Parsh, amazing and comprehensive review!
But you gotta stop doing that , you know, I have a limited number of laptops, I don't use virtual machines, yet each time you do a review like this you make it irresistible for me to try the product!
And it's ESET for crying out loud, I already have a soft spot for it.