ESET Internet Security 13 - a technology revisit to the Nod legacy

Product name
ESET Internet Security 13.1.21.0
Installation (rating)
5.00 star(s)
User interface (rating)
4.00 star(s)
Accessibility notes
+ Main GUI is fairly simple for an average user
- Module categorization in main GUI and in Settings are not in tune, might come across as confusing
+- Some old users like this aging interface, some do not
Performance (rating)
5.00 star(s)
Core Protection (rating)
5.00 star(s)
Proactive protection (rating)
5.00 star(s)
Additional Protection notes
+ Automated protection at default, good enough for average users
+ Memory scanning / fileless malware protection / banking protection rated high in some 3rd-party tests
+ Signatures / DNA detection among the best
+ Provides highly configurable HIPS & Firewall for advanced protection
- Known not to be very effective vs. unknown malware
- Configuring well or setting HIPS & Firewall to interactive mode needs good knowledge of OS
https://www.av-comparatives.org/tests/enhanced-real-world-test-2019-consumer
https://www.mrg-effitas.com/research/current-state-of-malicious-powershell-script-blocking
https://www.mrg-effitas.com/wp-content/uploads/2020/01/2019_Online_BankingQ4.pdf
https://www.mrg-effitas.com/wp-content/uploads/2020/01/MRG_Effitas_2019Q4_360.pdf
Browser protection (rating)
5.00 star(s)
Positives
    • Many features
    • Low impact on system resources
    • Highly configurable
    • Strong and reliable protection
    • Excellent scores in independent tests
    • Multi-layer protection approach
Negatives
    • Mixed results from independent testing labs
    • Can be complex in some situations
Time spent using product
Computer specs
Intel i5 4th Gen (up to 2.3 GHz Turbo) | 8GB DDR3 | 1TB HDD | AMD Radeon 8670M Graphics (2GB)
Recommended for
  1. All types of users
Overall rating
5.00 star(s)

Vitali Ortzi

Level 26
Verified
Top Poster
Well-known
Dec 12, 2016
1,585
A word of warning regarding ESET-

Although ESET has improved in detection of various types of Scriptors, some malware authors have circumvented the need for scripting in Powershell, Python, etc., and have utilized other avenues to achieve similar results. These methods can yield malware that is harder for some AV applications to detect as they can be based on stuff like certutil, a valid command.

ESET has issues with this type of malware, even with the HIPS set at max protection. A ransomware file can be coded simply and easily to bypass the HIPS and encrypt files. Also, as coding is rather straightforward, the file would be zero day and bypass the AV.

This issue is by no means restricted to ESET, as programs from Forticlient to SEP will also fail. However, quite a few (like Kaspersky, Avast/AVG, CF) will laugh at this stuff and block it quite easily.
Great to see you back!
 

Wraith2020

Level 2
Mar 19, 2020
89
As far as I know, HIPS can be activated when you untick Kaspersky's automatic mode (forgot the exact naming of that option as I am no longer using Kaspersky). Even in the automatic mode, HIPS runs in smart mode without asking for user interaction.
Yeah, in the interactive mode KIS produces a lot of alerts. But the last time I tried KIS in Interactive mode, the alerts came from Application Control. I found no evidence relating to HIPS.
 

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,868
One thing I really want to know but haven't found any concrete answers yet. Does ESET protect the registry? I've never seen it scan the windows registry hive even in the Full Scan.
Good question. I never thought of it before. I am pretty sure that ESET's real-time protection doesn't monitor registry changes except its own, which is monitored by HIPS. If malware makes a registry modification, ESET can't stop that from happening. About the scanning part, I had to search and I found a very disappointing answer. This is a response from 2015 when a user asked why Eset can't fix the registry entries made by malware:
Because security policies were created by Microsoft for a reason and it's not possible to distinguish between policies set by malware and those set by users (administrators). ESET has stand-alone cleaners for some of the mentioned malware modifications which should be used to revert such changes, if not made intentionally
So, Eset can't do anything about the registry, and I guess this is why you never saw it scanning the registry.
 

Parsh

Level 25
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Dec 27, 2016
1,480
A word of warning regarding ESET-
Although ESET has improved in detection of various types of Scriptors, some malware authors have circumvented the need for scripting in Powershell, Python, etc., and have utilized other avenues to achieve similar results. These methods can yield malware that is harder for some AV applications to detect as they can be based on stuff like certutil, a valid command.
ESET has issues with this type of malware, even with the HIPS set at max protection. A ransomware file can be coded simply and easily to bypass the HIPS and encrypt files. Also, as coding is rather straightforward, the file would be zero day and bypass the AV.
I suppose that you are referring to more and more LOLBins being exploited to bypass application control and UAC ... and that some AVs are just not focusing on this aspect enough.
It would be surprising if ESET HIPS does not warn about their trigger in Interactive mode. Ok, I just ran a quick test used by LOLBAS to demonstrate a simple bypass using certutil - and ESET HIPS at least alerts about the activity like a standard 'Interactive Alert'. Then, fortunately or unfortunately, it's up to the user.
Screenshot (455).png
Don't you think that besides disabling scripts, blocking the unnecessary LOLBins from the LOLBAS list via HIPS would do good?
I understand that it could be a tough job since some of them are required for essential operations of the system. And ESET allows only path-based rules w/o wildcards.
This issue is by no means restricted to ESET, as programs from Forticlient to SEP will also fail. However, quite a few (like Kaspersky, Avast/AVG, CF) will laugh at this stuff and block it quite easily.
Kaspersky and the likes could be monitoring LOLBin exploitation methods in a better manner. Some AVs will cover a range of these attacks well, but others might just cover another range better, or overlap. In the cat-and-mouse game, different cats will have different points of strength :)
I've read ESET researchers highlighting abuse of LOLBins a couple of times, so they at least have it in notice. Though as @SeriousHoax said, it's true that if ESET's scanner engine misses it, BB/HIPS is most likely to miss it too. It's up to the education and security posture of the user whether he configures it to monitor the vulnerable processes discussed.
 

Parsh

Level 25
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Dec 27, 2016
1,480
One thing I really want to know but haven't found any concrete answers yet. Does ESET protect the registry? I've never seen it scan the windows registry hive even in the Full Scan. @SeriousHoax know anything on this?
@SeriousHoax has already covered the point. I'll just add that you can make HIPS rules to protect "specific" or "all" registry entries from the operations below:
Screenshot (458).png
For most users, "all" is not a practical option. You'll be bombarded with alerts and can screw up the system. But you can use the option to protect 'startup settings' at the very least. E.g. you could use a HIPS rule to protect registry changes done to restrict Powershell.
Not related to real-time protection, but you can use a "SysInspector" snapshot of a clean system and compare with a new snapshot whenever you wish to. SI takes a snapshot of processes, drivers, network connections, registry etc. SysInternals Autoruns is a good alternative.
I am pretty sure that ESET's real-time protection doesn't monitor registry changes except its own, which is monitored by HIPS. If malware makes a registry modification, ESET can't stop that from happening. About the scanning part, I had to search and I found a very disappointing answer.
And they did not care to explain on the forum why :) Their usual stand, as you must have seen, is that they feel doing something is unnecessary. And that they have other modules to take care of it in some way or other. Maybe their DNA detections are fortified to detect code related to suspicious registry operations and they are strongly relying just on that.
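As an added illustration of the snapshot-and-compare approach mentioned in this post (this is not code from the thread, from ESET, or from SysInspector/Autoruns), the script below records the common autorun registry locations, the Winlogon Shell/Userinit values and the PowerShell policy key, and reports what changed against a saved baseline. The baseline file path and the particular set of keys watched are assumptions chosen for the example; run it once to write the baseline and again later to diff.

```powershell
# Added example, not from the thread: diff autorun/startup registry entries
# against a baseline, similar in spirit to SysInspector / Autoruns comparison.
# Assumes Windows PowerShell 5.1 or later. Watched keys are a chosen subset.
$Watch = @{
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'         = $null  # $null = every value
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'     = $null
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'         = $null
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'     = $null
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' = @('Shell', 'Userinit')
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'        = @('ExecutionPolicy', 'EnableScripts')
}
$BaselinePath = "$env:USERPROFILE\autorun-baseline.json"   # assumed location

function Get-AutorunSnapshot {
    # Returns a flat map of "key\valueName" -> value string
    $snapshot = @{}
    foreach ($key in $Watch.Keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $regKey = Get-Item -Path $key
        foreach ($name in $regKey.GetValueNames()) {
            # For keys with a value-name filter, skip everything not listed
            if ($Watch[$key] -and ($name -notin $Watch[$key])) { continue }
            $snapshot["$key\$name"] = [string]$regKey.GetValue($name)
        }
    }
    return $snapshot
}

function Compare-AutorunSnapshot($Baseline, $Current) {
    # Reports added, modified and removed entries
    $findings = @()
    foreach ($k in $Current.Keys) {
        if (-not $Baseline.ContainsKey($k)) {
            $findings += [pscustomobject]@{ Change = 'Added'; Entry = $k; Value = $Current[$k] }
        } elseif ($Baseline[$k] -ne $Current[$k]) {
            $findings += [pscustomobject]@{ Change = 'Modified'; Entry = $k; Value = "$($Baseline[$k]) -> $($Current[$k])" }
        }
    }
    foreach ($k in $Baseline.Keys) {
        if (-not $Current.ContainsKey($k)) {
            $findings += [pscustomobject]@{ Change = 'Removed'; Entry = $k; Value = $Baseline[$k] }
        }
    }
    return $findings
}

$current = Get-AutorunSnapshot
if (-not (Test-Path -Path $BaselinePath)) {
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath"
} else {
    # ConvertFrom-Json yields a PSCustomObject; rebuild the hashtable from its properties
    $raw = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    $baseline = @{}
    foreach ($p in $raw.PSObject.Properties) { $baseline[$p.Name] = [string]$p.Value }
    $diff = @(Compare-AutorunSnapshot -Baseline $baseline -Current $current)
    if ($diff.Count -eq 0) { Write-Host 'No autorun changes since baseline.' } else { $diff | Format-Table -AutoSize }
}
```

Unexpected "Added" or "Modified" rows (a new Run value, a changed Userinit, a loosened ExecutionPolicy) are what to review by hand; a legitimate installer such as the GeForce Experience case mentioned later in the thread will also show up, so refresh the baseline after intended changes.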
 

blackice

Level 39
Verified
Top Poster
Well-known
Apr 1, 2019
2,868
Good to see old faces pop up again @cruelsister

Edit: Also talk about stirring the pot, ESET threads haven’t been this hot since beavisvirus was around.

Also, in this case, since they add signatures so fast, wouldn’t it work most of the time to just save attachments/downloads for a day or two before executing them? I know that wouldn’t stop everything, but that would cover your butt for a whole bunch of stuff.

ESET HIPS is useful for making advanced custom rules.
Such as blocking powershell altogether if you don’t use it often. 👍 One of my favorite rules. I have no doubt someone like @cruelsister could own my computer if they wanted. So I just lay low and try to play nice and avoid the every day attack. Zero days are very interesting, but if I worry about them too much I lose a lot of sleep unnecessarily.
 

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,868
And they did not care to explain on the forum why :) Their usual stand, as you must have seen, is that they feel doing something is unnecessary. And that they have other modules to take care of it in some way or other. Maybe their DNA detections are fortified to detect code related to suspicious registry operations and they are strongly relying just on that.
Yes, they never explain this type of question :sneaky: They do rely heavily on their Advanced DNA detections, which is serving them pretty well. They're also good against targeted attacks, remote code execution, etc., but their product can't handle threats when legit processes, like you said lolbins, are used to do the dirty work. What's your opinion about this Enhanced Real World Test where only Eset and Kaspersky blocked everything and most others didn't even agree to take part in: Enhanced Real-World Test 2019 – Consumer | AV-Comparatives
 

Wraith2020

Level 2
Mar 19, 2020
89
@SeriousHoax has already covered the point. I'll just add that you can make HIPS rules to protect "specific" or "all" registry entries from the operations below:
[attachment 236612]
For most users, "all" is not a practical option. You'll be bombarded with alerts and can screw up the system. But you can use the option to protect 'startup settings' at the very least. E.g. you could use a HIPS rule to protect registry changes done to restrict Powershell.
Not related to real-time protection, but you can use a "SysInspector" snapshot of a clean system and compare with a new snapshot whenever you wish to. SI takes a snapshot of processes, drivers, network connections, registry etc. SysInternals Autoruns is a good alternative.

And they did not care to explain on the forum why :) Their usual stand, as you must have seen, is that they feel doing something is unnecessary. And that they have other modules to take care of it in some way or other. Maybe their DNA detections are fortified to detect code related to suspicious registry operations and they are strongly relying just on that.
Yeah, once upon a time I had a HIPS rule to monitor startup applications. But since Nvidia GeForce Experience came onto my PC, I got mad with alerts. Is it so much of a hassle just to include the registry in a full scan? Malwarebytes seems to do a thorough registry scan with their quick scan, and it's the main reason I've kept the program as my back-up scanner. If Malwarebytes can implement it, why not ESET? And if ESET implements this I'll no longer need mbam.
 

blackice

Level 39
Verified
Top Poster
Well-known
Apr 1, 2019
2,868
Yes, they never explain this type of question :sneaky: They do rely heavily on their Advanced DNA detections, which is serving them pretty well. They're also good against targeted attacks, remote code execution, etc., but their product can't handle threats when legit processes, like you said lolbins, are used to do the dirty work. What's your opinion about this Enhanced Real World Test where only Eset and Kaspersky blocked everything and most others didn't even agree to take part in: Enhanced Real-World Test 2019 – Consumer | AV-Comparatives
In these cases OSArmor plays nice with ESET, or some hardening.
 

Parsh

Level 25
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Dec 27, 2016
1,480
Also, in this case, since they add signatures so fast, wouldn’t it work most of the time to just save attachments/downloads for a day or two before executing them? I know that wouldn’t stop everything, but that would cover your butt for a whole bunch of stuff.
You have good protection from ESET and OSArmor against email attachments and other downloads.
Safe email habits should minimize the stakes already. Keep macros in Office disabled, do not enable editing in docs unless necessary, do not open suspicious email files... If you really want a strict approach, you could run these Office/PDF apps and the browser in Sandboxie.
Coming to your point, surely it could help in some cases. You can use VT4Browsers extension for scanning downloads.
Such as blocking powershell altogether if you don’t use it often. 👍 One of my favorite rules. I have no doubt someone like @cruelsister could own my computer if they wanted. So I just lay low and try to play nice and avoid the every day attack. Zero days are very interesting, but if I worry about them too much I lose a lot of sleep unnecessarily.
There are limitations. E.g. attacks can bring their own PowerShell binaries too. Hence it's about reducing the attack surface, limited by the features. Monitoring unknown executed binaries and restricting PowerShell-related command lines is one step ahead of this.
Anyways as you rightly said, home users do not need to care much about advanced attacks. And preparing against targeted attacks is bootless.
 

blackice

Level 39
Verified
Top Poster
Well-known
Apr 1, 2019
2,868
Safe email habits should minimize the stakes already.

The truth is home users with truly safe habits are probably fine with ESET, or anything else competent, on its own. There’s always the off chance you run into something particularly nasty, but that can happen even when you think you have everything covered (outside of a completely locked down system, but the usability for that is not for the daily user). Webmail + decent security + safe habits + offline backup = 👍
 

Parsh

Level 25
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Dec 27, 2016
1,480
They do rely heavily on their Advanced DNA detections, which is serving them pretty well. They're also good against targeted attacks, remote code execution, etc., but their product can't handle threats when legit processes, like you said lolbins, are used to do the dirty work. What's your opinion about this Enhanced Real World Test where only Eset and Kaspersky blocked everything and most others didn't even agree to take part in: Enhanced Real-World Test 2019 – Consumer | AV-Comparatives
The test uses Powershell attacks for most of the part, C# (high level programming language) malware and office macros - all of these using different techniques and known exploit frameworks including pen-testing tools. What good would pen-test tools be if AVs could easily defeat them? ;)
ESET and Kaspersky have strong monitoring of PowerShell attacks, as evident from their own analysis blogs and these tests. They also arguably have among the best "in-memory" scanners (among the AVs), which they have documented in their whitepapers. So it wouldn't be so surprising.
I think Avast/AVG are also not behind, especially as cruelsister suggested.
Detection of malware written in high-level programming language is an ESET DNA strong-point. I do not remember the attack exactly, but Kaspersky's memory protection along with its FW was among the first to detect and block a new state-sponsored malware (no, I am not talking about Duqu 2.0).
I do not think this test is very advanced either. Just good enough to filter which products still cannot handle such known types of targeted attacks, now that one would expect them to:
The tools employed include heavily obfuscated malicious code, the malicious use of benign system tools, and non-file-based malicious code.
Many others not participating just indicates they're either not prepared or are not confident about their efficacy.
I believe @Andy Ful has a good grasp of some of these tools like Metasploit :)
In another famous test, ESET, Kaspersky and AVG/Avast were among the few to block an in-memory PowerShell attack using Mimikatz, though ESET did not succeed in the final test.
 

Parsh

Level 25
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Dec 27, 2016
1,480
What about false positives? Is it good for a development environment? Does it keep nagging like a noisy child when new scripts or executables are created 😂😂?
I just missed your post buddy 😄 I have not tried running scripts or interpreters you're referring to. And I've totally blocked scripts except for cmd, so won't be able to verify in a dev environment.
However, ESET at default settings should be non-intrusive. If you face issues, ESET has very robust exclusion options.
Yeah, spot on. OSArmor and ESET seem to make a great combo. I personally also suggest Syshardener to disable all scripts. I'm thinking of following @harlan4096 and adding Sandboxie so that my browser always runs sandboxed.
Exactly my setup :)
 
