ESET Internet Security 13 - a technology revisit to the Nod legacy

Product name
ESET Internet Security 13.1.21.0
Installation (rating)
5.00 star(s)
User interface (rating)
4.00 star(s)
Accessibility notes
+ Main GUI is fairly simple for an average user
- Module categorization in main GUI and in Settings are not in tune, might come across as confusing
+- Some old users like this aging interface, some do not
Performance (rating)
5.00 star(s)
Core Protection (rating)
5.00 star(s)
Proactive protection (rating)
5.00 star(s)
Additional Protection notes
+ Automated protection at default, good enough for average users
+ Memory scanning/ file-less malware protection/ Banking protection rated high in some 3rd party tests
+ Signatures / DNA detection among the best
+ Provides highly configurable HIPS & Firewall for advanced protection
- Known not to be very effective VS unknown malware
- Configuring well or setting HIPS & Firewall to interactive mode needs good knowledge of OS
https://www.av-comparatives.org/tests/enhanced-real-world-test-2019-consumer
https://www.mrg-effitas.com/research/current-state-of-malicious-powershell-script-blocking
https://www.mrg-effitas.com/wp-content/uploads/2020/01/2019_Online_BankingQ4.pdf
https://www.mrg-effitas.com/wp-content/uploads/2020/01/MRG_Effitas_2019Q4_360.pdf
Browser protection (rating)
5.00 star(s)
Positives
    • Many features
    • Low impact on system resources
    • Highly configurable
    • Strong and reliable protection
    • Excellent scores in independent tests
    • Multi-layer protection approach
Negatives
    • Mixed results from independent testing labs
    • Can be complex in some situations
Time spent using product
Computer specs
Intel i5 4th Gen (upto 2.3Ghz Turbo) | 8GB DDR3 | 1TB HDD | AMD Radeon 8670M Graphics (2GB)
Recommended for
  1. All types of users
Overall rating
5.00 star(s)

Vitali Ortzi

Level 22
Verified
Top Poster
Well-known
Dec 12, 2016
1,147
A word of warning regarding ESET-

Although ESET has improved in detection of various types of Scriptors, some malware authors have circumvented the need for scripting in Powershell, Python, etc and have utilized other avenues to achieve similar results. These methods can yield malware that is harder for some AV applications to detect as they can be based on stuff like certutil, a valid command.

ESET has issues with this type of malware, even with the HIPS set at max protection. A ransomware file can be coded simply and easily to bypass the HIPS and encrypt files. Also, as coding is rather straightforward, the file would be zero day and bypass the AV.

This issue is by no means restricted to ESET, as programs from Forticlient to SEP will also fail. However quite a few (like Kaspersky, Avast/AVG, CF) will laugh at this stuff and block it quite easily.
Great to see you back !
 

Wraith2020

Level 2
Mar 19, 2020
89
As far as I know HIPS can be activated when you untick Kaspersky automatic mode (forgot the exact naming of that option as I am no longer using Kaspersky). Even on the automatic mode, HIPS runs in smart mode without asking for user's interaction.
Yeah in the interactive mode, kis produces a lot of alerts. But the last time I tried kis in Interactive mode, the alerts came from Application Control. I found no evidence relating to HIPS.
 

SeriousHoax

Level 47
Well-known
Mar 16, 2019
3,630
One thing I really want to know but haven't found any concrete answers yet. Does ESET protect the registry? I've never seen it scan the windows registry hive even in the Full Scan.
Good question. I never though of it before. I am pretty sure that ESET's real time protection doesn't monitor registry changes except its own which is monitored by HIPS. If a malware makes registry modification ESET can't stop that from happening. About the scanning part I had to search and I found a very disappointing answer. This is a response from 2015 when a user asked why Eset can't fix the registry entries made by malware:
Because security policies were created by Microsoft for a reason and it's not possible to distinguish between policies set by malware and those set by users (administrators). ESET has stand-alone cleaners for some of the mentioned malware modifications which should be used to revert such changes, if not made intentionally
So, Eset can't do anything about registry and I guess this is why you never saw it scanning registries.
 

Parsh

Level 25
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Dec 27, 2016
1,480
A word of warning regarding ESET-
Although ESET has improved in detection of various types of Scriptors, some malware authors have circumvented the need for scripting in Powershell, Python, etc and have utilized other avenues to achieve similar results. These methods can yield malware that is harder for some AV applications to detect as they can be based on stuff like certutil, a valid command.
ESET has issues with this type of malware, even with the HIPS set at max protection. A ransomware file can be coded simply and easily to bypass the HIPS and encrypt files. Also, as coding is rather straightforward, the file would be zero day and bypass the AV.
I suppose that you are referring to more and more LOLBins being exploited to bypass application control and UAC ... and that some AVs are just not focusing on this aspect enough.
It would be surprising if ESET HIPS does not warn about their trigger in Interactive mode. Ok, I just ran a quick test used by LOLBAS to demonstrate a simple bypass using certutil - and ESET HIPS at least alerts about the activity like a standard 'Interactive Alert'. Then, fortunately or unfortunately it's upto the user.
Screenshot (455).png
Don't you think that besides disabling scripts, blocking the unnecessary LOLBins from the LOLBAS list via HIPS would do good?
I understand that it could be a tough job since some of them are required for essential operations of the system. And ESET allows only path-based rules w/o wildcards.
This issue is by no means restricted to ESET, as programs from Forticlient to SEP will also fail. However quite a few (like Kaspersky, Avast/AVG, CF) will laugh at this stuff and block it quite easily.
Kaspersky and the likes could be monitoring LOLBin exploitation methods in a better manner. Some AVs will cover a range of these attacks well, but others might just cover another range better, or overlap. In the cat-and-mouse game, different cats will have different points of strength :)
I've read ESET researchers highlighting abuse of LOLBins a couple of times, so they at least have it in notice. Though as @SeriousHoax said, its true that if ESET scanner engine misses it, BB/HIPS is most likely to miss it too. It's upto the education and security posture of the user if he configures to monitor vulnerable processes discussed.
 

Parsh

Level 25
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Dec 27, 2016
1,480
One thing I really want to know but haven't found any concrete answers yet. Does ESET protect the registry? I've never seen it scan the windows registry hive even in the Full Scan. @SeriousHoax know anything on this?
@SeriousHoax has already covered the point. I'll just add that you can make HIPS rules to protect "specific" or "all" registry entries from below operations:
Screenshot (458).png
For most users, "all" is not a practical option. You'll be bombarded with alerts and can screw the system. But you can use the option to protect 'startup settings' at the very least. Eg. you could use HIPS rule to protect registry changes done to restrict Powershell.
Not related to real-time protection, but you can use a "SysInspector" snapshot of a clean system and compare with a new snapshot whenever you wish to. SI takes a snapshot of processes, drivers, network connections, registry etc. SysInternals Autoruns is a good alternative.
I am pretty sure that ESET's real time protection doesn't monitor registry changes except its own which is monitored by HIPS. If a malware makes registry modification ESET can't stop that from happening. About the scanning part I had to search and I found a very disappointing answer.
And they did not care to explain on the forum why :) Their usual stand you must have seen is that they feel doing something is unnecessary. And that they have other modules to take care of it in some or the other way. Maybe their DNA detections are fortified to detect code related to suspicious registry operations and they are strongly relying just on that. .
 

blackice

Level 38
Verified
Top Poster
Well-known
Apr 1, 2019
2,731
Good to see old faces pop up again @cruelsister

Edit: Also talk about stirring the pot, ESET threads haven’t been this hot since beavisvirus was around.

Also, in this case since they add signatures so fast wouldn’t it work most of the time to just save attachments/download for a day or two Before executing them? I know that wouldn’t stop everything, but that would cover your butt for a whole bunch of stuff.

ESET HIPS is useful for making advance custom rules.
Such as blocking powershell altogether if you don’t use it often. 👍 One of my favorite rules. I have no doubt someone like @cruelsister could own my computer if they wanted. So I just lay low and try to play nice and avoid the every day attack. Zero days are very interesting, but if I worry about them too much I lose a lot of sleep unnecessarily.
 

SeriousHoax

Level 47
Well-known
Mar 16, 2019
3,630
And they did not care to explain on the forum why :) Their usual stand you must have seen is that they feel doing something is unnecessary. And that they have other modules to take care of it in some or the other way. Maybe their DNA detections are fortified to detect code related to suspicious registry operations and they are strongly relying just on that. .
Yes they never explain this type of questions :sneaky: They do rely heavily on their Advanced DNA detections which is serving them pretty well. They're also good against targeted attacks, remote code executions, etc but their product can't handle threats when legit processes like you said lolbins are used to do the dirty work. What's your opinion about this Enhanced Real World Test where only Eset and Kaspersky blocked everything and most other didn't even agree to take part in: Enhanced Real-World Test 2019 – Consumer | AV-Comparatives
 

Wraith2020

Level 2
Mar 19, 2020
89
@SeriousHoax has already covered the point. I'll just add that you can make HIPS rules to protect "specific" or "all" registry entries from below operations:
View attachment 236612
For most users, "all" is not a practical option. You'll be bombarded with alerts and can screw the system. But you can use the option to protect 'startup settings' at the very least. Eg. you could use HIPS rule to protect registry changes done to restrict Powershell.
Not related to real-time protection, but you can use a "SysInspector" snapshot of a clean system and compare with a new snapshot whenever you wish to. SI takes a snapshot of processes, drivers, network connections, registry etc. SysInternals Autoruns is a good alternative.

And they did not care to explain on the forum why :) Their usual stand you must have seen is that they feel doing something is unnecessary. And that they have other modules to take care of it in some or the other way. Maybe their DNA detections are fortified to detect code related to suspicious registry operations and they are strongly relying just on that. .
Yeah once upon a time I had a HIPS rule to monitor startup applications. But since Nvidia GeForce Experience came into my PC, I got mad with alerts. Is it so much of a hassle just to include the registry in a full scan? Malwarebytes seems to do a thorough registry scan with their quick scan and it's just the main reason I've kept the program as my back-up scanner. If Malwarebytes can implement it, why not ESET? And if ESET implements this I'll no longer need mbam.
 

blackice

Level 38
Verified
Top Poster
Well-known
Apr 1, 2019
2,731
Yes they never explain this type of questions :sneaky: They do rely heavily on their Advanced DNA detections which is serving them pretty well. They're also good against targeted attacks, remote code executions, etc but their product can't handle threats when legit processes like you said lolbins are used to do the dirty work. What's your opinion about this Enhanced Real World Test where only Eset and Kaspersky blocked everything and most other didn't even agree to take part in: Enhanced Real-World Test 2019 – Consumer | AV-Comparatives
In these cases OSArmor plays nice with ESET, or some hardening.
 

Parsh

Level 25
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Dec 27, 2016
1,480
Also, in this case since they add signatures so fast wouldn’t it work most of the time to just save attachments/download for a day or two Before executing them? I know that wouldn’t stop everything, but that would cover your butt for a whole bunch of stuff.
You have good protection from ESET and OSArmor against email attachments and other downloads.
Safe email habits should minimize the stakes already. Keep macros in office disabled, do not enable editing in docs unless unnecessary, do not open suspicious email files... If you really want a strict approach, you could enforce these office/pdf apps and browser in sandboxie.
Coming to your point, surely it could help in some cases. You can use VT4Browsers extension for scanning downloads.
Such as blocking powershell altogether if you don’t use it often. 👍 One of my favorite rules. I have no doubt someone like @cruelsister could own my computer if they wanted. So I just lay low and try to play nice and avoid the every day attack. Zero days are very interesting, but if I worry about them too much I lose a lot of sleep unnecessarily.
There are limitations. Eg. attacks can bring their own powershell binaries too. Hence it's about reducing the attack surface, limited by the features. Monitoring unknown executed binaries and restricting powershell-related commandlines is one step ahead of this.
Anyways as you rightly said, home users do not need to care much about advanced attacks. And preparing against targeted attacks is bootless.
 

blackice

Level 38
Verified
Top Poster
Well-known
Apr 1, 2019
2,731
Safe email habits should minimize the stakes already.

The truth is home users with truly safe habits are probably fine with ESET, or anything else competent, on it’s own. There’s always the off chance you run into something particularly nasty, but that can happen even when you think you have everything covered (outside of a completely locked down system, but the usability for that is not for the daily user). Webmail + decent security + safe habits + offline backup = 👍
 

Parsh

Level 25
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Dec 27, 2016
1,480
They do rely heavily on their Advanced DNA detections which is serving them pretty well. They're also good against targeted attacks, remote code executions, etc but their product can't handle threats when legit processes like you said lolbins are used to do the dirty work. What's your opinion about this Enhanced Real World Test where only Eset and Kaspersky blocked everything and most other didn't even agree to take part in: Enhanced Real-World Test 2019 – Consumer | AV-Comparatives
The test uses Powershell attacks for most of the part, C# (high level programming language) malware and office macros - all of these using different techniques and known exploit frameworks including pen-testing tools. What good would pen-test tools be if AVs could easily defeat them? ;)
ESET and Kaspersky have a strong monitoring against powershell attacks as evident from their own analysis blogs and these tests. They also arguably have among the best "in-memory" scanners (among the AVs), that they have documented in their whitepapers. So it wouldn't be so surprising.
I think Avast/AVG are also not behind, especially since cruelsister suggested.
Detection of malware written in high-level programming language is an ESET DNA strong-point. I do not remember the attack exactly, but Kaspersky's memory protection along with its FW was among the first to detect and block a new state-sponsored malware (no, I am not talking about Duqu 2.0).
I do not think this test is very much advanced either. Just good enough to filter which products can still not handle such known types of targeted attacks, now that one would expect them to :
The tools employed include heavily obfuscated malicious code, the malicious use of benign system tools, and non-file-based malicious code.
Many others not participating just indicate they're either not prepared or are not confident about their efficacy.
I believe @Andy Ful has a good grasp of some of these tools like Metasploit :)
In another famous test, ESET, Kaspersky and AVG/Avast were among the few to block in-memory powershell attack using Mimikatz, though ESET did not succeed in the final test.
 

Parsh

Level 25
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Dec 27, 2016
1,480
what about false positives is it good for development environment ?? is it keep nagging like noisy child when new a new scripts or executable are created 😂😂 ?
I just missed your post buddy 😄 I have not tried running scripts or interpreters you're referring to. And I've totally blocked scripts except for cmd, so won't be able to verify in a dev environment.
However, ESET at default settings should be non-intrusive. If you face issues, ESET has very robust exclusion options.
Yeah spot on. OSArmor and ESET seems to make a great combo. I personally also suggest Syshardener to disable all scripts. I'm thinking of following @harlan4096 and adding sandboxie so that my browser always run sandboxed.
Exactly my setup :)
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top