ESET IS - April 2021 Report

I have felt a slight impact especially when launching a program with these more aggressive settings :)
Yeah ESET's advanced techniques (more static heuristics, possibly sandbox emulation on-device) do tend to be heavy. Both involve more analysis before the program is even allowed to run, which I think most users perceive as a slowdown. A behavior blocker traps and evaluates API calls which happen less often and most apps when they are doing CPU-intensive things are not calling out to Windows APIs constantly.

It seems script detections did not improve even after hardening the settings...
That's too bad. Once again, "SM25.vbs" seems to have identically duplicated itself and then put that script into AutoRuns... I can't imagine a behavior blocker would miss that. From the Huorong test:
SM25.vbs triggers wscript.exe and mshta.exe. The latter tries calling out, and a Huorong Network Access Control (= Firewall) alert appears; the default action is to auto-block after 45 seconds, so I chose "Deny". wscript.exe tries setting an AutoRun, and a flashing red Huorong HIPS alert (File protection) appears, whose default action is to auto-block after 45 seconds, so I chose "Deny". Next is a Huorong HIPS alert (Sensitive action) on hidden PowerShell script executions. Default action is to auto-block after 45 seconds, so I chose "Deny". All services but mshta.exe auto-terminate; the broken mshta.exe window I closed myself. No further malicious traces, no AutoRuns. Untouched source file deleted before firing off 2nd_opinion scans. HIT.

I think for most people, ESET should be left at the default settings. Maybe turning on advanced DNA signatures would be interesting because we have seen some impressive ML detections from ESET before. The aggressive settings and their performance impacts don't justify the marginal improvement in protection.
 
I already turned on that DNA hehe... see the pics in my previous post...
Nice!

Yeah against scriptors especially, signatures are a losing game. When ESET was actively adding signatures for my PoCs, I found a meaningless Python syntax change was enough to break detection: #45 and Malware analysis - "pyrate", Behavior Blocker Bypass POC #3 ... and that's not even really trying. There's just way too many ways in a script to obfuscate your intentions from static inspection. With compiled executables, the way the compiler organizes and optimizes code leaves behind a lot more unique signatures you can latch on to.
 
A small test (to make ESET fans happy 😅) performed today with a sample that is widely detected at VT but "apparently" not detected by ESET:

Thanks @upnorth for the sample...
 
The fact a sample is not detected by an engine on VT does not mean it doesn't actually detect it. That is a well-known fact many people keep forgetting.
I know, that's why I said "apparently"... this time it was "right" since it was not detected on demand but was on dynamic :)
 
Hi guys, just before the end of the month I've implemented this:

[KB6119] Configure HIPS rules for ESET business products to protect against ransomware

[KB6132] Configure firewall rules for ESET Endpoint Security to protect against ransomware

While also keeping the previous aggressive tweaks...
Why didn't you add my suggestions for rules to hips in addition to the settings recommended by the antivirus developers? :) ;)
 
The surprising thing is that at this point, we still have to manually add those entries in HIPS to stop/block scripts, Java RATs and other threats from creating their entries and infecting the system...

In recent tests, ESET was able to detect/remove only 2 entries in Windows AutoRuns sections (in 2 different tests), but still remained other additional ones, and those 2 detections took place after the system restart, when the system was already infected... 🤷‍♂️🤦‍♂️🙄

Where is ESET BB...?
 
A very good question, it must take a really long time to download and it just isn't there yet...

What drives me nuts is that ESET advertises that their product does have a behavior blocker for ransomware behavior at least. Also "Deep Behavioral Inspection" since 2019:



This is describing a behavior blocker, specifically calling out "Registry Events". To date I've never seen any of these features activate, either personally or in a Malware Hub test. The only dynamic detections I've seen are the "<signature> was found in a file downloaded/opened by <process>" which is basically just signature scanning during execution.

If you have a behavior blocker, it's really unlikely that it'd let a file copy itself then add to AutoRuns. I tested this against several AV software earlier: Homebrewed Zero Day behavior blocker test
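The chain described in the posts above (a script copying itself, registering a Run-key entry, then launching a script host or hidden PowerShell) is exactly what a "Registry Events" rule in a behavior blocker or HIPS is supposed to catch. The following is an added example, not code from this thread, ESET or Huorong: a small Python audit that scores AutoRun entries with that kind of rule. The sample entries are constructed for the demo, and the scoring heuristics (script hosts, script file extensions, hidden/encoded PowerShell, user-writable paths) are my own assumptions about what such a rule would look at.

```python
"""Heuristic audit of Windows AutoRun (Run key) entries.

Added example, not code from the thread, ESET, or Huorong. It applies the kind
of check a behavior blocker's "Registry Events" rule would make when a script
registers itself to run at logon. Sample entries below are constructed; the
scoring rules are assumptions, not any vendor's actual logic.
"""
import ntpath
import re
from dataclasses import dataclass

# Script hosts that a dropper typically registers in a Run key (assumed list).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "pwsh.exe"}
# Script file extensions worth flagging when they appear on an autorun command line.
SCRIPT_FILE = re.compile(r"\.(vbs|vbe|js|jse|hta|ps1|wsf|bat|cmd)\b", re.I)
# Hidden window or encoded command line: the usual signs of a "hidden PowerShell" launch.
HIDDEN_PS = re.compile(r"-(w|win|windowstyle)\s+hidden|-enc(odedcommand)?\s", re.I)
# Locations an unprivileged script can write to; legitimate software lives there too.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


@dataclass
class AutorunEntry:
    location: str   # registry key or Startup folder the entry lives in
    name: str       # value name
    command: str    # command line that will run at logon


def first_token(command):
    """Return the lower-cased file name of the executable a command line launches."""
    command = command.strip()
    if command.startswith('"'):                      # quoted path, possibly with spaces
        end = command.find('"', 1)
        exe = command[1:end] if end > 0 else command[1:]
    else:
        exe = command.split(None, 1)[0] if command else ""
    return ntpath.basename(exe).lower()              # ntpath handles backslashes on any OS


def classify(entry):
    """Return (verdict, reasons) for one AutoRun entry.

    block  - a script host or hidden/encoded PowerShell is registered to run at logon
    review - nothing damning, but the entry points at a script file or into a user-writable path
    allow  - none of the heuristics fired
    """
    cmd = entry.command
    low = cmd.lower()
    exe = first_token(cmd)
    reasons = []
    if exe in SCRIPT_HOSTS:
        reasons.append(f"script host {exe}")
    if SCRIPT_FILE.search(cmd):
        reasons.append("launches a script file")
    if HIDDEN_PS.search(cmd):
        reasons.append("hidden or encoded PowerShell")
    if any(p in low for p in USER_WRITABLE):
        reasons.append("user-writable path")
    if exe in SCRIPT_HOSTS or HIDDEN_PS.search(cmd):
        return "block", reasons
    if reasons:
        return "review", reasons
    return "allow", reasons


def audit(entries):
    """Map entry name -> verdict for a list of AutorunEntry objects."""
    return {e.name: classify(e)[0] for e in entries}


def collect_live_hkcu_run():
    """Read the current user's Run key via winreg on Windows; returns [] elsewhere."""
    try:
        import winreg
    except ImportError:
        return []
    key_path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    entries = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
        index = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:                          # raised when no more values remain
                break
            entries.append(AutorunEntry("HKCU\\" + key_path, name, str(value)))
            index += 1
    return entries


RUN_HKLM = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_HKCU = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample entries for the demo (not data captured from the thread's tests).
SAMPLE_ENTRIES = [
    AutorunEntry(RUN_HKLM, "SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    AutorunEntry(RUN_HKCU, "SM25", r'wscript.exe //B "C:\Users\alice\AppData\Roaming\SM25.vbs"'),
    AutorunEntry(RUN_HKCU, "Updater", "powershell.exe -nop -w hidden -enc SQBFAFgA"),
    AutorunEntry(RUN_HKCU, "OneDrive",
                 r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

if __name__ == "__main__":
    for e in SAMPLE_ENTRIES + collect_live_hkcu_run():
        verdict, reasons = classify(e)
        print(f"{verdict:6} {e.name}: {e.command}")
        for r in reasons:
            print(f"         - {r}")
```

The OneDrive entry shows why a HIPS vendor cannot simply block everything in AppData: legitimate per-user installers live there, so that signal alone only earns "review", while a script host or a hidden/encoded PowerShell launch is enough on its own to block, which is the behaviour the posts above expected from a behavior blocker.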
 
ESET could have many preset HIPS rules with a simple on/off switch. The rules could even be automatically turned on/off according to how paranoid you set it. As it is, the HIPS is basically useless for a basic user and demands some work for advanced users.
 
> ESET could have many preset HIPS rules with a simple on/off switch. The rules could even be automatically turned on/off according to how paranoid you set it. As it is, the HIPS is basically useless for a basic user and demands some work for advanced users.
I still can't get my head around having to fiddle with HIPS settings in Eset.

Beyond my level of expertise, and I wish Eset would come up with some preset rules rather than the Auto option?