Malware Hub Report ESET IS - April 2021 Report

Disclaimer
  1. This test shows how an antivirus behaves with certain threats, in a specific environment and under certain conditions.
     We encourage you to compare these results with others and make informed decisions on what security products to use.
     Before buying an antivirus you should consider factors such as price, ease of use, compatibility, and support. Installing a free trial version allows an antivirus to be tested in everyday use before purchase.

MacDefender

Level 14
Verified
Oct 13, 2019
685
I have felt a slight impact especially when launching a program with these more aggressive settings :)
Yeah, ESET's advanced techniques (more static heuristics, possibly sandbox emulation on-device) do tend to be heavy. Both involve more analysis before the program is even allowed to run, which I think most users perceive as a slowdown. A behavior blocker traps and evaluates API calls, which happen less often; most apps, when they are doing CPU-intensive things, are not calling out to Windows APIs constantly.

It seems script detections did not improve even after hardening the settings...
That's too bad. Once again, "SM25.vbs" seems to have identically duplicated itself and then put that script into AutoRuns.... I can't imagine a behavior blocker would miss that. From the Huorong test:
SM25.vbs triggers wscript.exe and mshta.exe. The latter tries calling out, and a Huorong Network Access Control (= Firewall) alert appears, whose default action is to auto-block after 45 seconds, so I chose "Deny". wscript.exe tries setting an AutoRun; a flashing red Huorong HIPS alert (File protection) appears, whose default action is to auto-block after 45 seconds, so I chose "Deny". Next is a Huorong HIPS alert (Sensitive action) on hidden PowerShell script executions. Default action is to auto-block after 45 seconds, so I chose "Deny". All services but mshta.exe auto-terminate; the broken mshta.exe window I closed personally. No further malicious traces, no AutoRuns. Untouched source file deleted before firing off 2nd_opinion scans. HIT.

I think for most people, ESET should be left at the default settings. Maybe turning on advanced DNA signatures would be interesting because we have seen some impressive ML detections from ESET before. The aggressive settings and their performance impacts don't justify the marginal improvement in protection.
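Detection logic for the chain described in that Huorong run (a script host duplicating its own script, writing a Run key, and spawning mshta.exe and hidden PowerShell), as an added example that is not from anyone in the thread or from ESET or Huorong. The Sysmon-style events, paths, PIDs and rule names are constructed for illustration.

```python
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
HIDDEN_PS = re.compile(r"powershell(\.exe)?\b.*-w(indowstyle)?\s+hidden", re.I)
SCRIPT_ARG = re.compile(r'([^\\"\s]+\.(?:vbs|vbe|js|jse|wsf|hta))', re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

# Constructed Sysmon-style events (EID 1 process create, 11 file create, 13 registry
# value set) modelling the SM25.vbs chain; paths and PIDs are made up for the example.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4100, "ppid": 900, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\u\Downloads\SM25.vbs"'},
    {"id": 11, "pid": 4100, "image": r"C:\Windows\System32\wscript.exe",
     "target": r"C:\Users\u\AppData\Roaming\SM25.vbs"},          # script copies itself
    {"id": 13, "pid": 4100, "image": r"C:\Windows\System32\wscript.exe",
     "target": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\SM25"},
    {"id": 1, "pid": 4120, "ppid": 4100, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r'mshta.exe "C:\Users\u\AppData\Roaming\SM25.hta"'},
    {"id": 1, "pid": 4130, "ppid": 4100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -w hidden -File C:\Users\u\AppData\Roaming\stage.ps1"},
    # Benign control: an installer registering its tray app must not trigger any rule.
    {"id": 13, "pid": 2200, "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray"},
]

def detect(events):
    """Return (rule, pid, evidence) tuples for script-host persistence behaviour."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}  # pid -> process-create event
    findings = []
    for e in events:
        proc = basename(e["image"])
        launched = procs.get(e["pid"])
        m = SCRIPT_ARG.search(launched["cmd"]) if launched else None
        script = m.group(1).lower() if m else None        # script the host was started with
        if e["id"] == 11 and proc in SCRIPT_HOSTS and script and basename(e["target"]) == script:
            findings.append(("script_self_copy", e["pid"], e["target"]))
        elif e["id"] == 13 and proc in SCRIPT_HOSTS and RUN_KEY.search(e["target"]):
            findings.append(("script_host_autorun", e["pid"], e["target"]))
        elif e["id"] == 1:
            parent = procs.get(e["ppid"])
            if parent and basename(parent["image"]) in SCRIPT_HOSTS:
                if proc in SCRIPT_HOSTS:
                    findings.append(("script_host_spawns_script_host", e["pid"], proc))
                elif HIDDEN_PS.search(e["cmd"]):
                    findings.append(("hidden_powershell_from_script_host", e["pid"], e["cmd"]))
    return findings
```

Running `detect(SAMPLE_EVENTS)` yields four findings for pid 4100's chain and none for the benign installer, which is the distinction a behavior blocker's AutoRun rule needs to make.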
 

MacDefender

Level 14
Verified
Oct 13, 2019
685
I already turned on that DNA hehe... see the pics in my previous post...
Nice!

Yeah, against scriptors especially, signatures are a losing game. When ESET was actively adding signatures for my PoCs, I found a meaningless Python syntax change was enough to break detection: #45 and Malware analysis - "pyrate", Behavior Blocker Bypass POC #3 ... and that's not even really trying. There are just way too many ways in a script to obfuscate your intentions from static inspection. With compiled executables, the way the compiler organizes and optimizes code leaves behind a lot more unique signatures you can latch on to.
 

SFox

Level 5
Verified
Jun 11, 2019
208
Hi guys, before the end of the month I have just implemented this:

[KB6119] Configuring HIPS rules for ESET business products to protect against ransomware

[KB6132] Configuring firewall rules for ESET Endpoint Security to protect against ransomware

While also keeping the previous aggressive tweaks...
Why didn't you add my suggestions for rules to hips in addition to the settings recommended by the antivirus developers? :) ;)
 

harlan4096

Moderator
Verified
Staff member
Malware Hunter
Apr 28, 2015
7,353
The surprising thing is that at this point, we still have to add those entries in HIPS manually to stop/block scripts, Java RATs and other threats creating their entries and infecting the system...

In recent tests, ESET was able to detect/remove only 2 entries in Windows AutoRuns sections (in 2 different tests), but other additional ones still remained, and those 2 detections took place after the system restart, when the system was already infected... 🤷‍♂️🤦‍♂️🙄

Where is ESET BB...?
 

MacDefender

Level 14
Verified
Oct 13, 2019
685
A very good question, it must take a really long time to download and it just isn't there yet...

What drives me nuts is that ESET advertises that their product does have a behavior blocker for ransomware behavior at least. Also "Deep Behavioral Inspection" since 2019:

(screenshot attached)


This is describing a behavior blocker, specifically calling out "Registry Events". To date I've never seen any of these features activate, either personally or in a Malware Hub test. The only dynamic detections I've seen are the "<signature> was found in a file downloaded/opened by <process>" which is basically just signature scanning during execution.

If you have a behavior blocker, it's really unlikely that it'd let a file copy itself then add to AutoRuns. I tested this against several AV software earlier: Homebrewed Zero Day behavior blocker test
 

mlnevese

Level 24
Verified
May 3, 2015
1,375
ESET could have many preset HIPS rules with a simple on/off switch. The rules could even be automatically turned on/off according to how paranoid you set it. As it is, the HIPS is basically useless for a basic user and demands some work from advanced users.
 

F 4 E

Level 3
Jan 27, 2019
105
ESET could have many preset HIPS rules with a simple on/off switch. The rules could even be automatically turned on/off according to how paranoid you set it. As it is, the HIPS is basically useless for a basic user and demands some work from advanced users.
I still can't get my head around having to fiddle with HIPS settings in Eset.

Beyond my level of expertise, and I wish Eset would come up with some preset rules rather than the Auto option?
 