Updates Eset LiveGrid needs tweaking

[McMcbrad]

Hi,

I would like to bring something to ESET users's attention that I believe is worth mentioning.

I am a malware hunter and it happened today that both me and @upnorth came across the same ransomware sample.
The sample has been uploaded to malware testers here: https://malwaretips.com/threads/ransomware-x2-26-10-2020.104800/#post-910958
File hash is 9be3b8dff2d24146e732fa8f81b1a56860b579622e31c991ceaf847[truncated for safety]

All layers of ESET missed the sample (files in VM were encrypted as well), which is not unusual and I would not consider it a valid reason to uninstall the product and switch to someone else immediately.
What I found shocking however is the LiveGrid reputation score of the file:

I am curious how a new executable (according to their own system) with low number of users and no digital signature gets 50% good score???
That's a great mystery.
I have uploaded the sample to Eset and I have started a thread on their forum. I hope they are willing to cooperate on this.

Your LiveGrid system needs tweaking

Hi, I am a malware hunter and Ive come across an interesting ransomware sample, which Ive also uploaded to you. What I am curious to know is how a brand new and unknown, unsigned executable with low number of users gets half-way good reputation? Not only all of your technologies failed to stop th...

forum.eset.com

 

[McMcbrad]

Update from ESET forum admin:

"Since the file was new to LiveGrid, it got medium reputation. Now that it's been blacklisted, it shows risky reputation:

"
And that's really the new reputation score:

However, it looks like brand new samples get 50% good reputation by default. This is not totally wrong, as when you don't know anything about a file, it's 50/50 whether it's good or malicious. However, from protection point of view it's not too great.

 

[marcopaone]

Norton is encrypted too with both sample on malwarehub, same for F-Secure.
WiseVector blocks both sample and Kaspersky too.

 

[McMcbrad]

I can't agree that reputation has no effect on protection. I am sure ML and other modules take reputation into account when analysing a file.

 

[McMcbrad]

 

[Durden]

It's nice that they try to avoid FP and and optimize performance.. but they always hide behind that claim whenever they fail!
What do they have to say for themselves about other products doing much better protecting their novice users while also maintaining a low FP profile! Oh and a lot of them are catching up to ESET in terms of performance.

 

[McMcbrad]

It's nice that they try to avoid FP and performance.. but they always hide behind that claim whenever they fail!
What do they have to say for themselves about other products doing much better protecting their novice users while also maintaining a low FP profile! Oh and a lot of them are catching up to ESET in terms of performance.

To be honest, I can accept all kinds of product failures, as this is technology, we are dealing with unknown... nobody can be and should be 100% perfect. However, customer support has set standards and is quite easy - support answers like these are utterly hideous. This is what I can't accept by no means.

Even advanced users should not be writing HIPS rules, we’ve got better things to do. ESET should provide the option for controlled folder access, doing it in a simple way. The programming logic might be to do it via HIPS. We don't know and don't care.

 

[plat1098]

People spend big bucks for antivirus like ESET. Then, they proceed to whitelist and allow all kinds of bad stuff. Then, they get mad at their expensive antivirus. "You were to supposed to protect me!" Blah blah.

Any user-defined input should be designed with the five-year old in mind. Dumb it down and use pictures. Then, maybe even I would consider using it.

Or, refine machine learning. Or both.

Edit: there's a certain attitude that comes with representing a major and highly-regarded corporation. It's called "arrogance."

 

[McMcbrad]

People spend big bucks for antivirus like ESET. Then, they proceed to whitelist and allow all kinds of bad stuff. Then, they get mad at their expensive antivirus. "You were to supposed to protect me!" Blah blah.

Any user-defined input should be designed with the five-year old in mind. Dumb it down and use pictures. Then, maybe even I would consider using it.

Or, refine machine learning. Or both.

Edit: there's a certain attitude that comes with representing a major and highly-regarded corporation. It's called "arrogance."

I am an IT admin for a large company and have 10+ years of experience with products like SEP, McAfee ENS and many others. I also hold a bachelor in computing and have multiple other certifications. I can tell you even I won’t dare opening this window and writing HIPS rules. Furthermore, heavily relying on HIPS for everything, which year are we? Is it 2006 again?

 

[Andy Ful]

It seems that Eset uses the file reputation as a small addition to the detection engines to improve protection without increasing much the false positives rate. It is included in the LiveGrid feature which is similar to Windows Defender Block At First Sight. It is an early warning post-infection system. So, Eset will allow a file if it was not recognized as malicious on any computer with installed Eset and connected to the Eset cloud. You can call it "reputation default allow". It is a different approach as compared to Avast Hardened Mode, Comodo file lookup, or Microsoft SmartScreen which we can call "reputation default deny".

Post edited (see italics)

 

[McMcbrad]

It seems that Eset uses the file reputation as a small addition to the detection engines to improve protection without increasing much the false positives rate. It is included in the LiveGrid feature which is similar to Windows Defender Block At First Sight. So, Eset will allow a file if it was not recognized as malicious on any computer with installed Eset and connected to the Eset cloud. You can call it "reputation default allow". It is a different approach as compared to Avast Hardened Mode, Comodo file lookup, or Microsoft SmartScreen which we can call "reputation default deny".

Yes, we were explained that. However, when I suggested that they should release something similar to controlled folder access, which they disable, by disabling Windows Defender, I was explained that I need to write a HIPS rule. The product failure is not an issue, their response is not right.

So what happens exactly is, I have taken my time to report their failure and they ("ESET") instead of logging this feedback and using it to improve their product, fall into explanations what I could or couldn't do.

 

[McMcbrad]

Another update: the ransomware was deleted half an hour ago automatically by Eset.
I submitted the file at 9:41, and it has been deleted at 13:25.
That's 3:44 response time, which isn't to bad. The support issue remains however.

 

[McMcbrad]

 

[fabiobr]

View attachment 247982
View attachment 247983

I love how they use the "false positive card" when they don't see how to explain such lack of feature.

Kaspersky does this and has one of the lowest FPs rates on the market.

What is the definition of trusted then? Why have an antivirus if they can't see what is untrusted? Why do they have heuristics?

 

[McMcbrad]

I love how they use the "false positive card" when they don't see how to explain such lack of feature.

Kaspersky does this and has one of the lowest FPs rates on the market.

What is the definition of trusted then? Why have an antivirus if they can't see what is untrusted? Why do they have heuristics?

Oh no, they didn't use the false positives card, they did something worse. They literally thought they will get away with making me look stupid, as if I don't know how to use the product. As if just because they offer HIPS, we should all spend 5 days doing rules for it. That's why we all buy a laptop, to install Eset and start configuring the HIPS. They didn't know they will have hard time with fooling me around and they quickly changed the tone afterwards.

 

[SeriousHoax]

This is typical response from ESET. Many users have asked what you asked there including me a couple of times but they never listen to those feedbacks. ESET's priority is always less false positive and less system impact. They won't make changes proactive protection wise. Their signature and on demand statistical scanner is the best on the market and they still almost purely relies on that it seems.

LiveGrid is merely a sample submission backend for them. The reputation info means absolutely nothing. An unknown sample is submitted to them via LiveGrid and if it's a PE executable then their cloud sandbox analyzes it and if it gives a verdict with pure confidence that it's a malware then it's blocked via LiveGrid as "Suspicious". Only for PE executables. But rarely I've seen it working in my experience and most of the time it only detected new samples after I submitted it via email to them. It also happened a few times that even after submitting multiple times they didn't add a signature. Then I had to write in the email why I think a signature should be added with a Virustotal link and only then they created signatures. This happened usually for low risk malwares/pup.
On the contrary Kaspersky's reputation info and cloud sandbox is far more effective. It can analyze almost all types of files, not just executables. I've also seen a couple of times, Kaspersky halting scanning of a file till the file is uploaded and a verdict is received from their cloud sandbox which can take couple of minutes depending on the server load.

 

[McMcbrad]

This is typical response from ESET. Many users have asked what you asked there including me a couple of times but they never listen to those feedbacks. ESET's priority is always less false positive and less system impact. They won't make changes proactive protection wise. Their signature and on demand statistical scanner is the best on the market and they still almost purely relies on that it seems.

LiveGrid is merely a sample submission backend for them. The reputation info means absolutely nothing. An unknown sample is submitted to them via LiveGrid and if it's a PE executable then their cloud sandbox analyzes it and if it gives a verdict with pure confidence that it's a malware then it's blocked via LiveGrid as "Suspicious". Only for PE executables. But rarely I've seen it working in my experience and most of the time it only detected new samples after I submitted it via email to them. It also happened a few times that even after submitting multiple times they didn't add a signature. Then I had to write in the email why I think a signature should be added with a Virustotal link and only then they created signatures. This happened usually for low risk malwares/pup.
On the contrary Kaspersky's reputation info and cloud sandbox is far more effective. It can analyze almost all types of files, not just executables. I've also seen a couple of times, Kaspersky halting scanning of a file till the file is uploaded and a verdict is received from their cloud sandbox which can take couple of minutes depending on the server load.

ESET 15/16 will have protected folders. I promise you that.

 

[AYIZEB]

I don't understand eset, they may have the best product on the market and they don't listen to current trends or their users ...

 

[SeriousHoax]

ESET 15/16 will have protected folders. I promise you that.

Highly unlikely based on their current outlook. Besides based on my assumption, ESET usually implements new features depending on their Enterprise customers feedback and they do have some high profile customers. Enterprise customers don't need protected folders so that's why I'm saying it's unlikely to happen.

 

[McMcbrad]

I will try my best lol
I love challenge
I can see I have other users there on my side too.