Update Eset LiveGrid needs tweaking

McMcbrad

McMcbrad

Level 8
Hi,

I would like to bring something to ESET users's attention that I believe is worth mentioning.

I am a malware hunter and it happened today that both me and @upnorth came across the same ransomware sample.
The sample has been uploaded to malware testers here: https://malwaretips.com/threads/ransomware-x2-26-10-2020.104800/#post-910958
File hash is 9be3b8dff2d24146e732fa8f81b1a56860b579622e31c991ceaf847[truncated for safety]

All layers of ESET missed the sample (files in VM were encrypted as well), which is not unusual and I would not consider it a valid reason to uninstall the product and switch to someone else immediately.
What I found shocking however is the LiveGrid reputation score of the file:
1603709635762.png


I am curious how a new executable (according to their own system) with low number of users and no digital signature gets 50% good score???
That's a great mystery.
I have uploaded the sample to Eset and I have started a thread on their forum. I hope they are willing to cooperate on this.
forum.eset.com

Your LiveGrid system needs tweaking

Hi, I am a malware hunter and Ive come across an interesting ransomware sample, which Ive also uploaded to you. What I am curious to know is how a brand new and unknown, unsigned executable with low number of users gets half-way good reputation? Not only all of your technologies failed to stop th...
forum.eset.com forum.eset.com
 
Last edited:
McMcbrad

McMcbrad

Level 8
Update from ESET forum admin:

"Since the file was new to LiveGrid, it got medium reputation. Now that it's been blacklisted, it shows risky reputation:

image.png "
And that's really the new reputation score:
1603711703057.png


However, it looks like brand new samples get 50% good reputation by default. This is not totally wrong, as when you don't know anything about a file, it's 50/50 whether it's good or malicious. However, from protection point of view it's not too great.
 
Durden

Durden

Level 3
It's nice that they try to avoid FP and and optimize performance.. but they always hide behind that claim whenever they fail!
What do they have to say for themselves about other products doing much better protecting their novice users while also maintaining a low FP profile! Oh and a lot of them are catching up to ESET in terms of performance.
 
Last edited:
McMcbrad

McMcbrad

Level 8
Durden said:
It's nice that they try to avoid FP and performance.. but they always hide behind that claim whenever they fail!
What do they have to say for themselves about other products doing much better protecting their novice users while also maintaining a low FP profile! Oh and a lot of them are catching up to ESET in terms of performance.
Click to expand...
To be honest, I can accept all kinds of product failures, as this is technology, we are dealing with unknown... nobody can be and should be 100% perfect. However, customer support has set standards and is quite easy - support answers like these are utterly hideous. This is what I can't accept by no means.

Even advanced users should not be writing HIPS rules, we’ve got better things to do. ESET should provide the option for controlled folder access, doing it in a simple way. The programming logic might be to do it via HIPS. We don't know and don't care.
 
Last edited:
P

plat1098

Level 22
Verified
People spend big bucks for antivirus like ESET. Then, they proceed to whitelist and allow all kinds of bad stuff. Then, they get mad at their expensive antivirus. "You were to supposed to protect me!" Blah blah.

Any user-defined input should be designed with the five-year old in mind. Dumb it down and use pictures. Then, maybe even I would consider using it. (y)

Or, refine machine learning. Or both.

Edit: there's a certain attitude that comes with representing a major and highly-regarded corporation. It's called "arrogance."
 
McMcbrad

McMcbrad

Level 8
plat1098 said:
People spend big bucks for antivirus like ESET. Then, they proceed to whitelist and allow all kinds of bad stuff. Then, they get mad at their expensive antivirus. "You were to supposed to protect me!" Blah blah.

Any user-defined input should be designed with the five-year old in mind. Dumb it down and use pictures. Then, maybe even I would consider using it. (y)

Or, refine machine learning. Or both.

Edit: there's a certain attitude that comes with representing a major and highly-regarded corporation. It's called "arrogance."
Click to expand...
I am an IT admin for a large company and have 10+ years of experience with products like SEP, McAfee ENS and many others. I also hold a bachelor in computing and have multiple other certifications. I can tell you even I won’t dare opening this window and writing HIPS rules. Furthermore, heavily relying on HIPS for everything, which year are we? Is it 2006 again?
 
Andy Ful

Andy Ful

Level 65
Verified
Trusted
Content Creator
It seems that Eset uses the file reputation as a small addition to the detection engines to improve protection without increasing much the false positives rate. It is included in the LiveGrid feature which is similar to Windows Defender Block At First Sight. It is an early warning post-infection system. So, Eset will allow a file if it was not recognized as malicious on any computer with installed Eset and connected to the Eset cloud. You can call it "reputation default allow". It is a different approach as compared to Avast Hardened Mode, Comodo file lookup, or Microsoft SmartScreen which we can call "reputation default deny".

Post edited (see italics)
 
Last edited:
McMcbrad

McMcbrad

Level 8
Andy Ful said:
It seems that Eset uses the file reputation as a small addition to the detection engines to improve protection without increasing much the false positives rate. It is included in the LiveGrid feature which is similar to Windows Defender Block At First Sight. So, Eset will allow a file if it was not recognized as malicious on any computer with installed Eset and connected to the Eset cloud. You can call it "reputation default allow". It is a different approach as compared to Avast Hardened Mode, Comodo file lookup, or Microsoft SmartScreen which we can call "reputation default deny".
Click to expand...
Yes, we were explained that. However, when I suggested that they should release something similar to controlled folder access, which they disable, by disabling Windows Defender, I was explained that I need to write a HIPS rule. The product failure is not an issue, their response is not right.

So what happens exactly is, I have taken my time to report their failure and they ("ESET") instead of logging this feedback and using it to improve their product, fall into explanations what I could or couldn't do.
 
McMcbrad

McMcbrad

Level 8
fabiobr said:
I love how they use the "false positive card" when they don't see how to explain such lack of feature.

Kaspersky does this and has one of the lowest FPs rates on the market.

What is the definition of trusted then? Why have an antivirus if they can't see what is untrusted? Why do they have heuristics?
Click to expand...
Oh no, they didn't use the false positives card, they did something worse. They literally thought they will get away with making me look stupid, as if I don't know how to use the product. As if just because they offer HIPS, we should all spend 5 days doing rules for it. That's why we all buy a laptop, to install Eset and start configuring the HIPS. They didn't know they will have hard time with fooling me around and they quickly changed the tone afterwards.
 
SeriousHoax

SeriousHoax

Level 32
Verified
This is typical response from ESET. Many users have asked what you asked there including me a couple of times but they never listen to those feedbacks. ESET's priority is always less false positive and less system impact. They won't make changes proactive protection wise. Their signature and on demand statistical scanner is the best on the market and they still almost purely relies on that it seems.

LiveGrid is merely a sample submission backend for them. The reputation info means absolutely nothing. An unknown sample is submitted to them via LiveGrid and if it's a PE executable then their cloud sandbox analyzes it and if it gives a verdict with pure confidence that it's a malware then it's blocked via LiveGrid as "Suspicious". Only for PE executables. But rarely I've seen it working in my experience and most of the time it only detected new samples after I submitted it via email to them. It also happened a few times that even after submitting multiple times they didn't add a signature. Then I had to write in the email why I think a signature should be added with a Virustotal link and only then they created signatures. This happened usually for low risk malwares/pup.
On the contrary Kaspersky's reputation info and cloud sandbox is far more effective. It can analyze almost all types of files, not just executables. I've also seen a couple of times, Kaspersky halting scanning of a file till the file is uploaded and a verdict is received from their cloud sandbox which can take couple of minutes depending on the server load.
 
McMcbrad

McMcbrad

Level 8
SeriousHoax said:
This is typical response from ESET. Many users have asked what you asked there including me a couple of times but they never listen to those feedbacks. ESET's priority is always less false positive and less system impact. They won't make changes proactive protection wise. Their signature and on demand statistical scanner is the best on the market and they still almost purely relies on that it seems.

LiveGrid is merely a sample submission backend for them. The reputation info means absolutely nothing. An unknown sample is submitted to them via LiveGrid and if it's a PE executable then their cloud sandbox analyzes it and if it gives a verdict with pure confidence that it's a malware then it's blocked via LiveGrid as "Suspicious". Only for PE executables. But rarely I've seen it working in my experience and most of the time it only detected new samples after I submitted it via email to them. It also happened a few times that even after submitting multiple times they didn't add a signature. Then I had to write in the email why I think a signature should be added with a Virustotal link and only then they created signatures. This happened usually for low risk malwares/pup.
On the contrary Kaspersky's reputation info and cloud sandbox is far more effective. It can analyze almost all types of files, not just executables. I've also seen a couple of times, Kaspersky halting scanning of a file till the file is uploaded and a verdict is received from their cloud sandbox which can take couple of minutes depending on the server load.
Click to expand...
ESET 15/16 will have protected folders. I promise you that.
 
SeriousHoax

SeriousHoax

Level 32
Verified
McMcbrad said:
ESET 15/16 will have protected folders. I promise you that.
Click to expand...
Highly unlikely based on their current outlook. Besides based on my assumption, ESET usually implements new features depending on their Enterprise customers feedback and they do have some high profile customers. Enterprise customers don't need protected folders so that's why I'm saying it's unlikely to happen.
 

Similar threads

McMcbrad
Q&A How to perform a trustworthy test of anti-malware solution?
    • Like
    • +Reputation
    • Applause
Replies
19
Views
703
General Security Discussions
EndangeredPootis
EndangeredPootis
Parsh
User Feedback ESET Internet Security 13 - a technology revisit to the Nod legacy
    • Like
    • +Reputation
    • Applause
Replies
67
Views
6,428
Security Programs - Users Feedback
RXZ6Q
R
RoboMan
Q&A Why I think testing "labs" are useless
    • Like
    • Applause
    • +Reputation
Replies
76
Views
3,729
General Security Discussions
show-Zi
show-Zi
Top