Update Eset LiveGrid needs tweaking

McMcbrad

McMcbrad

Level 20
Oct 16, 2020
962
It says "Malware"

Kaspersky Threat Intelligence Portal

Kaspersky Threat Intelligence Portal allows you to scan files, domains, IP addresses, and URLs for threats, malware, viruses
opentip.kaspersky.com

This is a bit more info about the sample:
1603755776529.png

1603755860283.png
 
Last edited:
  • Like
  • Thanks
Reactions: JB007, Protomartyr, mlnevese and 7 others
Minimalist

Minimalist

Level 4
Oct 2, 2020
170
McMcbrad said:
ESET 15/16 will have protected folders. I promise you that.
Click to expand...
I somehow doubt it. As they say they have it "covered" with their HIPS for those that want to use it.
To be fair, a lot of other AVs don't offer that also. And Kaspersky's implementation is not that different from ESET's and is far from being "user friendly". I don't see ordinary users using it. At least I see it that way.
 
  • Like
Reactions: JB007, Protomartyr, plat1098 and 4 others
SeriousHoax

SeriousHoax

Level 34
Verified
Mar 16, 2019
2,343
Btw, this is how in ESET protected folders can be configured:

malwaretips.com

ESET - Implement Protected Folders via HIPS

ESET Nod 32/Internet Security/Smart Security 1. Open ESET. Go to Setup -> Advanced setup -> HIPS -> In the HIPS SETTINGS sections click on the "Edit" button on the right side of Rules. On the new window, click on Add to create a new HIPS rule. 2. Now, put any name you wish in the Rule name...
malwaretips.com malwaretips.com

This is for Kaspersky:

malwaretips.com

KIS/KTS/KSC Cloud - Implementing Protected Folders via Manage Resources

KIS/KTS/KSC Cloud Implementing Protected Folders via Manage Resources 1.- Go to Settings -> Protection -> Application Control -> Manage Resources 2.- Expand Personal Data folder and then select User Files folder 3.- Click on Add and then on Category and type a name, for example: PROTECTED...
malwaretips.com malwaretips.com
 
  • Like
Reactions: starsfighter, Protomartyr, fabiobr and 6 others
McMcbrad

McMcbrad

Level 20
Oct 16, 2020
962
SeriousHoax said:
Btw, this is how in ESET protected folders can be configured:

malwaretips.com

ESET - Implement Protected Folders via HIPS

ESET Nod 32/Internet Security/Smart Security 1. Open ESET. Go to Setup -> Advanced setup -> HIPS -> In the HIPS SETTINGS sections click on the "Edit" button on the right side of Rules. On the new window, click on Add to create a new HIPS rule. 2. Now, put any name you wish in the Rule name...
malwaretips.com malwaretips.com
Click to expand...
It wouldn't have worked on both samples, but file journaling with effective DBI would have been able to remediate the ransomware, which simply registers one service. DBI could've become suspicious when executable with no digital signature and no visible window is ran. It also adds hooks. At that point it could've started monitoring the changes and journaling the files. Deleting then dropping large number of files in a sequence is a clear indication of ransomware. It could then kill the process, delete the service registry key, delete the file and restore all files from the journal. This would've been the correct behaviour.
 
  • Like
Reactions: mlnevese, Protomartyr, SeriousHoax and 1 other person
SeriousHoax

SeriousHoax

Level 34
Verified
Mar 16, 2019
2,343
McMcbrad said:
It wouldn't have worked on both samples, but file journaling with effective DBI would have been able to remediate the ransomware, which simply registers one service. DBI could've become suspicious when executable with no digital signature and no visible window is ran. It also adds hooks. At that point it could've started monitoring the changes and journaling the files. Deleting then dropping large number of files in a sequence is a clear indication of ransomware. It could then kill the process, delete the service registry key, delete the file and restore all files from the journal. This would've been the correct behaviour.
Click to expand...
I'm just showing that Protected Folders can be configured via ESET HIPS.

Btw, protected folders is not a guaranteed method either. In our malware hub here, protected folders of F-Secure, Trend Micro have been breached by malwares in one or two tests. There was also a POC which breached Microsoft Defender's protected folder when ran as administrator. So, many AV don't want to implement this because nowadays often malwares leverage trusted windows process for encryption which often bypasses protected folders which use reputatinal data to determine what is trusted and not unlike Microsoft Defender's protected folders which blocks everything. Block everything unless manually whitelisted is safer of the two approach.


The journaling function is also something not every AV can afford to implement. It increases CPU, ram, disk usage activity which may hamper performance. Kaspersky had some performance impact because of that but now they have mastered this it seems so performance impact is almost non-existent now. Bitdefender also have this journaling system now so kudos to them. According to Marcos of ESET forum, ESET also tried this but the performance impact is too much for their liking. Like I said before, false positive and performance impact are top two priorities of ESET.
 
  • Like
  • +Reputation
  • Applause
Reactions: Guilhermesene, mlnevese, starsfighter and 4 others
McMcbrad

McMcbrad

Level 20
Oct 16, 2020
962
SeriousHoax said:
I'm just showing that Protected Folders can be configured via ESET HIPS.

Btw, protected folders is not a guaranteed method either. In our malware hub here, protected folders of F-Secure, Trend Micro have been breached by malwares in one or two tests. There was also a POC which breached Microsoft Defender's protected folder when ran as administrator. So, many AV don't want to implement this because nowadays often malwares leverage trusted windows process for encryption which often bypasses protected folders which use reputatinal data to determine what is trusted and not unlike Microsoft Defender's protected folders which blocks everything. Block everything unless manually whitelisted is safer of the two approach.


The journaling function is also something not every AV can afford to implement. It increases CPU, ram, disk usage activity which may hamper performance. Kaspersky had some performance impact because of that but now they have mastered this it seems so performance impact is almost non-existent now. Bitdefender also have this journaling system now so kudos to them. According to Marcos of ESET forum, ESET also tried this but the performance impact is too much for their liking. Like I said before, false positive and performance impact are top two priorities of ESET.
Click to expand...
When you ask for £49.99 per year, per device people expect you to do more than just saying "we tried and we failed". That's not excuse.
 
  • Like
Reactions: fabiobr, Protomartyr, miyagi and 1 other person
McMcbrad

McMcbrad

Level 20
Oct 16, 2020
962
miyagi said:
Agreed. Wanted to also note that we are fortunate as MT members to learn from other's experience. It boils down to we consumers wise decision to give or not give business.
Click to expand...
To give or not to give? That's the question. If I go on a company's forum and I read:
"Dear users, we are truly sorry to inform you that we won't be protecting you from ransomware effectively.
We tried a common ransomware protection technique, but the performance hit was too much for our liking."
I will answer that question too quick FOR THEIR LIKING.
 
  • Haha
Reactions: miyagi

Similar threads

McMcbrad
Q&A How to perform a trustworthy test of anti-malware solution?
Replies
19
Views
1,130
General Security Questions
EndangeredPootis
EndangeredPootis
Parsh
User Feedback ESET Internet Security 13 - a technology revisit to the Nod legacy
Replies
67
Views
7,410
Security Programs Tested Archive
RXZ6Q
R
RoboMan
Q&A Why I think testing "labs" are useless
Replies
87
Views
5,264
General Security Questions
mlnevese
mlnevese
Top