Just for comparison. What is KSN's verdict if you submit the file?
> Just for comparison. What is KSN's verdict if you submit the file?

It’s too late now. We should’ve checked in the morning.
> ESET 15/16 will have protected folders. I promise you that.

I somehow doubt it. As they say they have it "covered" with their HIPS for those that want to use it.
> Just for comparison. What is KSN's verdict if you submit the file?

At the moment of posting the 2 rsw in Hub yesterday morning, Kaspersky already detected on demand the exe rsw, and by PDM on execution the ps1 script (checked in KOTIP service).
> At the moment of posting the 2 rsw in Hub yesterday morning, Kaspersky already detected on demand the exe rsw, and by PDM on execution the ps1 script (checked in KOTIP service).

This PS1 script is really nasty. Good thing Kaspersky is able to detect it.
> Btw, this is how in ESET protected folders can be configured:
> ESET - Implement Protected Folders via HIPS (malwaretips.com)
> ESET Nod 32/Internet Security/Smart Security 1. Open ESET. Go to Setup -> Advanced setup -> HIPS -> In the HIPS SETTINGS sections click on the "Edit" button on the right side of Rules. On the new window, click on Add to create a new HIPS rule. 2. Now, put any name you wish in the Rule name...

It wouldn't have worked on both samples, but file journaling with effective DBI would have been able to remediate the ransomware, which simply registers one service. DBI could've become suspicious when an executable with no digital signature and no visible window is run. It also adds hooks. At that point it could've started monitoring the changes and journaling the files. Deleting then dropping a large number of files in a sequence is a clear indication of ransomware. It could then kill the process, delete the service registry key, delete the file and restore all files from the journal. This would've been the correct behaviour.
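The remediation sequence the post above describes (watch an unsigned, window-less process that installs hooks; journal pre-images of what it touches; treat a run of delete-then-create operations as ransomware; kill it, remove its service key and executable, and roll the disk back) can be written down as a small model. The following is an added example, not code from the thread or from any vendor product; the filesystem is a dict, the registry is a set, and every path, PID and service key is a constructed placeholder.

```python
from collections import deque
from dataclasses import dataclass
from typing import Optional

@dataclass
class ProcessInfo:
    pid: int
    image_path: str          # executable on disk, deleted during remediation
    signed: bool
    has_window: bool
    installs_hooks: bool
    service_key: Optional[str] = None   # registry key the process registered, if any

@dataclass
class FileEvent:
    pid: int
    op: str                  # "delete", "create" or "write"
    path: str
    content: bytes = b""

class JournalingMonitor:
    """Watch suspicious processes, journal pre-images of files they touch,
    and roll back once the delete-then-drop pattern is seen (toy model)."""
    PAIRS_THRESHOLD = 5      # delete immediately followed by create, this many times

    def __init__(self, filesystem, registry):
        self.fs = filesystem          # path -> bytes, stands in for the disk
        self.registry = registry      # set of service keys, stands in for HKLM
        self.processes, self.watched, self.killed = {}, set(), set()
        self.journal, self.created, self.recent = {}, {}, {}

    @staticmethod
    def looks_suspicious(info):
        # Heuristics from the post: unsigned with no visible window, or installs hooks
        return (not info.signed and not info.has_window) or info.installs_hooks

    def start_process(self, info):
        self.processes[info.pid] = info
        if info.service_key:
            self.registry.add(info.service_key)
        if self.looks_suspicious(info):
            self.watched.add(info.pid)
            self.journal[info.pid], self.created[info.pid] = {}, set()
            self.recent[info.pid] = deque(maxlen=64)

    def handle(self, ev):
        if ev.pid in self.killed:
            return None               # a terminated process makes no more changes
        if ev.pid in self.watched:
            self._journal(ev)
        if ev.op == "delete":         # apply the change to the simulated disk
            self.fs.pop(ev.path, None)
        else:
            self.fs[ev.path] = ev.content
        if ev.pid in self.watched and self._ransomware_pattern(ev.pid):
            return self.remediate(ev.pid)
        return None

    def _journal(self, ev):
        # Keep the first pre-image of any pre-existing file; the process's own drops need none
        if ev.path in self.fs and ev.path not in self.created[ev.pid]:
            self.journal[ev.pid].setdefault(ev.path, self.fs[ev.path])
        elif ev.path not in self.fs and ev.op != "delete":
            self.created[ev.pid].add(ev.path)
        self.recent[ev.pid].append(ev.op)

    def _ransomware_pattern(self, pid):
        ops = list(self.recent[pid])
        pairs = sum(1 for a, b in zip(ops, ops[1:]) if a == "delete" and b == "create")
        return pairs >= self.PAIRS_THRESHOLD

    def remediate(self, pid):
        info = self.processes[pid]
        self.killed.add(pid)                          # kill the process
        self.watched.discard(pid)
        self.registry.discard(info.service_key)       # delete the service registry key
        self.fs.pop(info.image_path, None)            # delete the dropped executable
        dropped = [p for p in self.created[pid] if p in self.fs]
        for p in dropped:                             # remove what it wrote
            del self.fs[p]
        for path, data in self.journal[pid].items():  # restore from the journal
            self.fs[path] = data
        return {"killed_pid": pid, "deleted_key": info.service_key,
                "deleted_image": info.image_path,
                "restored": len(self.journal[pid]), "removed_dropped": len(dropped)}

def demo():
    """Constructed scenario: six documents and one unsigned, window-less service binary."""
    docs = {"C:/Users/me/Documents/report%d.docx" % i: b"report %d" % i for i in range(6)}
    disk = dict(docs)
    disk["C:/ProgramData/svchelper.exe"] = b"MZ (constructed stand-in for the binary)"
    mon = JournalingMonitor(disk, registry=set())
    mon.start_process(ProcessInfo(4242, "C:/ProgramData/svchelper.exe", signed=False,
                                  has_window=False, installs_hooks=True,
                                  service_key="HKLM/.../Services/svchelper (constructed)"))
    verdict = None
    for path in docs:
        for ev in (FileEvent(4242, "delete", path),
                   FileEvent(4242, "create", path + ".locked", b"\x00" * 16)):
            verdict = mon.handle(ev) or verdict
    return mon, verdict, docs
```

In `demo()` the fifth delete/create pair trips the threshold, so five documents are restored from the journal, five dropped `.locked` files and the binary are removed, the service key is gone, and the sixth document is never touched because the process is already dead. The threshold is the tuning knob: too low and a backup tool or an installer that replaces many files looks like ransomware, too high and more files are lost before rollback.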
> It wouldn't have worked on both samples, but file journaling with effective DBI would have been able to remediate the ransomware, which simply registers one service. DBI could've become suspicious when an executable with no digital signature and no visible window is run. It also adds hooks. At that point it could've started monitoring the changes and journaling the files. Deleting then dropping a large number of files in a sequence is a clear indication of ransomware. It could then kill the process, delete the service registry key, delete the file and restore all files from the journal. This would've been the correct behaviour.

I'm just showing that Protected Folders can be configured via ESET HIPS.
> I'm just showing that Protected Folders can be configured via ESET HIPS.

When you ask for £49.99 per year, per device, people expect you to do more than just say "we tried and we failed". That's no excuse.
Btw, protected folders is not a guaranteed method either. In our malware hub here, the protected folders of F-Secure and Trend Micro have been breached by malware in one or two tests. There was also a POC which breached Microsoft Defender's protected folders when run as administrator. So, many AVs don't want to implement this because nowadays malware often leverages trusted Windows processes for encryption, which often bypasses protected folders that use reputational data to determine what is trusted and what is not, unlike Microsoft Defender's protected folders which block everything. Block everything unless manually whitelisted is the safer of the two approaches.

The journaling function is also something not every AV can afford to implement. It increases CPU, RAM and disk usage, which may hamper performance. Kaspersky had some performance impact because of that, but now they seem to have mastered this, so the performance impact is almost non-existent now. Bitdefender also has this journaling system now, so kudos to them. According to Marcos on the ESET forum, ESET also tried this but the performance impact was too much for their liking. Like I said before, false positives and performance impact are the top two priorities of ESET.
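The two protected-folder designs contrasted in the post above (allow writes from processes that reputation or an OS signature marks as trusted, versus block everything that is not manually whitelisted) can be compared on the same stream of write events. This is an added example, not code from the thread or from any product: `Process`, the `os_signed` and `reputation_good` flags, the folder list and all paths are constructed stand-ins, and `scripthost.exe` is a made-up name for an OS-signed host process driven by a script.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Process:
    image: str
    os_signed: bool          # stands in for "trusted Windows process"
    reputation_good: bool    # stands in for a cloud reputation lookup

# Constructed protected-folder list
PROTECTED = ("C:/Users/me/Documents/", "C:/Users/me/Pictures/")

def in_protected_folder(path):
    return any(path.startswith(p) for p in PROTECTED)

def reputation_policy(proc, path):
    """Allow a write if the process is trusted by OS signature or reputation."""
    return not in_protected_folder(path) or proc.os_signed or proc.reputation_good

def allowlist_policy(proc, path, allowlist):
    """Allow a write only if the image was manually allowlisted by the user."""
    return not in_protected_folder(path) or proc.image.lower() in allowlist

def evaluate(events, allowlist):
    """Return, per policy, the (image, path) writes that were allowed to reach disk."""
    allowlist = {a.lower() for a in allowlist}
    allowed = {"reputation": [], "allowlist": []}
    for proc, path in events:
        if reputation_policy(proc, path):
            allowed["reputation"].append((proc.image, path))
        if allowlist_policy(proc, path, allowlist):
            allowed["allowlist"].append((proc.image, path))
    return allowed

def demo():
    """Constructed events: the user's editor, an OS-signed host process driven by a
    script, and an unknown binary; only the editor has been allowlisted."""
    editor = Process("C:/Program Files/Editor/editor.exe", os_signed=False, reputation_good=True)
    host = Process("C:/Windows/System32/scripthost.exe", os_signed=True, reputation_good=True)
    unknown = Process("C:/Users/me/AppData/Local/Temp/dropper.exe", os_signed=False,
                      reputation_good=False)
    events = [
        (editor, "C:/Users/me/Documents/notes.docx"),
        (host, "C:/Users/me/Documents/notes.docx.locked"),
        (unknown, "C:/Users/me/Pictures/holiday.jpg.locked"),
        (unknown, "C:/Users/me/AppData/Local/Temp/stage.tmp"),   # outside protected folders
    ]
    return evaluate(events, allowlist=[editor.image])
```

Running `demo()` shows the gap the post describes: the reputation policy lets the OS-signed host process write into Documents because the signature, not the behaviour, decides, while the allowlist policy denies it and only lets the editor through. The cost of the stricter policy is the user prompt every time a new legitimate program first writes to a protected folder, which is the usability trade-off vendors weigh.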
> Agreed. Wanted to also note that we are fortunate as MT members to learn from other's experience. It boils down to we consumers wise decision to give or not give business.

To give or not to give? That's the question. If I go on a company's forum and I read:
> When you ask for £49.99 per year, per device, people expect you to do more than just say "we tried and we failed". That's no excuse.

I don't mind them not implementing the journaling function because of the performance impact, but proactive protection against ransomware needs to be improved, that's for sure.
> I don't mind them not implementing the journaling function because of the performance impact, but proactive protection against ransomware needs to be improved, that's for sure.

Even with no journaling it could use other methods such as the WiseVector "trap" or whatever it was called. I trust ESET. I am sure they will do something. We just need to wait and see what.