Video ESET Smart Security 2022 (Custom Roboman's Settings)

Source
https://www.youtube.com/watch?v=S0S_6qv8_KE
Video created by
Shadowra

SeriousHoax

Level 41
Verified
Top poster
Well-known
Mar 16, 2019
3,092
ESET has been tracking the sample in their cloud for 2 weeks.
I sent it to EDTD (ESET Dynamic Threat Defense), the sandbox available for business products, and the report gives the sample as clean :O
Looks like EDTD is pretty dumb 😕 A pro ESET user already told me a couple of weeks ago that it's subpar. I guess Kaspersky's sandbox, available on Opentip, and Avast's CyberCapture are better.
But at least an ESET analyst should've checked it by now. Strange!
 

SeriousHoax

Got a response from Marcos on the ESET forum.
We've added detection - MSIL/BadJoke.AAW trojan. It's a benign scaring application.
So it looks like it doesn't actually write to the MBR. It's rather a program to scare users into thinking that it happened.
I can confirm that the detection is added even though VT is not showing it yet.
 

Andrew3000

Level 10
Verified
Malware Tester
Well-known
Feb 8, 2016
461

SeriousHoax

This is another 2-year-old malware that ESET picks as clean (also in the sandbox).


I heard ESET uses Microsoft's Azure AI servers for EDTD, not their own.
The earlier sample also wasn't detected by Microsoft Defender. The initial cloud scan found some malicious behavior in it, but it wasn't the final determination. Then I uploaded that to Microsoft and a few hours later Microsoft started detecting via cloud and my submission showed the Final determination status as malicious.
The malware that you shared here now is also not detected by Microsoft Defender at the moment and I think as a result also not by ESET Dynamic Threat Defense.
There was another fairly new sample that was tested by someone that wasn't detected by any of the popular AVs on Virustotal except Microsoft Defender. That sample was then detected by ESET's LiveGuard on ESET Smart Security.
So now everything points to what I heard. This ESET Dynamic Threat Defense aka LiveGuard is not ESET's own technology. It's Microsoft's Azure AI sandbox, or whatever that is called. If Microsoft's cloud doesn't detect something, then ESET's EDTD/LiveGuard won't.
(Correct me if I'm wrong).
Edit: Microsoft won't do any more analysis of it. They did it before and confirmed that this is not malicious :unsure:

RoboMan

Level 34
Verified
Top poster
Content Creator
Well-known
Jun 24, 2016
2,338
Interesting, I just redid this whole test with the samples @Shadowra provided me, and I noticed no persistence after reboot. Actually, after reboot, no active process, no autorun or registry entry. There's a possibility ESET HIPS blocked several components of the attack, but not all of them.

I will publish here my test later today, and will do a specific analysis on this file for tomorrow.
 

RoboMan

Here's my ESET test with the same files @Shadowra used :)

The main difference is the configuration: this video used my latest configuration file (with registry and hosts protection).

 

Shadowra

Level 17
Thread author
Verified
Malware Tester
Sep 2, 2021
848


Thanks for the updated video :)

Too bad the malware that was writing to the MBR was detected by the ESET database; I would have liked to see if HIPS would have blocked the attack (the file that was putting colors in your video is not writing to the MBR).
 

Razza

Level 2
Aug 12, 2014
89
I do like ESET; I have used it in the past a few times. One thing I don't like about it: years after other AVs have added a behaviour blocker, ESET doesn't have one. It's too signature-dependent.

I know it has HIPS, but on the default settings of automatic mode I don't think it blocks or detects anything; I have never seen it flag anything.
 

Nightwalker

Level 23
Verified
Helper
Top poster
Content Creator
Well-known
May 26, 2014
1,275

Are you sure about that? I think ESET just uses the Azure server (the infrastructure); it doesn't mean that it is using Microsoft Defender technology, they are not the same thing.

If I am not wrong all ESET technology is proprietary and "in-house", maybe @Marcos can clarify it for us.
 

SeriousHoax

I'm not sure; as I said, that's what I heard. But also, when an ESET forum member wrote this in a comment, Marcos didn't correct him.
He also said that it's costly, that's why they included it in the ESET Smart Security Premium products. EDTD also requires an extra subscription for their Endpoint products. If everything was their own, then it shouldn't cost anything/much extra, especially in the ESET Home products for basic analysis. Avast literally has CyberCapture in their free products, Kaspersky has the Opentip service free for public use, Avira also submits unknown files to their cloud and gives a verdict which is available even in the free versions, etc. So for ESET this shouldn't cost too much extra to implement in all of their products.
Analysis wise, Microsoft's cloud and EDTD/LiveGuard's results are matching in many cases.
But anyway, as I said, I'm not sure, but some things point towards that. I would also like to know if this info is wrong.
If the info is wrong, then ESET is just being cheap and trying to earn some extra cash by trying to move users to Smart Security Premium subscription.
BTW, doesn't VoodooShield AI use (or at least didn't it use) Microsoft Azure AI or something like that? The cost is alright I guess since @danb is able to afford it. ESET is much bigger financially.
Hopefully Marcos can clarify all the confusion.
 

Zorro

Level 8
Well-known
Jun 11, 2019
365
It was in a private message, that's why you couldn't find it.
Good. It is not clear: if this program really changes the master boot record and prevents the system from booting, then this is not a "joke" anymore but a serious problem for a home user (especially if he does not have a bootable USB flash drive); and if this colored cube itself disappears after some time, then it can be called a "joke". Therefore, I wanted to read the entire dialogue in order to understand whether it is really a joke for virus analysts when a malicious program changes the master boot record :)
 

SeriousHoax

You're right. But what I shared is the only reply I got. So I don't know anything else.
 

czesetfan

Level 1
Dec 3, 2021
42
On the one hand, the antivirus did not do badly; we can say that only 1 malicious program was able to harm the system, and in total there were almost 1000 such programs in the test. 1 in 1000 is not bad.
But with such tight settings, the antivirus should not have let this malware pass. Moreover, this is not even Internet Security; this is the whole Premium, in which there is LiveGuard! Besides, if I'm not mistaken, ESET has some kind of protection against changes to the master boot record. Or is there no such function? In any case, if the case turns out as in the test, then the average user is unlikely to be able to restore the boot record on his own. And this is very bad for an ordinary John. He will have to pay for the services of a computer specialist.
What will Marcos say?
I noticed the "inactivity" of LiveGuard. According to the manual (Proactive protection | ESET Dynamic Threat Defense | ESET Online Help), this feature only responds to these four suspicious file locations:

Proactive protection detects only files from the following sources:

• Files downloaded using a supported web browser
• Downloaded from a mail client
• Files extracted from an unencrypted or encrypted archive using one of the supported archive utilities
• Executed and opened files located on a removable device


Do I understand correctly that it doesn't respond to files that are already on the hard drive?
 
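A defender-side check related to the MBR question raised in this thread: the script below is an added example (not code from the thread, its posters, or ESET) that parses a 512-byte MBR image, validates the boot signature, and compares the boot code with a saved baseline hash so an overwrite can be noticed before the next reboot fails. The Windows device path in the comment and the sample sectors are assumptions/constructed input, not anything taken from the sample discussed here.

```python
# Added example, not code from the thread or from ESET: parse a 512-byte MBR
# and compare its boot code with a saved baseline. On Windows the live sector
# is the first 512 bytes of \\.\PhysicalDrive0 (needs administrator rights);
# a constructed sector is used here so the script runs offline.
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 0x1BE      # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510-511 of a BIOS-bootable MBR

def parse_mbr(sector: bytes) -> dict:
    """Return signature validity, boot-code hash and the used partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        # entry: status, CHS start (skipped), type, CHS end (skipped), LBA start, size
        status, ptype, lba, size = struct.unpack("<B3xB3xII", sector[off:off + 16])
        if ptype != 0:
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": size})
    return {"signature_ok": sector[510:512] == BOOT_SIGNATURE,
            "code_sha256": hashlib.sha256(sector[:PART_TABLE_OFFSET]).hexdigest(),
            "partitions": partitions}

def check_against_baseline(sector: bytes, baseline_code_sha256: str) -> list:
    """Return findings; an empty list means the sector still matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["code_sha256"] != baseline_code_sha256:
        findings.append("boot code differs from baseline")
    if not info["partitions"]:
        findings.append("partition table is empty")
    return findings

def build_sample_mbr(code: bytes, with_table: bool = True) -> bytes:
    """Constructed sector: given boot code, one NTFS entry (optional), valid signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(code)] = code
    if with_table:  # bootable, type 0x07 (NTFS), starts at LBA 2048, 409600 sectors
        sector[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 16] = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 409600)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)
```

To use it on a real machine, record `parse_mbr(sector)["code_sha256"]` from a known-good sector once, then run `check_against_baseline` against a freshly read sector after any suspicious execution.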

Andrew3000

I can tell you what I have seen with ESET Endpoint Security and EDTD (ESET Dynamic Threat Defense) enabled, the sandbox for business users.
It often happened that during game updates on steam, files (especially .exe/dll even if already known to the cloud) were uploaded to the sandbox.
But even in this case they were “downloaded” and were not previously present on the PC.
So it is likely that the files already on the computer are not being loaded into the sandbox.
Exactly how it works, I don't know how to explain it.