App Review Of LoLBins, 0-Days, ESET, and Microsoft Defender

[LennyFox]

Because the products modules are designed to respond a certain way to real world route of infection. Some venders harden real world route of infection modules as that's were the threats actually come from. [1]

This vendor stated above they do not block these tools because they can be used for good and bad. Have you looked up and discovered what this tool is and how it's used. It's a security tool. This vendor also stated that if there was a payload in it, it would be detected or stopped post execution either way. [2]

Real in the wild malware for a payload you ask, because that is what's out there. It's testing realistic. [3]
.

1. It would be strange when vendors would harden against imaginary routes.

2. Be carefull what you wish, let Cruel Sister's follow up video do the talking

3. As stated a PoC demonstrates that something can be exploited in a repeatable and predictable manner in a real world environment. Vendors do respond to this as does ESET (in jan 2024)

[CA8602] ESET Customer Advisory: Unquoted path privilege vulnerability in ESET products for Windows fixed

support.eset.com

So let me repeat my question: When vendors take PoC's seriously, why do you consider an "actual in the wild distributed via route of infection" as the only valid proof?

 

[Practical Response]

1. It would be strange when vendors would harden against imaginary routes.

2. Be carefull what you wish, let Cruel Sister's follow up video do the talking

3. As stated a PoC demonstrates that something can be exploited in a repeatable and predictable manner in a real world environment. Vendors do respond to this as does ESET

[CA8602] ESET Customer Advisory: Unquoted path privilege vulnerability in ESET products for Windows fixed

support.eset.com

So let me repeat my question: When vendors take PoC's seriously, why do you consider an "actual in the wild distributed via route of infection" as the only valid proof?

If cruelsis uses a real in the wild sample "no matter detection" and applies it via route of infection. Then it's done properly.

Nothing imaginary to routes if infection, it sounds as if you have no idea how security really works and how systems get infected.

Be careful what I wish, is that supposed to be a threatening demeanor.

This isn't just any POC, it's a specific file, that was benign and already stated it's allowed by the vendor because of what it is. " Do I need to break out the crayons and draw a picture"

 

[Oldie1950]

It's good that the ignore function exists.

 

[LennyFox]

If cruelsis uses a real in the wild sample "no matter detection" and applies it via route of infection. Then it's done properly [1]

Nothing imaginary to routes if infection, it sounds as if you have no idea how security really works and how systems get infected. [2]

Be careful what I wish, is that supposed to be a threatening demeanor. [3]

This isn't just any POC, it's a specific file, that was benign and already stated it's allowed by the vendor because of what it is. " Do I need to break out the crayons and draw a picture" [4]]

[1] not an answer but a repetition of your opinion

[2] not an answer, but a disqualification of me

[3] No, it is a matter of speech in Dutch intended metaphorically, thanks for attending me, therefor I added a smiley in the original post to show good intent.

[4] Not nessecary, let's agree to disagree

 

[Practical Response]

[1] not an answer but a repetition of your opinion

Not my opinion its how this works. The infection has to get onto the system somehow correct, hence "route of infection"

[2] not an answer, but a disqualification of me

Refer to answer 1

[3] No, it is a matter of speech in Dutch intended metaphorically, thanks for attending me, therefor I added a smiley in the original post to show good intent.

Paint it how you want, you have come at me before and rage quit this forum because, since you are relentless and obviously have issues with me.

[4] Not nessecary, Iet's agree to disagree

I was wondering as you keep responding, oh and speaking of.

This thread is becoming way too long for one to keep up.

This has been stated before yet everyone keeps responding after its said. I have just as much right to respond as well especially if it takes so many members ganging up as they do here. It is ridiculous. How is anyone supposed to take this forum seriously when its members act this way and allow shady things in a security environment.

Quick everyone jump on, if enough come at me, I might actually... Nope forget it, I wont back down, as I feel you all are not anyone I should be bowing down too.

 

[Practical Response]

Thank you for the demonstration folks, I knew you would not let me down. This is how you treat and respond to those you disagree with. Its a wonder why the forum reads it has 60,000 members but in actuality you rarely see more than 50 on at any given time.

Keep treating users the way you do, and while your at it go look at other sites where they discuss this one, and what a joke they think it is because of things just like this. No one takes this place seriously because of it.

I left a simple link to Marcos explaining this test was invalid because it was a benign file they don't block intentionally and it housed no payload.

It was stated well what if it did and it was a zero day, well Eset has many modules designed to monitor detect based on behavior ect for unknowns.

It does not matter what others opinions of the product are, whether they think its great or worthless, it matters to do this correctly in testing if you are going to present a theory that reflects upon the product.

Legit testing.

-Actual payload with sample from the wild.
-Route of infection, not just mysteriously showing up on the desktop to be executed.
-No disabling of any of the modules of the product, let it work as intended

If these are applied and the product fails, then so be it, it was tested in a respectful responsible manor.

I wont say anymore on the subject regardless of the jabs, baiting and illogical things thrown.

 

[devjit2020]

Relax guys. No need of fighting & arguing. We all know that ESET is a top tier product. Cruel sister is not bashing anybody but then again this test does not prove that ESET is ineffective. Protection is a very broad term and depends mainly on the user. I have used Kaspersky & Bitdefender in the past but have found myself always coming back to ESET & F-Secure. Although the former 2 are much better in protection, I always found them intrusive in my gaming PC whereas the latter 2 are extremely light & I don’t even notice them running. They also have kept me infection free for the past 5 years although my common sense is the topmost factor. We all have our preferences and CS likes Comodo above all other solutions. Does that mean that Comodo is the best? No…every time I install Comodo I end up uninstalling it because of performance issues, gui glitches & bugs. We all know that ESET didn’t bat an eye since the file was not malicious and this behaviour is expected from ESET. If the downloaded file was malicious and if the lolbin tried to connect to a malicious server then probably we would have seen ESET in action. So we have it- neither has CS bashed ESET and neither is this test a valid one to prove if the security solution can protect a user or not. God help them who have uninstalled ESET by watching this video because it’s clearly not what CS has tried to prove through this video.

 

[Practical Response]

LOLBAS

Lists of LOLBins and Scripts that can be abused with download and execute functionality.

Sftp
Presentationhost
Configuresecuritypolicy
MSHta
MSPub
Sftp
Protocolhandler
Installutil
MsoHtmEd
Outlook
MSAccess

Of these there are 3 that draw attention immediately. Outlook, MSPub, and MSAccess.

Outlook.exe is the executable file that launches the Microsoft Outlook email management program.

MSPub.exe is the executable name for Microsoft Publisher, and launches its application.

MSAccess.exe is a legitimate executable file that allows users to access Microsoft Access.

If we apply the theory that it can be exploited to download and execute malicious items on the desktop therefore it should be detected and blocked, this might cause issue for these vary legit tools would it not. Are vendors supposed to irritate their customers with blocks of these because they can be abused, or find ways to examine the contents of the third party files or payloads as well as monitor behavioral actions post execution.

 

[Trident]

Whilst some of these can be blocked completely from execution as they are not needed, others can be monitored more strictly for behavioural patterns. For example, MS Access or Outlook are not expected to create executables not signed by Microsoft (or if the updater is actually a separate process, haven’t checked recently, they shouldn’t be creating any).

Anomaly detection is necessary for these.

The Certutil for majority of home users brings very little value.
You can’t fault a vendor who decided to block them (people can always create exceptions) and you can’t fault a vendor who decided not to block them — as long as they still provide acceptable protection via other means.

I personally prefer these blocked and if the solution doesn’t do it, I will do it myself.

 

[Andy Ful]

To sum up.

1. This video does not show that Eset is worse than Defender.
2. No video test can show that Eset is worse than Defender and vice versa.
3. This video is not a real-world protection test.
4. The video tests can be misunderstood by many people who think that a failure on the example can prove some minority of the overall protection.

The above was mentioned in my posts and those posted by Practical Response.

If we assume that points 1-5 are true, we can focus on what information can follow from the video.

1. Defender protection can be slightly stronger when blocking the attack method via Certutil.
2. Blocking that method is probably uncommon among AVs on default settings (more examples needed).
3. It is unclear if Eset could improve its protection by blocking that method on default settings (the method can be only a part of a real-world attack).
4. That method is not malicious, so the decision to block it can be considered by the AV vendor if the attack can bypass other protection features.
5. That method can be potentially dangerous when the payload is undetected by the AV.

 

[Trident]

This is true for all AV implementations.

For example Trend Micro has decided for all unsigned files to trigger a warning that upon first attempt to run a file, serves as a block.
On the second attempt for execution, it includes “run anyway”.
Not everyone should follow, for example recent MS implementations are more aggressive, others monitor unsigned files’ behaviour more aggressively.

Bitdefender as of recently includes memory scanner to more efficiently detect packers.
Symantec/Norton have very vague implementations of memory scanning only looking at specific addresses for specific malware (detection denoted MemScan.xxx)
Symantec/Norton however are very aggressive towards new, custom packers.

The malware problem is very complex and whilst solutions to an extent overlap, complete copy and paste is not necessary, as long as the job is done.

It is the analogy that was once provided on this forum, “what is better, pants or skirt”?
Both are the same, some people consider pants appropriate, others go for skirt. As long as they are wearing clothes, all good…

 

[Practical Response]

This is true for all AV implementations.

For example Trend Micro has decided for all unsigned files to trigger a warning that upon first attempt to run a file, serves as a block.
On the second attempt for execution, it includes “run anyway”.
Not everyone should follow, for example recent MS implementations are more aggressive, others monitor unsigned files’ behaviour more aggressively.

Bitdefender as of recently includes memory scanner to more efficiently detect packers.
Symantec/Norton have very vague implementations of memory scanning only looking at specific addresses for specific malware (detection denoted MemScan.xxx)
Symantec/Norton however are very aggressive towards new, custom packers.

The malware problem is very complex and whilst solutions to an extent overlap, complete copy and paste is not necessary, as long as the job is done.

It is the analogy that was once provided on this forum, “what is better, pants or skirt”?
Both are the same, some people consider pants appropriate, others go for skirt. As long as they are wearing clothes, all good…

I'm not sure I would use that analogy, as you wouldn't catch me in a skirt, heels and 5'oclock shadow. 🫣

 

[Trident]

I'm not sure I would use that analogy, as you wouldn't catch me in a skirt, heels and 5'oclock shadow. 🫣

I already caught you yesterday, when your camera switched on by mistake.

 

[Practical Response]

I already caught you yesterday, when your camera switched on by mistake.

Did you tip the door man on your way in

 

[Trident]

Did you tip the door man on your way in

I told him that if he wants tip, he should look no further than MalwareTips, where @Practical Response and @Andy Ful would advise him on various network and Windows security implementations. He said he was previously hacked and he needs that, so it all worked out.

And then I saw you.

Spoiler: You

 

[Practical Response]

I told him that if he wants tip, he should look no further than MalwareTips, where @Practical Response and @Andy Ful would advise him on various network and Windows security implementations. He said he was previously hacked and he needs that, so it all worked out.

And then I saw you.

Spoiler: You

I hope my voice was as lovely as I look.