Sick and tired of ESET letting things through

Discussion in 'ESET NOD32 Antivirus' started by jimwillsher, Apr 15, 2010.

Thread Status:
Not open for further replies.
  1. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    You cannot expect a user to come up with technique specifics other than undetected samples, hence your statement in this regard is a bit uncalled for.

    So, threads in the forum are not reality, the tests are not reality? All the other products are facing the same fluid environment, still NOD comes out these days next to last.

    There is a mix up between your ideas of users seeking 100% protection - taking this line constantly to deflect reality, whilst users being aware that it cannot be achieved, and what is actually happening.

    You do not wish to look into it, fair enough.

    N.B. have asked Prevx to correct their ridiculous statistics on their website, just to show my support for NOD
     
    Last edited: Apr 17, 2010
  2. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    To the original poster,
    Unless you're a software company, I can't imagine what environment would require you to regularly open executables from outside sources. If this is a customer's way of sending data, presentations, etc., they should be required or strongly encouraged to change that.

    Assuming it is absolutely necessary, I'd suggest using a virtual environment as workstations. You've got options here, some free, VirtualPC, VMware, VirtualBox. Make the host systems default-deny, nothing new running on them. Make the virtual systems the default deskspace where all work is done. When one gets infected, restart it from a clean image. There's also reboot to restore options. Sandboxing is another. Which you choose is much less important as long as you use one of the options. A little more information regarding the work environment and what you do on them would be a big help with devising a solution for you.
     
  3. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    Most of the users would have noticed that Eset has evolved since v 2.5, but obviously not for the better. Back then it had an edge over almost any other AV, now it is at the bottom. Perhaps from relying too much on traditional techniques.

    I even encouraged Eset to improve detection by submitting samples, e.g. https://www.wilderssecurity.com/showthread.php?t=269737, however this one was known already to others for 3 weeks, going by as the DHL scam, which NOD still has problems to detect...

    And as it happened it came through email, not detected then and not with advanced heuristics during the on-demand scan.

    it is indeed useless to continue this thread if Eset continues the dismissal and telling users that it is their own fault when getting infected, which in my case did not happen by the use of brain, still remaining the fact that NOD did not detect it. And this is what this thread is all about... ...which is not a test, but real time fluid environment
     
  4. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Vtol Quote

    Unfortunately in my experience it is their fault most of the time. Click happy and then before long, oops infected :D

    Yes there are other infection vectors too, but mainly as above.

    Actually Esets statement is sort of a double negative, admitting failure, and in a way implying that having no AV wouldn't make any difference as you'll get infected either way :D Of course i'm being a bit cheeky, as Eset obviously detects a certain amount of malware, and as we know, NO anti is 100%, or probably ever will be.
     
  5. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    begs the question what is the use of any AV and why to pay for it?
     
  6. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    I asked for technical specifics, not technique specifics, and yes, it is called for if the issue being discussed is any product letting things through.

    Technical specifics = what's the machine state prior to the incident, what other products are active, was a downloaded executable being launched by the user, is the user running at Admin or Limited level at the time, was an alert of any nature produced at any time during the supposed incident and how was it acted upon, how has the user verified that the system is genuinely compromised, and so on.

    Now, at the start of this thread, there was actually a reasonable set of items along those lines that the original poster cited. It wasn't comprehensive, but it was enough in my mind to develop a productive discussion. Things started to move off the rails shortly thereafter.

    Ultimately, regardless of product choice, the issue is what to do to resolve the problem at hand - remember the initial post? There is a problem at hand after all. Obviously, how a product is configured is a key detail. How the environment is configured is a key detail as well. Little of either have been explicitly discussed. Some has (e.g. implement SRP), although it's unclear how viable that is in this situation. Is this a case in which focus on those details are germane? I have no idea, but that's where I'd start.

    Blue
     
  7. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    Let's take the following scenario:
    1, A malware writer creates a piece of malware and wants it to be undetected by ESET, Kaspersky, etc. He adjusts it to the extent that it is undetected by the AVs he chose.
    2, The piece of malware is distributed via botnets to a lot of people at a time
    3, You are among first to receive it. At this time it's obviously undetected if:
    a) you use any of the AV products the author focused at
    b) your security solution does not recognize the malware by any means
    4, You or other people report the malware to their AV vendor
    5, The AV vendor analyzes the file and issues an urgent update

    I think this is what happened in case of those spammed DHL* emails. However, I must also stress that there have been numerous variants of it that were detected proactively by ESET whilst almost none of other AVs recognized it (maybe the author didn't aim at ESET that time or it would have taken him too much time to evade detection by ESET so he was satisfied with the result he achieved).
     
  8. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    good point. and since you are admin here do you mind taking off the thread from the point where it got derailed and making it separate, so that the initial thread can be continued as well as the derailed part, considering the latter vital as well?
     
  9. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    Was not among the first to receive it, you are starting there from a wrong assumption.
    That piece of malware does not seem to evade any specific AV vendor. What is particularly interesting, and I mentioned that also, is that URLs embedded for downloading further stuff would have been blocked by Eset back then already - would that not be a hint for the scanner to say 'hey, I cannot find anything suspicious right now but those URLs are already blacklisted by Eset, hence take into custody and submit for analysis'?
     
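    The heuristic vtol describes above, a scanner that treats a message as suspicious when it links to hosts the vendor already blocks, as an added illustration written for this thread (not ESET's code, and not something the poster supplied). The blocklist and the sample message are constructed; a real deployment would consult the vendor's URL reputation feed instead.

    ```python
    import re
    from urllib.parse import urlsplit

    # Constructed stand-in for a vendor URL blacklist (hostnames, lower-case, no trailing dot).
    BLOCKED_HOSTS = {"malware-drop.example", "bad-cdn.example"}

    # Matches http(s) links and bare "www." links; trailing punctuation is trimmed below.
    URL_RE = re.compile(r"""(?i)\b(?:https?://|www\.)[^\s<>"']+""")


    def extract_urls(text):
        """Pull candidate URLs out of free text, trimming sentence punctuation."""
        urls = []
        for match in URL_RE.finditer(text):
            url = match.group(0).rstrip(".,;:!?)]}'\"")
            if url.lower().startswith("www."):
                url = "http://" + url  # give urlsplit a scheme so it parses the host
            urls.append(url)
        return urls


    def host_of(url):
        """Normalised hostname of a URL ('' if unparseable)."""
        host = urlsplit(url).hostname or ""
        return host.lower().rstrip(".")


    def is_blocked(host):
        """True if the host, or any parent domain below the TLD, is on the blocklist."""
        parts = host.split(".")
        for i in range(len(parts) - 1):
            if ".".join(parts[i:]) in BLOCKED_HOSTS:
                return True
        return False


    def triage(message_text):
        """Return (verdict, hits): the message is flagged for submission when any
        embedded link points at an already-blocked host, even if no signature fires."""
        hits = [u for u in extract_urls(message_text) if is_blocked(host_of(u))]
        verdict = "quarantine_for_analysis" if hits else "no_url_indicator"
        return verdict, hits


    # Constructed sample resembling the parcel-notification lure discussed in the thread.
    SAMPLE_MESSAGE = """Dear customer, your parcel could not be delivered.
    Track it at http://tracking.malware-drop.example/get.php?id=1.
    Help: https://www.example.com/help, or download the form from WWW.Bad-CDN.example/dl"""

    if __name__ == "__main__":
        print(triage(SAMPLE_MESSAGE))
        print(triage("Meeting moved to 3pm, no links here."))
    ```

    The parent-domain walk in `is_blocked` is what makes `tracking.malware-drop.example` match a blocklist entry for `malware-drop.example`; the loop stops one label short so a bare TLD can never match. This only raises a "submit for analysis" flag, which is the point of the suggestion: it does not claim the file is malicious, it says the file deserves a human or sandbox look.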
  10. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Derailed is focusing on specific personalities rather than the technical issue, blithely referring to users as stupid or in other disparaging manner, making assertions out of thin air and so on. Stay off that path and the current thread can continue.

    Blue
     
  11. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    well, let me say I am not surprised by your defiant response, trying to suppress the underlying course of the issue.

    none of the forum members, or for that matter, any particular user has been referred to as stupid, but the way Eset keeps on bouncing problems back to users and claiming it is their fault to get infected in the first place makes one look like it. Thought about that? The thing is that it is your opinion and you have the right as the admin, you believe that the problem will eventually go away by closing or erasing posts, just because they do not fit Eset's marketing?

    Perhaps it is ok though for your moderator to call data ridiculous, but users should not...

    Maybe others do not get to read this anymore, I am sure you do and all I hope for is that you sit down and talk to your developers in order to get NOD back to where it belongs, at top of AV...
     
  12. Jeroen1000

    Jeroen1000 Registered Member

    Joined:
    Aug 18, 2008
    Posts:
    162
    Goodness me, this thread has really gone too far.

    I'll repeat it again: this is about Eset missing more things than in the past, i.e. its users are experiencing more malware infections. Moreover, I have personally experienced slow adding of malware samples, some taking weeks.

    It's not about "dumb" users. There have always been careless ones and this might never change. It's about Eset, which is more advanced today but misses more threats.

    No amount of discussion can change my mind as I have had a fair amount of encounters: a piece of malware (verified by myself (yes, I executed it)) uploaded to Jotti, many other scanners (no need for details) find it and Eset does not. Sample sent to Eset and other vendors, Eset takes a long time to add it.

    The infection can be blamed on the user, sure, but then again the AV should catch it if its competitors already detect it for weeks. Eset has access to Jotti's database, and to virustotal's so there is no excuse for adding it too late.

    In all of this I still buy Eset licenses because I like them. I want to support them getting to the top again. But I will not recommend it to anyone else unless I kind of know they can make the right decision when it comes to clicking on unknown executables:):

    Phew, I had quite a rant here.
     
  13. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    Whoever proclaims that ESET is slow in adding detection, please PM me the subject of the email with suspicious samples you submitted per the instructions here so that I can check out their status if they were actually left or if it took several days until detection was added. Samples are being processed continually so it shouldn't take long until detection is either added or refused due to the sample being corrupt or benign.
     
  14. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    It doesn't matter if it's ESET, AntiVir, MBAM, or any other anti-virus or anti-malware. Malware is developed and spread faster than any of them can respond. Malware detection is a reactive technology. It detects and reacts to known threats. Thanks to custom malware kits, there's probably over a million pieces of malware in existence by now when you count variants. In any environment that allows an unknown executable to run, eventually malicious code will run. It's just not possible to detect or identify it all. At one point when I was doing a lot of testing with live malware, I was getting malware in e-mail attachments that almost every scanner at VirusTotal would miss on the day I received it. A day or 2 later, the scan results were much better, but by then the damage is done. Don't bother asking who did the best. Even if I chose the 2 that caught the most, some of it would have been missed. Blaming ESET or any other AV vendor is a waste of time. The default-permit design philosophy of both AVs and the operating systems they try to protect is flawed. A default-permit system cannot be made secure. Whether the vendors admit to it or not, they are being overwhelmed by the sheer quantity of malware. It's a deliberate act by the malware writers.

    Regarding blame, it's unfortunate but true, it is usually the user who is at least partly to blame when their system becomes infected. I have clients that fall for the same social engineering tricks over and over. "Educating" them has been an exercise in futility. Then again, there's plenty of blame to go around, starting with an operating system that allows most anything and expects nothing from the user. Then there's security app vendors who have tried to protect systems while accommodating that policy. Perhaps if they'd started educating users 15-20 years ago about the inherent weakness of default-permit, we might have ended up with smarter users. In all fairness, no one saw this present day mess coming.

    The typical internet user knows almost nothing about their PCs and how they work, and we have millions of them all connected together by the web. You couldn't design a better disaster scenario. As a system administrator, you need to develop a security policy that will accommodate the needs of your workers while protecting their workstations and the rest of your infrastructure. AVs and malware detection should play a role but can't be considered as a complete solution. There are several of us here who would help you devise a policy and build a setup that will fill your needs, if that's what you want. If it is, please give us some more information, starting with why workers need to open unknown executables.
     
  15. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    I suggest you look up the definition of defiant....
    for that matter, continue on and look up the definition of suppress....

    I've been calm and fully transparent in this thread.

    Blue
     
  16. 3GUSER

    3GUSER Registered Member

    Joined:
    Jan 10, 2010
    Posts:
    812
    Ha-ha! ROFL ! Is there anybody in this forum (100 000 members) who claims that ESET is actually FAST in adding detection
     
  17. Matthijs5nl

    Matthijs5nl Guest

    :O Mr. Norton fanboy is on the ESET forum. Norton is the best antivirus program ever made. A shame there ain't a Norton forum on here.
     
  18. 3GUSER

    3GUSER Registered Member

    Joined:
    Jan 10, 2010
    Posts:
    812
    I didn't expect anything other than that from a blind NOD32 user.
     
    Last edited: Apr 18, 2010
  19. Matthijs5nl

    Matthijs5nl Guest

    Could say the same to you. But more important, why blind?

    BTW, in the Norton BETA topic I said Norton is a great product: so why bash me as being a blind NOD32 user, I tried Norton 2010, Kaspersky 2010, AVG Free, Panda Cloud, Avira Free, Avast Free and MSE. Eventually I ended up with NOD32 (again). Looks like I made a well thought decision, how can you say I'm a blind NOD32 user?
     
  20. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA
    Hello,

    You two guys are diverting from the original topic. The OP was not referring to Norton compared to NOD32 but how a Fake AV got through the AV installed on his PC.


    Referring to the OP I think one good thing to do with NOD32 would be doing like some other AV vendors have done recently. Add a Sandbox to the AV. That is better than the Web-AV or Http-traffic-scanner [as some AV vendors call that feature] since these are based on blacklist/whitelist and I believe that approach is no longer working.

    Regards,

    Carlos
     
  21. 3GUSER

    3GUSER Registered Member

    Joined:
    Jan 10, 2010
    Posts:
    812
    Nowhere in this topic do I mention anything about Norton. However, some people react more aggressively when others are telling them that it is time for their "King" to be deposed. I am not a classic Norton boy + I am well aware of ESET company and products since 2.5 till today to be able to comment on them and not to be offended with words like "fanboy". This forum needs moderation, ESET doesn't need defence from forum team.
     
  22. Matthijs5nl

    Matthijs5nl Guest

    I agree ESET has to add something. That is why I asked about the upcoming features in version 5, haven't got an answer yet.
    The time signatures did the job is a few years ago. ESET have always trusted on their heuristics, but that's also the past.
    Two options:
    1. sandbox: like already said: many antiviruses are adding this component: Kaspersky, avast, Comodo.
    2. behavior blocker: and then a really good one, not one like avast's or Avira's which actually are doing nothing.

    Let's see what makes it in the upcoming ESET 5.
     
  23. ESS474

    ESS474 Registered Member

    Joined:
    Jan 13, 2010
    Posts:
    201
    Location:
    São Paulo (Brazil)
    Here in Brazil I have no problems with Rogues, I never receive them, but I receive various Spy-Bankers by email and I send some not detected by ESET and after a few hours it is detecting them, and they always respond to me... here it works fine. :D
     
  24. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    When I used ESET software, there were 2-3 months where I was continually having to send them samples on a daily basis because of a lack of detection. The reaction time varied from file to file, importance to importance, but it was generally slow.

    This is a fact, whether it be because ESET is small, or a different underlying problem, it doesn't really matter to me. But ESET is slow at adding detection for user submitted files.

    Thankfully I've since stopped wasting so much of my life doing an unpaid version of ESET's job and use an AV that detects most of my daily issues.
     
  25. Rolando57

    Rolando57 Registered Member

    Joined:
    Jan 21, 2009
    Posts:
    24
    /sarcastic mode ON/
    Well, SLOW is a good point. I started two support cases in mid-February, on one I got an answer last week (no reaction in 2 months), on the other I got a request for more data in mid-March - still no solution after two months.

    They obviously have not enough manpower to get it - maybe that also affects the signatures... :eek: ?

    Didn't someone ask how many employees they have?
    /sarcastic mode OFF/

    I still hope they get better...
     