Some thoughts about future ESET versions...

Well, I thought I would just share a few thoughts and I'd like to hear what you all think.

I'm a proud user and reseller of the excellent ESET product line - there's so much to like. Lightweight, fast, fairly good detection and fantastic remote administrator. It keeps getting better.

Some great improvements in version 4 but there's things I'd like to see improved further. They are pretty much problems with any AV in these areas so I dont expect miricles.

Cleaning
I find too often if a virus does manage to get downloaded and execute, even if ESET detects it.. it can still cause mayhem. One of these particular files that I managed to execute was detected but not cleaned properly so I sent it to ESET. Also, what about files that INFECT or attach to system files? Can we not use sysinspector to make a backup periodically of main system files that are usually infected, explorer etc and revert to a snapshot as a cleaning resolution? Better handling of file infectors and polymorphic or morphing viruses is important - these seem to beat ESET. I just think AV's should be able to monitor system changes in key areas. The Services, Hooks, BHOs, RunOnce and Run areas, and even monitor changes to key system files to aid cleaning and even detection.... That leads me to...

Improve reporting and detection
For example we could send a list of start-up programs and running services (with our approval) to ESET for them to inspect. For system files, like explorer.exe check their checksum and CRC for vadility even, now I wouldn't say delete these files (because what if they were genuine updates) - but at least send some header or detail file info to ESET to research. You know what I mean, some kind of reporting function which we can turn on and off. I'm up for helping ESET improve the product by sending a few small details of my system run/services/registry/BHOs. What about send sysinspector details to eset on a regular basis? They could then collect information about startup files, dll files, hooks, etc, and improve the detection of the product. We do need to improve the spyware detection without the software becoming bloated. Could we maybe have an optional definitions file called extended malware, which is lower risk threats (more annoyanceware - like hotbar is detected by NOD and it's bundled with Nero burning rom, not really a threat as such more annoy us ware. I would prefer the spyware database to be catching the real bad guys and then another db for these silly toolbar things) which some users may prefer to have at the expense of a file opening a nano of a nano second longer. I remember ESET struggling to remove the XP antivirus 2008-2009 varients. I hope this was improved for example. I see a few cases of poor detection or removal. But not to say the product is bad, just I think it could do even better.

I understand ESETs ethos is to make the defs as clean as possible and using more generic rules to avoid the db becoming bloated. Good idea, long as it can clean the infections correctly for each variant. However, these generic detections don't always work, and in some cases work too good..

Settings protection for key system areas or browsers
IE is not the most secure browser, could we not check browser helper objects, proxy changes, homepage changes, security settings changes by third party programs and then have a choice to revert these settings by using the sysinspector for example.

Rescue
I think this is a great idea... a bootable media which can scan the system is a way forward. Long as we can copy up-to-date defs to it, what about use your ESET license on a Pocket Drive to be able to use the CD with the latest defs from the Pocket Drive. Long as cleaning is good enough it doesn't delete system like crazy, it's a neat idea. There is viruses out there that even in task manager you close the buggers and they open again because a parent process is running that is infected. Could eset not detect the parent of these files and remove them, long as it's not a system file.


I welcome the changes to the firewall, automatic with rules is good for Domain Network environments. Someone mentioned the idea of HIPS.. well I would agree and disagree... HIPS would make the software bigger than what it already is.. but I think some form of basic scanning on the file before network access would be good if it doesn't already scan network aware software. DLL injection could do with some improvements and support for blocking these trojan downloaders.

Could we not intergrate the Spybot S&D hosts file list into ESET? Something like that?


Just ideas... let me know your thoughts. Don't expect my ideas to be much but I thought I'd share them as I really want to see ESET be at the top again. I know they can do it...


PS. You know what I would like to see Very very much like to see... because I deploy ESET on a lot of domain enabled networks with MS exchange... Can we please have a revised Exchange version, and maybe even a bundle called: ESET Business Server Security... whoo sounds nice.. with Exchange support and File scanning.... Does anyone agree?

 

ESET should be able to detect the malware before it succeed in infected the system file .

No , thanks ! We have Windows Defender for free , built-in and running by default in Windows Vista and it will be in the new Windows 7 (if Microsoft doesn't even integrate their free AV in it) . Additionally , Windows Defender is available for free for XP users. It monitors Services , Internet Explorer settings , run and start-up keys , hosts , etc .

ESET Smart Security monitors all the communication in and out (Interactive mode) . If a malware modifies a system file and this system file tries to call home for example (trying to by-pass the firewall) , ESS can isolate that file . Of course , that doesn't cover other areas but that is why we have AV part of the program . ESS v4's firewall is improved is each and every aspect . I am using it and I can see it .

 

The firewall has been improved yes, however we'd like .... to think that it would stop viruses before it gets in, but what if it doesnt like i've seen in some cases.

I havent had much luck with windows defender, doesn't seem to stand up to an attack.

 

The firewall ? Are you sure ? "that it (the firewall) would stop viruses before" they get in ? This is not a firewall's job . The first level of defence in case a communication has been allowed by a firewall is the web-access protection with its sensitive heuristics .

Quite the contrary , in my opinion. I'd say that Windows Defender is the best addition to any antivirus/antimalware/security suit .

 

I didn't doubt that it can protect some things.. but it's like any security product. Not invincible.

Howcome Windows defender could not stop the installation of XP Antivirus 2009. Where as something like PrevX edge can....

I know what a firewall does, but I'm sorry I worded the last post a little incorrectly as I was in a rush. What I meant is the HTTP filter... we would like to think that stops the infection in the first place but sometimes this can this bypassed for whatever the reason. All you have to do is get a VMware box and surf a few funny sites..... one or two of the viruses on them will actually pass the HTTP filter and then when you run them ESET goes crazy detecting virus after virus. Not to say ESET is ineffective, far from that... just this is something ALL AV's fail to deal with sometimes - they are never 100%.

However this is an interesting read: http://www.pandasecurity.com/about/panda-technologies/ - They have sucessfully implemented some interesting technologies:

- Collection of data from the community. The system centrally collects and stores behavioral patterns of programs, file traces, new malware examples, etc. This data comes from Panda users, and from other companies and collaborators. This wide capacity to collect information provides higher visibility of the threats that are active in the Internet.



- Automated data processing. The system automatically analyzes and classifies the thousands of new samples received every day. To do this, an expert system correlates the data received from the community with PandaLab’s extensive malware knowledge base. The system automatically returns verdicts (malware or goodware) on the new files received from the community, thereby reducing the tasks that PandaLabs must carry out manually to a minimum.



- Release of the knowledge extracted. This knowledge in delivered to users as web services or through signature file updates.

If ESET could perfect something like that....

 

Have you recenly installed a Panda product ?

Please , do an experiment for me :

- Download a trial of Panda Internet Security 2009 and install it on a computer running lets say 512 Mb RAM , 900 Mhz processor , Windows XP . I'll send you some cash you you could reboot that machine to a usable state. But more likely the OS will die.

- Download a trial of Panda Internet Security 2009 and install it on a computer of your choice . Reboot and start Task Manager . Please , count the processes and how much memory they take . Not talking about the CPU ?

If you can find less than ... 10-20 ...

My Dual core Intel processor with 2 Gb RAM is acting quite strange after Panda , asking for cure , the OS needs so much time to recover , if at all possible.




- Please , compare with ESS




Panda's detection rate / cleaning ability is not better than ESET Smart Security v4 . Let's not talk about their "magic" technoligies when their products are as huge as a building .

 

I used Panda back in the day when it was version 6, when it went to version 7 it wasn't too bad, but then when they started doing Panda Antivirus 200x it got REALLY bad. Buggy code, slow, false positives, etc... I find it strange a CD-ROM is a requirement with Panda, it seems to be the truprevent that hogs it down - and I can see why when it's doing all the checks Panda claims.. I was merely pointing out though about the reporting side. I think collecting SysInspector reports for ESET to use in statistical data and also improving detection would be a great help for them to keep on improving. I keep say improving don't I? To be honest I think ESET is already very damn good, I used to use Outpost but ESET is good enough considering I'm behind a NAT router sooo... yeah, it's good. I personally love the Remote Administrator though! That is one very good asset for ESET.


I'm not saying we should make ESS bloated... I love ESET for the very reason of it's low overhead and Panda didn't do too bad in AV-comparatives past month or too, but I wasn't saying it's detection was better. It most probably isn't. I've heard good things about Avira though. It's not really a matter of whats better or worse, I'm just trying to think of a way to help make ESET an even better product.. it's not easy for an already very good AV. These ideas were not mean't to be go and implement them, just merely thoughts - incase there was a good one that could be implemented.

All I was highlighting is that they have the so called reporting technology which allows their customers to help them improve. Not that they will, but the fact is ThreatSense only sends information about a file if it really is very, very suspicious where as something like PrevX would report too much back and to some would be a privacy concern. But, it would be nice if we could send SysInspector reports to ESET so they can possibly collect the data and detect new possible infections. That's the spot I'm trying to get on. I for one don't welcome a bloated product.

Just out of interest have you tried Avira? I have limited experience with it as the general product isn't as polished for a business environment but it seems to be doing very well on recent AV tests, suppringly. ESET did however have less FP's.

 

Hello,

In response to your questions:

ESET Smart Security and ESET NOD32 Antivirus v4.0 includes a new device driver-based cleaning module which should offer better removal for malware, especially those which start before the operating environment is fully initialized.

The files and objects required to start a system that can be modified by malware are comparatively large. Having ESET SysInspector backup several hundred megabytes of files on a scheduled basis would be problematic. It would also duplicate the functionality of technologies such as Windows System Restore or third-party products like Acronis True Image.

In ESET Smart Security (ESET NOD32 Antivirus) v4.0, the ESET SysInspector program is now integrated. If you submit an ESET SysInspector log when contact technical support through the program, then information about the objects running (or installed) on the computer will be available to the support engineer who receives the case. ESET SysInspector logs do include checksum-type information for some of the logged objected.

The classification of malware with ESET Smart Security/ESET NOD32 Antivirus v4 will be improved so that the lowest-rated threats are categorized differently than traditional forms, such as viruses, worms and rootkits.

The fake antivirus software is continuously updated by the criminal gang behind it to avoid detection by anti-malware companies. ESET does a good job of detecting and removing it and oftentimes there are variants that are only detected by 1-3 programs, including NOD32. If you ask some of the support engineers for other companies or take a look at their support forums then you will see that everyone has missed detections and nearly every update contains improvements for detection. As stated above, the v4 engine has some options for malware removal not available in previous versions, so if something like a fake antivirus program does manage to get a foothold, remediation should be easier.

The problem with technologies that alert the user about changes to the web browser or startup locations is that they tend to either be rather "noisy" and notify users of changes to the point where the user will take whichever action they think will make the warning disappear, regardless of the consequences, or too "quiet" and silently disallow or block operations such as software installation, which can make for increased troubleshooting.

The SysRescue module creates bootable media for scanning, so in the event it is needed, it comes up in a clean operating environment.

Network-aware applications ("web browsers") are scanned more stringently than other applications in v3, as are downloaded files.

You can block access to web hosts using ESET Smart Security v4.0. For more information, see this message.

ESET currently provides NOD32 for Microsoft Exchange, which is based on the NOD32 v2.7 engine. I believe it is available in a business bundle with ESET Smart Security or ESET NOD32 Antivirus. Your ESET sales representative or channel manager can provide more information about how it is licensed.

Regards,

Aryeh Goretsky

 

agoretsky - Thanks for the informative reply.

The only thing I have struggled with is the Firewall, in Interactive mode it doesn't seem to work after a reboot even on a fresh install... it starts alerting me to allow/deny programs and then stops all of a sudden and blocks everything.