Eset NOD32 Antivirus and Eset Smart Security version 9

Discussion in 'other anti-virus software' started by Blackcat, Oct 26, 2015.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Catching cloudcar.exe in the off-line real-time scan engine would cut down on the perceived impression that there is an issue with the scan engine. So doing so is a smart move.

I did find a posting on the AMTSO web site of a study that became the model for the Cloudcar test: http://www.amtso.org/wp-content/sp-...e_Cloud_Testing_Metrics_and_Methodologies.pdf . It did recommend scanning of external media data transfers, but not on a cloud basis; rather by offline content scanning based on hash or code. Actually, the diagram shows all content scanning being performed outside of the cloud, with only URL and domain validation being performed in the cloud.

As a test, I did copy the cloudcar.exe file to a thumb drive and deleted cloudcar.exe from my internal HDD. I then proceeded to copy cloudcar.exe from the thumb drive back to the internal HDD and Eset did not detect it. Again, I am sure Eset scanned the file upon creation on my internal HDD but did not alert due to the fact the file is not malicious. Nor for that matter is it suspicious, since it is not a valid executable. All Eset has to do is include the cloudcar.exe hash in the offline blacklist or include a signature for it and this issue is resolved.
     
    Last edited: Jan 24, 2016
  2. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
No, they are not going to fix this specific file by adding it to the local signatures, as that is not Live Grid.

The issue they are fixing is that there are no cloud lookups for local file access.

If this file starts being detected by virus signatures but not by Live Grid then it will still be broken.
     
  3. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
Yes, that's logical. The purpose of this file is to test cloud detection. So the file should be detected by the cloud if that option is enabled and it shouldn't be detected if that option is disabled. Live Grid enabled - detected, Live Grid disabled - not detected.
    "Cheating" with detection of test files is defeating the whole purpose of test files.
    I'm sure Eset will solve this problem with future updates.
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    This Live Grid issue has been discussed previously on the Eset Forum here: https://forum.eset.com/topic/3100-small-question-eset-livegrid-file-reputation/

    Note the following discussion excerpt:

    SweX, on 26 Aug 2014 - 07:08 AM, said:

    Yes if you execute a file that is blocked in LiveGrid, then you will see a notification saying "Blocked object" or "Suspicious object blocked".

    Marcos replied:

    Not exactly. This doesn't work on file execution as querying cloud would take substantial time which would cause delays upon executing files. Needless to say that determining if a file is safe just based on cloud data isn't reliable as there are also updates to plethora of popular unsigned applications that would be otherwise considered suspicious. As you know, a serious false positive could have the same effect on a system as a dangerous virus.
    So I wouldn't hold your breath that resident file cloud scanning is going to happen.

Marcos also explains how the cloud blacklist works in this discussion. Again, if you have HTTP Filtering disabled, you will not be protected against 0-day malware that has been previously detected and added to the Live Grid blacklist.
     
  5. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Not true. HIPS, Self Defense, Advanced Memory Scanner and Exploit Blocker are all enabled by default. Both in V8 & V9. If Exploit Blocker was disabled when you checked in the settings then, either your installation didn't finish correctly, or you must have disabled EB at some earlier point.
    What ? :confused:
    https://forum.eset.com/topic/7172-how-can-i-tell-if-livegrid-is-working/?p=39152
     
  6. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
Wow, that's news for me. I've used ESET with protocol filtering disabled and never knew that by this the cloud would be disabled also. It never greyed out the Live Grid option after protocol filtering was disabled. IDK why there is an option to enable/disable Live Grid in real-time protection, since Live Grid is used for web and email only. It's a little confusing and can be misleading for users that configure advanced settings.
    If real-time protection (sans protocol filtering) is not using Live Grid then it's OK for that file not to be detected.
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Again, refer to the AMTSO .pdf I posted in reply #126. There is no recommendation that resident files be scanned in the cloud. The only recommendation made was URL scanning from web or e-mail sources and that scanning of web based file downloads be done by "file reputation:"

    The testing methodology described here measures the ability of AV products to block malicious URLs and associated malware files based on examination of URL source ("exposure layer protection") and examination of file characteristics of the downloaded malware ("infection layer protection").
    Additionally:

    If the malware file subsequently arrives at the target computer by other means (e.g., file transfer from a USB storage device), the malware file is detected and blocked by the AV product file reputation service.
And that the file reputation scanning be done locally off-line by "content using hash or code examination." Again, refer to the "Infection Layer" diagram noted in the article and where "File Reputation" physically resides. It is not in the cloud but on the user's PC. Hash scanning implies use of white and black lists. Code examination means the file is scanned by both signature and non-signature methods. Eset's current protection fulfills all these requirements. The only outstanding issue is that Eset is not detecting the test cloudcar.exe in off-line content scanning. Add a signature for it and the issue is resolved.

    Last edited: Jan 25, 2016
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Where you could be vulnerable is if you do not use SSL Protocol scanning in Eset. First and most important, you are no more vulnerable in this regard if using any AV that does not scan SSL traffic.

That said, if SSL traffic is not being scanned, Eset cannot do a cloud lookup for a 0-day download and check if it's on the blacklist. Again, it will only be on the blacklist if Eset has prior knowledge of its existence.

    In reality, Eset is one of the best AV's for developing signatures rapidly for in the wild malware. So I would say that even with all web filtering disabled, your exposure risk pertaining to downloads is minimal. Case in point is the Ransom32 malware where Eset was one of the few vendors who had a signature for it within a few days of its discovery.

    - EDIT-

Since I don't use web e-mail, I forgot this. If you connect to your e-mail provider via web mail using an HTTPS connection, none of your e-mail content is being scanned with SSL protocol filtering disabled. Something to ponder...
     
    Last edited: Jan 25, 2016
  9. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    @itman
    Thanks for pointing out that methodology, I totally missed it in your first post.
According to that methodology, locally stored file reputation data is also part of cloud protection. The data was probably gathered using the AV's cloud, so it can be considered part of cloud protection. This way you get a part of cloud protection even when you're not online.
In this case, adding detection for this file to the locally stored file reputation database would solve the "problem". Of course, the file should probably be detected only if Live Grid is enabled in real-time protection.
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
In regards to HTTP Filtering, I personally have never had a file download blocked for suspicious status (excluding cloudcar.exe). I have had downloads or web access blocked by the following blacklists as recorded in my event logs:

    1. IP address/URL
    2. Anti-phishing - again only the EICAR test.
    3. PUA status

For all other downloads which were malicious, they were caught by Eset's network filter using the ThreatSense real-time engine; by signature as best as I can determine. I will also assume that advanced heuristics, again running in the network filter, could catch malware for which no signature yet exists. The bottom line is none of these files were stored on my HDD before they were detected. So in essence, the files were detected "in the cloud;" the cloud in this case being the network adapter buffer.

In reference to the screenshots referred to by link by SweX in reply #121, suspicious activity was encountered on a web site - note the alert message reference to a specific IP address. I assume that one of the non-signature Eset protections detected it. It appears that the activity was some type of download that was blocked and quarantined. Also of interest is that the download activity was done by download manager software and not the browser. The only thing I am puzzled about is that the alert said to "submit the file to Eset for analysis." I thought Live Grid did that automatically? Perhaps the user had the Live Grid option to "auto submit files" turned off?
     
    Last edited: Jan 25, 2016
  11. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,625
    Location:
    USA
    I reinstalled ESS 9 today and strangely enough the SSL filtering works this time. Previously I could not access SSL sites.
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
I had no problem in the initial release with accessing SSL sites per se. My complaint was the use of Eset's root cert. on SSL web sites. On some sites, it would not use the Eset root cert. and on others it would. For example, with Google searches, Google's web site cert. was pinned to its issuing root cert. On other SSL web sites, this did not occur. I could make no "rhyme or reason" over the criteria Eset was using to pin a web site's cert. to the Eset root certificate. I am uneasy over having a vendor determine by whitelist what is a "good" SSL website and which is a "bad" web site as far as SSL filtering is concerned. Of course, none of the sensitive SSL web sites I use, such as my healthcare providers, were whitelisted.

Do me a favor. If you had defined user HIPS rules in ver. 8, are those rules now sorted by allow and block status, i.e. alphabetically? Or are they now all jumbled in some unknown order?
     
    Last edited: Jan 25, 2016
  13. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
I will post to Marcos what Eset tech support told me.

itman, cloud scanning is reputation scanning; they are one and the same thing.
     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    No, they are not.

    I have e-mailed AMTSO in regards to Cloudcar test specifics. If and when I get a reply, I will post same.

    In the meantime, it clearly states in the methodology .pdf I posted previously that cloud file reputation be done on Internet downloads only. Quote:

    The testing methodology proposed here expands AV product performance measurement to include the additional malware protection afforded by Web reputation services that block the malware before it is downloaded.
Putting the Cloudcar test aside, there have been known past "synchronization" issues with the cloud and locally maintained white and black lists used for off-line file reputation scanning, as noted here: https://forum.eset.com/topic/3888-bugs-in-eset-file-reputation-eset-live-grid/page-2 . Additionally, in this thread Marcos explains that only PE files are scanned, which explains why the cloudcar.exe file was not detected in off-line reputation scanning, as I suspected.

Personally, I believe if one doesn't want to use Eset's HTTP Filtering, they would be better off using a product that is designed to perform file reputation scanning after the file is created on the hard disk. As I mentioned previously, I also run Emsisoft Anti-Malware in addition to Eset. Both EAM and EIS do full file reputation scanning on file creation, access, or execution depending on real-time scanner settings. By full scanning, I mean that they will block and quarantine an executable if the file is indeed "unknown" to its community based database. This has been a pain for me on more than one occasion; like when SpyShelter released a new version of its test tool a few months back.

     
    Last edited: Jan 27, 2016
  15. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    6,555
    Location:
    New York City
    Recently switched to ESS version 9. So far so good.
     
  16. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Jamie King, V.P. of Operations at AMTSO got back to me with blazing fast speed. Below is the Cloudcar test specification:

    CloudCar

    CloudCar can be defined in short as a test file that may be provided by any vendor that provides a cloud solution.

    Many security vendors are enabling cloud based solutions. These solutions rely on specific and reliable network communication for proper functioning. Testing labs construct elaborate systems to simulate the real world in order to conduct their tests and monitor results safely. It is possible that while constructing these systems the network rules imposed may interfere with a product’s ability to communicate correctly with its backend servers. This is where CloudCar comes in. CloudCar is a file that will only be detected by a product’s cloud service. Scanning CloudCar with the network disconnected (or inoperable) must not result in a detection. Scanning with the product connected properly to the internet must result in a detection. With CloudCar a tester can verify that a setup for a given product allows it to communicate properly with its cloud service.

    Each vendor will have its own CloudCar and these files should never have a traditional detection written for them because they are not malicious. The CloudCar executable itself need have no specific functionality. It simply must have a unique hash.

    Ref.: http://www.amtso.org/download/amtso-use-and-misuse-of-test-files/

Note what I highlighted in bold. It is assumed that "connected to the Internet" means you connect via the browser and that your security solution provides a method to scan such Internet connections. It is also noted that detection of the "cloudcar.exe" vendor sample be done by hash method and that its detection by any method other than by Internet connection is expressly prohibited.

    So it appears Eset is 100% in compliance as far as this test is concerned.
     
    Last edited: Jan 27, 2016
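As an added illustration (not code from AMTSO, ESET or anyone in this thread), a small Python model of the two CloudCar requirements quoted above, plus the "cheating" case discussed earlier in the thread where a vendor also ships a local signature for its test file; the sample bytes and the scanner are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed stand-in for a vendor's cloudcar.exe (assumption: any unique content will do,
# since the spec only requires a unique hash, not a working executable).
CLOUDCAR_BYTES = b"AMTSO CloudCar stand-in: not a real PE, only the hash matters\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class MockScanner:
    """Toy model of an AV: an offline signature store plus a cloud reputation blacklist."""
    local_signatures: Set[str] = field(default_factory=set)  # hashes detected with no network
    cloud_blacklist: Set[str] = field(default_factory=set)   # hashes known only to the cloud
    online: bool = True

    def scan(self, data: bytes) -> Optional[str]:
        """Return the detection source, or None when the file is not flagged."""
        digest = sha256_hex(data)
        if digest in self.local_signatures:
            return "local-signature"
        if self.online and digest in self.cloud_blacklist:
            return "cloud-reputation"
        return None


def cloudcar_check(scanner: MockScanner, sample: bytes) -> Dict[str, object]:
    """Apply the two CloudCar rules from the AMTSO text: no detection with the
    network disconnected, and a detection once the product is connected."""
    was_online = scanner.online
    try:
        scanner.online = False
        offline = scanner.scan(sample)
        scanner.online = True
        online = scanner.scan(sample)
    finally:
        scanner.online = was_online
    return {
        "offline_detection": offline,
        "online_detection": online,
        "compliant": offline is None and online is not None,
    }


def compliant_scanner() -> MockScanner:
    """A vendor that lists its CloudCar hash only in the cloud, as the spec requires."""
    return MockScanner(cloud_blacklist={sha256_hex(CLOUDCAR_BYTES)})


def cheating_scanner() -> MockScanner:
    """A vendor that also shipped a local signature: CloudCar is now flagged offline,
    so the test can no longer tell whether the cloud connection works."""
    digest = sha256_hex(CLOUDCAR_BYTES)
    return MockScanner(local_signatures={digest}, cloud_blacklist={digest})


if __name__ == "__main__":
    print(cloudcar_check(compliant_scanner(), CLOUDCAR_BYTES))
    print(cloudcar_check(cheating_scanner(), CLOUDCAR_BYTES))
```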
  17. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,094
    Location:
    Germany
    No, it just means the computer with the AV needs to be connected to internet and that the file should not be detected when the computer is offline.

    It doesn't mean that the file should only be detected while passing through some kind of stream scanner. There are so many products which detect cloudcar online only and don't use stream scanning, because their file system component uses cloud lookups as well.
     
    Last edited: Jan 28, 2016
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
Actually, AMTSO confirmed to me that what I posted is correct as far as existing Cloudcar testing is concerned. However, if the AV scanner is always connected to the cloud, that would also fulfill the Cloudcar test requirement. Again, the Cloudcar test is about checking the download before it is physically created on the HDD.

    The issue that has developed is if file reputation scanning should be done in the cloud for existing files on the HDD. That is a separate issue.
     
  19. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,428
    I installed ESS 9 under Shadow Defender.
Default settings. Didn't update it.
Tried the AMTSO test.
It detected everything but didn't detect Cloudcar.
I tried a few times & also checked that the internet was working fine, but ESS didn't detect Cloudcar?
     
  20. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,094
    Location:
    Germany
    Cloudcar detection also isn't triggered when it's still in the browser's cache from previous attempts, as there is no need to initiate another download attempt.
     
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Do the following. Note the following screen shots are for ver. 8. The functionality is the same for ver.9.

    First, verify LiveGrid has been enable.

    1. Access "Advanced Setup" section.
    2. Select "Tools."
    3. Select "LiveGrid."
4. Verify that LiveGrid is enabled as shown below. If not, enable it. Always click "OK" to change the setting and for any "OK" prompt from Eset thereafter.
[screenshot: Eset_LiveGrid.png]

    Next, verify LiveGrid is enabled in ThreatSense settings for Web Access Protection.

    1. Navigate to "Web and Email" section under "Advanced Setup."
    2. Select "Web Access Protection."
    3. Click on the ThreatSense "Setup" box.
    4. Select "Options."
    5. Verify that "Eset LiveGrid" option is checked. If not, checkmark it and select "OK."
[screenshot: Eset_WAP_LiveGrid.png]

    Exit Eset and re-execute Cloudcar test. Post if this was successful.
     
  22. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,428
    So default settings doesn't detect Cloudcar with Web Protection & Realtime Protection both?
     
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Yes and no.;)

    You're offered an option to enable LiveGrid at installation time. If you miss that option during that time, then LiveGrid is not activated I believe. Also if you installed ver. 9 on top of ver. 8, all your ver. 8 settings are retained. It is possible LiveGrid was set off in ver. 8?

    Did you do the steps I instructed and see if you pass the Cloudcar test?
     
    Last edited: Jan 28, 2016
  24. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,428
I had mentioned in my post that I had tested ESS under Shadow Defender. I don't have it installed.

    At that time I had checked Live Grid option during install. It was a clean install V9. I will try to test later again.

I am a little confused reading the posts here.
    Is LiveGrid protection local too or tied to web protection only? And I mean with default settings.

    UPDATE - I tried again & Cloudcar is not detected, neither on download nor on execution.
    Clean install V9 under Shadow Defender so system restart cannot be performed.
I didn't update the databases.
    During install LiveGrid was checked & after install checked the settings LiveGrid & other options were enabled under "Tools" option in the GUI.

    Win 10 64
    Checked with Chrome 32 Bits, Internet Explorer, Cyberfox 32 Bits Portable & Edge.
     
    Last edited: Jan 28, 2016
  25. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    There are a couple of possible explanations:

    1. Verify that HTTP Filtering option is enabled in Web Access Protection setting. If not, enable it and retest Cloudcar.

    2. There is an issue with your alert settings and the Cloudcar download was blocked but you weren't alerted to that. Check your "Detected Threats" log and see if the following log entry exists:

    1/21/2016 4:32:19 PM HTTP filter file http://amtso.security-features-check.com/cloudcar.exe Suspicious Object connection terminated XXX-PC\XXX Threat was detected upon access to web by the application: C:\Program Files\Internet Explorer\iexplore.exe.
    If so, then Eset SS 9 did detect the Cloudcar download.

3. There is a problem with the cloud protection in ver. 9. I thought I did test Cloudcar when I had ver. 9 installed briefly on Win 7, but I'm not sure of that. Perhaps someone who has ver. 9 installed can verify that Eset SS 9 does detect Cloudcar? Also, the verification must be done using WIN 10.

    Note: Eset has had a number of issues with ver. 9 especially running under WIN 10. Many Eset users are running ver. 8 currently until ver. 9 is stable.

    4. Somehow running ESS under Shadow Defender interferes with the cloud protection. Although Eset does not require a reboot after installation, I always do that after installing security software.

5. I know that Cloudcar is detected using IE. I can't vouch for the other browsers you have installed. So, there might be an issue with the other browsers or with their settings detecting Cloudcar.

    If above no.1 or 2 are not true, I would post your issue on the Eset Smart Security Forum and see if someone has an explanation.

As far as your question of whether a local copy of the cloud file reputation database exists, I explained that previously. It does, but by design it will not detect Cloudcar. There also have been past documented issues with the local rep database; primarily the frequency with which it is updated with the cloud database data.
     
    Last edited: Jan 29, 2016
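To check explanation no. 2 above without reading the log by eye, here is an added Python example (not ESET's code, and not from anyone in this thread) that parses a flattened "Detected threats" export and reports whether the Cloudcar download was stopped by the HTTP filter. The column order and the two extra sample lines are constructed assumptions modelled on the single entry quoted in the post.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of an ESET "Detected threats" export. The first line is the entry quoted
# in the post; the other two are made up (assumption: each entry is flattened onto one line in
# the order time, scanner, object type, object, threat, action, user, information).
SAMPLE_LOG = r"""
1/21/2016 4:32:19 PM HTTP filter file http://amtso.security-features-check.com/cloudcar.exe Suspicious Object connection terminated XXX-PC\XXX Threat was detected upon access to web by the application: C:\Program Files\Internet Explorer\iexplore.exe.
1/21/2016 4:35:02 PM HTTP filter file http://amtso.security-features-check.com/eicar.com Eicar test file connection terminated XXX-PC\XXX Threat was detected upon access to web by the application: C:\Program Files\Internet Explorer\iexplore.exe.
this line is not a log entry and must be skipped
""".strip().splitlines()

# Non-greedy scanner and threat names let "HTTP filter" and "Eicar test file" parse even
# though both contain words that also serve as separators.
ENTRY_RE = re.compile(
    r"^(?P<time>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<scanner>.+?) file "
    r"(?P<object>\S+) "
    r"(?P<threat>.+?) "
    r"(?P<action>connection terminated) "
    r"(?P<user>\S+) "
    r"(?P<info>.*)$"
)
APP_RE = re.compile(r"by the application: (?P<app>.+?)\.?$")


def parse_entry(line: str) -> Optional[Dict[str, str]]:
    """Parse one flattened log entry; return None for lines that do not fit the layout."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    app = APP_RE.search(entry["info"])
    entry["application"] = app.group("app") if app else ""
    return entry


def cloudcar_blocks(lines: List[str]) -> List[Dict[str, str]]:
    """Entries showing the Cloudcar download stopped by the HTTP filter (explanation no. 2)."""
    hits = []
    for line in lines:
        entry = parse_entry(line)
        if (entry and entry["scanner"] == "HTTP filter"
                and entry["object"].lower().endswith("/cloudcar.exe")):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in cloudcar_blocks(SAMPLE_LOG):
        print(hit["time"], hit["threat"], hit["action"], hit["application"])
```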