Eset NOD32 Antivirus and Eset Smart Security version 9

Discussion in 'other anti-virus software' started by Blackcat, Oct 26, 2015.

  1. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,428
    itman,

    Thanxx for all the info.

    The settings were all fine i.e enabled.
    But yes didn't checked log entries.

    I do think there was no detection.

    Anyway when I am free I will try to install ESS & test again.

    Regards
    Yesnoo
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    This whole cloud reputation scanning issue has made me fully aware of one point - that SSL protocol scanning needs to be enabled. If it is not, no encrypted HTTPS web traffic is being monitored.

    Yes - there are issues with concept of third party scanning of encrypted web traffic overall. There have been past and present issues with how Eset has implemented SSL traffic scanning. Overall though, I believe the risks of having no cloud reputation scanning being performed or data inspection by the real-time scan engine of encrypted web traffic outweigh the outstanding issues. Note the following Gartner analysis:

    Gartner believes that by 2017, more than 50% of the network attacks, both inbound and outbound, will use encrypted SSL/TLS communications. Attackers are focusing on the use of SSL/TLS, because they know the majority of organizations blindly trust encrypted communications and don’t (or can’t) decrypt, making them unable to assess and
    block threats that leverage SSL/TLS.


    Ref.: http://www.slideshare.net/RichardMc...cybercriminals-hiding-in-ssl-traffic-46110317
    Eset does offer methods to excluded privacy sensitive SSL web sites from SSL scanning. Ditto for some SSL web sites that refuse to display using Eset's SSL root certificate. Beginning with version 9, all non-blacklisted web sites with EV certificates and most major bank web sites are excluded from SSL scanning using an internal whitelist. I have also only occasionally detected a very slight delay in the rendering of SSL web sites with SSL Protocol Filtering enabled.

     
  3. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,428
    There should be an option to not scan sites with EV certificates.
     
  4. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    6,555
    Location:
    New York City
    Oh well. ESS version 9 is not launching. This is why people run Windows Defender.
     
    Last edited: Jan 29, 2016
  5. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,623
    Location:
    USA
    LOL. On a computer that is not already broken it launches fine. I'm having no issues whatsoever on 2 machines.
     
  6. Rompin Raider

    Rompin Raider Registered Member

    Joined:
    May 6, 2010
    Posts:
    1,254
    Location:
    Texas
    Same here ...zero issues.
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    There is but before I get into that, I will elaborate on EV web sites. They also can contain crap. I have personally encounter such web sites. Even if the intent of the EV web site was not malicious, the web developer could have been careless; primarily to save money. For example, he could have downloaded a malicious free Wordpress plug-in from a non-reputable source, etc..

    You can exclude EV certs. in Eset but the process is burdensome and complicated for the average user in my opinion. Then there is the issue of updating the exclusion if the web site cert. changes. What I do when I want to exclude a SSL web site is to do so using the url exclusion feature in Web Access Protection using the following notation - https://*.sitename.com/*. This will exclude the site and all sub-domains of same from all unencrypting activity. Note that it also excludes the site from all filtering activities so no cloud reputation scanning is being performed. Unfortunately, it does not exclude the site from Eset's cert. pinning activities with the result being the Eset root cert. is still shown in the browser. Of course, this prevents the EV green status from being displayed. I have posted this as a bug on the Eset forum but have my doubts to any action being taken by Eset.

    -EDIT-

    I should add that in ver. 9, Eset does allow unimpeded display in the browser of web sites with EV certs. by internal whitelisting of web sites. This does not guaranty all EV cert. web traffic will be unfiltered but only those known to Eset. Overall I don't think this is advisable since Eset has to be the judge of what is a "good or bad" EV web site. I prefer that I have that judgement which is "all EV web sites are possibly bad except those I specifically allow."
     
    Last edited: Jan 30, 2016
  8. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,428
    Ok, got it.
    Thanxx for the info
     
  9. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    no you dont need to be in a web browser to be connected to the internet. I will contact him also as I cannot be sure you explained the situation to him given you dont understand what I am trying to explain. HTTP scanning is not a requirement for cloud scanning.

    I think designing malware protection on the assumption an infection must come via a web browser web pages is a bit naive, there is many ways to get compromised without even touching http/https content. So for that reason eset's cloud protection is not complete, in its current state of only working in a web browser it can be considered partial protection at best.

    It also can be diffilcult to get software developers to accept bugs, as a common tactic is to claim a bug is by design aka a feature. If eset are trying to say this is deliberate behaviour then they need to explain what is the point of the eset live grid toggle in the real time file scanning module as currently that does nothing. Also as to why the protocol filtering is a separate option to http scanning.
     
    Last edited: Feb 2, 2016
  10. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Can you verify your source where you found out that it is only working in web browser specifically ? To my best knowledge that is not the case.

    How did you come to the conclusion that is does nothing ? Keep in mind you also have a LiveGrid toggle connected to the "on-demand computer scan" settings as LiveGrid is used during scans to skip whitelisted files.

    "If it is found on the whitelist, the inspected file is considered clean and also flagged to be excluded from future scans. If it is on the blacklist, appropriate actions are taken – based on the nature of the threat. Only if no match was found, the file is scanned thoroughly. Based on results of this scan the file becomes a candidate to extend the corresponding list. This approach has a significant positive impact on scanning performance."
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Appears Chrcol believes that LiveGrid should be 100% cloud based which it is not. When doing an on-demand scan, it is using a disk based copy of the cloud white and blacklists. Since an Internet connection does not exist at that time, it should not detect cloudcar.exe per AMTSO guidelines I posted in reply #141. This do not mean that Eset would ignore any real malware that was listed in the disk based blacklist. The bottom line here is the detection of the previously Eset detected "in the wild" malware is the same whether the method used is cloud or disk based. :rolleyes:

    Elaborating even more, Eset becomes aware of the "in the wild" malware. It them updates the cloud database on its server. It then sends an update to the disk based blacklist via normal Eset update methods w/o waiting for the next scheduled update connection I presume. When Eset develops a signature for the malware, it updates the signature database and sometime later, removes the malware from disk and cloud blacklist databases. At that time if the malware is downloaded, the real-time scanner will detect it via signature using Eset's network filter before the malware ever reaches the hard disk. It is also possible the blacklisted malware after futher analysis is benign. If so, it will be removed from the cloud and local hard disk blacklist then added to the whitelist.
     
    Last edited: Feb 2, 2016
  12. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    SweX the source is me, I test my software and dont just take the developers word for it.

    I see no outgoing connections for cloud lookups to eset unless it is scanning http content. I have only tested this on 8.x not 9.x.

    As I understand it the cloudcar file is on eset's live grid blacklist, for that reason if it works as you say it works, then it should be picked up without http scanning if I try to e.g. execute it (even tho it isnt a real executable it has the .exe extension) or if I try to write it to the drive, such as downloading it.

    There is no reason why http scanning should pick this up and not file scanning unless the cloud protection is missing or incomplete on the file scanning. Which if is deliberate behaviour then eset are been a bit naive to think the only threat is via browsing web pages. I actually think its a bug that they trying to pass of as a feature. (at least in public, I am currently waiting for a beta build which they said will fix it).
     
  13. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    Here's a proof that the on-demand scan leverages LiveGrid data to detect newly emerging threats. It's a payload (Dridex trojan) downloaded by ~2 hour-old VBA downloader and scanned by the on-demand scanner. The fact that CloudCar is detected only by web protection is not a bug; it's by design of how cloud lookup works so Itman and Swex are right and what they wrote is correct. If somebody from ESET confirmed that it's a bug, please drop me a pm with the statement as well as with the name of the person who provided that information. It's definitely not correct.
    I'd strongly recommend reporting issues or discussing ESET-related stuff in our official forum at https://forum.eset.com where your posts will receive best attention of ESET's moderators and staff.
     

    Attached Files:

  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    I can understand Chrcol's confusion on reputatation scan processing using Live Grid. The topic has come up many times in the Eset forum. Also of note in reviewing the Eset responses closely, Eset never once stated that Live Grid file reputation scanning while off-line is done via cloud lookup. What was said and demonstrated was that Live Grid technology was employed in off-line scanning. Eset is traditionally "tight lipped" about specifics concerning its protection mechanisms for security and proprietary reasons.

    The point being overlooked is it doesn't matter how the file reputation scanning is employed off-line as long as the protection result is the same - correct?

    Chrcol to prove your point, what you will have to do is find a real malware that is currently being blacklisted in Eset's Live Grid cloud. That is when connected to the Internet, the file is detected by download. You will then have to disable Eset and download the malware. Then enable Eset and scan the file using the on-demand scan. If the file is not detected as a result of the on-demand scan, then you have a valid claim that Eset's off-line scanning is not equal that of its on-line cloud file reputation scanning. Of course, you will have to document all this activity. Finally, it goes without saying that this testing should be done on a test PC or; a full image backup be taken of the PC your using prior to testing for restore purposes in case of malware infection.

    -EDIT-

    You can find the Dridex malware here that Marco's mentioned: https//: www. hybrid-analysis.com/submissions?filter=file&page=2. It is listed by the .exe name Marcos posted in his screen shot.
     
    Last edited: Feb 3, 2016
  15. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    I'd also add that we've never stated that all scanners are equal in terms of detection. Web and email protection are the first to scan files on download so they may use stronger heuristics and have more sensitive detection than the other scanners. What's more, web protection uses a strong url blacklist which enables it to block also malware that could otherwise slip through all other protection modules. It's important to keep all modules and protection features enabled in order for the product to provide protection to maximum extent.
     
  16. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    itman why should I test with real malware? the point of the cloudcar file is to test the cloud function by doing a risk free test.

    So the first question is.

    Is cloudcar blacklisted in eset's cloud?
    If yes why isnt it detected by the real time file scanner module when eset live grid is enabled?

    However it seems this discussion is over, marcos has confirmed eset have left the weakness in by design. Eset;s approach seems to be that only web traffic is worth protecting fully and malware doesnt come by other avenues.
    Also I am talking about real time scanner "not" on demand scanner marcos.

    Sort of correct, the problem is the result isnt the same, the file is detected over http but not from storage. Whilst on alternative anti virus software the cloud detects in both forms of access.

    What happens if I download that 2 hour hold malware that marcos tested with via utorrent and then executed it?

    Also the question has not been answered, you are claiming the eset live grid protects real time scanning properly but still havent given an explanation why it fails this simple cloud test, what reason would eset have to not blacklist cloudcar in its cloud blacklist? As after all they are listed on that website and as such the file should be blacklisted.

    I accept what you said about having some kind of local cloud cache so there is no lookup for every file access, but cloudcar is old, so it should be in that cache.
     
  17. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    The attached screen shot shows what would happen upon execution.

    Nope, it's quite the contrary.
     

    Attached Files:

  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    I have explained this in multiple previous postings. Again ............. per AMTSO directive, the clouldcar.exe file is not to be detected when an Internet connection does not exist. No where in the AMTSO directive does it state that an Internet connection has to be present when scanning is employed on a local drive basis. Hence, the clouldcar.exe file must not be detected by Eset when a local disk scan is done since no Internet connection exists at that time. An Internet connection will be established by Eset if unknown malware is found during the local scan for the purpose uploading the file for further analysis. This will occur if Live Grid is enabled and your settings for it allow for the upload.

    You can't or won't understand this fact. If you do not like the Cloudcar existing policy, I strongly suggest you address your objections to AMTSO and leave Eset out of the discussion.

    This is answered by the above reply. The Cloudcar test was not designed to test off-line local disk scanning. The EICAR tests are used for that purpose. Test with those. However, you will really won't be sure of Eset's capability unless you test with real malware as I described previously.

    You're "going over the line" with that statement. Eset works properly as designed as far as off-line malware scanning is concerned. If you want a scanner that always performs online scanning, then use one of the cloud based products like Panda for example.
     
    Last edited: Feb 4, 2016
  19. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,934
    Location:
    SW. Oklahoma
    Just got a free 6 months of ESS v9 and it seems to be working great on my Windows 10 Laptop. But time will tell.
     
  20. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    Make an image backup now bigc ;):isay:
     
  21. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
  22. LagerX

    LagerX Registered Member

    Joined:
    Apr 16, 2008
    Posts:
    565
  23. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,934
    Location:
    SW. Oklahoma
    Thank you Marcos, I enjoyed the read.
     
  24. TomFace

    TomFace Registered Member

    Joined:
    Jan 8, 2011
    Posts:
    77
    Location:
    USA
  25. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
    I am using ESS9 on my desktop with Windows 10 x64 and I am not seeing the "splash screen" after startup, is it a bug? (the option is turned on)
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.