MRG Effitas Online Banking / Browser SecurityCertification Q2 2019

Discussion in 'other anti-virus software' started by itman, Aug 15, 2019.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Eset only solution to 100% block w/o behavior means.

    https://www.mrg-effitas.com/wp-content/uploads/2019/08/2019Q2-Online-Banking.pdf
     
  2. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    Thnx for sharing and congrats to all that got certified.
     
  3. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,627
    ESET is consistently one of the first antiviruses, to detect new threats.
     
  4. Gein

    Gein Registered Member

    Joined:
    Dec 8, 2013
    Posts:
    219
    Weren't hitmanpro and sophos a part of these tests too?
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    The most intesting thing was the Simulator Test, which uses a rogue extension. I wonder how those 4 managed to stop it, since it's basically part of the browser. But anyway, Zemana and McAfee performed the worse. Makes you wonder just how good the AI from Zemana truly is. Also, I need to get my hands on Wontok, it always performs well.

    https://www.wontok.com/safecentral/
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Not really a legit test in my opinion:
    Don't know how this is done in Chrome but in FireFox it is Toolbar -> Tools -> Web Developer.

    Web developer tools can be disabled in FireFox by:
    -EDIT- Appears its fairly easy for malware to enable developer mode and install malicious extensions in Chrome:
    https://www.bleepingcomputer.com/vi...le-chrome-developer-mode-extensions#installed
     
    Last edited: Aug 18, 2019
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Please be my guest and test it yourself.:rolleyes:
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    My bad, I thought you was the testing guy. I don't use any virtual machines, so I don't test this type of stuff anymore. But would be interesting to see if Eset could stop it.
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    o_O The MRG report already shows Eset failed to detect it.

    Eset and a number of other AVs do not check for malicious browser extensions. How would they? Note that Google has a poor record on that regard. And they only check for same in Google Store/Play; not once the extension has been installed in the browser.
     
  11. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,674
    Location:
    South Wales, UK
    Indeed, that is why it is a good idea to have an extension from a reputable source that monitors and looks at other extensions once installed ;)
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    As far as the simulator ZombieBrowser Pack test, I wouldn't worry about it. As noted by the Github web site page documentation on it, Meterpreter has to be installed on the device to pull off the attack. Most major AV's are pretty good at detecting and preventing Meterpreter from being installed. It appears to me MRG must have disabled the AV's realtime protection and installed Meterpreter to perform this test.
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Forgot about it. Then I wonder how Kaspersky, Bitdefender and Avast managed to block it, I'm guessing it's because their safe browser doesn't allow extensions to be installed?

    Why do you say so, I believe that a malicious extension can simply steal data and send back the data to the hacker, without any additional malware installed.
     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Your miss the point. First, developer mode has to be enabled in Chrome. That is what Meterpreter is used for.

    I know that Eset disables existing extensions on Chrome and FireFox. I assume that is done when the browser is started in banking protection mode. I also assume it wasn't checking to see if developer mode was enabled thereafter, allowing for the malicious extension to be installed.
     
  15. mekelek

    mekelek Registered Member

    Joined:
    May 5, 2017
    Posts:
    518
    Location:
    Hungary
    Kaspersky disables everything as well.
     
  16. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Mozilla has an in depth tech article on FireFox developer mode here: https://developer.mozilla.org/en-US/docs/Archive/B2G_OS/Developer_Mode .

    The main thing to glean from this article is first, it is "God mode" for all practical purposes as to what can be done by the browser. The next thing to note is that it is not easy to activate developer mode except for one deprecated feature - WebIDE. Assumed this feature is what is being exploited by Meterpreter. Thankfully, it appears WebIDE feature should be removed from FireFox and retired shortly.

    -EDIT- If WebIDE is activiated from FireFox, it will create an .exe in the current User Temp folder. Assumed is everyone is blocking any exec's running from that directory.
     
    Last edited: Sep 11, 2019
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.