Am I loosing any security benefits by using EAV 5.2 instead of 6?

Discussion in 'ESET NOD32 Antivirus' started by GrammatonCleric, Mar 3, 2013.

Thread Status:
Not open for further replies.
  1. GrammatonCleric

    GrammatonCleric Registered Member

    Joined:
    Jan 8, 2009
    Posts:
    372
    I have a desktop so I don't want the Anti-Theft module since if anyone breaks into my house and steals my desktop then I have larger things to worry about than my desktop PC.

    So basically are there any enhancements in Heuristics / definition / cleaning that I am forgoing by staying with 5.2 and not upgrading to 6?
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    V6 can quicker protect against new born threats due to cloud blocking.
     
  3. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,618
  4. manak

    manak Registered Member

    Joined:
    Aug 12, 2012
    Posts:
    78
    Cloud blocking?
    I know EAV 5 provides Cloud-Based Whitelisting only.
    Does EAV 6 provide Cloud-Based Whitelisting/Blacklisting like Symantec Norton? ("Suspicious.Cloud...")
    It's good news and I hope that it will not increase False positive unlike Norton products.
     
    Last edited: Mar 4, 2013
  5. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    Of course not, blacklisting everything by reputation is not a good idea as it would produce hundreds of thousands of false positives. Cloud blocking is implemented differently; the purpose is it protect users against new otherwise unrecognized threats without updating the signature database.
     
  6. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    I am wondering what type of Warning/popup/Information I and other users will see when something is blocked right away in the cloud? Thanks :)
     
  7. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,618
    See attached:

     

    Attached Files:

  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    This is a traditional signature detection. Cloud blocking is reported as "Suspicious object" or "Blocked object".
     
    Last edited: Mar 7, 2013
  9. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    To digg a little deeper.... :D

    I saw these in the Swedish top 10 threats at virusradar.com last week and they are still in the top 10. So I am wondering if those are the particular cloud detections that you are talking about as "Blocked" and "Suspicious"

    FYI see number 3 (blocked) and 6 (suspicious):http://virusradar.com/statistics/10/se

    Blocked

    And Suspicious

    Now I think this is interesting and a welcome addition to the products, so I wouldn't mind if you could share how these Cloud blockings work, are they pure cloud based as in they happen in real-time from the cloud while browsing, or do they need/have a local db on the client side as well?

    I hope you don't mind me asking Marcos, Thanks :)

    Also, ESET should really write something about this on the Website so users can read about the new improved cloud tech, and how it works etc etc.....
     
  10. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,618
    Pardon lack of not having used a correct example of cloud-based blocked by ESET Flag.
     

    Attached Files:

  11. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    No I don't think that's it either, since afaik that warning is from the URL blacklist wich has been in the products for a long time by now.

    The Cloud Block/Suspicious Block is new to V6 if I understand Marcos correctly :doubt:

    Hopefully he will answer my post above yours so we can clear this interesting cloud stuff out:https://www.wilderssecurity.com/showpost.php?p=2200330&postcount=9
     
    Last edited: Mar 7, 2013
  12. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,618
    Perhaps I missed the ESET memo ? :cautious:

    As far as I understand cloud based blocking what I've shown here as a ESET Virus Lab Cloud Based detection notice.
     
  13. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
  14. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    The "Blocked object" detections come from suspicious websites. V6 updates the list of such websites every few minutes via cloud while older versions update it with every attempt to update, ie. every hour by default.
    I don't want to go into details as this forum may also be read by bad guys, you know.
     
  15. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Sounds great Marcos, thanks for the info. Actually I was about to post a suggestion about this, if it were possible to push out updates for the website blocking in near real-time. But now I don't have to do that :D
    Yes I know ;) Though if you want to you could send me a PM with the yummy details, but if you are prohibited to share that stuff I understand that too :thumb:
     
  16. Syobon

    Syobon Registered Member

    Joined:
    Dec 27, 2009
    Posts:
    469
  17. er34

    er34 Guest

    For me, this is not a benefit at all.

    1. Browsers (IE, FF, CHR, OP) have such functions and they block bad and suspicious pages either in real-time (IE) or by lists updated very frequently.
    2. I am 100% sure that you do not block and blacklist thousands of suspicious/bad sites every hour so it is not that important if you have the sites blacklist from 09.00 am or 10.00 am
    E.g. v5 updates every hour and it has updated at 9am and has the local blacklist from 9am. However version 6 updates live every 1 minute and at 9:30 am it has slightly a bit newer information with 5-50 (speculating) newly blacklisted sites . It remains unknown how much new sites v6 has blocked more (if any) and how much of these new sites will I encounter on my daily bases. Additionally, let's not forget the browsers.


    So, my point is - when creating new functions, let them be effective and with real world benefit, not just marketing.
     
  18. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    I can make a quick test with 0-day malware blocked by ESET to see how browsers react. My assumption is that the majority of the urls will not be blocked as they are usually changing very frequently and malware authors use tricks to prevent url blocking from being effective so it's also the proactive detection that comes into play. Needless to say that if a user happens to run a trojan downloader, it won't download its payload via browsers.

    It actually matters if a new url with malware is blocked within minutes or with a delay of several hours. As I wrote above, the urls are changing frequently and are alive for a very short time.

    LiveGrid statistics is not just marketing. They show very well how effective the blocking is; needless to say that with further improvements of the system we received much less reports of malware infection issues which is a real world experience and not just marketing.
     
  19. er34

    er34 Guest

    Above (8th March) you write only about list of sites - not servers. Sites are opened via browsers. However, connection to servers not always via browsers. Trojan downloaders don't use browsers [/that's true] but you write about only websites



    Zero-day malware PE file is totally different from bad site. Again below you write about only websites. Blocking zero-day malware is not browser's top priority [it is just extra bonus], it is AVs top priority. Again, you said that "Blocked" detection is about websites.


    Yes, the URLs are chaning frequently and Yes, it matters for some people (not for all) if they are blocked within minutes, but do you @ ESET update that frequently? The max difference you say is 60 minutes. Updating every 1 minute and every 60 minutes. So, do you update the cloud that frequently so that 1 and 60 matters that much?

    I am talking about only websites blocking and the detection "Blocked", I am not talking about LiveGrid or the previous ThreatSense.
     
  20. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    @er34

    I have a hard time trying to figure out your point here? :doubt:

    Speaking for myself, of course it matters if ESET pushes out this data every 1-3 minute or every 60 minutes. The faster the better simple as that.

    Also only because browsers got similar features built in doesn't mean that they block the same sites that ESET does. Since in my experience ESET have blocked way more sites than my browsers blacklist. And if they now push out these updates every 1-3 minutes it will be even more effective than before.

    And afaik no browser out there uses data from ESET so the browser may block some that ESET won't, and vice versa. :)
     
  21. er34

    er34 Guest




    No, no , no .

    Swex, my point is different. It seems you didn't understand it.

    It does matter if it is updates every 60 minutes or every 1 minute (I agree - that is true, although it is true just for some people) but I mean -> even if the program v6 updates every 1 minute, this does not mean ESET Virus Lab updates their speicifc websites list every single minute. And if they don't do it every single minute, this feature is pointless because it makes the REAL update interval bigger than 1 minutes and practically a lot closer to 60 minutes. Which on the other side makes it closer to previous versions which update once every hour.
     
  22. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Now I understand better:)

    But how do you know that it is the ESET Virus Lab that is handling the update process of the Cloud updates, as you describe above? It hasn't been mentioned anywhere how it actually works that I have seen yet anyway o_O

    I wonder that, because I got the impression that the new Cloud based blockings in V6 showing Blocked or Suspicious, is a fully automatic system in the cloud independent of the AV Lab. No?
     
    Last edited: Mar 12, 2013
  23. er34

    er34 Guest

    Thank you! :)



    Yes, you are right - it has not been mentioned anywhere how it works but I suppose it is the VirusLab - not the HR team. ;)

    Since sites blocking (additing bad sites to signatures or web module blacklist) in previous versions such as 3/4 (may be 5, too) is manual process, from what I have seen and read here and there - I suspect this is the same in version 6. Just the update mechanism is different (from what Marcos writes here). I can't imagine automatic system in ESET to analyze if a site is bad or good - from that said - if it is automatic it would procude tons of false positives thus - it must be manuall process from the VirusLab. But this is just my speculation and guess.
     
  24. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Bump. I am still wondering whether it is an automatic system that handles the new Blocked/Suspicious in V6 ? Or if it still is a manual process o_O

    Or is that a part of the secret Marcos? :doubt:

    Thanks :)
     
  25. Syobon

    Syobon Registered Member

    Joined:
    Dec 27, 2009
    Posts:
    469
    bad guy detected :ninja:

    jk :)
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.