Eset NOD32 Antivirus and Eset Smart Security version 9

Discussion in 'other anti-virus software' started by Blackcat, Oct 26, 2015.

  1. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    977
    Location:
    UK
    itman, nowhere on the cloudcar website does it say it's an HTTP-only test.

    It says it's a cloud test. Cloud and HTTP are not the same thing.

    Cloud-based protection means not using traditional virus signatures, but instead cloud lookups are done using reputation systems.
    Cloud protection can be used on real-time file scanning, HTTP scanning, email scanning and so on; it's nothing specifically tied to HTTP.

    EICAR is a test of traditional non-cloud protections using virus definitions, so why would I use EICAR to test cloud functionality?

    I would love to see these published tests test components individually, which would highlight the vendors who don't take a layered approach (such as ESET), rather than just one test with everything turned on.

    As already stated, there are multiple problems with what's going on, none of which has really been explained, and as such it still looks to me like ESET are trying to pass off a bug as a feature.

    1 - HTTPS scanning isn't viable because it breaks HTTPS recommended practices, so as such HTTPS protection can be considered weak on ESET if people follow what they should do, which is to disable HTTPS scanning: no cloud protection in place.
    2 - HTTP scanning is on by default and doesn't break any RFC guidelines, but does, at least on my system, cause performance problems with browsing. There is also the fact it only protects HTTP traffic in recognised browsers: not email, not torrents, not files copied locally to the device, not files uploaded via vulnerable services, etc.
    3 - Cloudcar is in ESET's cloud database; I know this because it is detected on an HTTP test. However, for unknown reasons (yes, it hasn't been explained other than to say no, it should not work this way, which is a bit vague) it isn't detected by other means of scanning such as file-based scanning and email scanning; if I email the file to myself there is no warning even though I have ESET LiveGrid and protocol filtering enabled.

    By the way, how did you directly contact Jamie King?

    I quote Marcos:

    So ESET think HTTP and email are the only attack vectors on a Windows system? Wow, just wow. Also, it isn't detected by email scanning on NOD32 Antivirus.
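    Point 1 above turns on whether an HTTPS-filtering product is re-signing traffic with its own locally installed root. The script below is an added example (not ESET's code and not from this thread) that a defender can use to confirm from the client side whether a connection is being intercepted: it fetches the leaf certificate and checks who issued it. The filter CA name "ESET SSL Filter CA" and the other hints are assumptions; replace them with whatever root certificate you actually find in your trust store. The sample certificate dictionaries are constructed, not captured.

```python
"""Detect client-side TLS interception by inspecting the certificate issuer.
Added illustration, not vendor code.

When a product performs HTTPS/SSL protocol filtering it terminates the TLS
session locally and presents the browser with a leaf certificate signed by
its own root (which it has added to the OS trust store).  The handshake
therefore validates fine, so the only reliable client-side tell is the
issuer of the certificate actually received.
"""
import socket
import ssl

# Issuer CN fragments that indicate a local TLS filter rather than a public CA.
# ASSUMPTION: "ESET SSL Filter CA" is the name ESET's filter root is assumed to
# carry; adjust these hints to what your own trust store shows.
LOCAL_FILTER_CA_HINTS = ("ESET SSL Filter CA", "Filter CA", "Local Proxy")


def issuer_common_name(peercert: dict) -> str:
    """Extract the issuer commonName from a dict in ssl.getpeercert() layout:
    'issuer' is a tuple of RDNs, each RDN a tuple of (attribute, value) pairs."""
    for rdn in peercert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return ""


def classify_issuer(peercert: dict) -> str:
    """Return 'intercepted', 'public-ca' or 'unknown' for one peer certificate."""
    cn = issuer_common_name(peercert)
    if not cn:
        return "unknown"
    if any(hint.lower() in cn.lower() for hint in LOCAL_FILTER_CA_HINTS):
        return "intercepted"
    return "public-ca"


def fetch_peercert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Open a TLS connection with the system trust store and return the leaf
    certificate.  A filter root that was added to the OS store validates
    without complaint, which is exactly why we inspect the issuer instead of
    relying on the handshake outcome."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in ssl.getpeercert() layout (not real captures).
SAMPLE_INTERCEPTED = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("commonName", "ESET SSL Filter CA"),),),
}
SAMPLE_PUBLIC = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("organizationName", "Example CA Ltd"),),
               (("commonName", "Example Public CA R3"),)),
}

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    cert = fetch_peercert(host)
    print(host, "issuer:", issuer_common_name(cert), "->", classify_issuer(cert))
```

    One caveat follows from point 2 in the same post: ESET's protocol filtering applies only to the applications it recognises, so a script like this may be left unfiltered while the browser is intercepted. Compare its verdict with the issuer shown in the browser's own certificate viewer before drawing conclusions.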
     
  2. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    977
    Location:
    UK
    Are all these products broken?

    I tested cloud lookups from my filesystem on these products which all passed.

    Norton
    Avast
    Webroot
    Avira
    Mcafee

    They all don't know what they're doing, but ESET, the odd one out, does, right?

    Please explain how you directly contacted the VP of AMTSO, as I need to confirm you're not an industry insider.
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,398
    Location:
    U.S.A.
    Go to the AMTSO web site. You can send an e-mail from there to AMTSO.

    Appears you found something that meets your requirements. So just use one of those products.

    In reality, you have no way of validating the actual off-line cloud lookup or other method detection effectiveness pertaining to in-the-wild 0-day malware for the above vendors. All that is being demonstrated is they can detect the cloudcar.exe file.

    These vendors could also be "fudging" on the off-line detection by only establishing a network connection and doing a cloud lookup when they detect the presence of the cloudcar.exe file on the hard drive. The distinction here is a bit subtle. The cloud lookup should be done first and the file detected by a cloud reputation blacklist. This implies that every file is being scanned in the cloud upon execution or during off-line on-demand scanning. However, if the file was flagged, for example, as suspicious or unknown locally prior to doing a cloud lookup, then this is "fudging." Worse, if these vendors are detecting the cloudcar.exe file off-line by some local blacklist or signature method, it is a violation of AMTSO policy for the Cloudcar test. Finally, and most importantly, there is no requirement by AMTSO that a previously downloaded cloudcar.exe be reputation scanned in the cloud. The whole point of the test is to prevent the file from downloading in the first place.

    -Footnote-

    If indeed the above vendors are performing legit off-line cloud reputation file scanning exclusively, I don't want anything to do with them. APT 0-day malware will launch a multi-stage attack on your PC. One of the first things it does is tamper with your network settings or intercept your network traffic. Once that is accomplished, any cloud based security reputation detection of the malware is nullified. With a local based reputation database used for off-line file scanning, you at least stand a chance of detecting the malware in an on-demand scan or upon execution assuming the malware has been detected by the security vendor and blacklisted prior to the infection.
     
    Last edited: Feb 8, 2016
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,441
    Cloudcar simply does not meet file attribute requirements for local "cloud" lookups. ESET uses various types of hashes for cloud lookups; while some are used only by web and email protection, the others (more sophisticated) are also used locally by other scanners.
    Keep in mind that ESET uses an approach to (cloud) detection that may be different from what other companies use. All technologies described in the pdf above are proprietary and are highly efficient for combating newborn malware.
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,398
    Location:
    U.S.A.
    A suggestion in regard to this. Eset should develop a test file that is loaded in the off-line rep database and available for download via the Eset Forum. Other vendors such as MalwareBytes have such a file that is used to verify their anti-exploit protection. Users such as Chrcol could use such a test file to verify that Eset's off-line rep scanning works properly.

    Personally, I feel such tests are worthless since they are vendor supplied but the tests appear to be popular among users such as Chrcol.
     
  6. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,094
    Location:
    Germany
    If ESET has the ability for local cloud lookups, there should be a way to test if they are working properly.
     
  7. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    977
    Location:
    UK
    The only contact I found was to a members-only mail list, which has yet to get a reply, now for about 3 weeks.

    If it's so easy to find, why not post the email address here?
     
  8. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    977
    Location:
    UK
    Exactly my point.
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,398
    Location:
    U.S.A.
    On the home page, scroll down to the button "Send Us A Mail" and click on it. I received a response within hours from them.

    [attached screenshot: upload_2016-2-9_10-5-9.png]
     
  10. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    977
    Location:
    UK
    Yeah, that's what I did; the only reply I got was this automated reply.

    Isn't it odd how you just got a reply?

    I got that reply 2 weeks ago now and nothing since.

    Well, Marcos hasn't replied since FleischmannTV chipped in; it cannot be that hard to test local cloud lookups without real malware. :)
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,398
    Location:
    U.S.A.
    Yes, I received that same robo reply initially. Then I received a reply from AMTSO shortly thereafter. I did fully identify myself when I sent the e-mail i.e. name, address, etc.

    Also, I am tired of your insinuations. Below is the e-mail I received from John Hawes who is the Chief Technology Officer of AMTSO. Note the portion I underlined:

    Hi Don,

    I've read through the Wilders thread you mentioned and I think I understand the problem. The CloudCar test file is intended to check whether cloud-based protection is enabled and properly functioning **only in the way described on the relevant AMTSO Security Features Check web page** - "If you are able to download this file successfully, your Anti-Malware Cloud Lookup solution is NOT configured correctly." All the listed vendors have agreed to include cloud-only detection for this test file **acquired in this manner**, and have confirmed that the download should be blocked if their cloud features are properly functioning.

    If you try to use the file to test the availability of cloud protection features in other ways, your mileage may vary - basically, anti-malware solutions vary immensely in how they operate, and finding a one-size-fits-all solution to this problem is by no means simple.

    I agree it would be useful to have a tool which could check standard on-access protection is also talking to its cloud properly, but as mentioned in the forum thread, for some products this may rely on the file producing enough initial grounds for suspicion to spark the cloud lookup. As yet we do not have a specific solution for this, but AMTSO is working on numerous improvements and expansions to the set of tools in the Security Features Check, so if you have any other suggestions or ideas that might be useful, please feel free to send them to me directly or to
    info@amtso.org

    In the meantime, if you need a way of testing a specific setup not covered by our tools, you may be best off talking directly to the vendor in question - most vendors have their own test tools and sample files for internal QA and support purposes, which may also be used by professional testers to validate their testing setups, and those will be tuned to the specific vendor or product’s approach and technologies. If you like, I’d be happy to contact them and see if they can provide anything suitable.

    Hope that helps,

    John

    --
    John Hawes
    Chief of Operations, Virus Bulletin

     
    Last edited: Feb 11, 2016
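    John's email draws the line this thread keeps crossing: the AMTSO check only promises that the download is blocked, while chrcol wants the same bytes tested against on-access scanning. The script below is an added example (not AMTSO's or ESET's tooling, and not from any post here) that runs both halves separately so the two results can be reported side by side. TEST_FILE_URL and EXPECTED_SHA256 are placeholders; neither value appears in the thread and both must be taken from the AMTSO Security Features Check page. The classification rules for status codes and block pages are my assumptions about how filters usually refuse a transfer.

```python
"""AMTSO-style cloud lookup check, split into the two components argued over
in the thread.  Added example; not AMTSO's or ESET's tooling.

1. attempt_download() / classify_download(): the check as the AMTSO page
   defines it, i.e. the transfer itself must be blocked by the web filter.
2. stage_on_disk(): the extra step chrcol asked for, i.e. put the same bytes
   on disk and watch whether on-access scanning reacts.
"""
import hashlib
import os
import tempfile
import time
import urllib.request

TEST_FILE_URL = "https://PLACEHOLDER.invalid/cloudcar.exe"   # placeholder: take from the AMTSO page
EXPECTED_SHA256 = "PLACEHOLDER_SHA256_FROM_AMTSO_PAGE"        # placeholder: take from the AMTSO page


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify_download(status, body, error=None, expected_sha256=EXPECTED_SHA256):
    """Interpret one download attempt (assumed rules, see lead-in).

    'blocked'     : connection-level failure, or 403/451: the filter (or the
                    server) refused to hand over the file.
    'received'    : HTTP 200 and the bytes hash to the published value, so
                    the web filter let the test file through.
    'substituted' : HTTP 200 but different bytes, typically the product's own
                    HTML block page in place of the file; treat as blocked
                    but confirm by looking at the body.
    'unavailable' : any other status (e.g. 404), which says nothing about
                    the product under test.
    """
    if error is not None:
        return "blocked"
    if status in (403, 451):
        return "blocked"
    if status != 200:
        return "unavailable"
    if sha256_hex(body) == expected_sha256:
        return "received"
    return "substituted"


def attempt_download(url=TEST_FILE_URL, timeout=15):
    """Fetch url and return (status, body, error) in classify_download() form."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(), None
    except urllib.error.HTTPError as exc:      # an error status answered by server or filter
        return exc.code, b"", None
    except OSError as exc:                     # reset/refused/timeout: transfer never completed
        return None, b"", exc


def stage_on_disk(body: bytes, settle_seconds: float = 10.0) -> str:
    """Write body into the temp folder and report whether it survives.

    Returns 'removed' if something (an on-access scanner) deleted or
    quarantined the file within settle_seconds, else 'survived'.  A product
    that consults the cloud only on the download path is expected to return
    'survived' here even when the download itself was blocked; reporting
    both verdicts is the component-level view the thread asks for."""
    fd, path = tempfile.mkstemp(prefix="cloud-lookup-check-", suffix=".exe")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(body)
        deadline = time.monotonic() + settle_seconds
        while time.monotonic() < deadline:
            if not os.path.exists(path):
                return "removed"
            time.sleep(0.25)
        return "survived"
    finally:
        try:
            os.remove(path)
        except OSError:        # already gone (quarantined) or locked by the scanner
            pass


if __name__ == "__main__":
    status, body, error = attempt_download()
    verdict = classify_download(status, body, error)
    print("download path :", verdict)
    if verdict == "received":
        print("on-access path:", stage_on_disk(body))
```

    Run it on the machine under test with the placeholders filled in. A result of "blocked" on the download path and "survived" on disk is exactly the behaviour Marcos describes for ESET and is consistent with the AMTSO definition; it is only a failure of the published check if the download path reports "received".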
  12. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    977
    Location:
    UK
    What's his direct email address?
     
  13. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    977
    Location:
    UK
    On another note, I discovered what seems perhaps odd behaviour with a custom HIPS rule.

    So I have a HIPS rule that requires approval to run a binary from the local profile temp folder.

    Interestingly, when doing some SRP-related testing I was running a program from the temp folder as the admin user and nothing was happening, just a small spinning circle on the mouse cursor indicating it was waiting for something. I then tried to run it a few more times in quick succession and the Explorer window stopped responding; after I force-killed the Explorer process the binary ran. (There was no prompt from NOD32 shown in all of this.)
    I switched user back to my normal account, and the reason for the wait was that there was an approval prompt there waiting for me: it was asking the wrong user for approval. Now, I guess given my main account is the one that configured the HIPS rules, it sort of makes sense. I tested a few more times and confirmed that after switching back to my main user, clicking allow, then switching back to admin, the binary executed.
    The issue is how I managed to get it to execute the first time, when I killed the Explorer process without HIPS approval.
     
  14. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,441
    I've tried to reproduce it on Windows 10 to no avail. I was able to switch between a standard user and administrator account and HIPS always asked to select an action.
     
  15. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    977
    Location:
    UK
    This is on Windows 8.1 Pro.

    I will test again if I have time, to try and repeat it.

    So the scenario is:

    Windows 8.1 Pro 64-bit
    Make a HIPS rule to require approval to run binaries from the path (in my case the temp folder).
    Log onto a different account from the one that gets NOD32 alerts; in my case it's the main admin account.
    Try to run a binary from that folder on the second account.
    You should see a spinning circle on the cursor as it's waiting for the first account to approve the request.
    When I got it to run, I tried to run the exe again many times in quick succession whilst it was waiting for NOD32.
    The explorer.exe process then hung, and I killed it via Task Manager.
    Immediately after Explorer was killed, the app ran.
     
  16. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,305
    I am getting some ERR_SSL_PROTOCOL_ERROR errors using Chrome along with Eset Smart Security 9; a refresh makes the page work, but it is annoying. Is it a known bug?
    Seems related to SSL/HTTPS scanning...
     
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,398
    Location:
    U.S.A.
    Yes, there have been past issues with Chrome and SSL protocol scanning. Here's a link to the latest posting in the Eset forum: https://forum.eset.com/topic/7253-ess-9s-ssl-not-working-properly-used-to-before/ . If trying what is suggested there doesn't work, search for other related postings. If nothing helps, best to post your problem over in the Eset SS forum with specifics, e.g. screen shots, etc.
     
  18. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,305
    Thanks, I followed Marcos's instructions and it seems that everything is fine for now.
     
  19. Moose World

    Moose World Registered Member

    Joined:
    Dec 19, 2013
    Posts:
    744
    Location:
    U.S. Citizen
    Question please, for anyone: I have a year-old and/or older licence key for ESET Smart Security; will it work on ESET Smart Security 9?
    It was never used. Or can I PM the older licence key so it will work with ESET Smart Security 9?

    Kind regards,
     
  20. m0unds

    m0unds Registered Member

    Joined:
    Nov 12, 2015
    Posts:
    218
    AFAIK, if it has time left on it, you can use it to license the newest version.
     
  21. Moose World

    Moose World Registered Member

    Joined:
    Dec 19, 2013
    Posts:
    744
    Location:
    U.S. Citizen
    @m0unds,

    Thank you for the quick reply! Appreciated! :)
     
  22. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    3,926
    Would someone please be so kind to post the link for the offline installer for version 9 of NOD32? Thanks in advance!
    After many months offline I forgot the link. No, you don't have to post the full link, just where to find it (my bad, I forgot it). Yes, I renewed my licence.
     
  23. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    5,906
    Location:
    New York City
    http://support.eset.com/kb2885/
     
  24. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    3,926
    Thank you Thankful.
     
  25. CHEFKOCH

    CHEFKOCH Registered Member

    Joined:
    Aug 29, 2014
    Posts:
    395
    Location:
    Swiss
    ESET NOD32 Antivirus 9.0.375.0

    9.0.375.0 Final - x86 (English)
    http://download.eset.com/download/win/eav/eav_nt32_enu.msi

    9.0.375.0 Final - x64 (English)
    http://download.eset.com/download/win/eav/eav_nt64_enu.msi
     
    Last edited by a moderator: Mar 1, 2016