本帖最后由 驭龙 于 2025-5-5 16:11 编辑
说到ESET的自我保护,大家的第一印象都是认为ESET很差,很容易就被病毒干掉了,那事实上ESET的自我保护究竟怎么样呢?简单的说在ESSV10之前和远古时期的Nod32时代,尤其是Nod32时代,ESET的自我保护基本上等于0的存在,注册表随便修改,之后的ESS V5以后稍微好一些,好像是V8还是V9是通过了十年前AVC自我保护测试的,而重大转折点是V10的出现,在此之前我是一直瞧不起ESET的,那时的我只知道Norton,眼中再无其它强者,但V10的出现让我一点点喜欢上ESET了。
想当年我还发过测试帖子,特别提到V10的脱胎换骨,从那时起,我就开始一点点喜欢上ESET了,当然依旧忘不了我的norton,哈哈
https://bbs.kafan.cn/thread-2041936-1-1.html
自从V10以后,ESET的自我保护实际上就已经不算差了,而且再加上是除了WD之外第一个支持PPL技术的第三方安全软件,自我保护其实已经名列前茅了,只是仅限于ekrn核心进程,用户层的egui依旧弱不禁风,所以很多人还是认为ESET自保很弱,动不动托盘图标就被干掉了。
关于PPL的相关帖子。
https://bbs.kafan.cn/thread-2086889-1-1.html
值得一提的是后期微软强制安全软件使用PPL才能注册安全中心,后面就出现了两种PPL注册方案,其一是核心进程支持PPL,但这种核心进程加载的DLL必须支持其他安全技术,如ASLR等技术,才能让核心进程获得PPL级的保护,也就是WD和ESET还有卡巴、avira EPP等使用的方案,另一种是使用单独的一个进程启用PPL注册安全中心,这种方案的好处是不需要更改架构,直接让一个进程骗取安全中心的注册,例如旧avira和现在的avast以及BD都是这种,如avast的wsc_Pxxxy.exe(隐去名字).exe进程,就是这种,而这种方案的缺点就是安全软件的核心进程,并没有得到PPL的保护,实际上就是没有PPL技术的支持。
当然那也不意味着不使用PPL就没有自我保护强度,只不过是依赖于自身的驱动进行保护,而没有系统级的PPL级保护。
现在回到ESET的话题,刚刚提到ESET的核心进程ekrn是有PPL保护的,但用户进程的egui就弱不禁风,而它是负责系统托盘和与用户交互的进程,被干掉就意味着ESET与用户失联了,系统托盘也没图标了,就算ekrn在后台运行,保护还在,杀掉样本也不会通知用户,仿佛ESET已经死了。
在此之后的某一个ESET版本改套路了,egui只是用户界面,不再负责系统托盘和用户通知,而是有新的进程eguiPxxxy.exe负责,这个进程是由ekrn启用的,虽然没有PPL支持(用户层的都不支持PPL)但是继承了ekrn部分权限,就算被干掉也会被ekrn重启。
由于我个人原因那几年没怎么上卡饭,所以ESET的这种更新是什么时候哪个版本的,我不能确定了,但起码有六七年的时间,所以现在的ESET是拥有很强自我保护能力的,虽然也还会被个别的killer样本干掉,但ESET防不住的样本,别的安全软件也未必防得住,就看人家搞不搞你了,如果人家想搞的话,是防不住的。
自我保护只不过是预防普通技术结束进程和破坏安全软件的功能,但不是万能的,还是会被干掉,而ESET的自我保护现在只是非常不错,并非无懈可击,可我想实话实说,ESET的自我保护真的不是V8之前那种弱不禁风的自我保护了,一句话ESET的自我保护不弱。
今天为什么突然提起ESET的自我保护呢?是因为我看到上个月末ESET的新闻,他们的企业版通过了AVC防篡改的认证,也就是自我保护的认证,而且ESET还说十年前的个人版也获得过认证,所以我才想起来发这个帖子,来说说ESET的自我保护。
AVC测试的完整报告,以及技术细节,记住ESET是被火力全开的,并不是默认设置,其中livegurad也被启用高级启发式和密码保护都是启用的。
https://www.av-comparatives.org/ ... ering_2025_ESET.pdf
官方原文:
BRATISLAVA — April 25, 2025 — ESET, a global leader in cybersecurity solutions, is proud to announce that its ESET PROTECT Elite cloud solution has passed AV-Comparatives’ rigorous Anti-Tampering Test, certifying its power to protect against tampering attacks that could result in permanent, temporary, partial or complete loss of product functionality.
Usually, once a cybercriminal compromises a network/machine, staying under the radar is mission critical. This is best achieved by eliminating endpoint security software, likely by using compromised credentials to access the network and then using legitimate tools as much as possible (living off the land). This is tampering, and it can lead to major security disasters if it is not protected against.
Regarding anti-tampering, ESET excelled in tests as far back as 2014 and 2015, when independent testing found ESET’s consumer offering 100% successful in preventing tampering attacks, a major milestone compared to the 32 other participating vendors. The same was confirmed in business products in 2023, when AV-Comparatives awarded ESET PROTECT Entry the highest degree of approval, affirming ESET’s continuous focus on products that are secure-by-design.
In testing this year, ESET PROTECT Elite received acclaim for its top-notch anti-tampering security, with AV-Comparatives highlighting its password protected settings as a very relevant functionality. Besides that, the solution excelled in mitigating against registry key, DLL, file system and even kernel driver manipulation, among others. This shows that our protection agent is qualified to defend against a vast array of attacks and techniques known to tamper with key processes. These anti-tampering capabilities are applied across all advanced ESET PROTECT tiers, including our XDR-enabling component, ESET Inspect.
”If a security tool can be tampered with, it’s not a security tool — it’s a vulnerability. At ESET, we take that principle seriously. We strive to deliver the highest level of protection, and anti-tampering has been one of our core defenses against hacking attempts for many years. In fact, it’s been over a decade since we pioneered several technologies specifically designed to safeguard our software from manipulation — making us one of the first vendors to do so. We're proud that AV-Comparatives has recognized that our commitment to this crucial functionality remains strong and relevant,” said Zuzana Legáthová, Director of Test, Analyst Relations and Market Research.
For any endpoint security solution, independent testing done by analysts is how a product receives professional acclaim and certification proving its expert competence. With Anti-Tampering becoming increasingly relevant in view of novel sophisticated threats such as EDR killers, it’s crucial for any business to seek a solution that can fill security gaps that might not be so obvious, such as the integrity of the product itself.
|
[复制链接]
发表于 
楼主