KuppingerCole Report
Executive View
By John Tolbert

ESET Endpoint Security

ESET Endpoint Security covers the widest variety of endpoint operating systems. This endpoint protection product consistently rates very highly in terms of detection in independent malware detection tests. The product is also one of the top-performing, lowest-impact endpoint security agents available in the market today.

1 Introduction

Malware continues to be a pervasive and costly threat to businesses, governments, and end-users worldwide. Multiple reporting sources estimate that total malware-related cybercrime costs will reach $2 trillion globally in 2019 and will rise to $6 trillion by 2021.

Malware comes in many forms: viruses, worms, rootkits, botnets, file-less malware, ransomware, and crypto-miners are prevalent in the wild. Malware is usually, and almost by definition, an exploitation of an operating system or application vulnerability.

Viruses are far more sophisticated than they were decades ago. Now viruses are generally polymorphic, meaning they alter their structure to try to avoid detection upon every iteration. Viruses infect files and usually need user interaction to initiate a compromise.

Worms spread across unsecured networks, relying upon unpatched, compromised applications and unprotected ports.

Rootkits are low-level malware usually implemented like device drivers in operating systems. Rootkits allow bad actors complete control of affected machines.

Botnets are collections of controlled devices, often compromised by rootkits, that are used in large numbers to magnify other kinds of attacks, such as Distributed Denial of Service (DDoS) attacks, credential stuffing, account take-overs (ATOs), or other forms of cybercrime. Botnets can be composed of PCs, servers, smartphones, IoT devices, etc.

File-less malware is a fairly recent malicious innovation that seeks to avoid signature-based anti-malware scanners by propagating between machines without being written and transferred as files. Instead, file-less malware is malicious code which spreads by process or memory injection. Once on a target device, file-less malware uses native tools like PowerShell to assemble and execute the malicious payload.

Ransomware attacks are still popular and evolving. Ransomware is a form of malware that either locks users’ screens or now more commonly encrypts users’ data, demanding that ransom be paid for the return of control or for decryption keys. Needless to say, paying the ransom only emboldens the perpetrators and perpetuates the ransomware problem.

Many businesses and government agencies have been hit with ransomware over the last few years. Healthcare facilities have been victims. Transportation infrastructure has been affected. Even police departments have been attacked and lost valuable data. As one might expect, protecting against ransomware has become a top priority for CIOs and CISOs in both the public and private sectors.

Much of the cybersecurity industry has, in recent years, shifted focus to detection and response rather than prevention. However, in the case of ransomware, detection is pretty easy because the malware announces its presence as soon as it has compromised a device. That leaves the user to deal with the aftermath. Once infected, the choices are to pay the ransom and hope that malefactors return control or send decryption keys (not recommended, and it doesn’t always work), or wipe the machine and restore data from backup.

Restoration is sometimes problematic if users or organizations haven’t been keeping up with backups. Even if backups are readily available, time will be lost in cleaning up the compromised computer and restoring the data. Thus, preventing ransomware infections is preferred. However, no anti-malware product is 100% effective at prevention. It is still necessary to have good, tested backup/restore processes for cases where anti-malware fails.

Most ransomware attacks arrive as weaponized Office docs via phishing campaigns. Disabling macros can help, but this is not universally effective since many users need to use legitimate macros. Ransomware can also, less commonly, come from drive-by downloads and malvertising.

Crypto-jacking is the unwanted execution of crypto-mining software on user devices. Crypto-jackers capitalized on the surge of cryptocurrency prices. Though cryptocurrency prices are down a bit currently, crypto-jacking is still a threat to unprotected devices, annoying device owners with increased power costs and depleted batteries in the case of mobile devices. Initially, some anti-malware solutions did not identify crypto-mining software as malicious, since it could be built with freely available and sometimes legitimate code.

Key features of endpoint protection products include host-based agents for detecting and preventing execution of malicious code; a management console for collecting and analyzing information from deployed agents, collecting agent patch status, and pushing upgrades; and an interface to Security Intelligence systems.

All end-user computers, smartphones, and tablets should have anti-malware endpoint security clients installed, preferably with up-to-date subscriptions. Servers and virtual desktops should be protected as well. Windows platforms are still the most vulnerable, though there are increasing amounts of malware for Android. It is important to remember that Apple’s iOS and Mac devices are not immune from malware, and as market share increases, particularly for Mac devices, the amount of malware for that platform will increase too.

2 Product Description

ESET Endpoint Security is ESET’s multi-platform offering for endpoint anti-malware and other endpoint security features. It runs on Windows 10, 8, 7, Vista, XP; Windows Server 2019, 2016, 2012, 2008, 2003; Mac OS 10.9+; all major Linux variants; z/OS; VDIs; and Android 4+ and iOS 9+ mobile operating systems. All nodes in a customer organization can be managed via ESET Security Management Center, which can run on-premises or in a hybrid deployment and can be managed as SaaS through ESET’s cloud-based console. The product is licensed by node, with monthly or annual subscriptions available.

ESET agents have kernel-level components for self-defense. ESET Network Attack Protection, Reputation & Cache or Exploit Blocker features prevent execution of unknown threats to protect the agent(s) themselves. For example, Reputation & Cache locally hosts reputation information to enhance performance. Agents communicate with ESET Live Grid® in the cloud to get updated information on potential threats and file reputations. ESET agents use sandboxing locally and, if customers consent, send suspicious code to ESET’s cloud sandbox for detonation and analysis. The ESET sandbox emulates apps, browsers, OSes, networks, and the cloud. Results from sandbox analysis can then be compared against ESET’s DNA Detections (described below). The agent does not use micro-virtualization techniques.

The ESET Augur engine is the component which uses multiple, advanced Machine Learning (ML) techniques to detect malware. The Augur engine uses deep learning neural nets and long short-term memory plus additional unsupervised ML sorting algorithms. Augur analysis informs the ESET DNA Detections component, which extracts the bad “genes” of malicious code and extrapolates results to allow the widest possible detection of potential malware. ESET emphasizes that this approach differentiates their product from competitors, in that it is not limited to examining only large-scale malicious behavior in files. Thus, it allows ESET to detect and prevent polymorphic viruses, ransomware, and other trojans.

Botnet Protection and Network Attack Protection are the components that detect and deflect these types of respective attacks. Botnet Protection uses Network Traffic Analysis techniques to search for and then shut down command & control traffic. Network Attack Protection is an adjunct to the endpoint firewall feature which can prevent attacks by worms.

ESET’s anti-stealth technology is used to find hidden registry changes and defeat rootkits. Rootkits are kernel-mode drivers or code hidden in the boot sectors of disks. ESET Endpoint Security has algorithmic rootkit scanners, which watch for subtle mapping changes in low-level and usually undocumented system APIs. Though other endpoint security products have Windows rootkit protection, ESET also can detect and remediate rootkits in MacOS.

ESET Exploit Blocker watches applications that commonly have vulnerabilities, such as browsers, Adobe Reader and Flash, monitoring for the execution of malicious code techniques. It does not just rely on specific CVE identifiers, but rather behavioral analysis. This enables ESET to catch previously unknown and even zero-day attacks.

ESET detects and prevents file-less malware. File-less malware was first seen in 2017, and it was developed specifically to evade anti-virus products. File-less malware “lives off the land”, that is, uses native tools in the operating system like PowerShell to assemble and execute malicious code. File-less malware can be injected into clean processes’ memory space in an attempt to avoid suspicion. Advanced Memory Scanner is the ESET Endpoint Security module which constantly monitors all processes and their memory spaces for new executable content. Though it is a post-execution technique, Advanced Memory Scanning can uncover malware that is obfuscated or encrypted.

Crypto-jacking apps and websites mine cryptocurrency for their operators, using the computing resources and power of others. Originally developed as a non-malicious way for websites to generate revenue, some crypto-miner operators aggressively use others’ resources, making them unwanted software. While generally not as destructive as ransomware or other common forms of malware, crypto-jackers drive up costs and run down the batteries of the unwilling miners. ESET Endpoint Security can discover and shut down crypto-jacker code.

ESET Endpoint Security can also detect and disable spyware, adware, and malvertising, and can be used to detect steganographic data exfiltration techniques.

ESET Endpoint Security possesses the rare technical capability of being able to scan the Unified Extensible Firmware Interface (UEFI), and ESET was the first vendor to catch the LoJax UEFI rootkit in the wild in 2017. In the case of special hard-to-remove malware types, ESET provides downloadable utilities.

In addition to malware detection and prevention, ESET Endpoint Security includes endpoint firewall, host-based intrusion prevention system (HIPS), URL filtering, application whitelisting, and system file integrity monitoring functionality which can be administered through the enterprise management console. ESET provides endpoint and vulnerability assessments and can report on vulnerability/exploit status by CVE. Moreover, the agent can perform “virtual patching” with its Exploit Blocker feature, which prevents known exploits from running.

ESET can send event info to Splunk or QRadar SIEM systems, or any SIEM that supports syslog. ESET Security Management Center (ESMC) also works with Remote Monitoring and Management (RMM) solutions such as ConnectWise, TigerPaw, or Kaseya. ESMC allows API access for other security solutions including SOAR. ESMC does not currently interoperate with other vendors’ Unified Endpoint Management solutions.

In order to better protect the management console, customers can use ESET Secure Authentication (at no extra charge) to set strong and/or Multi-Factor Authentication requirements. ESET Secure Authentication supports the SMS One-Time Password (OTP) and Mobile Push Notification methods. Customers can also build authentication apps using ESET’s SDK and APIs. Federated access using SAML is not supported. ESET agents require administrative privileges to install and configure, and the solution does interoperate with common Privileged Access Management (PAM) systems.

3 Strengths and Challenges

ESET Endpoint Security is a feature-rich solution for protecting almost all operating systems in use today. In addition to robust anti-malware capabilities, ESET is a suite of integrated endpoint security features including firewall and file integrity monitoring. All of these functions can be easily administered from the ESET Security Management Center. Support for 38 languages is included.

ESET makes good use of multiple sophisticated ML algorithms to discover malware in their DNA Detections component. ESET has been actively using ML in their products since 1998. ESET employs many advanced techniques at all stages of possible interception, including pre-execution (UEFI Scanner, Network Attack Protection, Reputation & Cache, and In-Product Sandbox), execution (Exploit Blocker, Ransomware Shield, Advanced Memory Scanner, and Script Scanner [AMS]), and post-execution (LiveGrid Protection and Botnet Protection).

ESET has a global support organization. ESET’s products are enhanced by information from ESET Threat Intelligence, which provides detailed security analysis and whose team publishes results of their threat research.

Adding support for SAML federation for administrative users, particularly for the cloud-based ESET Endpoint Security Management Center, would be advantageous.


Strengths

  • Consistently strong results in independent testing
  • Support for most every operating system
  • Excellent implementation of multiple, advanced ML algorithms for discovering malicious behavior in code, including zero-day exploits
  • Complete suite of detection and protection techniques, including pre-execution static analysis and post-execution behavioral analysis, exploit blocking, botnet protection, network attack protection
  • UEFI scanning ability
  • SMS OTP and Mobile Push Authentication options for administrative users


Challenges

  • No support for SAML federation for administrative users
  • Agents do not use multi-path dynamic execution
  • Agents do not use micro-virtualization techniques


©2020 KuppingerCole Analysts AG all rights reserved. Reproduction and distribution of this publication in any form is forbidden unless prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole's initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaim all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole do not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.