I wrote a thing about a thing.

Specifically, Finding Vulnerabilities with Crassus – A Case Study with ESET.

I created Crassus on a whim a few years ago, and it's interesting to see that it still can find things.

It's also interesting (disappointing) that reporting vulnerabilities to vendors is still as painful as ever.

@wdormann "Currently it is not possible to improve behavior."

-____________-

@wdormann
You did Crassus? Nice, thanks.
@FritzAdalis
I'm flattered that you even knew about it! 🎉

@FritzAdalis @wdormann also came here to say exactly this. Kudos 😎

I've been looking to play around with this for a while as it looks awesome.

@wdormann Hey, thanks for the report and sorry about that response. Whoever wrote it was not being very helpful, I'll look into that. By "another product" they mean ESET Endpoint Security which has a driver that (should) enforce self-defense on the path. Without EES, EIConnector doesn't work. That however doesn't make this finding invalid, if you are somehow able to install one without the other.

@j91321
Thanks.

I think at the end of the day, "Product <foo> is vulnerable, but product <bar> mitigates it" does not change the fact that "Product <foo> is vulnerable".

Specifically, in my original analysis, I installed the product with ESET Endpoint Antivirus 11.0.2044.0, and that product does not do anything to mitigate the vulnerability.

I don't know if it's an EEA vs. EES thing, or a version number thing. But either way, it is indeed possible to install ESET Inspect Connector in a way that truly is vulnerable.

Personally, I think that if ESET Inspect Connector contains a vulnerability, then that product itself should get the attention it needs to mitigate it, without relying on another product to mitigate it.