cutting_edgetech

ESET Insiders
  • Content Count

    264
  • Joined

  • Last visited

  • Days Won

    1

cutting_edgetech last won the day on February 18 2018

cutting_edgetech had the most liked content!

Profile Information

  • Gender
    Male
  • Location
    USA

Recent Profile Visitors

664 profile views
  1. I assume if I don't get a reply from Eset soon then I will have to contact their sales department.
  2. Very simple, I have 2 PCs which I use Eset on. Students these days use multiple devices for school. Also, I'm an InfoSec major so I need 2 or more computers at the very minimum. I have Linux on my laptop or I would need 3.
  3. I'm trying to use my student discount for Eset Internet Security for 2 devices for 1 year, and it is trying to charge me an incorrect price. Eset advertises 50% off for students, and Eset says the regular price is $59.99. The problem is Eset is attempting to charge me $44.99 with the discount. That is definitely not equal to 50% off. The sale price should be $30.00 off the original price, which is equal to $29.99. Does Eset honor their 50% off advertising, which can be found here? https://www.eset.com/us/offers/students/
  4. I'm still waiting on a top notch behavior blocker, or a more usable HIPS like itman has also requested. I would like to see a behavior blocker that can be tuned to different levels of sensitivity. If Eset is worried about it causing false positives, especially in test like AV comparatives then just leave it disabled by default.
  5. > hxxp://www.eset.com/int/about/technology/#advanced-memory-scanner
     > "Advanced Memory Scanner complements Exploit Blocker, as it is also designed to strengthen protection against modern malware. In an effort to evade detection, malware writers extensively use file obfuscation and/or encryption. This causes problems with unpacking and can pose a challenge for common anti-malware techniques, such as emulation or heuristics. To tackle this problem, the Advanced Memory Scanner monitors the behavior of malicious processes and scans them once they decloak in the memory. This allows for effective detection of even heavily obfuscated malware. Unlike Exploit Blocker, this is a post-execution method, which means that there is a risk that some malicious activity could have been performed already. However, it steps into the protection chain when everything else fails."
     > I assume you had something like Emsisoft's Behavior Blocker in mind when you made this request. Just wanted to mention the purpose of AMS and what it does. hxxp://static3.esetstatic.com/fileadmin/Images/INT/Docs/Other/ESET-Technology-Overview.pdf
     > Edit: This PDF literally explains the ins and outs of the software itself and what happens behind the scenes on the back-end systems. Every customer/user that is interested in this kind of geek information (it is very informative) should take the time to read through the whole PDF.

     Sorry for the late reply. I have not been on the forum in a while. I didn't think I was going to get a reply to my post. Thank you for the .pdf manual. I will have to look more at AMS, but I don't think it is the same as something like Emsisoft's BB. Marcos said AMS only triggers a memory scan here: https://forum.eset.com/topic/5283-behavior-blocker/ So the question is, if it only triggers a memory scan, is it only looking for already blacklisted executables?
  6. It would be nice to see Eset incorporate a Behavior Blocker into their products. If something slips through then the behavior blocker can help detect the malware when it executes. They could have the feature disabled by default if they are worried about it causing false positives when being tested by independent test organizations.
  7. I think you misunderstand my request. I'm requesting an option to log all dropped/blocked packets per application that violates any packet filter rule that comes preset with ESS. Many rules come by default. I don't want to just log blocked packets for a rule I have created. The only option currently is to log all traffic for an application. Logging allowed traffic consumes the log file, and makes it hard to find what I'm looking for. It probably also makes ESS a little heavier on the system.
  8. > It's already there. Just click on "configure HIPS" and you'll get a huge rules editor where you can add very specific rules. [images: HIPSOptions_ConfigureMarked.png, HIPSRulesEditor.png]

     Thank you! I had already looked at that, and overlooked the tab for the source application. I just hope they continue to add more options on what to monitor like physical memory access, remote code, remote data modification, use of the DNS API, keyboard access, etc.

     > Yes, that's expected. But nobody forces you to use the interactive mode. And if you create some rules (e.g. with the learning mode like you did) then you get fewer prompts.

     That's the whole point I made though. Learning Mode did not do anything to eliminate the prompts. I used learning mode for about 1 1/2 hours, and ran all my applications while in learning mode. I also used learning mode while rebooting 3 times. I received 15 minutes of non-stop prompts before I had to give up trying to use interactive mode. I actually clicked the allow button for 15 straight minutes. Interactive mode was useless on my system. That's why I say they need to use whitelisting with interactive mode to make it more usable.

     > If a rule was correctly created then it shouldn't be blocked. If it still does then it surely wasn't created correctly or only a similar rule was created which doesn't cover the actions the application did later. For troubleshooting this we would need to know the exact application, HIPS rule(s) and more information about how you

     If the rules were not created correctly then it was not due to any error on my part. I used learning mode to create the rules. I did not make a list of the applications that were being blocked in policy-based mode, but I do remember Tor Browser being one of them. I ran all the applications that were being blocked in learning mode multiple times. Policy Mode behaved more like an AE than a HIPS. Policy Mode would have been great if it prompted me for an action instead of blocking the application.

     > Yes, this is expected in the policy-based mode. In this mode HIPS only applies the rules and blocks every other action. And again if you want to receive a prompt you have to use the interactive mode of course.

     Well, I just responded to this one above.

     > Great, so you found the mode(s) which fit you. That's the sense of these modes. Use the one you like. And as you complained about the crowd of messages from interactive mode I would have recommended you the Smart mode anyway. There you have a huge "whitelist", so you will only be prompted for very suspicious actions.

     Smart Mode is actually not the mode that fits me. It does not provide the leak protection I am looking for. Smart Mode is the only mode I found usable other than Automatic Mode With Rules.
  9. Rug, I can't get this forum to allow me to multiquote you to specifically address each one of your responses. I'm not sure why. I just tried multiple times, and lost my post for all my trouble. I'm so tired of losing my post on this forum. I multiquote on other forums all the time without any problems. If someone could tell me how, I would appreciate it. The multiquote button is not working. It's like it is not giving me the option since you already multiquoted me.
  10. The HIPS needs to be made more configurable. I think the user should be able to select their applications from a list, and choose what permissions their applications have. Also make better use of whitelisting for harmless system executions. I tried using interactive and policy-based mode. Interactive mode is unusable without better whitelisting. I was prompted to death. I could not use my computer for anything due to answering prompts the entire time I was on my computer. I used my computer in learning mode while running all my applications, and booted in learning mode several times. I then tried using policy-based mode, and the HIPS still blocked some of my applications even though I used those applications while in learning mode. The HIPS did not give me any option to allow them by prompt, so the HIPS behaved more like an anti-executable in policy-based mode. Automatic mode with rules and Smart Mode are the only modes that I have found usable. I have never received any prompt from either mode though, so it's not like any HIPS I have ever used.
  11. Thanks for the update Foneil! I'd better bookmark those links now so I won't have to look for them later on. I always try to send new threats to Eset and Webroot since I use their products.