cutting_edgetech

ESET Insiders
Everything posted by cutting_edgetech

  1. I'm still waiting on a top-notch behavior blocker, or a more usable HIPS like itman has also requested. I would like to see a behavior blocker that can be tuned to different levels of sensitivity. If Eset is worried about it causing false positives, especially in tests like AV-Comparatives, then just leave it disabled by default.
  2. > hxxp://www.eset.com/int/about/technology/#advanced-memory-scanner
     >
     > "Advanced Memory Scanner complements Exploit Blocker, as it is also designed to strengthen protection against modern malware. In an effort to evade detection, malware writers extensively use file obfuscation and/or encryption. This causes problems with unpacking and can pose a challenge for common anti-malware techniques, such as emulation or heuristics. To tackle this problem, the Advanced Memory Scanner monitors the behavior of malicious processes and scans them once they decloak in memory. This allows for effective detection of even heavily obfuscated malware. Unlike Exploit Blocker, this is a post-execution method, which means that there is a risk that some malicious activity could have been performed already. However, it steps into the protection chain when everything else fails."
     >
     > I assume you had something like Emsisoft's Behavior Blocker in mind when you made this request. Just wanted to mention the purpose of AMS and what it does. hxxp://static3.esetstatic.com/fileadmin/Images/INT/Docs/Other/ESET-Technology-Overview.pdf
     >
     > Edit: This PDF literally explains the ins and outs of the software itself and what happens behind the scenes on the back-end systems. Every customer/user that is interested in this kind of geek information (it is very informative) should take the time and read through the whole PDF.

     Sorry for the late reply. I have not been on the forum in a while. I didn't think I was going to get a reply to my post. Thank you for the .pdf manual. I will have to look more at AMS, but I don't think it is the same as something like Emsisoft's BB. Marcos said AMS only triggers a memory scan here: https://forum.eset.com/topic/5283-behavior-blocker/ So the question is, if it only triggers a memory scan, then is it only looking for already blacklisted executables?
  3. It would be nice to see Eset incorporate a Behavior Blocker into their products. If something slips through then the behavior blocker can help detect the malware when it executes. They could have the feature disabled by default if they are worried about it causing false positives when being tested by independent test organizations.
  4. I think you misunderstand my request. I'm requesting an option to log all dropped/blocked packets per application that violates any packet filter rule that comes preset with ESS. Many rules come by default. I don't want to just log blocked packets for a rule I have created. The only option currently is to log all traffic for an application. Logging allowed traffic consumes the log file, and makes it hard to find what I'm looking for. It probably also makes ESS a little heavier on the system.
  5. > It's already there. Just click on "configure HIPS" and you'll get a huge rules editor where you can add very specific rules.

     Thank you! I had already looked at that, and overlooked the tab for the source application. I just hope they continue to add more options on what to monitor, like physical memory access, remote code, remote data modification, use of the DNS API, keyboard access, etc.

     > Yes, that's expected. But nobody forces you to use the interactive mode. And if you create some rules (e.g. with the learning mode like you did) then you get fewer prompts.

     That's the whole point I made though. Learning Mode did not do anything to eliminate the prompts. I used learning mode for about 1 1/2 hours, and ran all my applications while in learning mode. I also used learning mode while rebooting 3 times. I received 15 minutes of non-stop prompts before I had to give up trying to use interactive mode. I actually clicked the allow button for 15 straight minutes. Interactive mode was useless on my system. That's why I say they need to use whitelisting with interactive mode to make it more usable.

     > If a rule was correctly created then it shouldn't be blocked. If it still does then it surely wasn't created correctly, or only a similar rule was created which doesn't cover the actions the application did later. For troubleshooting this we would need to know the exact application, HIPS rule(s) and more information about how you

     If the rules were not created correctly then it was not due to any error on my part. I used learning mode to create the rules. I did not make a list of the applications that were being blocked in policy-based mode, but I do remember Tor Browser being one of them. I ran all the applications that were being blocked in learning mode multiple times. Policy Mode behaved more like an AE than a HIPS. Policy Mode would have been great if it prompted me for an action instead of blocking the application.

     > Yes, this is expected in the policy-based mode. In this mode HIPS only applies the rules and blocks every other action. And again, if you want to receive a prompt you have to use the interactive mode of course.

     Well, I just responded to this one above.

     > Great, so you found the mode(s) which fit you. That's the sense of these modes. Use the one you like. And as you complained about the crowd of messages from interactive mode, I would have recommended you the Smart mode anyway. There you have a huge "whitelist", so you will only be prompted for very suspicious actions.

     Smart Mode is actually not the mode that fits me. It does not provide the leak protection I am looking for. Smart Mode is the only mode I found usable other than Automatic Mode With Rules.
  6. Rug, I can't get this forum to allow me to multiquote you to specifically address each one of your responses. I'm not sure why. I just tried multiple times, and lost my post for all my trouble. I'm so tired of losing my post on this forum. I multiquote on other forums all the time without any problems. If someone could tell me how, I would appreciate it. The multiquote button is not working. It's like it is not giving me the option since you already multiquoted me.
  7. The HIPS needs to be made more configurable. I think the user should be able to select their applications from a list, and choose what permissions their applications have. Also make better use of whitelisting for harmless system executions. I tried using interactive and policy-based mode. Interactive mode is unusable without better whitelisting. I was prompted to death. I could not use my computer for anything due to answering prompts the entire time I was on my computer. I used my computer in learning mode while running all my applications, and booted in learning mode several times. I then tried using policy-based mode, and the HIPS still blocked some of my applications even though I used those applications while in learning mode. The HIPS did not give me any option to allow them by prompt, so the HIPS behaved more like an anti-executable in policy-based mode. Automatic mode with rules and Smart Mode are the only modes that I have found usable. I have never received any prompt from either mode though, so it's not like any HIPS I have ever used.
  8. Thanks for the update Foneil! I better bookmark those links now so I won't have to look for them later on. I always try to send new threats to Eset and Webroot since I use their products.
  9. I love the new forum and its layout. It looks very professional, and it's easy to navigate. In my opinion it's very well organized, and provides easy access to whatever one may be looking for. Someone brand new to the forum should be able to navigate the site with ease. I do have some advice to provide an even better user experience. There should be a section on the forum with instructions on how to submit infected links, phishing sites, and malware samples to Eset. NOD32 allows one to submit a suspicious file, false positive, or other sample from within NOD32 itself. Someone new to Eset may not know this though, so list instructions for reporting suspicious files in the thread as well. All information related to reporting threats should be in one centralized location. Also list instructions for reporting infected links and phishing sites to Eset. I see nowhere for doing this within NOD32 itself. All instructions for reporting any type of threat should be in one centralized location. Not having this information easy to find will only hurt Eset. Allow your users / fan base to help you! We want to help you. I've been using Eset for many years, and I myself have much difficulty finding this information on the site. I looked for an address with instructions on how to submit a suspected infected site yesterday, but was unable to find it on Eset's website. I would like to see a dedicated section for this on the forum. Provide all this information in a thread, and then close the thread.