persian-boy gave kudos to Marcos in Scheduled Scans
Actually advanced users love the ability to customize numerous settings. Common users don't need to go to the advanced setup at all since ESET products provide well-balanced protection out of the box.
-
persian-boy gave kudos to nexon in Scheduled Scans
Please add a virtual keyboard for entering the password on screen with the mouse.
-
persian-boy gave kudos to jems in Scheduled Scans
Separate scans for a vulnerability scan AND a rootkit scan, à la KTS.
-
persian-boy gave kudos to itman in Scheduled Scans
Add an option to the realtime scanner to block obfuscated PowerShell scripts. The option would be dependent upon the Win 10 AMSI option being enabled in the ESET GUI.
Justification
Microsoft added a like mitigation in the form of a Windows Defender Exploit Guard ASR mitigation effective with Win 10 1709. ASR mitigations are only effective if Windows Defender is enabled as the realtime scan engine.
Further justification is ESET's failure to detect malware in a highly obfuscated PowerShell script in a Malware Research Group ad hoc test: https://www.mrg-effitas.com/research/current-state-of-malicious-powershell-script-blocking/
-
persian-boy gave kudos to itman in Scheduled Scans
Add a column showing the PID number in the following logs, after the noted existing log column headings:
1. HIPS - Application
2. Network - Source
This is necessary to properly identify the origin of multiple occurrences of the same process, such as svchost.exe.
-
persian-boy gave kudos to Samet Chan in Scheduled Scans
Add Dark Mode; on ESET NOD32 it would be great.
-
persian-boy gave kudos to Peter Randziak in Scheduled Scans
Hello guys,
Ransomware Shield is a behavioral protection feature utilizing data from the ESET LiveGrid reputation system.
Regards, P.R.
-
persian-boy gave kudos to Wolf Igmc4 in Scheduled Scans
Add a behavior blocker based on the reputation system of ESET. Yes, I said this some time ago, but if ESET doesn't add it, in the future this will be a big problem.
-
persian-boy gave kudos to itman in Scheduled Scans
It actually used to do this prior to ver. 11. I believe this has something to do with Microsoft's decree to AV vendors that they can't interfere with the boot process in Win 10 ver. 1709. I am actually surprised that ESET even processes an Ask HIPS rule in ver. 11 and instead just auto-allows it. I know it is doing so because it will slightly delay your boot time, something I thought wasn't supposed to happen on Win 10 ver. 1709.
Again it is a bit peculiar that the HIPS default action is allow. However, it always has been this way. To be honest, I seriously doubt Eset will change it to block mode.
A proper frame of reference for you is that ESET first and foremost created the HIPS for its own internal use. As such, it really isn't designed to be user configurable other than to create a few exception rules. This is even more evident in the retail versions of ESET. For example, ESET added file wildcard capability a while back for the Endpoint versions but refuses to do so for the retail versions.
-
persian-boy gave kudos to itman in Scheduled Scans
I explained this once to you. ESET has internal default rules and those rules take precedence over any user-created rules.
Also, if an alert response is not received within a short period of time, ESET will auto-allow the action. This comes into play, for example, with any ask rule that might be triggered during the boot process. Those will be allowed by the time the PC initializes, the desktop appears, and finally the ESET GUI is started.
-
persian-boy gave kudos to itman in Scheduled Scans
Nvidia, in their "infinite security wisdom", created two .bat scripts that they dumped in the C:\Windows directory. Their startup service can run these .bat scripts as recovery procedures if errors are encountered in their software. So basically, you have to allow svchost.exe to run cmd.exe. Not the most secure thing to do if malware creates a malicious service. Hence my recommendation that file wildcard support is needed.
There is also the issue of why the HIPS hasn't been updated to reflect Win 10's current ability to uniquely identify an individual svchost.exe service by process ID.
-
persian-boy gave kudos to eternalromance in Scheduled Scans
Description: Add option to enforce firewall rules created on the spot until the PC is rebooted
Detail: Please add an option to enforce firewall rules created on the spot until the PC is rebooted or powered off
-
persian-boy received kudos from Wolf Igmc4 in Scheduled Scans
Suggestion: Reputation scan
A custom scan that scans the whole hard drive with LiveGrid and gets reputations for everything (DLL, EXE, ...) on the machine.
-
persian-boy received kudos from Aryeh Goretsky in Scheduled Scans
Suggestion: Separate export and import of settings or HIPS
-
persian-boy gave kudos to peteyt in Scheduled Scans
Description: More information in system cleaner
Detail: I have mentioned this previously. System Cleaner is the new tool in version 11 that alerts you to system settings that have been changed from the default, the idea being that they could have been changed by malware.
The issue is that they give no information on the actual setting, just the type of setting. I tested this feature by clicking to change settings, hoping I would be shown the changes and be able to make a decision.
What would make more sense is having a way to see the actual changes and a way to ignore certain changes that the user wants to keep. Many people change things themselves, e.g. Windows tweakers, and this feature could cause issues if it changes things without them realising. This could always be a more advanced option, disabled by default.
If this cannot happen, at least have a log for this feature so that advanced users can see the changes made. If ESET is changing a Windows option, it shouldn't be too hard to log the change somewhere. Also, an undo feature might be handy, as when I tried it out, hoping I would be given options, ESET just changed them, and with no log I have no idea what got changed.
-
persian-boy gave kudos to itman in Scheduled Scans
Yeah, I know about this.
Just be careful with GitHub software. Being open source, it can be hacked. One of the major sources of nasty backdoors has been GitHub software.
-
persian-boy gave kudos to itman in Scheduled Scans
As far as anti-exec processing, there is one built into Win 10: native SmartScreen. I have tested with a couple of unknown-reputation files and each time got an alert from it when they tried to run. ESET let the files run without issue. Neither file was malicious, but I prefer an option to disallow execution in this instance.
The downside is that native SmartScreen relies on the "Mark of the Web" remaining associated with the downloaded file. There are ways to "strip that off" of a download.
-
persian-boy gave kudos to itman in Scheduled Scans
I did some of my own testing in regards to this business about the HIPS not detecting Farbar activity. For starters, I set the HIPS to Interactive mode and then ran Farbar.
To begin with, Farbar will load and begin execution because you started it manually. However, the first attempt by Farbar to perform any activity the HIPS monitors for will cause an alert, as shown by the screenshot below.
Now if you create a .bat script and run Farbar by executing the script, you will receive a HIPS alert about the startup of Farbar. Likewise, malware doesn't magically run by itself. Something has to execute it.
-
persian-boy gave kudos to itman in Scheduled Scans
I have run Farbar in the past, and ESET HIPS in Auto or Safe mode will not alert because it's a safe app.
Are you saying that the HIPS in Interactive or Policy mode is not throwing an alert at Farbar startup time?
-
persian-boy gave kudos to Wolf Igmc4 in Scheduled Scans
ESET has a sandbox, but we just can't access it. But I agree with you; I want to manage apps in a sandbox.
-
persian-boy received kudos from Wolf Igmc4 in Scheduled Scans
What about a sandbox? I guess it is much more important than Anti-Theft. I'm still waiting to see a purge button for non-existing rules in both HIPS and firewall.
Also, show the command line when the HIPS alerts for cmd, and provide a way to submit the FP from the GUI, not email :|
Also an option to let us sort the rules based on the directory.
-
persian-boy gave kudos to itman in Scheduled Scans
You will need to show an example of a .exe that ESET HIPS did not detect running in Interactive mode. The only way I know that could occur is if you inadvertently created an allow rule while running in Training mode or by manual creation.
One possibility, for example, is that an allow rule was created for a process to start another process. If the allow rule did not specifically state what process startup was allowed, then ESET will allow any child process startup from the parent process.
-
persian-boy gave kudos to Wolf Igmc4 in Scheduled Scans
You can add a vulnerability detection module, and something like the USB Vaccine of Panda.