Everything posted by SeriousHoax

  1. Description: Logging of dropped packets/blocked connections in Interactive Firewall mode. Detail: When I deny access to something in Interactive firewall mode there's no way to later check what site that particular app tried to connect to. It would be very useful if all the dropped packets could be logged so that one can later check everything and do the research if required. This logging shouldn't be enabled by default but there should be an option to enable it when the user activates Interactive mode from advanced settings. Discussion moved to https://forum.eset.com/topic/23153-logging-of-dropped-packetsblocked-connections-in-interactive-firewall-mode/
  2. This is Firefox's decision I think. They got tired of issues reported by the users about the certificate error thing. Most of the issues were reported by Avast and Kaspersky users. Firefox's way was definitely safer. It maintains its own store and didn't use the Windows certificate store before they decided to change that partially to make it easy for average users I guess. Average users wouldn't know how to manually import a certificate to Firefox. But I like the way Firefox still shows that it doesn't trust the certificate.
  3. Haha no it wasn't malware testing related. This is a new installation of Windows. Maybe some sort of problem occurred after the installation of ESET. The link you shared is interesting. Malware installing a fake certificate to make itself trusted.
  4. I actually checked that already. I had only one certificate in the trusted authority and it was also the same one but for some reason it was still not working. But anyway I fixed it by manually deleting it from the Windows store; I restarted the system, a new certificate was created by ESET automatically and now everything is working fine. Thanks
  5. Your certificate is working fine. The message you're getting is expected. I got the new internet protection module after switching to the pre-release module but my ESET certificate is still not working in Firefox.
  6. I'm attaching the logs. Maybe Marcos can have a look and identify the issue. eis_logs.zip
  7. I think it's necessary to do this only when it's manually imported to the Firefox certificate store. With the "enterprise_root...." config automatically enabled by ESET, Firefox uses Windows store certificates. Anyway, I just did that too but it's still not working.
  8. Well I just noticed these logs in the events section. It occurs if I disable and then enable the option "Add root certificate to all known browser".
  9. My certificate isn't working on Firefox either. Everything seems to be set nicely. Tried enabling and re-enabling these configs but it's still the same. I also have another app named Phyrox which is an unofficial portable version of Firefox. It's not working there anymore either. This is a new installation of the newly released version of ESET. Working in other browsers but not in any Firefox-based one.
  10. Does ESET have any defense against this except manually creating HIPS rules?
  11. Any thoughts on this? https://www.bleepingcomputer.com/news/security/windows-explorer-used-by-mailto-ransomware-to-evade-detection/
  12. I am not saying it's bad at this but saying I've seen it missing script malware more than other types. I always email those samples to the ESET lab and they also respond when they add those to the signatures. But I haven't found any sort of serious misses in recent times like ransomware, but I will share here if I find such. I think @itman may have some examples of misses. Edit: Well I was right about him. He even has logs.
  13. I think Trend Micro is one of the products that kind of does what you are suggesting and blocks most of the suspicious script executions by default. It may result in some false positives but it's very good against script-based malware, where ESET is a bit weak in this department.
  14. Yeah right. I usually use ask for most HIPS rules so personally troubleshooting what needs to be allowed for certain modifications would be better. Ok, thanks.
  15. @Marcos What Windows-related processes should I allow if I want to allow manual modification of files in those folders, like manually renaming, moving, pasting new files?
  16. @Marcos Hello, off topic: Before, it was possible to see all the signatures added in each update from here: https://www.virusradar.com/en/update/info/ But it hasn't been there for a while. Is this a permanent change? Is it available anywhere else?
  17. I know about the HIPS rules blocking script execution, etc. and have set them on mine. Those are post-execution rules and I even have better pre-execution blocking rules set with the help of Hard_Configurator, but anyway these are not for average users. I wouldn't say WD is better but it's enough for almost every home user and can be made better by enabling extra features, but ESET has a lot more features and is definitely the lightest. ESET has everything but a behavior blocker; that's why it struggles against unknown malware and especially against ransomware. Good to see it was detected in Windows 10 with the help of AMSI so maybe WD would detect it too? I don't know. After the integration of Augur into the product I hoped to see it in action in such scenarios but personally haven't seen any.
  18. ESET's protection modules didn't react to this ransomware either. VT: https://www.virustotal.com/gui/file/b6e9eb3a56f495a13892859e3de26109cbc7950b1e8bd57d374e87c94c99c7e5/detection
  19. This is interesting and very good to see. It would be nice if it's implemented in the beta version of consumer products so that beta testers can provide feedback.
  20. That's where a behavior protection module would kick in. Of course behavioral protection isn't always going to be effective and it behaves differently on different products. Like, Emsisoft has an excellent behavior blocker but that's extremely sensitive and false positive prone, while Kaspersky has the best behavior blocker yet almost no false positives, like ESET. ESET cares too much about false positives and that's why they are behind most other big guns in the behavioral protection section. There's no logic behind still setting HIPS to Automatic by default. It should be set to Smart mode and should trigger when something suspicious is detected. ESET is excellent at detecting new variants of known malware but if it's something new it barely does anything to stop that. Sadly, Quick Heal, an Indian AV which is pretty terrible, has a better, more effective behavioral blocker than ESET. Edit: Norton is implementing their Data Protector module. It's already available in some of their products and I tested it against unknown binaries and it successfully detected them. Both Norton and Kaspersky let that binary encrypt 3 files before stopping it. But none of the original files were lost. Both were smart enough to detect massive unwanted encryption while ESET did nothing.
  21. Ah this just reminded me I forgot to use a VPN, which I do for safety before testing any malware.
  22. I agree, ESET has a lot of room for improvement in the proactive area. Bitdefender recently has put their AI into testing in VirusTotal and it's doing really well. It would be great to see ESET's Augur in action. User "itman" even suggested this in another thread a few weeks ago. Bitdefender, probably after training their AI for a year or two, will implement it into their product, which would greatly benefit them. After implementing Augur into version 13 there were a lot of complaints in the forum about ML/Augur detection. I wonder if ESET has toned down the AI for now in later updates.
  23. You know this isn't suitable for day to day use, at least not the way ESET is at the moment. I create this kind of rule in Kaspersky and in the case of Kaspersky instead of only AppData I select the whole C drive and other important folders in other drives. It's practical in Kaspersky thanks to Application Manager and reputation info from KSN; there you can make rules to allow trusted programs automatically and ask permission when something else tries to do any modification. ESET doesn't have anything similar to that but it's very much possible to implement something like this into the product as it already has LiveGrid.