Posts posted by rugk

  1. About the second article you linked we already had a topic here and there I showed that the statement with the AV certificates being not scanned is wrong (at least for ESET).

     

    I already know NOD32 cannot handle HSTS, my own domain has HSTS activated, and Firefox will refuse access to an HSTS server if the certificate doesn't match up, when it tries to access my domain and sees the NOD32 cert it gets angry and I cannot browse my site.

    This sounds more like a certificate mismatch rather than something with HSTS. Can you explain it more in detail?

    According to the article you linked HSTS isn't used by ESET.

     

    [...] and revocation checks are carried out.

    Really? Does ESET use OCSP stapling?

     

    As for key pinning - yes it's a "known problem" and other vendors also have problems with it, but ESET could just implement it by itself. One could argue that this would even increase the security mechanism as HPKP is then used for all SSL/TLS connections - browser-independent.

     

     

    @chrcoluk

    However you have to decide whether you want to enable SSL scanning. Of course it's a "man-in-the-middling", but if you think ESET's implementation for checking HTTPS connections is secure enough and you want HTTPS connections to be scanned too then you can enable it.

    As for protocol scanning generally I would highly recommend to leave this enabled as it's a major protection layer as @Marcos explained above.

  2. As for WAIK - yes the article you linked is about ESET SysRescue Live, which is a newer (and completely different) version than ESET SysRescue which is included in the ESET products. Only ESET SysRescue required WAIK.

    However you can of course still create both versions, so you can choose whether you want to use ESET SysRescue (Windows-based) or ESET SysRescue Live (Linux-based).

     

    So as for the files you see (Icon and autorun.inf) - these are just on one FAT32 partition. The important thing for ESET SysRescue is the ext3 partition, which Linux uses. As Windows doesn't support ext3 it isn't displayed.

    However the FAT32 partition is displayed and its only purpose is that the USB stick or the CD/DVD looks nice in Windows.

    Okay, there is also another thing you can do with the FAT32 partition. As this partition uses nearly all remaining space of the USB you can use it like you use any USB - store files on it. You can read them on Windows and also on Linux, even if you're booting from the USB. :)

    Edit: In fact ESET SysRescue boots from another FAT32 partition as well, but this one isn't shown (it's around 600 MB large). Only the VSD updates are stored on an ext3 partition.

     

    BTW AFAIK ESET SysRescue should fit on a 1 GB USB (if it fits on a CD then any USB should be more than enough).

     

    BTW I think this topic should be moved to ESET Standalone Malware Removal Tools.

     

    Edit: Changed some information as the partitions are different than I thought...

  3. Maybe another rule (maybe even a pre-defined rule) has a higher priority, which e.g. allows SMB requests in the whole trusted zone.

    If this is the case then you currently can only deactivate the rule which is "too general" or make your other rule more specific (e.g. by adding a port or an application).

     

    However in v9 of the home products you can set an order and ESS/NOD32 will evaluate rules based on this order.

     

    More information:

  4. So ESS just disappeared? :blink:

     

    So are there any files in C:\Program Files\ESET\ESET Smart Security? If so is there an (uninstall) entry in the Windows add/remove programs list?

    If there is no entry but the files exist then there was surely a problem with the uninstallation (which seems to have happened although you didn't notice it :unsure:?).

     

    So I think the best way would be to uninstall ESS and reinstall it. If there is no entry for uninstalling in the control panel you can try another method with the latest option to use the safe mode uninstaller.

    After this reinstall ESS like you normally would.

     

    If you get messages about ESS not being installed during the uninstallation maybe also this fix can help you - although I have to admit that this is pure speculation.

  5. It's great to hear that you like ESS. However to use unofficial versions of ESS is very risky. You don't know what they modified.

    They can e.g. indeed contain malware or use unofficial (maybe modified) virus signature updates.

     

    I'm quite sure that you can catch a special offer or something like this if you keep your eyes open. You can also post your country here and describe why you can't afford to buy ESS.

    Maybe a local reseller or distributor will notice it and show you some special deals - we already had this in the past.

  6. Okay, but isn't RealDownloader a stand-alone program?

     

    Additionally if you don't need parental control you can disable it of course. And if they should be the culprit of your issue then you would also see this afterwards.

     

    I was talking about ESS firewall. I assume you use ESS firewall - if you do then you can't disable the Windows firewall anyway because ESS firewall integrates into Windows firewall.

     

    Or are you finally saying that your issue has nothing to do with ESET, but with Firefox and Chrome?

  7. The master boot record (MBR) is a part of your disks. It contains some information about the partitions on the disk and the bootloader.

    As this bootloader can also be modified by malware ESET can scan the MBR.

     

    As for the issue with the "error opening" message - this generally means that ESS can't access the file (or data) and can't scan it. This can have many reasons - e.g. a file is blocked by a process which is actually using it.

    In this case this may be because ESS didn't have the necessary rights to read the MBR. So maybe scanning as administrator can prevent the message from appearing and everything will be scanned.

     

    Additionally it seems you're using an older version of ESS. As new versions of ESS contain enhanced security features I highly recommend you to upgrade to the latest version.

  8. If the license is an ESS license like you have then you can't use it for Android. Mobile devices and desktop are two different parts, but "inside" of these parts you can switch the ESET product like you want because of the unilicense system.

    Just keep in mind that EMS for Android is also much cheaper than ESS or NOD32 licenses.

     

    You can only switch completely freely (also between mobile and desktop devices) if you're using a multi-device license.

     

    However in your case I would contact your local support and ask them if they maybe can change your license or do something like this.

  9. Okay, but what exactly doesn't work with Realplayer? "Something has messed with it" is very general.

     

    And why exactly did you set up parental controls? Do you need them or did you just set them up because ESS informed you about this? And does this have something to do (or do you think it has something to do) with the issue you're experiencing?

     

    As for network issues of course also the firewall could be an issue. So you can try to disable it temporarily and look if this resolves your problem.

  10. What do you see if you start it from the metro screen? Do you see the splash window? (of course only if you have it activated)

    So if the tray icon is not shown - is egui.exe running? (check this in the task manager)

     

    Additionally can you please check whether the following key exists in your registry?

    "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\egui"

     

    Edit: You may also have a look at this KB article: The ESET icon disappeared—how do I bring it back?

  11. No real Windows Safe Mode. Just look at the KB article he linked. There one of the first steps is:


    So BTW if you 'do not ever remember ever seeing an "Advanced Memory Scanner" or "Exploit Blocker" option' then possibly HIPS wasn't working at all in the past, because these options are only displayed if HIPS is active.

    So maybe the first try would be to deactivate this HIPS checkbox, restart, activate it again and restart again.

     

    Edit: And if you want to test HIPS you can e.g. test the self-defense, which is a part of HIPS. To do this you e.g. try to kill ekrn.exe with the normal task manager or change the priority of it. In both cases it should return a "permission denied" message.

  12. What ESET should be doing is not unencrypting sites with EV certs. like Avast and Kaspersky. Validate the cert pinning path and leave it at that.

     

    If you can't trust a web site with an EV cert., you shouldn't be doing business there.

     

    Well... the researcher (alias the author of the blog post) mentioned that none of the AVs he tested would do this. So all would not scan EV certificates.

    As for ESET this is wrong as I showed in the topic I linked.

     

    However back to your suggestion. Even some guys who want to spread malicious files could register an EV certificate. It would be quite expensive for them and they would maybe have to hide behind a (fake) company, but it could be possible.

    Or just think of the file hosters which use an EV certificate.

     

    However on the other hand of course sites which host static content (or at least no user-submitted files) could be excluded this way. So I would agree to have an option in the SSL scanning settings to exclude all EV certificates from SSL scanning, but not to do this automatically. The user should be able to choose whom he trusts and whom not.

  13. About Win32/Systweak.A - yes this has surely nothing to do with the Facebook block.

     

    Just some information about this detection anyway: It's detected as PUA, which is an optional detection, so it can be activated and deactivated by the user. As you can read in the KB article I linked a PUA isn't something malicious, but it may be more or less annoying or something similar - so basically it is potentially unwanted as the name suggests.

    About the specific detection it could be part of WinZip which includes some (again not surprising according to the detection name) system tweak tools. There were already a few topics about it:

    However as the detection name is a bit different it may also be another software.
