Everything posted by Utini

  1. And another request that is actually allowed in the default rules but still asks for permission (port 123)? @edit: Oh, the standard rules say "trusted zone" only.
  2. I really have no clue. All I know is that it is effective and not causing many problems (at least I haven't encountered any trouble, even though I like testing different pieces of software, also unknown stuff, especially as I am coding myself and try little programs of others). How Comodo does it -> no idea. It is not the best way of protection as it will only work when the file is already downloaded on the system and being executed (e.g. ESS mostly blocks the files before they are even fully downloaded onto the system), but it is an additional layer of protection that can be very useful without the cost of high resources (at least from the client's perspective).
  3. Yes, and annoy many users who use not so well-known software... During two years of CIS usage I haven't encountered a problem with that. Not even the anti-cheat system coded by a random Polish guy for a random online FPS made problems, as CIS whitelisted even that. Besides that, when you get prompted about an unknown file, you can upload the file and let Comodo check and eventually whitelist it.
  4. Assume that you have a legitimate application that is not signed. If the author updates it, how should an antivirus program know whether it was modified intentionally or by malware? Hmm, dunno, but Comodo has sorted that out. Btw I think this is also an "easy trick" for them to score high at reviews.... Block everything that isn't trusted/whitelisted automatically.
  5. Let's send me such malware. Advanced memory scanner scans already unpacked code in memory, so obfuscating it with whatever packer shouldn't be a way to evade detection. Also I just don't understand how it would help ordinary users if HIPS queried the cloud before executing a file. Would it tell the user that the file is not prevalent and may pose a risk? There are tons of legitimate applications that are not prevalent, so how should the user know if it's ok to allow it or not? Mhh, I have a password stealer and a trojan which are both 1-2 years old and the built-in crypter still makes the malware.exe fully undetected to most antivirus products (including ESET). As the malware builder is bound to my hardware ID I can only provide the malware files themselves if you wish, but not the builder/client. Well, what I am talking about is something like app-phishing. E.g. I download ccleaner.exe or some other software and ESET will know the original ccleaner.exe and run it without a warning. However, if the ccleaner.exe that I downloaded was manipulated (e.g. server.exe binding) then ESET will not know the file anymore as "trusted" and warn me. That way I will check again if the file is original, where it came from, etc. For example: there are "malware spreading techniques" where the malware.exe binds itself to a file you download, so whenever you share that file with someone else the other person will be infected too. So I download the original file but it will get manipulated by malware on my PC. ESET would notice that because when I open the manipulated.exe it is not in the "trusted database". Well, that's how I imagine it and know it from Comodo.
  6. If you come across undetected malware, please submit it to ESET as per the instructions here. From my experience, new malware that I run into is usually already blocked by Live Grid or Advanced memory scanner upon execution. If not, a detection is added in the next update, which cannot be said about most other vendors, who take hours or even days or weeks to add a detection for the given malware. If there's really new, completely unrecognized malware, it must be one that none of ESET's users around the world with Live Grid enabled has had on their machine. I can take any virus example that ESET currently detects and obfuscate/crypt it into 20 different files that will be undetected to ESET. And tomorrow I will make 20 new ones. HIPS will probably detect it, but still it would be awesome if ESET checked a file online before executing it (e.g. like Comodo does, and then automatically sandboxed unknown files).
  7. What about a "suggestions" overview / database? E.g. list all suggestions and how many people voted for each. And also which suggestions are in progress already? It would make everything easier and offer a better overview.
  8. I agree, there are a few things (like the ones I quoted) that ESET could/should add to improve the product. Those features might already be state-of-the-art for other security vendors, but then they lack other things that ESS offers. I am also an advanced user who has used a lot of security products and I have ended up with ESS. It is fast, lightweight and has the best interface I have seen so far. Its detection rate is good enough (could be better with online check-up of files and blocking of unknown files ;P). It offers the features we need but doesn't bomb us with unneeded features. But I agree that there are a few things that (as an advanced user) I really wish for, e.g. copy & paste IPs from notification pop-ups or let us add DNS addresses instead of IP-only. If ESET fixes those things with the next release then I think ESS has hit the sweet spot for "inexperienced home users" and advanced users that want to get the last bit of juice out of ESS! Until then I will keep using ESS v8.
  9. hxxp://www.av-comparatives.org/wp-content/uploads/2014/12/avc_prot_2014b_en.pdf Comparison of real-world testing from August through November. ESET constantly in the top 3-5, but I am sure with advanced settings it would be top 1-3! Didn't see this test posted in the forum yet, so I thought I would share it. Well done ESET!
  10. Maybe also take screenshots with available cameras when a wrong password is entered at Windows logon / unlock? I once coded my own program for that purpose, but I wish ESET could do that too.
  11. The allowing rule allows: local IPs and trusted zone IPs, from local port UDP to remote port SNMP. And the request is "router IP" from local UDP to SNMP. Anyway, I hope I will get another request and will then make a screenshot.
  12. You are right, there shouldn't be anything to worry about in a fresh installation. Well, what if the network is already infected by other users of the network? I hope it is not the case but it could be ;P Basically I would not like to blindly allow something but first want to know what its purpose is. I might give it a try within the next few days to see what the learning mode creates on a fresh VM.
  13. If you really want these rules, why don't you make them yourself? Make it like you said: create a fresh VM, install a fresh copy of Windows (and do not install any "integration components" or something like this), install ESS, do not install any other software at all, and then you can create all the rules while using the VM. Before creating the rules I would suggest you export the configuration, so you can compare it to the configuration later. Then you have two possibilities for how to create these rules: use interactive mode (and make it - more or less - manually) - but this would be very time-consuming... or configure a strict learning mode and use it to automatically create the needed rules - e.g. like this: [screenshot: ESS_FirewallStrictLearningMode.png] After this you can export the configuration and compare the configuration files, so that you can "extract" only the created rules. Here is how you can do this: https://forum.eset.com/topic/3512-eset-passive-quiet-install-to-include-pua-detection/?p=20461 Okay, if you don't want to do the last step you can also send me the XML files and I do this for you. Then you finally will have a configuration file which everyone can import who wants to have the pre-defined system rules you talk about here. Okay, there would be one exception: the users would have to use exactly the same OS (e.g. Windows 8.1 Pro, 64-bit), otherwise there could be rules which are not needed or some rules are missing. I would even try - if you use the learning mode - to let it create rules over several days and try to use nearly all common Windows features that use a connection. Okay, there is still something on which you should pay attention: create a rule for Internet Explorer manually (which allows the connection to any IP) - otherwise it would be very crazy, because you will get a rule for every website you visit and for every connection IE is accessing: [screenshot: ESS_FirewallManyInternetExplorerRules.png] Or don't open the Internet Explorer at all.
Maybe not do it as shown in my screenshot, so uncheck the box to include the local port for outgoing connections. Usually this is quite irrelevant and would only cause the creation of unnecessary rules. Additionally I would suggest you set the network mode to "public" so you won't create any rules with local IP addresses (because these local IP addresses may of course change in every new network and so they aren't the same for every ESET user). And when all rules are created you maybe even want to unify rules. E.g. a rule which allows "spoolsv.exe, outgoing connection to port 1234, IP: 12.34.567.89" and "spoolsv.exe, outgoing connection to port 4321, IP: 98.76.543.21" could be unified to "spoolsv.exe, outgoing connection to port 4321 and 1234, IP: 98.76.543.21 and 12.34.567.89". I have thought about that and might do that, but it is time intensive in any case. Plus I am not sure about all the ports & connections. Even though it will be a "fresh Windows" I would still want to make sure about the connections & ports, but Google doesn't really give me much information for most of the firewall requests :/
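The procedure quoted in post 13 (export the configuration before learning mode, export again afterwards, extract only the newly created rules, then unify rules for the same program and flag rules that are tied to local addresses) can be scripted. The block below is an added example written for this page; it is not ESET's code and does not use ESET's real export schema. The `<rule>` element with `app`, `direction`, `protocol`, `remote_ip`, `remote_port` and `action` attributes is a constructed stand-in for whatever the exported XML actually contains, as are the sample rule sets and the IP addresses in them.

```python
# Added example: extract, unify and sanity-check firewall rules from two
# config exports. The XML layout below is a CONSTRUCTED stand-in, not ESET's
# real export format; adapt load_rules()/write_rules() to the real schema.
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: export taken BEFORE learning mode was enabled.
BEFORE_XML = r"""<config><rules>
  <rule app="C:\Windows\System32\svchost.exe" direction="out" protocol="UDP" remote_ip="any" remote_port="53" action="allow"/>
</rules></config>"""

# Constructed sample: export taken AFTER learning mode ran for a while.
AFTER_XML = r"""<config><rules>
  <rule app="C:\Windows\System32\svchost.exe" direction="out" protocol="UDP" remote_ip="any" remote_port="53" action="allow"/>
  <rule app="C:\Windows\System32\spoolsv.exe" direction="out" protocol="TCP" remote_ip="12.34.56.78" remote_port="1234" action="allow"/>
  <rule app="C:\Windows\System32\spoolsv.exe" direction="out" protocol="TCP" remote_ip="98.76.54.32" remote_port="4321" action="allow"/>
  <rule app="C:\Windows\System32\spoolsv.exe" direction="out" protocol="UDP" remote_ip="192.168.0.1" remote_port="161" action="allow"/>
  <rule app="C:\Program Files\Internet Explorer\iexplore.exe" direction="out" protocol="TCP" remote_ip="23.45.67.89" remote_port="80" action="allow"/>
  <rule app="C:\Program Files\Internet Explorer\iexplore.exe" direction="out" protocol="TCP" remote_ip="23.45.67.89" remote_port="443" action="allow"/>
</rules></config>"""

# Fields that must match for two rules to be merged into one.
KEY_FIELDS = ("app", "direction", "protocol", "action")


def load_rules(xml_text):
    """Return every <rule> element as a plain dict of its attributes."""
    root = ET.fromstring(xml_text)
    return [dict(r.attrib) for r in root.iter("rule")]


def rule_key(rule):
    """Hashable identity of a rule: all attributes, order-independent."""
    return tuple(sorted(rule.items()))


def new_rules(before_xml, after_xml):
    """Rules present in the 'after' export but not in the 'before' export."""
    before = {rule_key(r) for r in load_rules(before_xml)}
    return [r for r in load_rules(after_xml) if rule_key(r) not in before]


def unify_rules(rules):
    """Merge rules that differ only in remote IP/port into one rule per program.

    Note the merged rule is a cross product (every listed IP with every listed
    port), so it is slightly broader than the separate rules it replaces.
    """
    merged = {}
    for r in rules:
        k = tuple(r[f] for f in KEY_FIELDS)
        entry = merged.setdefault(
            k, {**{f: r[f] for f in KEY_FIELDS}, "remote_ip": set(), "remote_port": set()}
        )
        entry["remote_ip"].add(r["remote_ip"])
        entry["remote_port"].add(r["remote_port"])
    out = []
    for e in merged.values():
        e["remote_ip"] = ",".join(sorted(e["remote_ip"]))
        e["remote_port"] = ",".join(sorted(e["remote_port"], key=int))
        out.append(e)
    return out


def non_portable(rules):
    """Rules bound to private/link-local addresses; these differ per network,
    which is why the post recommends learning in 'public' network mode."""
    flagged = []
    for r in rules:
        for ip in r["remote_ip"].split(","):
            try:
                if ipaddress.ip_address(ip).is_private:
                    flagged.append(r)
                    break
            except ValueError:
                continue  # "any" or a zone name, not a literal address
    return flagged


def write_rules(rules):
    """Serialise rules back into the same constructed layout."""
    root = ET.Element("config")
    container = ET.SubElement(root, "rules")
    for r in rules:
        ET.SubElement(container, "rule", r)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    added = new_rules(BEFORE_XML, AFTER_XML)
    unified = unify_rules(added)
    for r in non_portable(unified):
        print("review, not portable:", r["app"], r["remote_ip"])
    print(write_rules(unified))
```

Rules that survive the `non_portable` check are the candidates for a shareable import file; the flagged ones (here the SNMP rule to the router's private address) should be rewritten against a zone such as "trusted zone" rather than a literal IP, or dropped.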
  14. Mhh, if I happen to get the request again I will make a screenshot. But basically it is UDP out at port 161 to my router's local IP address.
  15. Disabling "log blocked events" will also disable the spamming. But I actually want blocked events to be logged. However, not if every 2-3 seconds another event is getting logged :/
  16. Where can I reach the local ESET office? Btw I tried the same on my HTPC and the same problem occurred. Will the SysInspector log help if I post it here in the forum? I am from Austria (Europe).
  17. I did sort them by app and spoolsv.exe is allowed for trusted zone and local addresses. There is no ask rule for spoolsv :/ Still I get asked when my local router requests it.
  18. Yep, I have it enabled, but the "No application listening on the port" is not a blocking event?
  19. Hey there, I know that the "No application listening on the port" firewall log entry is usually no problem, but it gets spammed into the log file every 2 seconds with the following entry: 21.12.2014 8:58:47 PM No application listening on the port 192.168.0.1:45810 255.255.255.255:7437 UDP Is this really normal? Any way to disable this from getting logged (logging it every 2 seconds must cost resources too?) Thanks
  20. So in summary, if ALL users actually need the SAME rule then I agree it should be added to the predefined set. If not, then I would prefer to build my own rule. I hope this clarifies the contention. Sounds good and possible I think.
  21. Here is a screenshot of all rules with "advanced view" toggled. I sorted them by rules. So everything else is an "allow" rule. Those are my block or ask rules. I am not really understanding why svchost.exe still asks for port 161 (coming from my network's router) when I have it as an allowed rule for trusted zone & local addresses.
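Posts 15, 18 and 19 are about one informational event ("No application listening on the port", a broadcast to UDP 7437 from the router) being written to the firewall log every two seconds. Rather than turning off "log blocked events", a defender can keep full logging and post-process the file to collapse such repeats into one summary line per source/destination, which also makes a genuinely new event stand out. The block below is an added example written for this page, not ESET's code; the log line layout is modelled on the single entry quoted in post 19, and the sample log it runs on is constructed inline.

```python
# Added example: parse ESET-style firewall log lines and summarise repeated
# events (floods) instead of reading them one by one. The line format is
# inferred from the one entry quoted in the post; the sample data is constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# "<d.m.Y h:M:S AM/PM> <event text> <src ip>:<port> <dst ip>:<port> <proto>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}\.\d{1,2}\.\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<event>.+?)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s+"
    r"(?P<proto>TCP|UDP|ICMP)\s*$"
)


def parse_line(line):
    """Return a dict for a recognised log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d.%m.%Y %I:%M:%S %p")
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def summarize_floods(lines, window=timedelta(minutes=1), min_count=10):
    """Group events by (event text, source host, destination host:port, protocol).

    The source port is deliberately left out of the key because it is
    ephemeral and changes with every datagram (45810, 45811, ...). A group is
    reported when at least `min_count` events fall inside any `window`.
    """
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["event"], rec["src"], rec["dst"], rec["dport"], rec["proto"])
        groups[key].append(rec["ts"])

    floods = []
    for key, stamps in groups.items():
        stamps.sort()
        # Sliding window: largest number of events within `window` of each other.
        peak, j = 0, 0
        for i in range(len(stamps)):
            while stamps[i] - stamps[j] > window:
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= min_count:
            floods.append({
                "event": key[0], "src": key[1], "dst": f"{key[2]}:{key[3]}",
                "proto": key[4], "total": len(stamps), "peak_per_window": peak,
                "first": stamps[0], "last": stamps[-1],
            })
    return floods


def _constructed_log():
    """Constructed sample: 30 broadcast events 2 s apart, one unrelated event, one junk line."""
    start = datetime(2014, 12, 21, 20, 58, 47)
    lines = []
    for i in range(30):
        t = start + timedelta(seconds=2 * i)
        lines.append(
            f"{t.strftime('%d.%m.%Y %I:%M:%S %p')} No application listening on the port "
            f"192.168.0.1:{45810 + i} 255.255.255.255:7437 UDP"
        )
    lines.append("21.12.2014 8:59:10 PM No application listening on the port 192.168.0.5:137 192.168.0.255:137 UDP")
    lines.append("this line is not a firewall event")
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for f in summarize_floods(SAMPLE_LOG):
        print(f"{f['total']}x '{f['event']}' {f['src']} -> {f['dst']} {f['proto']} "
              f"({f['first']:%H:%M:%S}..{f['last']:%H:%M:%S}, peak {f['peak_per_window']}/min)")
```

Run against a real export of the firewall log, the single summary line answers the question in post 19 (is this one chatty device, or many?), and any event that does not belong to a flood group is left as an individual line for review.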