Everything posted by Utini

  1. Who cares. HIPS, Advanced memory scanner (AMS) or Exploit blocker (EB) are not behavior monitors that would spring into action when a suspicious behavior is detected. Unless the code in memory is indeed malicious and resembles known malware, it will be detected and suspended by AMS, which cannot be the case of a simulator. Likewise EB is triggered when malware attempts to exploit a known vulnerability, which is again not the case of the simulator used in this case. Awesome. The more I use ESS the more I like it.
  2. Hmm, I enabled logging but when I get asked and I press deny it will not be logged. There is no entry or "more" information about it in the log file? All I see are a lot of "no application listening to port" entries. Every 2 seconds a new one is popping up in the log file.
  3. Obviously keeping your system up to date is one of the main things to do to keep malware out of your system. I am not going to argue about whether you or anyone else ever got infected (because 90% of people don't even realize when they get infected). And I will also not continue about how easy it is to get infected or what kind of malware exists, because our experiences/opinions and maybe knowledge go different ways here. Privacy is a big factor, but you can't tell ESET to block "privacy concerns with Microsoft on Windows", because that could also break the system itself (although I would love a pre-configured rule set that works and blocks privacy problems with Windows & Microsoft) ;P Actually I am having a problem, and that is how to configure rules for those Windows processes. And I hoped someone could help me with that and ESET could add that to their pre-defined rules, just like they also did with svchost, winlogon, etc.
  4. Of course, the Internet is a dirty place, everyone knows that. But you are exaggerating the chance of getting infected. Finding malware that can bypass a product isn't hard if you go looking for it, but coming across malware during normal usage is pretty hard (unless you have some crazy habits). I have not come across malware in years. If you are that concerned then start using Linux until it becomes too popular and the malware for that platform rises. So, Automatic is O.K. for the average user, hence it is the default. But it is not safe for you, who are an above average user. You insist on using interactive mode, so you are creating these annoyances that normally don't exist. We told you interactive mode is not that convenient to use because you said that you didn't want to be bombarded, but you don't listen. You make a very easy to use product look very inconvenient and annoying to use. It seems you think it is better to pack in as many pre-defined OS rules as possible, because you insist on using interactive mode from the start. And if that were to happen, then users like me would have to spend time going through all pre-defined rules after install to see if there is stuff we want to get rid of or not. If privacy really is that important to you then it's even more weird that you talk about all these pre-defined OS rules you want implemented. I really hope ESET does not follow your suggestion on this. Actually, if you now are that worried then maybe you should consider investing in a UTM that will stop a lot of attacks and malware before they reach your network, computers, and other connected devices.
I wonder how anyone knows that he didn't come across malware for years. I have high security habits and I am not sure myself. A password stealer gets on your system via a Flash/Java/frame drive-by or by opening a movie/office file, as they all are or have all been vulnerable. The password stealer runs for a few seconds, sends all the information it wants and then removes itself from your system. All that in a few seconds. And malware these days is spreading very fast by self-spreading via torrent, communicators, FTP, filesharing, USB devices, local network etc... 1000 infections per hour is a normal rate. You don't have to particularly "search for an infection" to get infected. Someone in your local network with an infected laptop/USB stick is enough to get you infected too. Or a hidden drive-by on a random website. The possibilities are endless... especially when you have $100 to buy an exploit pack that puts multiple exploits (hidden) on a webpage and is able to infect you via more drive-bys than just Java. But I don't want to talk about how dangerous and easy malware is these days. Linux or Mac OS X is maybe even more dangerous. The same malware already exists for those OSes, just that their security products aren't as developed as they are on Windows (in my opinion). There even is a trojan that you can buy for $50 where you can control all your infected Mac OS X bots via Android/iOS. So yes, that's why "I didn't listen" and decided to use interactive mode, because nothing else comes into my mind when I think about a secure setup. You don't seem to understand what I am asking for: I ask for pre-defined rules for system files (that every user has on his system). And pre-defined rules mean that whatever setup you use (automatic or interactive), you will never have to care about those files because the best rules already exist for them. The same already happened for svchost, winlogon and a few others. And no, ESET isn't that complicated to use. It is actually the easiest product I have used so far and has the best interface I have seen yet. But there is room for doing better and I have suggestions for that. Besides that, even if I would have problems with ESET because interactive mode is complicated, isn't the forum here to help with such problems? 
;P I am less worried about privacy than I am about malware.
  5. No, that's a wrong assumption. Pre-defined rules either allow or block certain communication; there's no pre-defined rule with the action set to ask. Yes, you are right of course. Didn't have time today to enable logging, but noticed that port 123 for svchost also gets asked about, although it is already allowed for the trusted zone in a pre-defined rule. I am now thinking that my trusted zone might be configured wrong (I didn't touch that though). Will enable logging hopefully tonight :S
  6. Yes, that is the big question and I am not sure myself (which is why I am asking for help with those rules). So I hoped the ESET pros could help with that. But I think there needs to be a safe port + protocol list for those files and a safe list of Microsoft DNS addresses. And with that information the rule can be created, but I don't think I can say what is safe for those files. I would rather leave that to someone who is more experienced (hi ESET team ;P) @edit: maybe create a fresh Windows, custom rule all the requests of those files (that fresh Windows will be without malware) and then we know how those files communicate? Or someone at ESET is in a position to ask Microsoft for more information. The pre-defined rules for svchost are the best example. Everything that should be allowed is allowed. For everything else we get asked. But then I would already get suspicious about what svchost is trying to do.
  7. Of course... but first there has to be a rule for the file ;P a useful pre-defined rule, for example.
  8. If you are confident your system is clean you can stop worrying and create rules for all communication which occurs with normal activity. ESS will conveniently tell you when each application tries to call out, and if you can see no reason how the communication will help you, then block it. As for why the Microsoft Store calls home when you do not intend to use it, the answer is no doubt that it helps Microsoft. Either it simplifies their code by not worrying about network traffic for non-paying customers, or it potentially increases their sales by data mining. Microsoft are trying to move all their software to an online rental model. No doubt they do not like customers using their software for an extended period without paying more. Either way your decision process is the same. ESS alerts you to the activity: allow it, if it is OK (system clean and comfortable with that company having free access); block it, if you can't see how that communication helps you (you can always change it later if it breaks something); investigate what is being sent and why, if you are curious. Worrying about it is not a recommended option. Having everything allowed also does not make any sense as an option. If that is what you want, use the automatic or learning modes. I believe the communication these processes use varies with system configuration. How much is actually needed depends on what you are doing. Interactive mode encourages each user to make their system as tight or as loose as they want. However, for users who want an easy setup which allows normal traffic and is reasonably safe, the automatic or learning modes are more appropriate.
And again: Automatic mode is user friendly but not safe enough (at least not for me). It basically allows everything to communicate to wherever it wants. At least system files should be configured for the ports they use and the connections they make (Microsoft servers).
I am one of those that don't want to have more pre-defined rules than what is needed. Like it is now, there are not too many pre-defined rules, only for what is necessary, and anyone that wants to add rules can do that as they wish. Instead of working hours with this, it would be much easier for you to use automatic mode and simply create block rules for the apps that you think are calling home, if that is the only reason why you insist on using interactive mode. I feel you have taken water over your head. It doesn't work like Comodo does; we have the Automatic mode that works great, it's a shame you don't trust it. I don't trust automatic mode because it lets everything out, say hi to password stealers sending all your accounts. Those are original Windows files, they are on the system out of the box and therefore need configuration out of the box. So if you ask me, it is necessary for them to have pre-defined rules. I am not talking about rules for Office or Firefox or whatever. Simply what is running in the background of every Windows user out of the box and tries to open connections / communicates with others. Utini/zakazak, I doubt you are going to get infected with some password stealing malware when you use ESS, MBAM Prem, and HMPA? I thought you had higher hopes for your setup than that. Paranoid people usually do not trust anything at all, not even the OS, but you want to have allow rules for OS stuff even if they are not needed to begin with, only because they are part of the OS. I don't get that. I know I don't want any part of it anyway. "Patch" has laid it out very nicely above; those are the choices you have. ESET will not add rules unless they are necessary for the OS; if there is no rule for a connection, even if it goes to MS, then Automatic mode will take care of that as well. So there is no need to have them out of the box (even if MS would be very pleased). The bottom line is that you are worrying way, way too much, and you don't need to. Relax and enjoy your computer instead.
There is enough malware, password stealers or RATs (trojans) that can bypass this setup. They are fully undetected by AV, bypass HIPS and can even bypass FWs. And the black market is full of them starting at ~20%. So easy to use that every 13 year old can configure them. The bottom line is: I have seen too much malware and worked with too much malware to know how easy it is to infect a system. Or let's put it differently: how easy it is to make malware bypass security products. All I am asking for is a rule for system files that are running and used on every Windows PC. Rules that allow those files to do what they do but nothing more. Allow rundll32.dll to connect to the 1-3 ports it needs and to the Microsoft servers. Nothing else.
  9. Automatic mode creates rules in a way of "let EVERYTHING out but nothing in". That is not secure in my opinion. It is user friendly to home users but it is definitely not secure enough if you want to focus on privacy. Apps (especially Windows services/files) should be restricted to what they do. They should be allowed to connect to every port and every server. They should be allowed to use the 3 ports that they usually use and then connect to the Microsoft servers, and that's it. Or do you want a trojan to inject into one of those files and connect to some random Chinese botnet server? svchost is also a Windows standard process and it has pre-defined rules. Same with logonui.exe, services.exe and all the other system rules that are pre-defined. The above files are more files/services that should be added to the pre-defined rules, as they are, just like everything that is pre-defined so far, out-of-the-box Windows files/processes that in automatic mode could do whatever they want. They are just as vulnerable as svchost.exe and need to be taken care of just like ESET did with svchost, winlogon, etc.
  10. I am one of those that don't want to have more pre-defined rules than what is needed. Like it is now, there are not too many pre-defined rules, only for what is necessary, and anyone that wants to add rules can do that as they wish. Instead of working hours with this, it would be much easier for you to use automatic mode and simply create block rules for the apps that you think are calling home, if that is the only reason why you insist on using interactive mode. I feel you have taken water over your head. It doesn't work like Comodo does; we have the Automatic mode that works great, it's a shame you don't trust it. I don't trust automatic mode because it lets everything out, say hi to password stealers sending all your accounts. Those are original Windows files, they are on the system out of the box and therefore need configuration out of the box. So if you ask me, it is necessary for them to have pre-defined rules. I am not talking about rules for Office or Firefox or whatever. Simply what is running in the background of every Windows user out of the box and tries to open connections / communicates with others.
  11. Also please add default rules or a description for the following Windows files. So far, I have noticed that the following processes all want to make regular connections: Host Process for Windows Services (svchost.exe), Host Process for Setting Synchronization (SettingSyncHost.exe), User Account Control Panel Host (UserAccountBroker.exe), Windows Explorer (explorer.exe), Windows Host Process (rundll32.exe), Store Broker (WSHost.exe), Windows Driver Foundation - User-mode Driver Framework Host Process (WUDFHost.exe), Device Association Framework Provider Host (dasHost.exe), Host Process for Windows Tasks (taskhost.exe). For example, right now I am worried about WSHost.exe because I don't even use the Windows Store and still it wants to send data to Microsoft? You are worrying that programs you install may call "home", but you don't worry that the OS (Windows) might call home to MS once in a while? Well, WSHost.exe is part of the OS and a lot in the OS wants to connect to MS, but that doesn't mean you have to allow everything that's part of the OS to connect out; you can even block stuff from connecting out without breaking the OS. If you Google around you can find more info about what is essential to be allowed and what isn't. IMO you are just making this harder for yourself; the pre-set rules that are in place today should be enough out of the box, or else I assume ESET would have added rules for the ones in your list already if they are that essential. I think it is better to have a small pre-defined set out of the box like today, and users that want to add more rules can do so afterwards if they like, so no one has to spend time removing rules that they don't want right after install. The pre-defined rules are fine, and the Automatic mode will do the rest once users start using the computer. Again, there is a reason why Automatic mode is the default.... 
I know that you can block some stuff without breaking anything. And obviously I googled every one of those files and what other people recommend. A lot seem to make "useless" connections (e.g. feedsync when you don't use it, or Windows Store). Besides that: there should be a rule set which lets you use Windows out of the box with interactive mode without much configuration needing to be done. For everything non-Windows related you need to worry on your own. But all the above files are originally from Windows and need configuration in interactive mode.
  12. Hmm, I am not sure if I fully understand the way it works. All the ask rules are either for other files or are pre-defined by ESET so that they cannot be changed. For spoolsv.exe there is a specific rule that allows the trusted zone and local addresses. Anyway, I will enable the log and try it out after work. Thanks
  13. Thanks, I guess they come from the usage of different security products for a long time together with knowledge of malware/trojans/password stealers/etc. Alright, I just don't want my suggestions to be lost and forgotten ;P
  14. Also please add default rules or a description for the following Windows files. So far, I have noticed that the following processes all want to make regular connections: Host Process for Windows Services (svchost.exe), Host Process for Setting Synchronization (SettingSyncHost.exe), User Account Control Panel Host (UserAccountBroker.exe), Windows Explorer (explorer.exe), Windows Host Process (rundll32.exe), Store Broker (WSHost.exe), Windows Driver Foundation - User-mode Driver Framework Host Process (WUDFHost.exe), Device Association Framework Provider Host (dasHost.exe), Host Process for Windows Tasks (taskhost.exe). For example, right now I am worried about WSHost.exe because I don't even use the Windows Store and still it wants to send data to Microsoft? Also: let us sort rules in the rule editor up and down. I am curious in which way the rules get checked anyway: like first rule first, then second, then third... until the needed rule is found? If that is the case, let us sort the rules so we can put the most used rules first in the rule editor.
  15. I use interactive mode so I get asked for everything that isn't in the standard ESET rules? I added pictures of my (relevant) rules below. Thanks
  16. Also please add default rules or a description for the following Windows files. So far, I have noticed that the following processes all want to make regular connections: Host Process for Windows Services (svchost.exe), Host Process for Setting Synchronization (SettingSyncHost.exe), User Account Control Panel Host (UserAccountBroker.exe), Windows Explorer (explorer.exe), Windows Host Process (rundll32.exe), Store Broker (WSHost.exe), Windows Driver Foundation - User-mode Driver Framework Host Process (WUDFHost.exe), Device Association Framework Provider Host (dasHost.exe), Host Process for Windows Tasks (taskhost.exe). For example, right now I am worried about WSHost.exe because I don't even use the Windows Store and still it wants to send data to Microsoft?
  17. I need to bump this old thread because I think there SHOULD BE default rules for all these system files. Users worry about them, so give them default rules? Right now I am also asked about WSHost.exe... but I don't even use the Windows Store. So why would it need an internet connection or send data to Microsoft?
  18. I also find "Trusted Zone" doesn't work that reliably. I guess the problem is it is defined dynamically, so it may not be set up properly when it is initially used. As my computers are mostly on a network with a static IP range, adding this range appears to fix it for me. Yep, that would fix it for me too, but adding "local" or "trusted" would be a lot more comfortable, especially when using a laptop in different WLAN/office networks.
  19. Yes, you already said this. This could be an idea, but it can even be very bad if the DNS server is compromised or there is a kind of "DNS server malware" on your computer which redirects all DNS queries to a fake/another/bad/... DNS server. So to use IP addresses there is more secure. Yes, great idea. I think you mean something like I described in post #149 in this topic. Well, maybe this can be an idea. Although svchost.exe of course does much more than just Windows updates. What rules? Do you mean the firewall rules? I think it's quite good if not too many rules are created by default... Yes, that's a great idea! A search function would make it much easier if you want to find specific rules. Thanks! But also have a look at the update I added there. So you can make ESET already detect OpenCandy. Thanks too! I also think this could be a good idea. That's why I made the post. Allowing to add DNS is the only real way to e.g. allow Windows update servers for svchost.exe. Their server IPs change daily, so I would need to add update.microsoft.com as "allowed". Yep, svchost.exe does a lot... one is Windows update and it should be allowed ;-) Well, either allow or deny rules... whatever is safe for those files. I don't know what is safe but get asked by ESET ;P
  20. Hey there, I have disabled "exclude trusted apps from modification detection" and added two exclusions myself. When I reboot, the exclusions change to completely other files. E.g. instead of HitmanProAler.exe I had skype.exe, instead of mbam.exe I had dnscrypt.exe. Please fix that. If you need a video / screenshots: let me know.
  21. Hey there, I added for spoolsv.exe the following rule: Allow - UDP OUT - Port 161 - Trusted Zone + Local Addresses. Still I get asked about a UDP 161 connection to 192.168.1.59 (which is a local address and within my home network = trusted zone)? Any suggestions? Thanks
  22. This: https://forum.eset.com/topic/51-future-changes-to-eset-smart-security/page-14#entry17761
Also: Let us enter DNS addresses for rules (remote DNS address, and also let us add DNS addresses to zones).
Also: When a FW pop-up appears, let me copy the information in this window (e.g. the IP address). Right now I can't mark & copy anything in the notification window.
Also: Add a Windows update rule to the standard rule set of svchost.exe (port 80 & 443, and maybe restrict it to Microsoft update servers only).
Also: Add spoolsv.exe standard rules.
Also: Add rundll32.exe standard rules.
Also: Let us search within the rule editor... e.g. for filenames.
Update: Make this a standard rule? https://forum.eset.com/topic/3701-block-pua-inside-installers-from-nero-burning-rom-orbit-downloader-imgburn-dvdvideosoft-install-them-without-opencandy/
Also: https://forum.eset.com/topic/3437-poodle-attack-security-flaw-in-ssl-v3-eset-blocking/
  23. If you want this I think you would have to specify not only the port, but even the IP addresses, and that is time consuming. I think I have configured about 50% of my system within an hour. But now I am having trouble with system specific rules and a few apps where I am not sure how to handle them. E.g. svchost.exe, rundll32.dll, spoolsv.exe etc. For example, I am wondering if I should allow port 80 and 443 for svchost.exe... according to Google this is for Windows update, but ESET doesn't have a rule for it out of the box? And btw, I am already running interactive, that's why I have all those questions ;P