Utini
Members, 96 posts

Posts posted by Utini

  1.  

    API hooking seemed to fail a bit with ESET but the rest looks very very good? :)

     

    Who cares :) HIPS, Advanced memory scanner (AMS) or Exploit blocker (EB) are not behavior monitors that would spring into action when a suspicious behavior is detected. Unless the code in memory is indeed malicious and resembles known malware, it will be detected and suspended by AMS, which cannot be the case with a simulator. Likewise, EB is triggered when malware attempts to exploit a known vulnerability, which is again not the case with the simulator used here.

     

     

    Awesome :) The more I use ESS the more I like it :)

  2. I don't know what to tell you to make you see some sense in all this.

    Do you want to hear about my friend who uses an outdated OS, browsers, Flash, Java... the lot (despite what I tell him to do) and STILL manages to stay clean and keep all the money in his bank account? Or do you want to hear about another friend who is more like you, with loads of security in place, but still managed to get infected not that long ago? (He blamed the failure on his security setup, by the way, and not himself. Hilarious.) I'll tell you anything to calm your mind down a little.

     

    Staying clean is not only about security software. You will come very far by keeping everything up to date, not clicking on every link, and using your brain while browsing around.

    And the USB stick or whatever a friend or co-worker might give to you: don't connect it to your main system as the first thing you do, and when a friend or family member wants to use your computer, say no.

     

    "But I don't want to talk about how dangerous and easy malware is these days"

     

    Too late, I think you just did that, again. You talk too much about what "could" happen even if the chance that it will happen to you is 0,001%.

     

    "and I am not sure myself"

     

    I agree, you are not sure about what you want, and you worry way too much, but whatever you do, don't become paranoid; it will only make your life harder.

     

    Yes, some malware exists for Linux and OS X, but there's 98% less malware for those platforms than there is for Windows. That percentage speaks for itself.

    Same with iOS and Android: if you stay in the "official" store the chance of getting a rotten egg is very small.

     

    "You don't seem to understand what I am asking for:"

     

    Yes, I totally understand what you mean, but it is not needed due to the way the product works in the defaults.

     

    "I am less worried about privacy than I am about malware."

     

    Yeah I can see that. But these days it should be the other way around, or at least 50/50. And that's one reason why I don't want too many pre-defined rules.

     

    "Besides that, even if I would have problems with ESET because interactive mode is complicated, isn't the forum here to help with such problems? ;P"

     

    Yes, but you don't have any problems with it as far as I can see; you know exactly how the interactive mode works. But a normal recommendation for an interactive-mode user who can't handle it or is tired of the popups would be to switch to Automatic mode.

     

    Obviously keeping your system up to date is one of the main things to do to keep malware out of your system. I am not going to argue about whether you or anyone else ever got infected (because 90% of people don't even realize when they got infected). And I will also not continue about how easy it is to get infected or what kind of malware exists, because our experiences/opinions and maybe knowledge go different ways here.

     

    Privacy is a big factor, but you can't tell ESET to block "privacy concerns with Microsoft on Windows", because that could also break the system itself (although I would love a pre-configured rule set that works and blocks privacy problems with Windows & Microsoft) ;P

     

    Actually I am having a problem, and that is how to configure rules for those Windows processes. I hoped someone could help me with that, and that ESET could add them to their pre-defined rules just like they did with svchost, winlogon, etc.

  3.  

     

    There is enough malware, password stealers or RATs (trojans) that can bypass this setup. They are fully undetected by AV, bypass HIPS and can even bypass FWs. And the black market is full of them, starting at ~20%. So easy to use that every 13-year-old can configure them.

     

    The bottom line is: I have seen too much malware and worked with too much malware to know how easy it is to infect a system. Or let's put it differently: how easy it is to make malware bypass security products. All I am asking for is a rule for system files that are running and used on every Windows PC. Rules that allow those files to do what they do but nothing more. Allow rundl32.dll to connect to the 1-3 ports it needs and to the Microsoft servers. Nothing else.

     

    Of course, the Internet is a dirty place; everyone knows that. But you are exaggerating the chance of getting infected. Finding malware that can bypass a product isn't hard if you go looking for it, but coming across malware during normal usage is pretty hard (unless you have some crazy habits). I have not come across malware in years. If you are that concerned then start using Linux, until it becomes too popular and the malware for that platform rises.

     

    So, Automatic is OK for the average user, hence it is the default. But it is not safe for you, who is an above-average user.

     

    You insist on using interactive mode, so you are creating these annoyances that normally don't exist. We told you interactive mode is not that convenient to use because you said that you didn't want to be bombarded, but you don't listen. You make a very easy-to-use product look very inconvenient and annoying to use.

     

    It seems you think it is better to pack in as much pre-defined OS rules as possible, because you insist on using interactive mode from the start.

     

    And if that were to happen, then users like me would have to spend time going through all pre-defined rules after install to see if there is stuff we want to get rid of or not.

     

    If privacy really is that important to you then it's even weirder that you talk about all these pre-defined OS rules you want implemented.

     

    I really hope ESET does not follow your suggestion on this.

     

    Actually, if you are that worried then maybe you should consider investing in a UTM that will stop a lot of attacks and malware before they reach your network, computers, and other connected devices.

     

     

    I wonder how anyone knows that he didn't come across malware for years. I have high-security habits and I am not sure myself. A password stealer gets on your system via a Flash/Java/frame drive-by or by opening a movie/Office file, as they all are or have all been vulnerable. The password stealer runs for a few seconds, sends all the information it wants and then removes itself from your system. All that in a few seconds. And malware these days is spreading very fast by self-spreading via torrents, communicators, FTP, file sharing, USB devices, the local network etc. 1000 infections per hour are a normal rate. You don't have to particularly "search for an infection" to get infected. Someone in your local network with an infected laptop/USB stick is enough to get you infected too. Or a hidden drive-by on a random website. The possibilities are endless... especially when you have $100 to buy an exploit pack that puts multiple (hidden) exploits on a webpage and is able to infect you via more drive-bys than just Java. But I don't want to talk about how dangerous and easy malware is these days :P

     

    Linux or Mac OS X is maybe even more dangerous. The same malware already exists for those OSes, just that their security products aren't as developed as on Windows (in my opinion). There even is a trojan that you can buy for $50 where you can control all your infected Mac OS X bots via Android/iOS.

     

    So yes, that's why "I didn't listen" and decided to use interactive mode, because nothing else comes to my mind when I think about a secure setup.

     

    You don't seem to understand what I am asking for:

     

    I ask for pre-defined rules for system files (that every user has on his system). And pre-defined rules mean that whatever setup you use (automatic or interactive), you will never have to care about those files because the best rules already exist for them. The same already happened for svchost, winlogon and a few others. And no, ESET isn't that complicated to use. It is actually the easiest product I have used so far and has the best interface I have seen yet. But there is room for doing better and I have suggestions for that. Besides that, even if I would have problems with ESET because interactive mode is complicated, isn't the forum here to help with such problems? ;P

     

    I am less worried about privacy than I am about malware.

  4.  

     

    All the ask rules are either for other files or are pre-defined by ESET so that they cannot be changed.

     

    No, that's a wrong assumption. Pre-defined rules either allow or block certain communication, there's no pre-defined rule with the action set to ask.

     

     

    Yes, you are right of course :)

     

    Didn't have time today to enable logging, but noticed that port 123 for svchost also gets asked about, although it is already allowed for the trusted zone in a pre-defined rule. I am now thinking that my trusted zone might be configured wrong (I didn't touch that, though).

     

    Will enable logging hopefully tonight :S

  5. Ok, so the question is - if you were a firewall maker, how would you make the firewall work fully automatically without disturbing the user with prompt windows, without blocking desired communication with MS or other vendors' servers and block only malicious communication or applications that call home?

     

    Yes, that is the big question and I am not sure myself (which is why I am asking for help with those rules). So I hoped the ESET pros could help with that ;)

     

    But I think there needs to be a safe port + protocol list for those files and a safe list of Microsoft DNS addresses. And with that information the rule can be created :)

     

    But I don't think I can say what is safe for those files. I would rather leave that to someone who is more experienced (hi ESET team ;P)

     

    @edit: maybe create a fresh Windows install, custom-rule all the requests of those files (that fresh Windows will be without malware) and then we know how those files communicate? Or someone at ESET is in a position to ask Microsoft for more information :)

     

    The pre-defined rules for svchost are the best example. Everything that should be allowed is allowed. For everything else we get asked. But then I would already get suspicious about what svchost is trying to do :)

  6. If a file for which a rule was created is modified and the firewall is in interactive mode, then you will see a question asking you whether you want to allow the connection for the modified version too.

    And this of course applies to Windows files too.

     

    So if a legitimate process is "injected" then you'll see a message about this when it is trying to connect somewhere.

     

    Of course... but first there has to be a rule for the file ;P a useful pre-defined rule, for example :)

  7.  

    I think there SHOULD BE default rules for all these system files. Users worry about them, so give them default rules?

     

    Right now I am also asked about WSHost.exe... but I don't even use the Windows Store. So why would it need an internet connection or send data to Microsoft?

    If you are confident your system is clean you can stop worrying and create rules for all communication which occurs with normal activity.

    ESS will conveniently tell you when each application tries to call out, and if you can see no reason how the communication will help you, then block it.

     

    As for why the Microsoft Store calls home when you do not intend to use it, the answer is no doubt that it helps Microsoft. Either it simplifies their code by not worrying about network traffic for non-paying customers, or it potentially increases their sales by data mining. Microsoft are trying to move all their software to an online rental model. No doubt they do not like customers using their software for an extended period without paying more.

     

    Either way your decision process is the same. ESS alerts you to the activity:

    • allow it, if it is OK (system clean and comfortable with that company having free access)
    • block it, if you can't see how that communication helps you (you can always change it later if it breaks something)
    • investigate what is being sent and why if you are curious

    Worrying about it is not a recommended option. Having everything allowed also does not make any sense as an option. If that is what you want use the automatic or learning modes.

     

    Those are original Windows files; they are on the system out of the box and therefore need configuration out of the box. So if you ask me, it is necessary for them to have pre-defined rules. I am not talking about rules for Office or Firefox or whatever. Simply what is running in the background of every Windows user out of the box and tries to open connections / communicate with others.

    I believe the communication these processes use varies with system configuration. How much is actually needed depends on what you are doing. Interactive mode encourages each user to make their system as tight or as loose as they want. However, for users who want an easy setup which allows normal traffic and is reasonably safe, automatic or learning modes are more appropriate.

     

     

    And again: Automatic mode is user-friendly but not safe enough (at least not for me). It basically allows everything to communicate to wherever it wants. At least system files should be configured for the ports they use and the connections they make (Microsoft servers).

     

     

     

    Why?

     

    Again, if you don't like popups or don't know how to respond to them, then use Automatic mode and rules will be created when needed, and not for everything.

     

    I am a bit surprised that you, who worries about some apps calling home, even suggest this.

     

    Why not have allow rules for the whole OS so everything OS-related that wants to connect to MS can connect out as it wishes? It would probably help MS with their data mining as well. :rolleyes:

     

    Instead of asking for more default allow rules to be added consider what Aryeh (and myself) said above....

    You can go ahead and try blocking the various communications via ESET Personal Firewall if you're concerned; however, I'm unsure of how this will affect the various services that expect to communicate with Microsoft, et al. I would recommend proceeding very carefully, though, in case blocking something leaves the system in a non-working state.

     

    I am one of those who don't want to have more pre-defined rules than what is needed. As it is now, there are not too many pre-defined rules, only for what is necessary, and anyone who wants to add rules can do that as they wish.

     

    Instead of working for hours on this, it would be much easier for you to use Automatic mode and simply create block rules for the apps that you think are calling home, if that is the only reason why you insist on using interactive mode. I feel you have taken on more than you can handle. It doesn't work like Comodo does; we have the Automatic mode that works great, it's a shame you don't trust it.

     

    I don't trust Automatic mode because it lets everything out; say hi to password stealers sending all your accounts.

     

     

    I am one of those who don't want to have more pre-defined rules than what is needed. As it is now, there are not too many pre-defined rules, only for what is necessary, and anyone who wants to add rules can do that as they wish.

     

    Those are original Windows files; they are on the system out of the box and therefore need configuration out of the box. So if you ask me, it is necessary for them to have pre-defined rules. I am not talking about rules for Office or Firefox or whatever. Simply what is running in the background of every Windows user out of the box and tries to open connections / communicate with others.

     

    Utini/zakazak

     

    I doubt you are going to get infected with some password-stealing malware when you use ESS, MBAM Prem, and HMPA? I thought you had higher hopes for your setup than that.

     

    Paranoid people usually don't trust anything at all, not even the OS, but you want to have allow rules for OS stuff even if they are not needed to begin with, only because they are part of the OS. I don't get that. I know I don't want any part of it anyway.

     

    "Patch" has laid it out very nicely above; those are the choices you have. ESET will not add rules unless they are necessary for the OS; if there is no rule for a connection, even if it goes to MS, then Automatic mode will take care of that as well. So there is no need to have them out of the box (even if MS would be very pleased).

     

    The bottom line is that you are worrying way way too much, and you don't need to. Relax and enjoy your computer instead.

     

     

    There is enough malware, password stealers or RATs (trojans) that can bypass this setup. They are fully undetected by AV, bypass HIPS and can even bypass FWs. And the black market is full of them, starting at ~20%. So easy to use that every 13-year-old can configure them.

     

    The bottom line is: I have seen too much malware and worked with too much malware to know how easy it is to infect a system. Or let's put it differently: how easy it is to make malware bypass security products. All I am asking for is a rule for system files that are running and used on every Windows PC. Rules that allow those files to do what they do but nothing more. Allow rundl32.dll to connect to the 1-3 ports it needs and to the Microsoft servers. Nothing else.

  8. "But all the above files are originally from windows and need configuration in interactive mode."

     

    No, they don't "need" to be configured in interactive mode at all.

    That is totally your choice; you chose to do it that way. But you don't have to.

     

    How do you think rules are created for all those users that use Automatic mode? Probably 95%+ of the users.

     

    Rules for those examples above would have been taken care of automatically in Automatic mode, or else every single user would pop up in the forum and ask what they can allow and what they should block, and why the product is so annoying.

     

    We don't need to have pre-defined rules for everything OS-related out of the box except for stuff that is absolutely necessary, as Automatic mode will create rules automatically when needed (also for connections to MS) when the user is using their computer.

     

    Automatic mode creates rules in the way of "let EVERYTHING out but nothing in". That is not secure in my opinion. It is user-friendly to home users but it is definitely not secure enough if you want to focus on privacy. Apps (especially Windows services/files) should be restricted to what they do. They should not be allowed to connect to every port and every server. They should be allowed to use the 3 ports that they usually use and to connect to the Microsoft servers, and that's it. Or do you want a trojan to inject into one of those files and connect to some random Chinese botnet server?

     

    svchost is also a Windows standard process and it has pre-defined rules. Same with logonui.exe, services.exe and all the other system rules that are pre-defined. The above files are more files/services that should be added to the pre-defined rules, as they are, just like everything that is pre-defined so far, out-of-the-box Windows files/processes that in Automatic mode could do whatever they want. They are just as vulnerable as svchost.exe and need to be taken care of just like ESET did with svchost, winlogon, etc.


  10.  

     

    This: https://forum.eset.com/topic/51-future-changes-to-eset-smart-security/page-14#entry17761

     

    Also: Let us enter DNS addresses for rules (remote DNS address, and also let us add DNS addresses to zones)

    Also: When a FW pop-up appears, let me copy the information in this window (e.g. the IP address). Right now I can't mark & copy anything in the notification window

    Also: Add a Windows Update rule to the standard rule set of svchost.exe (ports 80 & 443, and maybe restrict it to Microsoft update servers only)

    Also: Add spoolsv.exe standard rules

    Also: Add rundll32.exe standard rules

    Also: Let us search within the rule editor, e.g. for filenames

     

    Update: 

    Make this a standard rule? https://forum.eset.com/topic/3701-block-pua-inside-installers-from-nero-burning-rom-orbit-downloader-imgburn-dvdvideosoft-install-them-without-opencandy/

    Also: https://forum.eset.com/topic/3437-poodle-attack-security-flaw-in-ssl-v3-eset-blocking/

     

    Also please add default rules or a description for the following Windows files:

     

    So far, I have noticed that the following processes all want to make regular connections:
    Host Process for Windows Services (svchost.exe)
    Host Process for Setting Synchronization (SettingSyncHost.exe)
    User Account Control Panel Host (UserAccountBroker.exe)
    Windows Explorer (explorer.exe)
    Windows Host Process (rundll32.exe)
    Store Broker (WSHost.exe)
    Windows Driver Foundation - User-mode Driver Framework Host Process (WUDFHost.exe)
    Device Association Framework Provider Host (dasHost.exe)
    Host Process for Windows Tasks (taskhost.exe)
     
    For example, right now I am worried about WSHost.exe because I don't even use the Windows Store and still it wants to send data to Microsoft?

     

    You are worrying that programs you install may call "home", but you don't worry that the OS (Windows) might call home to MS once in a while? Well, WSHost.exe is part of the OS and a lot in the OS wants to connect to MS, but that doesn't mean you have to allow everything that's part of the OS to connect out; you can even block stuff from connecting out without breaking the OS. If you Google around you can find more info about what is essential to be allowed and what isn't.

     

    IMO you are just making this harder for yourself. The pre-set rules that are in place today should be enough out of the box, or else I assume ESET would have added rules for the ones in your list already if they are that essential. I think it is better to have a small pre-defined set out of the box like today, and users who want to add more rules can do so afterwards if they like, so no one has to spend time removing rules that they don't want right after install. The pre-defined rules are fine, and Automatic mode will do the rest once users start using the computer.

     

    Again, there is a reason why Automatic mode is the default....

     

     

    I know that you can block some stuff without breaking anything. And obviously I Googled every one of those files and what other people recommend. A lot seem to make "useless" connections (e.g. feedsync when you don't use it, or the Windows Store).

     

    Besides that: there should be a rule set which lets you use Windows out of the box with interactive mode without much configuration being needed. For everything non-Windows-related you need to worry on your own. But all the above files are originally from Windows and need configuration in interactive mode.

  11. There are many "ask" rules. To find out which one is triggering the window with the action selection, tick the "Log" box so that applying a particular rule is logged in the firewall log. It seems there's another rule that is stronger than the rule allowing communication on port 161.

     

    Hmm, I am not sure if I fully understand the way it works. All the ask rules are either for other files or are pre-defined by ESET so that they cannot be changed. For spoolsv.exe there is a specific rule that allows the trusted zone and local addresses.

     

    Anyway, I will enable the log and try it out after work :)

     

    Thanks

  12.  

    This: https://forum.eset.com/topic/51-future-changes-to-eset-smart-security/page-14#entry17761

     

    Also: Let us enter DNS addresses for rules (remote DNS address, and also let us add DNS addresses to zones)

    Also: When a FW pop-up appears, let me copy the information in this window (e.g. the IP address). Right now I can't mark & copy anything in the notification window

    Also: Add a Windows Update rule to the standard rule set of svchost.exe (ports 80 & 443, and maybe restrict it to Microsoft update servers only)

    Also: Add spoolsv.exe standard rules

    Also: Add rundll32.exe standard rules

    Also: Let us search within the rule editor, e.g. for filenames

     

    Update: 

    Make this a standard rule? https://forum.eset.com/topic/3701-block-pua-inside-installers-from-nero-burning-rom-orbit-downloader-imgburn-dvdvideosoft-install-them-without-opencandy/

    Also: https://forum.eset.com/topic/3437-poodle-attack-security-flaw-in-ssl-v3-eset-blocking/

     

    Also please add default rules or a description for the following Windows files:

     

    So far, I have noticed that the following processes all want to make regular connections:
    Host Process for Windows Services (svchost.exe)
    Host Process for Setting Synchronization (SettingSyncHost.exe)
    User Account Control Panel Host (UserAccountBroker.exe)
    Windows Explorer (explorer.exe)
    Windows Host Process (rundll32.exe)
    Store Broker (WSHost.exe)
    Windows Driver Foundation - User-mode Driver Framework Host Process (WUDFHost.exe)
    Device Association Framework Provider Host (dasHost.exe)
    Host Process for Windows Tasks (taskhost.exe)
     
    For example, right now I am worried about WSHost.exe because I don't even use the Windows Store and still it wants to send data to Microsoft?

     

     

    Also: Let us sort rules in the rule editor up and down. I am curious in which way the rules get evaluated anyway: first rule first, then second, then third, ... until the needed rule is found? If that is the case, let us sort the rules so we can put the most used rules first in the rule editor.

  14.  

    Since installing Windows 8.1, I have been absolutely stunned with the amount of outgoing traffic to Microsoft.  It really is astonishing.
     
    I was wondering if ESET or any other users on here have any advice on what to block and whether it has any consequences in the day to day running of the system please?
     
    So far, I have noticed that the following processes all want to make regular connections:
    Host Process for Windows Services (svchost.exe)
    Host Process for Setting Synchronization (SettingSyncHost.exe)
    User Account Control Panel Host (UserAccountBroker.exe)
    Windows Explorer (explorer.exe)
    Windows Host Process (rundll32.exe)
    Store Broker (WSHost.exe)
    Windows Driver Foundation - User-mode Driver Framework Host Process (WUDFHost.exe)
    Device Association Framework Provider Host (dasHost.exe)
    Host Process for Windows Tasks (taskhost.exe)
     
    I appreciate that some traffic will be related to updating background apps and live tiles etc but I have opted out of the ceip and disabled checking for updates for Windows and drivers so I'm a little unsure on what a lot of this traffic is all about.
     
    There's also a lot of connections to Akamai, CloudFlare and Edgecast CDNs. In light of the ongoing Heartbleed attacks, I'm a little uneasy about the traffic so any advice or suggestions would be good.
     
    Plus many of the processes above will call home to my ISP too.
     
    If the firewall was in automatic mode, how much of this traffic would it be letting through?
     
    Thanks.

     

     

    I need to bump this old thread because I think there SHOULD BE default rules for all these system files. Users worry about them, so give them default rules?

     

    Right now I am also asked about WSHost.exe.. but I don't even use the Windows Store. So why would it need an internet connection or send data to Microsoft?
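    To answer the "who is calling where?" question from the posts above without waiting for firewall prompts, here is an added PowerShell example (not ESET's code and not from this thread) that lists every established outbound TCP connection with its owning process, the services hosted in that process (so a generic svchost.exe entry becomes e.g. wuauserv or BITS), and whether the peer is on a private network. It assumes Windows 8/8.1 or later, an elevated shell (process paths and the service table need administrator rights), and that the peer addresses being checked are IPv4. UDP is not covered: Get-NetUDPEndpoint only reports local sockets, since UDP has no connection state.

```powershell
# Added example, not ESET's code: map live outbound TCP connections to the
# process and services behind them. Run elevated on Windows 8/8.1+.

function Test-PrivateIPv4 {
    param([string]$Address)
    # True for 10/8, 172.16/12 and 192.168/16, the ranges a home "trusted zone" normally covers.
    return (($Address -match '^10\.') -or
            ($Address -match '^172\.(1[6-9]|2\d|3[01])\.') -or
            ($Address -match '^192\.168\.'))
}

function Get-OutboundByProcess {
    param([switch]$ResolveNames)   # reverse-DNS each peer; slow, so off by default

    # Build the service table once so svchost.exe PIDs can be expanded to service names.
    $svcByPid = Get-CimInstance Win32_Service |
        Group-Object ProcessId -AsHashTable -AsString

    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0$)' } |
        ForEach-Object {
            $conn = $_
            $pidKey = [string]$conn.OwningProcess
            $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue

            $services = ''
            if ($svcByPid -and $svcByPid.ContainsKey($pidKey)) {
                $services = ($svcByPid[$pidKey] | ForEach-Object { $_.Name }) -join ','
            }

            $peerName = ''
            if ($ResolveNames) {
                try   { $peerName = [System.Net.Dns]::GetHostEntry($conn.RemoteAddress).HostName }
                catch { $peerName = '(no PTR)' }
            }

            [pscustomobject]@{
                Process  = if ($proc) { $proc.ProcessName } else { "pid $pidKey" }
                Path     = if ($proc) { $proc.Path } else { $null }   # needs elevation for system processes
                Services = $services
                Remote   = "$($conn.RemoteAddress):$($conn.RemotePort)"
                PeerName = $peerName
                LocalNet = Test-PrivateIPv4 $conn.RemoteAddress
            }
        }
}

# Usage: one row per connection, sorted so repeated callers stand out.
Get-OutboundByProcess -ResolveNames |
    Sort-Object Process, Remote |
    Format-Table Process, Services, Remote, LocalNet, PeerName -AutoSize
```

    Run it a few times over a day and the rows with LocalNet = False and an empty Services column are the ones worth a rule decision; an svchost.exe row whose Services column contains wuauserv or BITS is the Windows Update traffic discussed later in the thread.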

  15.  

    Still I get asked about a UDP 161 connection to 192.168.1.59 (which is a local address and within my home network = trusted zone) ?

     

    Any suggestions?

     

    I also find "Trusted Zone" doesn't work that reliably.

    I guess the problem is it is defined dynamically so may not be set up properly when it is initially used. As my computers are mostly on a network with a static IP range, adding this range appears to fix it for me.

     

     

    Yep that would fix it for me too, but adding "local" or "trusted" would be a lot more comfortable. Especially when using a laptop in different WLAN/office networks :)

  16.  

    Yes, you already said this. :D

     

    Also: Let us enter DNS addresses for rules (remote DNS address and also let us add DNS addresses to zones)

    This could be an idea, but it can even be very bad if the DNS server is compromised or there is a kind of "DNS server malware" on your computer which redirected all DNS queries to a fake/another/bad/... DNS server.

    So using IP addresses there is more secure.

     

    Also: When a fw pop up appears, let me copy the information in this window (e.g. the IP address). Right now I can't mark & copy anything in the notification window

    Yes great idea. I think you mean something like I described in post #149 in this topic.

     

    Well, maybe this can be an idea. Although svchost.exe of course does much more than just Windows updates.

     

    What rules? Do you mean the firewall rules?

    I think it's quite good if not too many rules are created by default...

     

    Yes, that's a great idea!

    A search function would make it much easier if you want to find specific rules.

     

    Thanks! :D

    But also have a look at my update I added there. So you can make ESET already detect OpenCandy.

     

    Thanks too! :D

    I also think this could be a good idea. That's why I made the post. :)

     

     

    Allowing to add DNS is the only real way to e.g. allow Windows Update servers for svchost.exe. Their server IPs change daily so I would need to add update.microsoft.com as "allowed".

    Yep svchost.exe does a lot.. one is Windows Update and it should be allowed ;-)

    Well either allow or deny rules.. whatever is safe for those files. I don't know what is safe but get asked by ESET ;P

  17. Hey there, I have disabled the "exclude trusted apps from modification detection" and added two exclusions myself. When I reboot the exclusions change to completely different files. 

     

    E.g. instead of HitmanProAler.exe I had skype.exe

    instead of mbam.exe I had dnscrypt.exe

     

    Please fix that :)

     

    If you need a video / screenshots: let me know

  18. This: https://forum.eset.com/topic/51-future-changes-to-eset-smart-security/page-14#entry17761

     

    Also: Let us enter DNS addresses for rules (remote DNS address and also let us add DNS addresses to zones)

    Also: When a fw pop up appears, let me copy the information in this window (e.g. the IP address). Right now I can't mark & copy anything in the notification window

    Also: Add a Windows Update rule to the standard rule set of svchost.exe (port 80 & 443 and maybe restrict it to Microsoft update servers only)

    Also: Add spoolsv.exe standard rules

    Also: Add rundll32.exe standard rules

    Also: Let us search within the rule editor... e.g. for filenames

     

    Update: 

    Make this a standard rule? https://forum.eset.com/topic/3701-block-pua-inside-installers-from-nero-burning-rom-orbit-downloader-imgburn-dvdvideosoft-install-them-without-opencandy/

    Also: https://forum.eset.com/topic/3437-poodle-attack-security-flaw-in-ssl-v3-eset-blocking/

  19. You have also the possibility to activate the interactive mode. Then you will get an allow/deny question when an application is trying to connect somewhere and there you can also create rules and specify all the things you like (when you expand it with "show advanced options")...

    (attachment: ESS_InteractiveFirewallQuestion_advancedOptions.png)

    There you even have a button "custom rule" where you get the "normal" window for adding a rule - just with the difference that the settings you set in the notification will be shown there too and you can "fine-tune" them. :D

     

    And also with HIPS (in interactive mode) you have a similar possibility:

    (attachment: ESS_InteractiveHIPSQuestion_advancedOptions.png)

     

    I think this way you can see not only what ports (and other things) are used/needed, but also create the rules easier and faster.

     

    Hmm I am not happy with automatic mode as this will basically allow all home calling. I would like to allow everything that is safe to the connections that are safe. That way, even when something gets exploited, it will only be allowed to "call home" to the safe connections that I allowed and not send my passwords and data to whoever it wants?

    If you want this I think you would have to specify not only the port, but even the IP addresses and that is time consuming.

     

    I think I have configured about 50% of my system within an hour. But now I am having trouble with system specific rules and a few apps where I am not sure how to handle them.

     

    E.g. svchost.exe

    rundll32.dll

    spoolsv.exe

    etc

     

    For example I am wondering if I should allow port 80 and 443 for svchost.exe... according to Google this is for Windows Update but ESET doesn't have a rule for it out of the box?

     

    And btw, I am already running interactive, that's why I have all those questions ;P
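    The "svchost.exe only on 80/443" and "UDP 161 only inside the trusted zone" rules asked for in this thread, written as an added PowerShell example (not ESET's code and not something ESET's firewall exposes this way) for the built-in Windows Firewall, which has the same building blocks: program, protocol, remote ports, remote address keywords such as LocalSubnet. It assumes Windows 8/8.1 or later with the NetSecurity module and an elevated shell. Two caveats the thread itself touches on: an allow rule only constrains a program once the profile's default outbound action is Block (with the Windows default of Allow the rules change nothing), and Windows Firewall cannot take a hostname such as update.microsoft.com, so the "Microsoft update servers only" part can only be done by ports here, not by address.

```powershell
# Added example, not ESET's code: outbound allow rules for the built-in Windows
# Firewall that mirror the rules requested in the thread. Run elevated.

$SvcHost = "$env:SystemRoot\System32\svchost.exe"

function New-OutboundAllowRule {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$Program = 'Any',                 # full path of the executable, or Any
        [ValidateSet('TCP', 'UDP')][string]$Protocol = 'TCP',
        [string[]]$RemotePort = 'Any',
        [string[]]$RemoteAddress = 'Any',         # IPs, CIDR ranges, or keywords such as LocalSubnet
        [string[]]$Profile = @('Domain', 'Private')
    )
    # Idempotent: re-running the script must not stack duplicate rules.
    $existing = Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue
    if ($existing) { return $existing }

    New-NetFirewallRule -DisplayName $Name -Direction Outbound -Action Allow `
        -Program $Program -Protocol $Protocol -RemotePort $RemotePort `
        -RemoteAddress $RemoteAddress -Profile $Profile -Enabled True
}

function Set-DefaultOutboundBlock {
    # "Deny unless allowed" for the home/office profiles; without this the allow
    # rules below are no-ops because everything outbound is already allowed.
    Set-NetFirewallProfile -Profile Domain, Private -DefaultOutboundAction Block
}

function Get-OutboundAllowRules {
    # Review helper: program, ports and addresses of every outbound allow rule.
    Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
        ForEach-Object {
            $rule = $_
            [pscustomobject]@{
                Name    = $rule.DisplayName
                Program = ($rule | Get-NetFirewallApplicationFilter).Program
                Ports   = ($rule | Get-NetFirewallPortFilter).RemotePort -join ','
                Remote  = ($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ','
            }
        }
}

# 1. svchost.exe: HTTP/HTTPS only. Windows Update, BITS and WinHTTP all run inside
#    svchost, so this is the thread's "port 80 & 443 for svchost.exe" rule.
New-OutboundAllowRule -Name 'Allow svchost.exe HTTP(S) outbound' `
    -Program $SvcHost -RemotePort 80, 443

# 2. The UDP 161 (SNMP) prompt from the thread: permit it only towards the local
#    subnet, which is what a "trusted zone" rule does. The program is left as Any
#    because the thread does not say which executable raised the prompt.
New-OutboundAllowRule -Name 'Allow SNMP (UDP 161) to local subnet' `
    -Protocol UDP -RemotePort 161 -RemoteAddress LocalSubnet

# 3. Only after the allow list is complete: flip the default so everything else
#    outbound is denied. Left as a call to make rather than run automatically.
# Set-DefaultOutboundBlock

Get-OutboundAllowRules | Format-Table -AutoSize
```

    The last step is deliberately commented out: switch the default outbound action only after Get-OutboundAllowRules shows every program you rely on, otherwise the result is the same flood of prompts and breakage the thread is trying to avoid, just from a different firewall.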
