Utini

Everything posted by Utini

  1. Hmm, I am not happy with automatic mode as this will basically allow all home calling. I would like to allow everything that is safe to the connections that are safe. That way, even when something gets exploited, it will only be allowed to "call home" to the safe connections that I allowed and not send my passwords and data to whoever it wants? @edit: also, why is there no http/https rule for svchost.exe as a pre-rule in the FW? There are a lot of standard rules for svchost.exe like dns/dhcp but not for http/https?
  2. Yes, I did that, but what other ports should I allow? E.g. 443 for https. In general I think it would be useful to add such "specific" rules as a standard rule set for "new users"? Or even automatically apply such rules to specific categories of apps (e.g. browser)? And as I am currently creating a few rule sets: I used this "guide" for creating a torrent.exe ruleset with my previous firewall. If I follow this guide with the ESS FW, will it work too? Only that "destination" is "remote" and "source" is "local"? Doesn't look like it works as it is supposed to. I still get asked about some "UDP in" although it is within the allowed port range. In general I shouldn't get any notification anymore, as everything should get blocked except what is allowed in the rules. But I still get a few notifications.
  3. Hey there, I know from CIS and KIS that they have certain predefined rulesets that you can use for Firefox, Chrome, ... E.g. they have "browser" or "installer" or "system app". The "browser" rule set would automatically limit the app that uses this rule set to allow only http/https communication (so only the specific ports), where "installer" or "system app" would have different settings. Is there any KB entry or guide on how to do this with ESS? Or any "guidelines" on how to configure those specific categories of apps? I don't want to allow my browser to use "all communication" it gets. In a custom rule it would only allow the communication to the specific IP that is requesting. It is not much work to delete the IP in the custom rule so that the rule is port-specific, but still it would be more secure/user friendly to tell the users how to configure the rules for their apps the best? Thanks
  4. Deny where? It appears only in interactive mode of the firewall and HIPS, but selecting Deny automatically would not only render interactive mode useless but would also cause too many troubles if every action/communication was denied without asking the user.

     The rules say "allow on failure".. I think what mar122999 meant is that "block on failure" is more secure?
  5. Hey there, I see differences in file size and "creation timestamp" between both setup files. What's the difference between the US-Live-installer.exe and the AT-Live-installer.exe? md5 of US setup: 3AC4063D2D7F2AE8F1DAA8D039C6F00C, md5 of AT setup: 1507EB03E05D799071A5D8C31C64DD35. Thanks. Also, is there an offline installer? I don't want to go online without a firewall, e.g. in my case: uninstall CIS; install ESET and configure FW; go online. Without an offline installer I would: uninstall CIS; go online; install ESET and configure FW.
  6. Yep, I had those options enabled. I don't want to just block everything. That could break some apps without me even realizing it.
  7. Yep, today I did a few more tests with ESS and compared it to CIS (which is the product I used for the last 1-2 years): ESS seems to have the better AV and HIPS compared to CIS. However, CIS has the advantage of blocking & notifying me for every "unknown" file that I execute. This way I get the chance to validate the file, e.g. on VirusTotal. I will also be notified that this file might not be original (e.g. if I download ccleaner.exe but I get a block & notification, I will know this can't be the original ccleaner.exe). In the end this little advantage of CIS gave better detection & block results. ESS has advantages over CIS (and other security products), but I believe that one (major?) disadvantage is to not have an "online background check" of apps.
  8. Already read those links. I bought an ESS license for ~13$ today on Amazon. I will uninstall CIS and use ESS for the next few months (or longer if I like it). Smart Mode HIPS made "good" results today. 2 toolbars were able to install and one .exe file was executed without any warning. However, MBAM and HitmanPro didn't detect them either.. I still have them installed on my vbox and will see if they get detected within a few weeks (or maybe they aren't even malware). Anyway, as I use the FW in "interactive" I was able to block the home-calling of those files and at least got one pop-up that notified me about some random.exe trying to send data. I will take the time to create an FW rule for every app on my system. Everything new will be added if it's trustworthy. AV-wise and HIPS-wise ESS seems to be better than CIS. However, CIS has the advantage of blocking every "unknown" file with a pop-up. This alerts me and tells me that the file I just downloaded might not be original or is very unknown. Therefore I can check the file on e.g. VirusTotal before I finally execute it on my system. Thanks for your help, I might come back with a few questions soon! ;P
  9. Yep, I still have CIS installed. Not sure if the uninstaller will completely remove everything from CIS, but I guess so. Well, CIS is free ;-) HMPA is free for me as I beta tested it. And with MBAM Pro I have the lifetime license. But I guess when I find a discounted offer I can live with a few € a year.

     I didn't mention Comodo because I thought you knew why it is free, one reason is because of their cert business. ;-P But HMPA can also be worth paying for for non-license holders: buy HMPA, get HMP for free; buy HMP, get HMPA for free. Nice deal IMO. Yes I know, but you wouldn't be able to get your hands on a lifetime license today for MBAM as they don't sell them anymore. I tried Comodo a couple of years ago...never again! Not sure how good their uninstaller is these days, you can always check manually afterwards for left-overs like drivers etc... It's very easy to find good deals for ESET in the U.S. when for example Newegg almost gives away licenses....but in Europe it can be a bit trickier. But if you look hard enough you might find some.

     Who knows if other companies aren't in the same "cert business". Just because we caught one company doing it doesn't mean the others won't do it as well. I would wonder anyway how many AV companies would open their doors when the NSA knocks (although according to some tests CIS was the only one who blocked NSA spyware) ;-) Mhh, any ideas what the best way is to find leftovers of CIS? Should I rather use some "uninstaller app"?
  11. Not completely. I will do a few more tests with smart mode in a vbox tomorrow. Also I will look for the best way to completely remove CIS (if there is one). If everything looks fine I will wait until I find a decent discounted offer (I generally don't like to pay for software, especially not yearly. MBAM Pro is the only exception as I have a lifetime license). In the meantime I will play around with Emsisoft. Thanks for your help!
  12. Yes, you are right, HIPS in Smart Mode with FW in interactive could be the fine line that I could live with. However, isn't the HIPS faster when there are rules defined for an app instead of it having to analyze it over and over again (smart mode checks the behaviour every time I run an app)? Emsisoft gets my vote as it comes from the same country I live in (Austria) ;P But it surely doesn't seem to be as lightweight. Also I prefer the interface of ESET.
  13. Thanks for sharing that even if you don't like Comodo. I am currently looking into Emsisoft Internet Security. I think performance-wise it is better to use one suite instead of different products from different companies. I already use MBAM Pro and HitmanPro Alert as realtime protection, so that is more than enough crossing between companies ;P Maybe I can find my way into using ESS with a rule for every app on my system. And when something new gets installed I will just add a new rule for that.
  14. I use interactive firewall mode. You do not need a large rule set and it does not appreciably slow ESS down. You will get notifications when an application starts accessing the internet (recently installed or otherwise). If this is not what you want, then don't use interactive mode. Rules can be as specific or general as you want. A relatively easy way of generating specific rules is to get ESS to remember and allow each specific attempt during a "training phase". Then look at the rules generated and create general rules covering all likely use requirements (using lists, ranges, and masks as appropriate). You will find similar applications need similar access (web browsers, email clients, office applications etc). As I do not have that many applications, it isn't actually as hard as it sounds.

     I thought when I "allow an app and remember as rule" it would be saved in the "rules" so I could edit them later? That way I would create a rule for each app in FW and HIPS. However, I can't find the HIPS/FW app-specific rules anywhere?
  15. Leaving the firewall in "automatic" is for my understanding very unsecure. I want to know about and disable home calling. Especially when some random.exe does that. Smart mode from the wiki: Smart mode: Only suspicious system events trigger a notification beyond the set of pre-defined rules in Automatic mode (operations such as system registry, active processes and programs). So I tried smart mode with malware files from "malcode.com" and found out that from ~15 links 1 was able to come through. Not that "splendid" I think. So if you ask me the chance is there and not even that small for malware to pass through all the layers, which means I would need to use interactive mode. But then I will end up with many many notifications. I wished there was a rule set like smart mode just with the addition of online whitelisting. So basically it would check rules, if no rule for the app exists check whether the app is safe or known via online whitelisting. If not - bomb me with notifications please.

     When I said splendid I obviously meant in a real-world usage situation, not hammering the product with malware link after malware link. But thanks for your test, 15 nailed out of 16 is very good. No, I still stand by my word that the chance is small in real-world usage situations. My friend is what you call a high risk user or a "happy clicker/downloader" and he doesn't manage to get infected with ESET during normal usage, but if I would tell him "go to malc0de and click on every link that you see, and execute each file that you are able to download"...then the usage situation is totally different. He's not an AV tester but a normal (maybe a bit extreme) computer user. If it would be "very unsecure" to leave the firewall in the Automatic mode, do you really think it would be the default mode or even exist in the product? I mentioned alternatives in case you don't want to use the Automatic as well. In interactive you will be notified when something calls home, but it is not the most convenient mode that you seem to be asking for. But if you know how to respond to every FW notification then try it, and if you don't like it, change to another mode. But if you really don't trust these modes, then maybe you should put both the HIPS and Firewall in Learning mode for a few days while you use your computer, after that try interactive and the "bombarding" on you should be considerably less than if you started with interactive mode right away. But you will not be able to allow or deny anything in these modes, the automatic firewall mode is actually much more secure than learning mode that won't block anything but "learn" your system and apps. Personally, I am no big downloader so having the Firewall in policy-based mode suits me perfectly, I have allow rules for everything I need, and I will not be notified to allow or deny anything at all as everything is denied and blocked by default unless there is an existing allow rule. And I love this mode, I call it "dead quiet mode".

     Hmm, I think 1 out of 15 is pretty bad. With KIS and CIS I had like 0 out of 200. And as a "brain" user I want protection just against that 1% of malware which is unknown and injects through some XSS or Java drive-by hidden on some exploited website or similar. Because everything else is no matter to me as I know how to prevent it and already act correctly. In the end I think interactive with a big rule set is what I need to use with ESS. Will a big rule set slow down ESS or the system? That was the case with KIS. Btw, I think the standard settings are, just like with every other security product, meant to be user friendly and easy to use. Thanks

     If you would have had the HIPS in interactive mode, you would most likely have seen a popup for the sample that sneaked by. You can make the HIPS very tight compared to the default or the smart mode if that's what you're looking for. It's possible to do that, but it's not going to be as convenient as you would like it to be I guess. Yes, the default is the best for the majority of the user base, a good balance between protection and system performance. I have never tried to use a big ruleset as I don't see a need for it, the only way to find out if a big ruleset will slow things down or not is if you try it yourself. There is a "known safe" cloud white list in Live Grid but it is not used as a detection mechanism today, e.g. detection of non known safe files. But it is used in other ways during scanning for example. And also to block bad files that no signature has been created for yet. I don't know exactly what you had in mind, but I posted a future suggestion that could work based on that if the user wants to. You can read the post to see if it is something similar to what you have in mind: https://forum.eset.com/topic/51-future-changes-to-eset-smart-security/?p=17761

     Yes, your suggestion sounds pretty much like what I am looking for. Until then I will play around a little with interactive mode or stay with CIS. Thanks for your help! @edit: One more thing though: Smart mode has: rules, ask on suspicious, allow on failure. Why not block on failure? That would be safer? And what I also don't understand, let's say I use interactive and create rules for every application. Where do I find those rules for HIPS? E.g. each app and its permissions?
  16. I am sure ESS is strong in the different security layers that it provides! So far ESS has a lot that I like. I just don't really like its rule system. I believe some "online check" which validates if the app is legit or not would be a very nice addition. Especially in terms of user friendliness. Not to allow the app or act based on its signature, but only to let the user know that the "ccleaner.exe" or "winzip.exe" is actually a valid file and not some "fake" or "manipulated" file. Has interactive mode with a big rule set been tested already? Any performance loss?
  19. In ESS, this can be accomplished by switching the firewall to policy-based. In fact, there are pre-set rules that cannot be removed completely from the list and it's only possible to disable them, if needed for whatever reasons. We recommend using automatic mode, which allows all outbound communication and blocks all non-initiated inbound communication. If you want to use rules, you can switch to learning mode until all necessary rules are created automatically, or interactive mode which will enable you to create rules ad hoc. No. Let's assume that malware gets injected into a clean system process. In such a case, the firewall would consider such a process safe as it would look for cloud information about the clean system process and allow the communication.

     But going into interactive mode to create a big rule set will slow down the system? I don't like allowing all outgoing connections as I want to see which apps are "home calling", as well as I like to be notified when "random.exe" tries to send some data. So my best option for HIPS and FW is to create a big rule set for all my apps. This will slow down the system or not? Also, I will get bombed with notifications whenever I install or run a new app for the first time? What I like about "online whitelisting" is to simply see if the file I try to run is "known" and "secure" or "original" and not some "setup.exe" which has a trojan bound to it. With ESS I can only hope that the AV knows the threat or that the HIPS will warn me correctly + me understanding and acting correctly? Thanks for your help. So far I really like the interface of ESS!
  20. Hey there, I have been using Kaspersky Internet Security and Comodo Internet Security for years and now want to switch to ESET Smart Security. I have a few questions concerning the settings (rules): In KIS I had to define rules for EVERYTHING. When I had all my rules I had no more pop-ups (HIPS and FW). But it made the whole security suite slow, as over time the rule set grew a lot. In CIS everything was checked online. If the application was whitelisted online, HIPS or FW didn't bother me and allowed the app. If the app wasn't whitelisted or not known, I would get asked what to do with it. No rules to slow down the suite, no disturbing pop-ups, but still, when I downloaded e.g. "ccleaner.exe" but it wasn't the original one, I would get asked what to do with it. So how does ESS work? From what I could find out in my VirtualBox malware test it seems to need a rule for everything too? Will that slow down the system when the rule set grows? Why isn't there a rule pre-set "rule, ask, block on failure"? I only see rules with "allow on failure". That seems a bit insecure? So there is no "online check" for whitelisting and automatically creating rules? Thanks in advance!