itman

Posts posted by itman

  1. One additional comment about Eset's Network Troubleshooting Wizard. You should not be relying on this as your primary method to block unwanted inbound network traffic. The Wizard was actually designed primarily to automate firewall rule creation for internal apps that are being blocked for some reason. And as far as I am concerned, it creates very permissive rules.

    If your router does not employ a stateful firewall that will block any incoming unsolicited network traffic, you should seriously consider purchasing one that does. The router is the point where you want to block any unwanted inbound traffic.

  2. 1 hour ago, cutting_edgetech said:

    Many of my Network attacks don't get logged since they get blocked when there is not an allow rule to allow their attempts to access my network.

    Set the logging severity to "Warning" for all existing Eset firewall "Block" rules. This includes the default ones. This will result in a log entry always being created.

    1 hour ago, cutting_edgetech said:

    Is there a way to make Eset Log access attempts that get blocked for when there is no allow rule, and no specific block rule? 

    Not that I am aware of. The HIPS has such capability; but only for blocked activity.

    On the other hand, the "Blocked" activity shown by the Network Wizard is primarily a result of existing Eset firewall block rules. Hopefully by modifying logging severity as noted above, you will be provided with most of the detail you desire.

  3. I believe what we are talking about here is the difference between machine learning and deep learning as noted in this article: https://www.zendesk.com/blog/machine-learning-and-deep-learning/ .

    Quote

    Basic machine learning models do become progressively better at whatever their function is, but they still need some guidance. If an ML algorithm returns an inaccurate prediction, then an engineer needs to step in and make adjustments. But with a deep learning model, the algorithms can determine on their own if a prediction is accurate or not.

    Eset has employed machine learning for years. I assume with the inclusion of the "advanced machine learning" module, they are introducing established and proven AI algorithms into the Augur engine.

  4. Hum ........ Not sure "You're out of the woods" on this browser and also Waterfox.

    To begin, other things need to be in place for Eset's SSL/TLS browser protocol scanning to work properly. The browser must either use the Windows root CA store, where Eset's root certificate is installed by default at installation time, or Eset's root certificate must be added to the browser's root CA store. The latter is done by Eset automatically for the browsers it officially supports: Chrome and Firefox. IE11, Edge, and possibly Opera use the Win root CA store.

    The fact that you were able to pass the AMTSO phishing test by force enabling Eset SSL/TLS scanning for both does not imply that it is functioning properly on both Brave and Waterfox.
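    The prerequisite the post describes (the scanner's root certificate must be in the trust store the browser actually consults) can be checked from PowerShell. This is an added example and not code from the post or from ESET; it assumes the ESET root certificate's Subject contains the string "ESET" (adjust `$SubjectNeedle` if yours differs), and it reads each Firefox profile's `prefs.js` for the `security.enterprise_roots.enabled` preference, which makes Firefox trust the Windows root store in addition to its own NSS store.

```powershell
# Added example (not from the forum post or ESET): verify the root-certificate
# prerequisite for SSL/TLS protocol scanning described above.
# ASSUMPTION: the scanner's root certificate Subject contains "ESET".
param(
    [string]$SubjectNeedle = 'ESET'
)

# Browsers such as IE11, Edge and Chrome trust these two Windows stores.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

foreach ($store in $stores) {
    $found = Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like "*$SubjectNeedle*" }

    if ($found) {
        foreach ($cert in $found) {
            # Confirm it is really a CA certificate, not just a leaf with a similar name.
            $bc = $cert.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] } |
                Select-Object -First 1
            [pscustomobject]@{
                Store      = $store
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                IsCA       = if ($bc) { $bc.CertificateAuthority } else { $false }
            }
        }
    } else {
        Write-Warning "No certificate with '$SubjectNeedle' in its Subject found in $store"
    }
}

# Firefox keeps its own NSS trust store; this preference tells it to also trust the
# Windows root store. A missing line means the build's default applies.
$profileRoot = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
if (Test-Path $profileRoot) {
    Get-ChildItem -Path $profileRoot -Directory | ForEach-Object {
        $prefs   = Join-Path $_.FullName 'prefs.js'
        $enabled = (Test-Path $prefs) -and
                   (Select-String -Path $prefs -Pattern 'security\.enterprise_roots\.enabled",\s*true' -Quiet)
        [pscustomobject]@{ FirefoxProfile = $_.Name; TrustsWindowsRoots = [bool]$enabled }
    }
}
```

    Run it as the user whose browser you are checking, since the CurrentUser store and the Firefox profile directory are per user. A browser that uses neither the Windows stores nor a store this script inspects (Waterfox and Brave are the examples in the thread) needs its own trust store checked separately, which is exactly the gap the post is pointing at.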

  5. Very strange behavior.

    I use the Network Troubleshooting feature all the time. In fact, as recently as last weekend. This last instance was because of some old deeply embedded malware that appears to be related to a drive I have Win 7 installed on. I haven't accessed this drive directly in years, but running a WD periodic scan must have triggered it somehow. It was a pretty ugly event, with my assumption being that my Win 10 1809 build on the same device was totally trashed. Turns out luckily it wasn't. Appears the malware injected explorer.exe but couldn't run properly from there on Win 10.

    Anyway, prior to this I had created Eset firewall rules to monitor all outbound explorer.exe traffic. As I knew from past experience with this malware years ago, it attempted to connect to an IP address in Taiwan via port 21 that serves up the Conficker worm of all things. Anyway, when the Eset firewall alert appeared, I blocked it and had it create a firewall rule to block port 21 outbound traffic from explorer.exe. Thereafter, I monitored for any like outbound traffic using Eset's Network Wizard until the previously blocked connections shown timed out.

    From everything I have observed, Eset Network Troubleshooter is working w/o issue.

  6. As far as what systemrequirementslab.com does:

    Quote

    A site that will check your system's specs and compare it to a specific game's requirements.

    I do not recommend it because it just compares to steam/wherever the specs to run are taken from and those are not always the best.

    Yeah, minimum system requirements are more like the minimum/oldest the devs bothered to test the game on.

    The site just checks boxes, for the GPU it only bothers to look at pixel and vertex shader versions and allocated vram and for the CPU the number of cores and boost frequency.

    Checking Resident Evil 4, it says my laptop can't run it because its core m3 doesn't have 512mb vram and doesn't run at 2.4/2.8GHz, even though it can dynamically allocate 2GB and has 60-100% higher IPC than the listed minimum requirement CPUs. It can run it at 720p with HD textures and 30fps with no issues even with a TDP limit locked at 4W.

    And one example of negative effects from using the site:

    Quote

    I tried the site. It checked for game, couldn't run it, (which I figured I couldn't but I wanted to try). To check it, I had to download a file from the site and run that. I did so.

    Now, every time I start my computer, the website asks to save a cookie. So, apparently, this installed a program that repeatedly tries to connect my PC to them, and I cannot find this program.

    I deleted the initial program that I downloaded, and could not find anywhere that it had installed anything.

    So, at this point, I'd consider this malware. It's installed something on my computer that runs at startup, I can't find it to remove it, and it's connecting to an internet address that I cannot stop it from connecting to. https://cdn.discordapp.com/attachments/481911309504610314/503585896101314571/unknown.png

    Ref.: https://www.reddit.com/r/lowspecgamer/comments/8jbwex/can_you_run_it_a_site_that_will_check_you_systems/

  7. 13 hours ago, Sammo said:

    I'm getting really ticked off with Eset not properly protecting some of my browsers. 😠

    As far as I am aware, Eset IS, SS, and NOD32 Web Access protection filters all port 80 and 443 communication. It is therefore not restricted by browser used. Proof of this can be had by opening the Web and Email section in the Advanced setup option of the Eset GUI. Then open the List of SSL/TLS filtered applications section. You will observe a number of apps listed that are not browser related.

    What specific problems are you having with Anti-phishing protection?

  8. 5 hours ago, novice said:

    Win 7/64, fully updated , admin account, UAC set to max, IE with SmartScreen filter enabled.

    Assuming you have configured IE11 for max. protections, including, most importantly, EPM, AppContainer will protect you against most browser-based non-user-initiated downloaded malware. There is also the "security through obscurity" factor. Since IE11 usage these days is in the single digit category, malware authors have turned their attention to Chrome and Firefox. Also, although IE11 in its heyday topped the vulnerability charts, most of those have been resolved. Forget IE11 SmartScreen as a protection mechanism except for possibly unknown executables. I used IE11 for years and during that time had no more than two or three alerts from it.

    UAC at maximum level is your biggest native protection since it will prevent most but not all hidden privilege escalation attempts.

    Your biggest risks on these PCs are user-initiated downloads and in-browser based Javascript malware such as coin miners. MSE PUA protection is for all practical purposes non-existent. Only recently in Windows Defender has it become reasonably effective, and only if manually enabled. I certainly wouldn't use these PCs for any e-commerce activities since AppContainer won't prevent IE11 banking Trojan web site injection. Finally, MSE lacking any web filtering capability will only increase the odds of being adversely impacted by web site/server in-browser based malware.

    -EDIT- Go to this web site using one of your Win7/IE11/MSE PCs and see what the results are in regards to coin miner protection: https://cryptojackingtest.com/ . Note: if SmartScreen blocks access to the site, that's a false detection.
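    The two native protections the post leans on, UAC at its top level and IE11's Enhanced Protected Mode (EPM), are both plain registry values and can be audited in one pass. This is an added example, not code from the post; the UAC values under the `Policies\System` key are the documented ones (`EnableLUA`, `ConsentPromptBehaviorAdmin`, `PromptOnSecureDesktop`), and the IE values `Isolation` and `Isolation64Bit` under `Internet Explorer\Main` are, as I understand them, what the Internet Options checkboxes for EPM and 64-bit processes write; treat the "Expected" column as the state the post recommends and verify it against your own build.

```powershell
# Added example (not from the forum post): report whether UAC is at "Always notify"
# and whether IE11 Enhanced Protected Mode is on for the current user.
$uacPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $uacPath

# "Always notify" (top slider position) is ConsentPromptBehaviorAdmin=2 with the
# prompt shown on the secure desktop; EnableLUA=0 turns UAC off entirely.
$checks = @(
    [pscustomobject]@{ Setting = 'UAC enabled (EnableLUA)';                        Value = $uac.EnableLUA;                  Expected = 1 }
    [pscustomobject]@{ Setting = 'Admin prompt behaviour (ConsentPromptBehaviorAdmin)'; Value = $uac.ConsentPromptBehaviorAdmin; Expected = 2 }
    [pscustomobject]@{ Setting = 'Prompt on secure desktop (PromptOnSecureDesktop)';   Value = $uac.PromptOnSecureDesktop;      Expected = 1 }
)

# EPM is a per-user IE setting: Isolation="PMEM" enables it (AppContainer for tab
# processes) and Isolation64Bit=1 makes those processes 64-bit. Assumed value names.
$iePath = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
if (Test-Path $iePath) {
    $ie = Get-ItemProperty -Path $iePath
    $checks += [pscustomobject]@{ Setting = 'IE EPM (Isolation)';                  Value = $ie.Isolation;      Expected = 'PMEM' }
    $checks += [pscustomobject]@{ Setting = 'IE 64-bit processes (Isolation64Bit)'; Value = $ie.Isolation64Bit; Expected = 1 }
}

# A value that was never set reads as $null and therefore fails the comparison,
# which is the conservative outcome for a hardening check.
$checks |
    Select-Object Setting, Value, Expected,
        @{ Name = 'OK'; Expression = { "$($_.Value)" -eq "$($_.Expected)" } } |
    Format-Table -AutoSize
```

    Run it in the account that actually browses, since the EPM values live under HKCU. A row with OK = False is a setting the post would consider weaker than it should be on a Win 7/IE11/MSE machine.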

  9. 1 hour ago, novice said:

    I have been using MSE  for over 6 years on certain computers and I never got infected, so what conclusion should I make????

    Blanket statements like this are meaningless without a frame of reference. For example, none of those devices are used on a daily basis for Internet activities via browser. Do those devices employ supplemental security protection? If used for browser activities, are those restricted to accessing known safe web sites? Etc., etc.

    Overall, consider yourself very lucky. There is no way that using Win 7 and MSE equates to the protection provided by Win 10 and Windows Defender.

  10. As far as Eset's 0-day detection capability goes, it is often overlooked that they have one of the best malware research organizations in the world. Case in point.

    Microsoft published an article here: https://www.microsoft.com/security/blog/2018/07/02/taking-apart-a-double-zero-day-sample-discovered-in-joint-hunt-with-eset/ where they were alerted to a double 0-day malware instance courtesy of Eset's malware research group.

  11. Quote

    It's already detected as Python/Filecoder.AM. It's a Chinese ransomware written in Python with Chinese instructions

    I just checked the VirusRadar database and the signature for this variant was created on 7/28/2017.

    It really appears what happened in this instance was the malware was not properly submitted for analysis. This is what caused the unusually long delay in signature creation.

    One other thing that should be mentioned here. It is imperative that LiveGrid settings allow for submission of suspicious files for analysis. This is one of the primary methods Eset captures "in-the-wild" malware originating from Eset software installations.

  12. Background

    For some time, there have been forum postings regarding Eset's scoring in this test series. This has resulted in long and oftentimes mindless discussions on this issue. I am sure Eset has better use for its forum disk space.

    Solution

    Microsoft a while back adopted the use of published AV lab "transparency" reports to respond to its scoring in select AV lab tests. Their reports reflect typical Microsoft verbose detailing as only a concern with the resources it has to allocate to such an undertaking. Here's an example of a transparency report: https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE27O5A?ocid=cx-docs-avreports .

    I think it would be sufficient that Eset's report simply state the samples missed along with a brief explanation as to the cause for non-detection and corrective action implemented. Of course, there should be verbiage provided if Eset disputed the AV lab non-detection finding.  

  13. 1 hour ago, camelia said:

    Failed to create the Eset HIPS rule 

    Oh, my. This is one reason why I am always hesitant about showing my HIPS rules when asked. You should review HIPS rule creation using Eset built-in online help on the subject.

    1. For the first screenshot, change the Rule name prefix from "CameRule:" to "User rule:". All user-created rules should use this prefix. No need to log any events since you already know you're blocking Edge start up. Click the "Next" button.

    2. As far as the second screen - Source applications, you ignored my previously posted instructions. Click on the down arrow next to where "Specific applications" is displayed and select "All applications." Click the "Next" button.

    3. Your next screen displayed at this point should be Application operations. Deselect "All application operations." Select "Start new application." Click the "Next" button.

    4. The next screen displayed should be "Applications." Click on the down arrow next to where "All applications" is displayed and select "Specific applications." Click on the "Add" tab. Now enter the full path name for Edge there. Warning - verify that the EDGE .exe is actually stored at that location. Remember what I posted previously is for ver. 1809. Click on the "Finish" button.

    5. Click on any subsequent "OK" button shown to save your newly created HIPS rule.

    6. Reopen the HIPS section and verify that your rule was created as specified.

    Note this is my last instruction posting to you on how to create HIPS rules.

  14. 2 hours ago, camelia said:

    Hello @itman Could you please be so kind to post in this topic a screenshot of how you block Edge start up with an Eset HIPS rule?

    The Eset HIPS rule I monitor Edge execution with is shown below. Source applications setting for this rule is "All applications."

    Note: This rule works for me using Win 10 (x64) 1809. I haven't validated that this is so on 1903 since I haven't installed it yet.

    [Screenshot: Eset_Edge.png]

  15. 13 hours ago, novice said:

    Still I did not get it: if ESET encountered 10 times a certain malware which otherwise was detected by a significant number of vendors, why did not add a rule or something to have that particular malware detected?

    I guess you still do not understand my previous reply on this occurrence. An "in-the-wild" occurrence of 10 statistically equates to a near zero probability of capture, analysis, and mitigation using existing capture methods. The Eset forum response as to "10 times" was in regards to the "in-the-wild" instances of the malware; not how many times an Eset product detected it.

    The OP's complaint at the time was that three days had elapsed since his posting about his detection and still no specific signature for it had been issued by Eset. I can't recollect if the OP actually officially submitted the malware via Eset's in-product method to do so. I just recently did so for a malware sample Eset wasn't detecting that also originated geographically from this region with a low "in-the-wild" count. Eset promptly responded with detection capability in a few hours; the exact elapsed time I don't know since I wasn't specifically monitoring for that.

  16. 6 minutes ago, BeanSlappers said:

    Did you miss the question?  I didn't ask about microsoft, I didn't specifically ask about 0 day either.

    Eset and other AV vendors get data from malware feeds and honeypots world-wide. The problem is that there are certain geographic areas, such as China for example, where access to such data is restricted, filtered, or otherwise difficult to obtain in a timely fashion. Of course, malware dispersion and frequency is a major factor in detection by the aforementioned. If only a few samples exist in the wild, their targets are restricted to a specific area or business concern, etc., the likelihood of quick detection by existing monitoring methods is quite low.
