itman
Most Valued Members
Posts: 8,890
Days Won: 215

Everything posted by itman

  1. That is good to know. Question though is if it will be of any benefit. I have played with third party Win firewall add-ons in the past that tried to do the same. Most didn't work right due to the fact that there are hidden services that are not shown via Admin -> Services that Win uses. Many of these are triggered by BITS. However, restricting svchost.exe access to MS servers or its proxies e.g. Akamai gives very good protection.
  2. Just verified that after setting firewall to interactive and having created a rule for iexplore.exe, I did indeed receive an alert about a program change for iexplore.exe upon access of it after the Sept. Win Updates were downloaded and applied.
  3. Try this. Note the comment about not being able to reactivate WD once disabled. Ref.: hxxp://www.tenforums.com/antivirus-firewalls-system-security/5879-permanently-disable-windows-defender.html Since this is a TP, the option to turn off/disable Windows Defender is grayed out. However, you can turn it off by: Open Admin Command Prompt and type: gpedit.msc Maneuver to: Computer Configuration->Administrative Templates->Windows Components->Windows Defender Double click on "Turn Off Windows Defender" and select "Enabled" then click "Apply" WARNING: After turning off "Windows Defender", you might not be able to turn it back on. I suggest before trying this, make a backup image so you can restore to the way it was. Last edited by topgundcp; 05 May 2015 at 02:51.
  4. Just started using the firewall in interactive mode. I do wish that Eset would either store the URL versus the IP address in the generated outbound firewall rule. Or, at least provide an option to store either one. This would be most beneficial for rules covering svchost.exe, rundll32.exe, and the like that connect to Microsoft using many different servers and IP addresses. Also these processes are frequently targeted by malware. Creating rules that allow all outbound activity for these processes is not very secure. Creating a separate firewall rule for every IP address svchost.exe uses when connecting to Microsoft will result in dozens of rules being generated. I also believe this would not be a major issue to implement since the Eset firewall alert already displays the URL used for the connection. As such, the URL is available to be stored in the resultant generated outbound firewall rule.
  5. Maybe I was right after all. The below is from the Endpoint user manual. Notice what I underlined. So I assume you would have to be running in interactive mode initially or manually create rules for all apps you want monitored. Application Modification Detection The application modification detection feature displays notifications if modified applications, for which a firewall rule exists, attempt to establish connections. This is useful to avoid abusing rules configured for some application by another application by temporarily or permanently replacing the original application's executable file with the other application's executable file, or by maliciously modifying the original application's executable file. Please be aware that this feature is not meant to detect modifications to any application in general. The goal is to avoid abusing existing firewall rules, and only applications for which specific firewall rules exist are monitored. Enable detection of application modifications – If selected, the program will monitor applications for changes (updates, infections, other modifications). When a modified application attempts to establish a connection, you will be notified by the Personal firewall. Allow modification of signed (trusted) applications – Don't notify if the application has the same valid digital signature before and after the modification. List of applications excluded from checking – This window lets you add or remove individual applications for which modifications are allowed without notification.
  6. Tried to duplicate what you did. Modified "Microsoft" copyright data to "Midosoft" in IE10 x64 and saved it. Program wouldn't run; something about an x86/x64 compatibility issue. So the question remains why I am getting any alerts. Does the signed check apply to Windows apps? Obviously there have been many updates to those since I installed Eset. I have also manually updated RevoUninstaller Pro for example and never received any alerts on that. By manually, I mean I get a notice from the app upon start up that an update is available and I indicate that it is OK to download and install the update. Perhaps this only applies to apps that have been silently modified/updated during actual execution of the app?
  7. It's not clear how you would limit the firewall to monitor outbound or inbound communication separately. With the firewall enabled you should have received a notification with action selection. Of course, if the firewall is disabled then network-aware applications won't be monitored for changes. Hum ........ didn't say correctly what I meant. It is my understanding the firewall needs to be set to interactive mode to receive program update alerts? As you can see from the below screen shot, mine is set to the default automatic mode. And I have never received any update alert about signed or non-signed software. Note: I do all my updating manually. Does this feature only apply to automatic program updating?
  8. I have never received an alert about a file change and I have the "valid digital signature" option disabled. It is my understanding that this file change alerting only works if outbound firewall monitoring is enabled. Is this correct?
  9. So my questions are:
      - am I losing anything important if I do not turn on integration with Outlook?
      Per Eset Help: Integration of ESET Smart Security with email clients increases the level of active protection against malicious code in email messages. If your email client is supported, integration can be enabled in ESET Smart Security. When integration is activated, the ESET Smart Security toolbar is inserted directly into the email client, allowing for more efficient email protection. Integration settings are available through Setup > Enter advanced setup... > Web and email > Email client protection > Email client integration. Email clients that are currently supported include Microsoft Outlook, Outlook Express, Windows Mail, Windows Live Mail. For a complete list of supported email clients and their versions, refer to the following ESET Knowledgebase article. Select the check box next to Disable checking upon inbox content change if you are experiencing a system slowdown when working with your email client. This can occur when retrieving email from the Kerio Outlook Connector Store. Even if integration is not enabled, email communication is still protected by the email client protection module (POP3, IMAP). (Note that IMAPS/POPS e-mail is not protected since it is encrypted unless SSL protocol scanning is enabled.)
      - am I losing anything important if I do not turn on use IMAPS protocol checking for selected ports (which I can only do if I turn on always scan SSL protocol)?
      See above reply.
      - am I right that turning on always scan SSL protocol is generally a bad idea (which is why Eset comes with that turned off by default)?
      Yes and no. Yes in that all encrypted communication, web and e-mail, will be scanned. You might not want that on certain web sites where you want your privacy maintained. You can however exclude those specific web sites from being unencrypted and scanned. No in that encrypted e-mail/attachments can contain malware. Also encrypted web sites can be hosting malware.
  10. A couple of things could be going on here. First, I don't use Outlook but instead use Thunderbird as my e-mail client. Below is a screen shot of Eset's default e-mail port settings: Note the default port settings for both IMAP and IMAPS. These must sync with your corresponding Outlook settings. If you are using IMAP which BTW does not support an encrypted SSL connection, then your Outlook same setting must be port 143. Also use of e-mail protocol is dictated by your ISP. For example, I can receive e-mail encrypted using IMAPS but have to send e-mail unencrypted using IMAP protocol. Additionally in Thunderbird, I need to set my email protocol to TLS/SSL for an IMAP connection. The SSL option is only supported for IMAPS. The Eset SSL protocol option determines whether or not your incoming encrypted e-mail i.e. IMAPS/POPS, will be unencrypted and scanned for malware. If SSL protocol scanning is turned on, the encrypted e-mail will be scanned; otherwise it will not be scanned. Using Thunderbird, this results in Eset inserting its root certificate in Thunderbird's root CA store. I believe Outlook might use the Windows root CA store? If you receive e-mail via IMAP, that e-mail will be automatically scanned by Eset w/o enabling Eset's SSL protocol scanning since it is unencrypted. Note enabling Eset's SSL protocol scanning will also result in all your Internet HTTPS connections being unencrypted and scanned for malware. So be aware of that.
  11. Those IP addresses trace back to China so I would be vigilant. Also if you don't have a router with NAT & SPI plus a firewall, I would consider investing in one.
  12. Check out this posting: hxxp://www.sevenforums.com/windows-updates-activation/198811-windows-updates-windows-activation-error-code-80072efd.html This person did something similar to you: reformat and OS reinstall. Below is what fixed it for him. Thank you Noel for your suggestions. Before I had a chance to try it though I was able to resolve the issue. I think I got one of those DNS changing viruses before my computer reformat. When I reset both the router and modem to factory settings, re-set up my wireless network, and changed the usernames and passwords for both the modem and router I was able to access the Windows Update servers. I can't believe that after everything I tried I missed one of the easiest troubleshooting tasks! Thank you again for your help!
  13. As I stated previously in the "suggestions" thread, I would like a tray option to disable/enable SSL protocol scanning on demand. Much more convenient would be a browser toolbar to do the same.
  14. Bump! I really need this feature folks to block crypto malware downloads. I have WIN 7 Home so I can't use SRP. I have created a HIPS rule to prevent startups in susceptible directories but that doesn't protect me against scripts, .scr, and the latest variant payloads, .exx. Also, I am a bit old fashioned in that I believe in that old truism, "An ounce of prevention is worth a pound of cure." Hence, my desire to block target file writes in susceptible directories. And yes, I know what I am doing. All HIPS rules I create like this are "ask" mode.
  15. Subnet? Like 255.255.255.0? Or the actual router 192.268.1.1 ? I turn off firewall, and I get Internet access… I turn it back on, and no internet.. What is the setting for NOT blocking my own router from in and outbound port 80??...seems to be a bug in the install process! Please advise. Chas
      Try this: hxxp://support.eset.com/kb2888/
  16. I know this has been asked before and I thought it was supposed to be incorporated into NOD32 and Smart Security by now? Appears the Endpoint versions support *.exe, etc. in target files and applications HIPS rules. I suspect Eset locked out this feature for the consumer versions. Is there any way to unlock this feature perhaps by XML directive command? Or, is it possible to get a copy of the Endpoint .bin file?
  17. Emsisoft will be terminating Online Armor support in the near future since it no longer fits into their business development model. Would suggest Eset explore purchasing software licensing rights to it. Then incorporate it into NOD32 and Smart Security; at least the HIPS portion of it as a replacement to the existing featureless HIPS Eset has in these two products. Or, offer it as an extra cost option.
  18. Actually having Google web pages served unencrypted is not that big of a deal since I assume it makes scanning page content easier since it doesn't have to decrypt them. It is a bit odd though that this is occurring.
  19. Don't know if this has been commented on previously. When I search using Google, the first page displayed using IE10 is encrypted TLS 1.2. However, any subsequent searches including selecting a link on the initial web page and then returning, result in all pages being unencrypted? Yahoo search doesn't do this. The connection is still via port 443. It's as if Google is detecting the Eset cert. or something?
  20. I have thousands of the below audit-success event log messages being generated whenever SSL protocol scanning is enabled.
      Log Name: Security
      Source: Microsoft-Windows-Security-Auditing
      Date: 8/2/2015 7:17:41 PM
      Event ID: 5058
      Task Category: Other System Events
      Level: Information
      Keywords: Audit Success
      User: N/A
      Computer: Don-PC
      Description: Key file operation.
      Subject:
        Security ID: S-1-5-18
        Account Name: XXX-PC$
        Account Domain: WORKGROUP
        Logon ID: 0x3e7
      Cryptographic Parameters:
        Provider Name: Microsoft Software Key Storage Provider
        Algorithm Name: Not Available.
        Key Name: 7DC-55BEA51545534880-NodSSL
        Key Type: Machine key.
      Key File Operation Information:
        File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\b6c6c7213437feb6b8b9338292709a1f_107b96bd-56dd-464d-92cc-0a5dd752abc5
        Operation: Read persisted key from file.
        Return Code: 0x0
      Event Xml:
      <Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
        <System>
          <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
          <EventID>5058</EventID>
          <Version>0</Version>
          <Level>0</Level>
          <Task>12292</Task>
          <Opcode>0</Opcode>
          <Keywords>0x8020000000000000</Keywords>
          <TimeCreated SystemTime="2015-08-02T23:17:41.543324200Z" />
          <EventRecordID>348334</EventRecordID>
          <Correlation />
          <Execution ProcessID="696" ThreadID="4120" />
          <Channel>Security</Channel>
          <Computer>Don-PC</Computer>
          <Security />
        </System>
        <EventData>
          <Data Name="SubjectUserSid">S-1-5-18</Data>
          <Data Name="SubjectUserName">XXX-PC$</Data>
          <Data Name="SubjectDomainName">WORKGROUP</Data>
          <Data Name="SubjectLogonId">0x3e7</Data>
          <Data Name="ProviderName">Microsoft Software Key Storage Provider</Data>
          <Data Name="AlgorithmName">%%2432</Data>
          <Data Name="KeyName">7DC-55BEA51545534880-NodSSL</Data>
          <Data Name="KeyType">%%2499</Data>
          <Data Name="KeyFilePath">C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\b6c6c7213437feb6b8b9338292709a1f_107b96bd-56dd-464d-92cc-0a5dd752abc5</Data>
          <Data Name="Operation">%%2458</Data>
          <Data Name="ReturnCode">0x0</Data>
        </EventData>
      </Event>
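A way to quantify the audit noise described in the post above, as an added example that is not part of the forum thread: it parses exported Event XML records of the same shape as the 5058 event pasted there and counts which Key Storage Provider key names are responsible, so reads of the SSL scanner's key (the "-NodSSL" suffix) can be separated from other key operations before deciding on an audit-policy or log-filter change. The sample records, the "EXAMPLE-OTHER-KEY" name and the 5061 event are constructed for the demonstration.

```python
# Added example (not from the forum thread): triage exported Security
# event 5058 "Key file operation" records like the one pasted above, counting
# which Key Storage Provider key names produce the audit-success noise so the
# SSL-scanning product's key (the "-NodSSL" suffix) can be told apart.
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _record(event_id, key_name, rec_id):
    """Build one constructed Event XML record modelled on the post's event."""
    return (
        f'<Event xmlns="{NS["e"]}"><System>'
        f'<Provider Name="Microsoft-Windows-Security-Auditing" />'
        f'<EventID>{event_id}</EventID><EventRecordID>{rec_id}</EventRecordID>'
        f'<Channel>Security</Channel></System><EventData>'
        f'<Data Name="ProviderName">Microsoft Software Key Storage Provider</Data>'
        f'<Data Name="KeyName">{key_name}</Data>'
        f'<Data Name="Operation">%%2458</Data><Data Name="ReturnCode">0x0</Data>'
        f'</EventData></Event>'
    )

# Constructed sample: two NodSSL reads, one unrelated key, one other event ID.
SAMPLE_EVENTS = [
    _record(5058, "7DC-55BEA51545534880-NodSSL", 348334),
    _record(5058, "7DC-55BEA51545534880-NodSSL", 348335),
    _record(5058, "EXAMPLE-OTHER-KEY", 348336),
    _record(5061, "7DC-55BEA51545534880-NodSSL", 348337),
]

def parse_event(xml_text):
    """Return (event_id, {Data Name: value}) for one Event XML record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data

def key_name_counts(records, event_id=5058):
    """Count events with the given ID per KeyName (other IDs are ignored)."""
    counts = Counter()
    for rec in records:
        eid, data = parse_event(rec)
        if eid == event_id:
            counts[data.get("KeyName", "")] += 1
    return counts

def ssl_scanner_share(records, suffix="-NodSSL"):
    """Fraction of 5058 events whose key name carries the scanner's suffix."""
    counts = key_name_counts(records)
    total = sum(counts.values())
    hits = sum(n for name, n in counts.items() if name.endswith(suffix))
    return hits / total if total else 0.0

if __name__ == "__main__":
    print(key_name_counts(SAMPLE_EVENTS))
    print(f"{ssl_scanner_share(SAMPLE_EVENTS):.0%} of 5058 events are NodSSL key reads")
```

On a real system, feed it the records from an Event Viewer XML export of the Security log instead of SAMPLE_EVENTS; a share near 100% confirms the scanner's key is the sole source of the volume.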
  21. I will try to simplify as much as possible. On a recent NSS Labs test that was done ad hoc i.e. Eset did not sponsor or pay for the test, Eset's exploit protection against 32 bit exploits running on 32 bit WIN 7 was for all practical purposes 100%. You can read the details here: https://www.nsslabs.com/reports/consumer-endpoint-protection-test-report-eset-smart-security-exploits On another recent exploit test done by Malware Research Group against 32 and 64 bit exploits running on 64 bit WIN 7, Eset scored 80%. In comparison to other vendors tested, Eset ranked slightly below the middle. This test however was sponsored and paid for by Surfright for the purpose of specifically testing their HitmanPro Alert product. You can read details here: https://www.mrg-effitas.com/wp-content/uploads/2015/04/MRG_Effitas_Real_world_exploit_prevention_test.pdf Bottom line - I don't fully trust Eset's exploit blocker on a 64 bit OS running 64 bit software. Note that 64 bit exploits are rare but are increasing in frequency. Presently I personally am supplementing Eset with MBAE free since I run 64 bit WIN 7 and 64 bit IE10.
  22. My experience with this test tool is as follows. First and most important, only do browser tests with the Surfright test tool. Eset's exploit protection only works for apps that are being monitored by protocol filtering. Eset will not block tests from the test tool itself. Both ekrn.exe and egui.exe must be excluded from Eset's protocol filtering. That done, Eset will block the test exploit payload i.e. calc.exe from executing. You will receive no alert or log entry from Eset. Additionally, the shell of the browser being tested will still be running after Eset has blocked the test exploit payload and delivery process i.e. the exploit test tool. There will be multiples of these browser shells if you do all the tests in one session. You will have to manually terminate those processes using Task Manager or Process Explorer/Hacker. Note the above behavior is running the x64 version of the test tool on an x64 WIN 7 OS. When I did 32 bit browser testing, I believe the 32 bit test tool actually allowed IE 10 x86 to open and close. All calc.exe test exploit payloads were blocked however.
  23. Does the exploit blocker protect x64 apps? Using SurfRight exploit test tool and x86 IE10, SS8 successfully blocks every x86 exploit test. Using x64 IE10 for x64 exploit test tool, SS fails every exploit test. I thought it might be an EPM issue, so turned that off and retested. SS 8 exploit blocker still failed every x64 exploit test.