itman
Most Valued Members
  • Posts: 12,207
  • Joined
  • Last visited
  • Days Won: 321

Everything posted by itman

  1. A bit more info on what is wrong with the web site certificate. Make sure you are using the correct URL for the bank's logon web page:

     Error while checking the SSL Certificate!! The SSL Certificate we found on this site is not meant for bankhapoalim.co.il/, probably this is another site on the same server. We advise you not to submit any confidential or personal data to this website because a secure connection could not be established with this website.
     - SSL Certificate is not expired
     - Site is not listed in the certificate
  2. I get a certificate error from IE11 on the link you posted. I am using ver. 8.319 w/SSL protocol scanning enabled. In other words, Eset's banking mode protection is not being used. The browser is blocking the web site access. For the error given, appears to be a possible man-in-the-middle situation. So your problem has nothing to do with ver. 9 bank protection. Appears there is a problem with your bank's web site certificate or the URL you are using to access your bank's web site. I would contact the bank for guidance.
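The checker message quoted in posts 1 and 2 ("Site is not listed in the certificate") comes down to one test: does any DNS name in the served certificate cover the hostname typed into the browser? This added example (not ESET's or the checker's code) implements that test over a certificate dict in the shape Python's `ssl` module returns; the `OTHER_SITE_CERT` names are constructed placeholders standing in for whatever site actually owned the certificate on that server.

```python
"""Decide whether a hostname is covered by the names in a certificate: the check behind
the "Site is not listed in the certificate" message. Added example; the certificate dicts
are constructed in the shape returned by ssl.SSLSocket.getpeercert()."""
import socket, ssl

def cert_dns_names(cert):
    """DNS SANs if present; otherwise fall back to the subject CN (RFC 6125 section 6.4.4)."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names

def name_matches(pattern, hostname):
    """Case-insensitive match; a wildcard only as the whole left-most label, covering one label."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in p:
        return p == h
    pl, hl = p.split("."), h.split(".")
    if pl[0] != "*" or len(pl) < 3 or len(pl) != len(hl):
        return False
    return pl[1:] == hl[1:]

def site_listed(hostname, cert):
    """True when the certificate names the site; False reproduces the checker's warning."""
    return any(name_matches(n, hostname) for n in cert_dns_names(cert))

def fetch_cert(hostname, port=443, timeout=10):
    """Fetch the served leaf certificate with chain validation on but hostname checking off,
    so a mismatch is reported by site_listed() instead of raised during the handshake."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

# Constructed certificate for a different site on a shared server (placeholder names).
OTHER_SITE_CERT = {
    "subject": ((("commonName", "www.other-site.example"),),),
    "subjectAltName": (("DNS", "www.other-site.example"), ("DNS", "*.other-site.example")),
}

if __name__ == "__main__":
    for host in ("bankhapoalim.co.il", "www.other-site.example"):
        print(host, "listed" if site_listed(host, OTHER_SITE_CERT) else "NOT listed in the certificate")
```

Running `site_listed(host, fetch_cert(host))` against a live host reproduces the checker's verdict; the offline run above shows the bank hostname failing against a certificate issued to the other site.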
  3. This brings up an issue I have noticed in other Eset protection areas. If you don't respond to an alert, the default action appears to be "allow?" This to me is a security risk and is contrary to other security software I have used where the default response is "deny." Also, most security software gives you an option on what you want the default response to be. I have not been able to find any such settings in Eset for this.
  4. Think I found the culprit. This time I tried to simulate what you did. I tried to download from here: hxxp://www.piriform.com/speccy/download/standard . Got two PUA alerts for spsetup129.exe. I clicked on "No action" for both and the download in IE11 proceeded until 99% complete. Then I received another PUA alert with no option available that the download was automatically quarantined (I use the strict cleaning option). Guess what Eset protection did that - Document Protection?

     12/12/2015 11:47:34 AM Document protection file hxxp://download.piriform.com/spsetup129.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application deleted - quarantined XXX-XX\XXX (User name omitted)

     Per Eset help: The Document protection feature scans Microsoft Office documents before they are opened, as well as files downloaded automatically by Internet Explorer such as Microsoft ActiveX elements.

     -EDIT- The download BTW is in quarantine so it could be restored from there? You can also change the ThreatSense cleaning option for Document protection to "no cleaning." That will then result in an Eset popup for removal action and you can bypass any mitigation at that point. Or, just disable Document protection which I wouldn't recommend.
  5. Yes, the download is successful if I disabled real-time protection. The download is also successful if I disable detection of PUA's. The problem is if I choose to allow the PUA when prompted the download fails anyways. Stackz above tried to download the same file using the same link with PUA enabled, and his download failed also despite him choosing to allow it when prompted. A .part file was detected in the first prompt. Below are the two prompts I receive. I allowed them both, but the download always fails. I'm using the latest version of Firefox 32bit. Try this. When you get the PUA alert, click on "Show advanced options." Checkmark the "exclude from detections" click box. Then click on the "No Action" click box. Note: This might create a permanent exclusion for Google Toolbar. Don't know if you want that to happen.
  6. Did you try to disable PUA detection and then attempt to download again? Then enable PUA detection after the download completes. Sometimes this doesn't work however if Eset's web filter is blocking the IP address. Another way to get around this is to download a zip file if they offer one. Eset won't detect the PUA until the file is unzipped and the installer executed.
  7. I was referring to the CleanWipe utility. Should be located in the installation cd/ISO directory named Tools. Don't know if that ver. works for WIN 10. You might want to contact Symantec on that.
  8. I wouldn't trust Eset's uninstaller to remove all of Symantec EPP. Run any available Symantec EPP clean utility to uninstall it. Also, I'd check to see if the Symantec EPP clean utility only works for currently installed EPP products. Some of these endpoint uninstallers don't remove leftover remnants from a previous Windows add/remove programs initiated uninstall.
  9. It is very possible you are a victim of cyber stalking. That is a crime in the U.S.; guess not in France. The third person in the conversation thing does sound a bit paranoid but has happened before. Moving on from that, it sounds like someone has hacked your web mail account. I would recommend you contact whoever is your e-mail provider and explain the situation. Request a new e-mail account and create another password. Or do it yourself, but only on a computer you know is secure and malware free. Finally, request that your e-mail provider transfer all your existing e-mail to the new account user id. Of course, you will have to notify all concerned parties of your new e-mail address. Note: If your computer is infected with malware, your new e-mail user id/password could be immediately compromised again. So you need to get that taken care of right away. If you have Eset software installed, you should contact their customer service to help you.
  10. How about providing a single license purchase option? I would like to switch to Endpoint product from Smart Security since the HIPS has options I need. I don't want to buy 5 licenses though to do so.
  11. I had similar issues with T-bird and ver. 8. Originally, I had to manually import Eset root CA into T-Bird's root CA store. Then when testing SSL protocol scanning, I would turn it off and notice Eset root CA was still there in T-Bird's root CA store. So I would manually delete it. Then later I would turn on SSL protocol scanning and Eset's new root CA would be automatically imported into T-Bird's root CA store. Never had a problem since on this issue. Appears Eset has some behavior learning features or it is just plain flaky at times. Also might have to do with the fact T-Bird is not an officially supported e-mail client.
  12. This was posted pre ESS v9. (post #2 by Marcos) https://forum.eset.com/topic/5657-smart-security-vs-avast-free-antivirus-windows-firewall/?p=31325 The main enhancements Eset's firewall provides, in addition to what is said in the ref. link, are an intrusion detection system (IDS). Also the ability to run in learning mode to create rules automatically and/or interactive mode to receive alerts for undefined inbound and outbound connections with the option to create a rule for same. Also an easy to access and read log of firewall events. Finally the ability to receive alerts for any modifications of applications for which a monitoring firewall rule has been created.
  13. True. But the easiest way to create firewall rules is to switch to interactive mode and allow all your Internet facing apps for which you wish to receive application modification alerts.

      Application Modification Detection
      The application modification detection feature displays notifications if modified applications, for which a firewall rule exists, attempt to establish connections. This is useful to avoid abusing rules configured for some application by another application by temporarily or permanently replacing the original application's executable file with the other application's executable file, or by maliciously modifying the original application's executable file. Please be aware that this feature is not meant to detect modifications to any application in general. The goal is to avoid abusing existing firewall rules, and only applications for which specific firewall rules exist are monitored.
      Enable detection of application modifications – If selected, the program will monitor applications for changes (updates, infections, other modifications). When a modified application attempts to establish a connection, you will be notified by the Personal firewall.
      Allow modification of signed (trusted) applications – Don't notify if the application has the same valid digital signature before and after the modification.
      List of applications excluded from checking – This window lets you add or remove individual applications for which modifications are allowed without notification.
  14. In ver. 8, I had to set the firewall to interactive mode before I received any application modification alerts. I assume the same is true for ver. 9.
  15. Based on my testing and issues encountered when using SS 9, I have no desire to reinstall in the near future. Will my SS 8 license key work for the Endpoint 6 product? Additionally the Endpoint 6 product has features I need and that are missing in the SS product such as full wildcard support for filenames in HIPS rules.
  16. WIN 7 x64 SP1, IE 11, Eset Smart Security 8.0.319.0 This is a first. I run the firewall in interactive mode. I also have had no issues with the firewall alerting me of connection activity; until today that is. I also frequently check my WIN 7 security audit logs. I saw 20+ blocked outbound connections from IE to this IP address 63.245.216.133 using port 81 in my WIN 7 security audit log. The URL for that IP is zlb3.pub.phx1.svc.mozilla.com. I also use Thunderbird as my e-mail client. I believe I was reading an e-mail from a known personal source around the time of this outbound activity and clicked on a link in the e-mail. I have TBird set to always open my browser for that activity. So it is possible that the connection to mozilla.com was initiated by TBird although I have never seen any previous connection to that IP address and never for port 81. The question is why didn't Eset's firewall alert for this activity? I assume Eset's firewall blocked the connection since I only allow outbound connections for ports 80, 443, 3128, and 8080 for IE.

      Log Name: Security
      Source: Microsoft-Windows-Security-Auditing
      Date: 11/6/2015 12:24:54 PM
      Event ID: 5157
      Task Category: Filtering Platform Connection
      Level: Information
      Keywords: Audit Failure
      User: N/A
      Computer: xxxxxx
      Description: The Windows Filtering Platform has blocked a connection.

      Application Information:
        Process ID: 3080
        Application Name: \device\harddiskvolume3\program files\internet explorer\iexplore.exe
      Network Information:
        Direction: Outbound
        Source Address: 192.168.1.XX
        Source Port: 50919
        Destination Address: 63.245.216.133
        Destination Port: 81
        Protocol: 6
      Filter Information:
        Filter Run-Time ID: 190300
        Layer Name: Connect
        Layer Run-Time ID: 48

      Event Xml:
      <Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
        <System>
          <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
          <EventID>5157</EventID>
          <Version>1</Version>
          <Level>0</Level>
          <Task>12810</Task>
          <Opcode>0</Opcode>
          <Keywords>0x8010000000000000</Keywords>
          <TimeCreated SystemTime="2015-11-06T17:24:54.779356500Z" />
          <EventRecordID>670003</EventRecordID>
          <Correlation />
          <Execution ProcessID="4" ThreadID="60" />
          <Channel>Security</Channel>
          <Computer>Don-PC</Computer>
          <Security />
        </System>
        <EventData>
          <Data Name="ProcessID">3080</Data>
          <Data Name="Application">\device\harddiskvolume3\program files\internet explorer\iexplore.exe</Data>
          <Data Name="Direction">%%14593</Data>
          <Data Name="SourceAddress">192.168.1.XX</Data>
          <Data Name="SourcePort">50919</Data>
          <Data Name="DestAddress">63.245.216.133</Data>
          <Data Name="DestPort">81</Data>
          <Data Name="Protocol">6</Data>
          <Data Name="FilterRTID">190300</Data>
          <Data Name="LayerName">%%14611</Data>
          <Data Name="LayerRTID">48</Data>
          <Data Name="RemoteUserID">S-1-0-0</Data>
          <Data Name="RemoteMachineID">S-1-0-0</Data>
        </EventData>
      </Event>
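The 5157 event above is exactly the kind of record a defender wants to triage automatically: pull the image name, direction and destination port out of the Event XML and compare them against the per-process outbound port list the post describes (80, 443, 3128, 8080 for IE), so a block on port 81 stands out. This is an added example, not ESET's or Microsoft's code; the sample event is constructed in the shape of the one quoted, with the host-specific values replaced.

```python
"""Parse Windows Security event 5157 (WFP blocked a connection) and flag outbound blocks
outside a per-process port allow-list. Added example; sample event constructed from the post."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
DIRECTION = {"%%14592": "Inbound", "%%14593": "Outbound"}  # 5157 message-resource ids
ALLOWED_OUTBOUND = {"iexplore.exe": {80, 443, 3128, 8080}}  # IE outbound ports allowed in the post

# Constructed sample in the shape of the quoted event (raw string keeps the device path backslashes).
SAMPLE_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5157</EventID><TimeCreated SystemTime="2015-11-06T17:24:54.779356500Z"/></System>
  <EventData>
    <Data Name="ProcessID">3080</Data>
    <Data Name="Application">\device\harddiskvolume3\program files\internet explorer\iexplore.exe</Data>
    <Data Name="Direction">%%14593</Data>
    <Data Name="SourceAddress">192.168.1.10</Data>
    <Data Name="SourcePort">50919</Data>
    <Data Name="DestAddress">63.245.216.133</Data>
    <Data Name="DestPort">81</Data>
    <Data Name="Protocol">6</Data>
  </EventData>
</Event>"""

def parse_5157(xml_text):
    """Return the fields a triage rule needs from one 5157 event."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "5157":
        raise ValueError("not a 5157 event")
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "time": root.find("e:System/e:TimeCreated", NS).get("SystemTime"),
        "app": data["Application"].rsplit("\\", 1)[-1].lower(),  # image name only
        "direction": DIRECTION.get(data["Direction"], data["Direction"]),
        "dst": data["DestAddress"],
        "dport": int(data["DestPort"]),
        "proto": int(data["Protocol"]),  # 6 = TCP
    }

def is_unexpected(ev):
    """True when a monitored process was blocked on a port outside its allow-list."""
    allowed = ALLOWED_OUTBOUND.get(ev["app"])
    return allowed is not None and ev["direction"] == "Outbound" and ev["dport"] not in allowed

def triage(xml_events):
    return [f"{e['time']} {e['app']} -> {e['dst']}:{e['dport']}/{e['proto']} blocked, port not allowed"
            for e in map(parse_5157, xml_events) if is_unexpected(e)]

if __name__ == "__main__":
    print("\n".join(triage([SAMPLE_EVENT])))
```

On a live box the XML strings come from the Security log (for example one `<Event>` per record exported via `wevtutil qe Security /q:"*[System[EventID=5157]]"`), and the allow-list should mirror whatever per-application rules the firewall actually enforces.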
  17. I would recommend that you purchase a router with a good built-in firewall. Just ensure it has IDS protection; most do. This way any IDS attacks are stopped at the router before they even reach your PC. Also, hardware firewalls are much harder to hack and bypass. Repeated port scanning like you are experiencing is usually a prelude to a major attack on your system.

      -EDIT- From a posting over at www.bleepingcomputer.com, Didier Stevens who is a security guru confirms what I previously posted:

      If your machine was the target of a port scan, I guess your machine has a public IP address. Is this your choice, or is it the default way of working of your ISP? If you don't need a public IP address for your machine, I recommend you use a NAT-router. This way, your machine will have a private IP address instead of a public IP address, and it won't be the target of port scans anymore. Your NAT-router will have a public IP address, and it will issue a private IP address to your machine. Of course, your NAT-router will be port scanned, but it has a much smaller attack surface than your Windows machine.
      Didier Stevens
      hxxp://blog.DidierStevens.com
      hxxp://DidierStevensLabs.com
      SANS ISC Handler
      Microsoft MVP 2011-2015 Consumer Security
  18. You should first try to determine why you're getting port scanned in the first place. Do you connect to the Internet using a router or a router/modem combo with an integrated firewall? That device should prevent any kind of port scanning activity. Do you use a third party DNS provider like VeriSign, Norton, Google, etc.?

          How could I do that? I'm just using internet as usual. Not using anything special. Just a browser. Not using any third party DNS provider. Just like you said it seems like a known spamming source. I just have to figure out how to block that IP in ESS9.

      Next time you receive the alert, click on "Change handling of this threat." It should open up an "IDS Exception" screen as shown below - not sure on this since I never have received an IDS alert from Eset Smart Security. Also note that the screen shown is for ver. 8. I believe ver. 9 options are the same but formatted differently due to the new ver. 9 GUI. If for some reason the "IDS Exception" screen is not displayed, then cancel out of whatever is displayed. You will have to then manually create the IDS Exception using the rule details I have shown. This will prevent the alert from being displayed but still block the activity. I also checked to "log" the action so you have a record of the activity in your Eset log file. You can also use this rule to add other IP addresses for like alerts. Note: you still should try to determine why your PC is being port scanned.
  19. You should first try to determine why you're getting port scanned in the first place. Do you connect to the Internet using a router or a router/modem combo with an integrated firewall? That device should prevent any kind of port scanning activity. Do you use a third party DNS provider like VeriSign, Norton, Google, etc.?
  20. A known spamming source. An interesting read here: hxxp://dnsamplificationattacks.blogspot.com/2013/06/ecatel-big-source-of-directedatasia.html I would just permanently block that IP address and be done with it.
  21. Thanks for the confirmation. My testing of ver. 8 HIPS rule based memory protection shows it is very good. For example, it has blocked reflective dll injection attempts into both active and suspended protected processes. I haven't tested it against process memory "hollowing" methods yet.
  22. Actually there is a simple solution to the rule ordering issue in ver. 9. Modify the HIPS GUI to allow rules to be positioned manually by the user. Most HIPS's past and present have this feature. Also add the same feature to the firewall.
  23. Yes, I stated that previously. Can't give you screen shots since I no longer have ver. 9 installed. Someone on Wilder's stated the same behavior also exists on ver. 8 where dup. rules were created in learning mode. I never ran learning mode on ver. 8 so can't vouch for that. Of much greater concern to me is the rules behavior change where all allow rules no longer precede all block rules.
  24. Will add that I have just encountered the exact opposite situation to the previous screen shots I posted. That is, the issuing root CA cert. is displayed for the web page but path details show that the actual root CA is Eset's! So I can summarize that I have seen every conceivable permutation and combination in the handling of browser root certificates for the SSL protocol scanning in ver. 9. Since I don't trust this release anymore, I will be restoring my system back to ver. 8 from an image taken previous to the ver. 9 install. I consider ver. 8 to be a "rock solid" product. My advice is add online banking protection to it; make that the new ver. 9 release; and dump the current ver. 9 release if Eset wants to retain their existing customer base.