itman

Everything posted by itman

  1. Well, this explains why I haven't been receiving any Thunderbird updates since I installed Eset. Below is what I excluded when accessing update functions within Thunderbird. Only one I didn't exclude was for Google analytics since I assumed that was for tracking by Google. Is this enough to now start getting update notifications from Mozilla?
  2. Norton by default allows both inbound and outgoing access for browsers. Why wouldn't you recommend these settings? By the way, my settings are set to automatic. If Eset firewall filtering mode is set to Automatic, then all outbound traffic is allowed as far as Eset is concerned. By any chance did you ever change the WIN firewall default settings in the past? Like along the lines of enabling outbound firewall processing? And additionally creating any rules there for your browsers? Is the WIN firewall set to the Home or to the Public profile? Also is the only outbound traffic that is being blocked for your browsers or is all outbound app traffic being blocked? Finally, did you uninstall all other security software and run their respective clean utilities prior to installing Eset? Are you running any other security software besides Eset?
  3. Perhaps the firewall filtering mode got set to Interactive versus the default Automatic mode? In Automatic mode, all outbound traffic is allowed. I have run with Public profile since day 1 and never had an issue with outbound traffic with firewall set to Automatic mode. Perhaps the issue is with inbound traffic to your browsers for some reason? If so, this might be DNS related. Hopefully, you did not create firewall rules to allow inbound traffic to the browsers?
  4. That is good to know. Question though is if it will be of any benefit. I have played with third party Win firewall add-ons in the past that tried to do the same. Most didn't work right due to the fact that there are hidden services that are not shown via Admin -> Services that Win uses. Many of these are triggered by BITS. However, restricting svchost.exe access to MS servers or its proxies e.g. Akamai gives very good protection.
  5. Just verified that after setting firewall to interactive and having created a rule for iexplore.exe, I did indeed receive an alert about a program change for iexplore.exe upon access of it after the Sept. Win Updates were downloaded and applied.
  6. Try this. Note the comment about not being able to reactivate WD once disabled. Ref.: hxxp://www.tenforums.com/antivirus-firewalls-system-security/5879-permanently-disable-windows-defender.html Since this is a TP, the option to turn off/disable Windows Defender is grayed out. However, you can turn it off by: Open Admin Command Prompt and type: gpedit.msc Manoeuvre to: Computer Configuration->Administrative Templates->Windows Components->Windows Defender Double click on "Turn Off Windows Defender" and select "Enabled" then click "Apply" WARNING: After turning off "Windows Defender", you might not be able to turn it back on. I suggest before trying this, make a backup image so you can restore to the way it was. Last edited by topgundcp; 05 May 2015 at 02:51.
  7. Just started using the firewall in interactive mode. I do wish that Eset would either store the URL versus the IP address in the generated outbound firewall rule. Or, at least provide an option to store either one. This would be most beneficial for rules covering svchost.exe, rundll32.exe, and the like that connect to Microsoft using many different servers and IP addresses. Also these processes are frequently targeted by malware. Creating rules that allow all outbound activity for these processes is not very secure. Creating a separate firewall rule for every IP address svchost.exe uses when connecting to Microsoft will result in dozens of rules being generated. I also believe this would not be a major issue to implement since the Eset firewall alert already displays the URL used for the connection. As such, the URL is available to be stored in the resultant generated outbound firewall rule.
  8. Maybe I was right after all. The below is from the Endpoint user manual. Notice what I underlined. So I assume you would have to be running in interactive mode initially or manually create rules for all apps you want monitored. Application Modification Detection The application modification detection feature displays notifications if modified applications, for which a firewall rule exists, attempt to establish connections. This is useful to avoid abusing rules configured for some application by another application by temporarily or permanently replacing the original application's executable file with the other applications executable file, or by maliciously modifying the original application's executable file. Please be aware that this feature is not meant to detect modifications to any application in general. The goal is to avoid abusing existing firewall rules, and only applications for which specific firewall rules exist are monitored. Enable detection of application modifications – If selected, the program will monitor applications for changes (updates, infections, other modifications). When a modified application attempts to establish a connection, you will be notified by the Personal firewall. Allow modification of signed (trusted) applications – Don't notify if the application has the same valid digital signature before and after the modification. List of applications excluded from checking – This window lets you add or remove individual applications for which modifications are allowed without notification.
  9. Tried to duplicate what you did. Modified "Microsoft" copyright data to "Midosoft" in IE10 x64 and saved it. Program wouldn't run; something about an x86/x64 compatibility issue. So the question remains why I am not getting any alerts. Does the signed check apply to Windows apps? Obviously there have been many updates to those since I installed Eset. I have also manually updated RevoUninstaller Pro for example and never received any alerts on that. By manually, I mean I get a notice from the app upon start up that an update is available and I indicate that it is OK to download and install the update. Perhaps this only applies to apps that have been silently modified/updated during actual execution of the app?
  10. It's not clear how you would limit the firewall to monitor outbound or inbound communication separately. With the firewall enabled you should have received a notification with action selection. Of course, if the firewall is disabled then network-aware applications won't be monitored for changes. Hum ........ didn't say correctly what I meant. It is my understanding the firewall needs to be set to interactive mode to receive program update alerts? As you can see from the below screen shot, mine is set to the default automatic mode. And I have never received any update alert about signed or non-signed software. Note: I do all my updating manually. Does this feature only apply to automatic program updating?
  11. I have never received an alert about a file change and I have the "valid digital signature" option disabled. It is my understanding that this file change alerting only works if outbound firewall monitoring is enabled. Is this correct?
  12. So my questions are: - am I losing anything important if I do not turn on integration with Outlook? Per Eset Help: Integration of ESET Smart Security with email clients increases the level of active protection against malicious code in email messages. If your email client is supported, integration can be enabled in ESET Smart Security. When integration is activated, the ESET Smart Security toolbar is inserted directly into the email client, allowing for more efficient email protection. Integration settings are available through Setup > Enter advanced setup... > Web and email > Email client protection > Email client integration. Email clients that are currently supported include Microsoft Outlook, Outlook Express, Windows Mail, Windows Live Mail. For a complete list of supported email clients and their versions, refer to the following ESET Knowledgebase article. Select the check box next to Disable checking upon inbox content change if you are experiencing a system slowdown when working with your email client. This can occur when retrieving email from the Kerio Outlook Connector Store. Even if integration is not enabled, email communication is still protected by the email client protection module (POP3, IMAP). (Note that IMAPS/POPS e-mail is not protected since it is encrypted unless SSL protocol scanning is enabled.) - am I losing anything important if I do not turn on use IMAPS protocol checking for selected ports (which I can only do if I turn on always scan SSL protocol)? See above reply. - am I right that turning on always scan SSL protocol is generally a bad idea (which is why Eset comes with that turned off by default)? Yes and no. Yes in that all encrypted communication, web and e-mail, will be scanned. You might not want that on certain web sites where you want your privacy maintained. You can however exclude those specific web sites from being unencrypted and scanned. No in that encrypted e-mail/attachments can contain malware. Also encrypted web sites can be hosting malware.
  13. A couple of things could be going on here. First, I don't use Outlook but instead use Thunderbird as my e-mail client. Below is a screen shot of Eset's default e-mail port settings: Note the default port settings for both IMAP and IMAPS. These must sync with your corresponding Outlook settings. If you are using IMAP which BTW does not support an encrypted SSL connection, then your Outlook same setting must be port 143. Also use of e-mail protocol is dictated by your ISP. For example, I can receive e-mail encrypted using IMAPS but have to send e-mail unencrypted using IMAP protocol. Additionally in Thunderbird, I need to set my email protocol to TLS/SSL for an IMAP connection. The SSL option is only supported for IMAPS. The Eset SSL protocol option determines whether or not your incoming encrypted e-mail i.e. IMAPS/POPS, will be unencrypted and scanned for malware. If SSL protocol scanning is turned on, the encrypted e-mail will be scanned; otherwise it will not be scanned. Using Thunderbird, this results in Eset inserting its root certificate in Thunderbird's root CA store. I believe Outlook might use the Windows root CA store? If you receive e-mail via IMAP, that e-mail will be automatically scanned by Eset w/o enabling Eset's SSL protocol scanning since it is unencrypted. Note enabling Eset's SSL protocol scanning will also result in all your Internet HTTPS connections being unencrypted and scanned for malware also. So be aware of that.
  14. Those IP addresses trace back to China so I would be vigilant. Also if you don't have a router with NAT & SPI plus a firewall, I would consider investing in one.
  15. Check out this posting: hxxp://www.sevenforums.com/windows-updates-activation/198811-windows-updates-windows-activation-error-code-80072efd.html Person did similar to you; reformat and OS reinstall. Below is what fixed it for him. Thank you Noel for your suggestions. Before I had a chance to try it though I was able to resolve the issue. I think I got one of those DNS changing viruses before my computer reformat. When I reset both the router and modem to factory settings, reset up my wireless network, and changed the usernames and passwords for both the modem and router I was able to access the windows update servers. I can't believe that after everything I tried I missed one of the easiest troubleshooting tasks! Thank you again for your help!
  16. As I stated previously in the "suggestions" thread, I would like a tray option to disable/enable SSL protocol scanning on demand. Much more convenient would be a browser toolbar to do the same.
  17. Bump! I really need this feature folks to block crypto malware downloads. I have WIN 7 Home so I can't use SRP. I have created a HIPS rule to prevent startups in susceptible directories but that doesn't protect me against scripts, .scr, and the latest variant payloads, .exx. Also, I am a bit old fashioned in that I believe in that old truism, "An ounce of prevention is worth a pound of cure." Hence, my desire to block target file writes in susceptible directories. And yes, I know what I am doing. All HIPS rules I create like this are "ask" mode.
  18. Subnet? Like 255.255.255.0? Or the actual router 192.268.1.1 ? I turn off firewall, and I get Internet access… I turn it back on, and no internet.. What is the setting for NOT blocking my own router from in and outbound port 80??...seems to be a bug in the install process! Please advise Chas Try this: hxxp://support.eset.com/kb2888/
  19. I know this has been asked before and I thought it was supposed to be incorporated into NOD32 and Smart Security by now? Appears the Endpoint versions support *.exe, etc. in target files and applications HIPS rules. I suspect Eset locked out this feature for the consumer versions. Is there any way to unlock this feature perhaps by XML directive command? Or, is it possible to get a copy of the Endpoint .bin file?
  20. Emsisoft will be terminating Online Armor support in the near future since it no longer fits into their business development model. Would suggest Eset explore purchasing software licensing rights to it. Then incorporate it into NOD32 and Smart Security; at least the HIPS portion of it as replacement to the existing featureless HIPS Eset has in these two products. Or, offer it as an extra cost option.
  21. Actually having Google web pages served unencrypted is not that big of a deal since I assume it makes scanning page content easier since it doesn't have to decrypt them. It is a bit odd though that this is occurring.
  22. Don't know if this has been commented on previously. When I search using Google, the first page displayed using IE10 is encrypted TLS 1.2. However, any subsequent searches including selecting a link on the initial web page and then returning, result in all pages being unencrypted? Yahoo search doesn't do this. The connection is still via port 443. It's as if Google is detecting the Eset cert. or something?
  23. I have thousands of the below audit-success event log messages being generated whenever SSL protocol scanning is enabled.

      Log Name: Security
      Source: Microsoft-Windows-Security-Auditing
      Date: 8/2/2015 7:17:41 PM
      Event ID: 5058
      Task Category: Other System Events
      Level: Information
      Keywords: Audit Success
      User: N/A
      Computer: Don-PC
      Description: Key file operation.
      Subject:
        Security ID: S-1-5-18
        Account Name: XXX-PC$
        Account Domain: WORKGROUP
        Logon ID: 0x3e7
      Cryptographic Parameters:
        Provider Name: Microsoft Software Key Storage Provider
        Algorithm Name: Not Available.
        Key Name: 7DC-55BEA51545534880-NodSSL
        Key Type: Machine key.
      Key File Operation Information:
        File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\b6c6c7213437feb6b8b9338292709a1f_107b96bd-56dd-464d-92cc-0a5dd752abc5
        Operation: Read persisted key from file.
        Return Code: 0x0
      Event Xml:
      <Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
        <System>
          <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
          <EventID>5058</EventID>
          <Version>0</Version>
          <Level>0</Level>
          <Task>12292</Task>
          <Opcode>0</Opcode>
          <Keywords>0x8020000000000000</Keywords>
          <TimeCreated SystemTime="2015-08-02T23:17:41.543324200Z" />
          <EventRecordID>348334</EventRecordID>
          <Correlation />
          <Execution ProcessID="696" ThreadID="4120" />
          <Channel>Security</Channel>
          <Computer>Don-PC</Computer>
          <Security />
        </System>
        <EventData>
          <Data Name="SubjectUserSid">S-1-5-18</Data>
          <Data Name="SubjectUserName">XXX-PC$</Data>
          <Data Name="SubjectDomainName">WORKGROUP</Data>
          <Data Name="SubjectLogonId">0x3e7</Data>
          <Data Name="ProviderName">Microsoft Software Key Storage Provider</Data>
          <Data Name="AlgorithmName">%%2432</Data>
          <Data Name="KeyName">7DC-55BEA51545534880-NodSSL</Data>
          <Data Name="KeyType">%%2499</Data>
          <Data Name="KeyFilePath">C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\b6c6c7213437feb6b8b9338292709a1f_107b96bd-56dd-464d-92cc-0a5dd752abc5</Data>
          <Data Name="Operation">%%2458</Data>
          <Data Name="ReturnCode">0x0</Data>
        </EventData>
      </Event>
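Sorting thousands of 5058 key-file-operation events by key name is the quickest way to confirm they are all the ESET SSL-scanning key being read rather than something else touching the machine key store. This is an added example, not code from the post or from ESET or Microsoft; the sample events are constructed (only the NodSSL key name comes from the post), and the other key name and the function names are assumptions.

```python
"""Triage Windows Security log 5058 events exported as Event XML by key name."""
import xml.etree.ElementTree as ET
from collections import Counter

# Real namespace of Windows Event XML (the post shows it defanged as hxxp).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def make_event(event_id, key_name, operation="%%2458"):
    """Build a minimal Event XML string in the shape of the post's dump (constructed)."""
    return (
        f'<Event xmlns="{NS["e"]}"><System>'
        f'<Provider Name="Microsoft-Windows-Security-Auditing"/>'
        f'<EventID>{event_id}</EventID><Channel>Security</Channel></System>'
        f'<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>'
        f'<Data Name="ProviderName">Microsoft Software Key Storage Provider</Data>'
        f'<Data Name="KeyName">{key_name}</Data>'
        f'<Data Name="Operation">{operation}</Data>'
        f'<Data Name="ReturnCode">0x0</Data></EventData></Event>'
    )


# Constructed sample: two ESET key reads, one unrelated key, one non-5058 record.
SAMPLE_EVENTS = [
    make_event(5058, "7DC-55BEA51545534880-NodSSL"),
    make_event(5058, "7DC-55BEA51545534880-NodSSL"),
    make_event(5058, "SomeOtherMachineKey"),           # hypothetical non-ESET key
    make_event(5061, "7DC-55BEA51545534880-NodSSL"),   # different event ID, ignored
]


def event_fields(xml_text):
    """Return (EventID text, {Data Name: value}) for one Event XML document."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext("e:System/e:EventID", namespaces=NS)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def is_eset_ssl_key(key_name):
    """The key the post attributes to SSL scanning carries a -NodSSL suffix."""
    return key_name.endswith("-NodSSL")


def triage_5058(event_xmls):
    """Count 5058 events per key name and split ESET SSL key reads from the rest."""
    per_key = Counter()
    for xml_text in event_xmls:
        event_id, data = event_fields(xml_text)
        if event_id != "5058":
            continue  # only key file operations are of interest here
        per_key[data.get("KeyName", "<none>")] += 1
    eset = sum(n for k, n in per_key.items() if is_eset_ssl_key(k))
    return {"per_key": dict(per_key), "eset_ssl": eset, "other": sum(per_key.values()) - eset}
```

Feed it the Event XML of each exported record (for example from an evtx-to-XML export) and a non-zero "other" count is the part worth a closer look.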