Everything posted by itman

  1. If I have a HIPS rule that protects a target process against "Modify state of another application", will it protect against these memory injection methods: VirtualAllocEx/VirtualFreeEx, WriteProcessMemory, CreateRemoteThread? I believe it does but just want to verify.
  2. Yes, Eset cert. is installed in Thunderbird. However, that is not the issue since that cert. is only used for web site validation. In default installation mode, Thunderbird will install the Mozilla Maintenance service and use that to perform silent background updating. In other words, it is using svchost.exe to connect to the Mozilla update servers. Since Eset's SSL protocol scanning is enabled for all port 443 communication, I assume the cert. being sent to those servers to establish a TLS session is the Eset root certificate from the Windows root CA store? I assume the Mozilla update servers would reject that cert. just like it does for a Firefox update? One solution is to just disable svchost.exe from all SSL protocol scanning. I just might do that since I believe there is also an issue with Adobe's ARM service and God knows what else. On the other hand if a malware service was to get installed, it could send encrypted ###### un-scanned and undetected. As far as Thunderbird goes, I now realize that using Mozilla's Maintenance service and allowing silent updating is a big security risk. In this mode, all UAC elevated prompting is bypassed. I have changed the update option in Thunderbird to "notify about updates." This method allows for updating via the thunderbird.exe process with elevated UAC prompt and the Mozilla Maintenance service is never started or used. Again I assume that thunderbird.exe will initiate the update server TLS handshake using the Eset root CA OS certificate and it will in turn be rejected. I have therefore excluded the following Mozilla certificates from SSL protocol scanning. The test will be when Mozilla serves up its next Thunderbird update. -EDIT- Further risks associated with using Mozilla Maintenance service noted here: https://wizzley.com/mozilla-maintenance-service-a-security-issue/ . Note that according to this article you have to either disable the service or uninstall it to actually prevent update downloads from the service.
  3. ::1 is IPv6 address for localhost. Also MS could be using IPv6 addresses if your router and ISP support IPv6.
  4. Ref. https://forum.eset.com/topic/5556-new-malware-got-past-nod32/ Interesting. I had something similar happen but with a different twist. I use Thunderbird as my e-mail client. Recently I had Thunderbird open reading my e-mail and I received a pop-up about Thunderbird having blocked an invalid update. Posted this on the Mozilla TBird forum and mods there had no clue as to what that error message was or where it originated. And it gets stranger .......... I just recently discovered there is an issue with Mozilla updates for Firefox, Thunderbird, etc. if Eset SSL protocol filtering is enabled. Appears Mozilla rejects Eset's root certificate and no connection is allowed for updating and the like. Checking my Thunderbird update logs indeed showed I had not had an update since Eset had been installed. Fix is to exclude Mozilla certificates from Eset SSL protocol filtering which I have subsequently done. So either this failed update message was bogus; or an attempt had been made to actually update Thunderbird, the update was bogus, and thankfully Thunderbird rejected it. The referenced thread and my experience make me wonder if perhaps a man-in-the-middle attack can occur when Eset's SSL protocol filtering does not work properly? Also of concern is that no diagnostic message from Eset is displayed when there is an issue with a web site accepting Eset's root certificate.
  5. Eset Advanced setup -> Tools -> System updates -> No updates
  6. Well, this explains why I haven't been receiving any Thunderbird updates since I installed Eset. Below is what I excluded when accessing update functions within Thunderbird. Only one I didn't exclude was for Google analytics since I assumed that was for tracking by Google. Is this enough to now start getting update notifications from Mozilla?
  7. Norton by default allows both inbound and outgoing access for browsers. Why wouldn't you recommend these settings? By the way, my settings are set to automatic. If Eset firewall filtering mode is set to Automatic, then all outbound traffic is allowed as far as Eset is concerned. By any chance did you ever change the WIN firewall default settings in the past? Like along the lines of enabling outbound firewall processing? And additionally creating any rules there for your browsers? Is the WIN firewall set to the Home or to the Public profile? Also is the only outbound traffic that is being blocked for your browsers or is all outbound app traffic being blocked? Finally, did you uninstall all other security software and run their respective clean utilities prior to installing Eset? Are you running any other security software besides Eset?
  8. Perhaps the firewall filtering mode got set to Interactive versus the default Automatic mode? In Automatic mode, all outbound traffic is allowed. I have run with Public profile since day 1 and never had an issue with outbound traffic with firewall set to Automatic mode. Perhaps the issue is with inbound traffic to your browsers for some reason? If so, this might be DNS related. Hopefully, you did not create firewall rules to allow inbound traffic to the browsers?
  9. That is good to know. Question though is if it will be of any benefit. I have played with third party Win firewall add-ons in the past that tried to do the same. Most didn't work right due to the fact that there are hidden services that are not shown via Admin -> Services that Win uses. Many of these are triggered by BITS. However, restricting svchost.exe access to MS servers or its proxies e.g. Akamai gives very good protection.
  10. Just verified that after setting firewall to interactive and having created a rule for iexplore.exe, I did indeed receive an alert about a program change for iexplore.exe upon access of it after the Sept. Win Updates were downloaded and applied.
  11. Try this. Note the comment about not being able to reactivate WD once disabled. Ref.: hxxp://www.tenforums.com/antivirus-firewalls-system-security/5879-permanently-disable-windows-defender.html Since this is a TP. The option to turn off/disable Windows Defender is grayed out. However, you can turn off by: Open Admin Command Prompt and type: gpedit.msc Maneuver to: Computer Configuration->Administrative Templates->Windows Components->Windows Defender Double click on "Turn Off Windows Defender" and select "Enabled" then click "Apply" WARNING: After turning off "Windows Defender", you might not be able to turn it back on. I suggest before trying this, make a backup image so you can restore to the way it was. Last edited by topgundcp; 05 May 2015 at 02:51.
  12. Just started using the firewall in interactive mode. I do wish that Eset would either store the URL versus the IP address in the generated outbound firewall rule. Or, at least provide an option to store either one. This would be most beneficial for rules covering svchost.exe, rundll32.exe, and the like that connect to Microsoft using many different servers and IP addresses. Also these processes are frequently targeted by malware. Creating rules that allow all outbound activity for these processes is not very secure. Creating a separate firewall rule for every IP address svchost.exe uses when connecting to Microsoft will result in dozens of rules being generated. I also believe this would not be a major issue to implement since the Eset firewall alert already displays the URL used for the connection. As such, the URL is available to be stored in the resultant generated outbound firewall rule.
  13. Maybe I was right after all. The below is from the Endpoint user manual. Notice what I underlined. So I assume you would have to be running in interactive mode initially or manually create rules for all apps you want monitored. Application Modification Detection The application modification detection feature displays notifications if modified applications, for which a firewall rule exists, attempt to establish connections. This is useful to avoid abusing rules configured for some application by another application by temporarily or permanently replacing the original application's executable file with the other application's executable file, or by maliciously modifying the original application's executable file. Please be aware that this feature is not meant to detect modifications to any application in general. The goal is to avoid abusing existing firewall rules, and only applications for which specific firewall rules exist are monitored. Enable detection of application modifications – If selected, the program will monitor applications for changes (updates, infections, other modifications). When a modified application attempts to establish a connection, you will be notified by the Personal firewall. Allow modification of signed (trusted) applications – Don't notify if the application has the same valid digital signature before and after the modification. List of applications excluded from checking – This window lets you add or remove individual applications for which modifications are allowed without notification.
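The manual text quoted in the post above describes a firewall that binds each per-application rule to the executable as it existed when the rule was created, and re-checks the file when that application next tries to connect. The following is an added example, not code from the forum or from ESET's product: a small Python model of that behaviour. It binds a rule to the file's SHA-256, raises a "notify-modified" outcome when the hash no longer matches, honours an exclusion list, and implements the "allow modification of signed (trusted) applications" option by accepting a changed file only if the same publisher validly signed both the old and the new build. The publisher signature is a constructed stand-in (an HMAC sidecar file keyed per publisher), not Authenticode or any real PKI; the file names, publisher name and key are all made up for the demonstration.

```python
"""Toy model of firewall 'application modification detection' (added example).
A rule is bound to the executable's SHA-256 at creation time; on a later
connection attempt a hash mismatch notifies, unless the path is excluded or the
same publisher validly signed both old and new builds (when that option is on).
"""
import hashlib
import hmac
import os
import tempfile
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed stand-in for Authenticode: a publisher "signs" a file by writing
# an HMAC sidecar keyed with its secret. Not a real PKI; illustration only.
PUBLISHER_KEYS = {"Example Corp": b"example-corp-signing-key"}


def file_sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_file(path: str, data: bytes) -> None:
    with open(path, "wb") as f:
        f.write(data)


def sign_file(path: str, publisher: str) -> None:
    with open(path, "rb") as f:
        mac = hmac.new(PUBLISHER_KEYS[publisher], f.read(), hashlib.sha256).hexdigest()
    with open(path + ".sig", "w") as f:
        f.write(f"{publisher}:{mac}")


def verify_signature(path: str) -> Optional[str]:
    """Return the publisher name if the sidecar signature validates, else None."""
    sig_path = path + ".sig"
    if not os.path.exists(sig_path):
        return None
    with open(sig_path) as f:
        publisher, _, mac_hex = f.read().partition(":")
    key = PUBLISHER_KEYS.get(publisher)
    if key is None:
        return None
    with open(path, "rb") as f:
        expected = hmac.new(key, f.read(), hashlib.sha256).hexdigest()
    return publisher if hmac.compare_digest(expected, mac_hex) else None


@dataclass
class FirewallRule:
    action: str               # "allow" or "deny"
    sha256: str               # hash of the executable when the rule was created
    publisher: Optional[str]  # validated signer at rule creation, if any


@dataclass
class Firewall:
    detect_modifications: bool = True
    allow_signed_modifications: bool = False
    excluded: Set[str] = field(default_factory=set)
    rules: Dict[str, FirewallRule] = field(default_factory=dict)

    def add_rule(self, path: str, action: str) -> None:
        self.rules[path] = FirewallRule(action, file_sha256(path), verify_signature(path))

    def connection_attempt(self, path: str) -> str:
        rule = self.rules.get(path)
        if rule is None:
            return "no-rule"  # only applications with rules are monitored
        if self.detect_modifications and path not in self.excluded:
            current = file_sha256(path)
            if current != rule.sha256:
                signer = verify_signature(path)
                if self.allow_signed_modifications and signer and signer == rule.publisher:
                    rule.sha256 = current  # same valid signer before and after: accept quietly
                else:
                    return "notify-modified"
        return rule.action


def run_scenarios() -> Dict[str, str]:
    """Exercise the model on constructed files in a temp dir; returns outcomes."""
    out: Dict[str, str] = {}
    with tempfile.TemporaryDirectory() as d:
        app, tool = os.path.join(d, "app.exe"), os.path.join(d, "tool.exe")
        write_file(app, b"original build")
        write_file(tool, b"original build")
        sign_file(app, "Example Corp")
        fw = Firewall(allow_signed_modifications=True, excluded={tool})
        fw.add_rule(app, "allow")
        fw.add_rule(tool, "allow")

        out["unchanged"] = fw.connection_attempt(app)
        write_file(app, b"updated build")      # changed, sidecar signature now stale
        out["modified_unsigned"] = fw.connection_attempt(app)
        sign_file(app, "Example Corp")         # same publisher re-signs the new build
        out["modified_resigned"] = fw.connection_attempt(app)
        write_file(app, b"tampered build")     # replaced again without a valid signature
        out["tampered"] = fw.connection_attempt(app)
        write_file(tool, b"changed tool")      # modified, but on the exclusion list
        out["excluded_modified"] = fw.connection_attempt(tool)
        out["unknown"] = fw.connection_attempt(os.path.join(d, "other.exe"))
    return out
```

Running `run_scenarios()` shows the four distinct outcomes the manual describes: an unchanged file passes under its rule, a changed file triggers a notification, a changed file re-signed by the same publisher passes when the signed-modification option is on, and an excluded application is never re-checked. An application with no rule at all is simply not monitored, which is the point the post draws from the manual.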
  14. Tried to duplicate what you did. Modified "Microsoft" copyright data to "Midosoft" in IE10 x64 and saved it. Program wouldn't run; something about a x86 x64 compatibility issue. So the question remains why I am getting any alerts. Does the signed check apply to Windows apps? Obviously there have been many updates to those since I installed Eset. I have also manually updated RevoUninstaller Pro for example and never received any alerts on that. By manually, I mean I get a notice from the app upon start up that an update is available and I indicate that it is OK to download and install the update. Perhaps this only applies to apps that have been silently modified/updated during actual execution of the app?
  15. It's not clear how would you limit the firewall to monitor outbound or inbound communication separately. With the firewall enabled you should have received a notification with action selection. Of course, if firewall is disabled then network-aware applications won't be monitored for changes. Hum ........ didn't say correctly what I meant. It is my understanding the firewall needs to be set to interactive mode to receive program update alerts? As you can see from the below screen shot, mine is set to the default automatic mode. And I have never received any update alert about signed or non-signed software. Note: I do all my updating manually. Does this feature only apply to automatic program updating?
  16. I have never received an alert about a file change and I have the "valid digital signature" option disabled. It is my understanding that this file change alerting only works if outbound firewall monitoring is enabled. Is this correct?
  17. So my questions are: - am I losing anything important if I do not turn on integration with Outlook? Per Eset Help: Integration of ESET Smart Security with email clients increases the level of active protection against malicious code in email messages. If your email client is supported, integration can be enabled in ESET Smart Security. When integration is activated, the ESET Smart Security toolbar is inserted directly into the email client, allowing for more efficient email protection. Integration settings are available through Setup > Enter advanced setup... > Web and email > Email client protection > Email client integration. Email clients that are currently supported include Microsoft Outlook, Outlook Express, Windows Mail, Windows Live Mail. For a complete list of supported email clients and their versions, refer to the following ESET Knowledgebase article. Select the check box next to Disable checking upon inbox content change if you are experiencing a system slowdown when working with your email client. This can occur when retrieving email from the Kerio Outlook Connector Store. Even if integration is not enabled, email communication is still protected by the email client protection module (POP3, IMAP). (Note that IMAPS/POPS e-mail is not protected since it is encrypted unless SSL protocol scanning is enabled.) - am I losing anything important if I do not turn on use IMAPS protocol checking for selected ports (which I can only do if I turn on always scan SSL protocol)? See above reply. - am I right that turning on always scan SSL protocol is generally a bad idea (which is why Eset comes with that turned off by default)? Yes and no. Yes in that all encrypted communication, web and e-mail, will be scanned. You might not want that on certain web sites where you want your privacy maintained. You can however exclude those specific web sites from being unencrypted and scanned. No in that encrypted e-mail/attachments can contain malware. Also encrypted web sites can be hosting malware.
  18. A couple of things could be going on here. First, I don't use Outlook but instead use Thunderbird as my e-mail client. Below is a screen shot of Eset's default e-mail port settings: Note the default port settings for both IMAP and IMAPS. These must sync with your corresponding Outlook settings. If you are using IMAP which BTW does not support an encrypted SSL connection, then your Outlook same setting must be port 143. Also use of e-mail protocol is dictated by your ISP. For example, I can receive e-mail encrypted using IMAPS but have to send e-mail unencrypted using IMAP protocol. Additionally in Thunderbird, I need to set my email protocol to TLS/SSL for an IMAP connection. The SSL option is only supported for IMAPS. The Eset SSL protocol option determines whether or not your incoming encrypted e-mail i.e. IMAPS/POPS, will be unencrypted and scanned for malware. If SSL protocol scanning is turned on, the encrypted e-mail will be scanned; otherwise it will not be scanned. Using Thunderbird, this results in Eset inserting its root certificate in Thunderbird's root CA store. I believe Outlook might use Windows root CA store? If you received e-mail via IMAP, that e-mail will be automatically scanned by Eset w/o enabling Eset's SSL protocol scanning since it is unencrypted. Note enabling Eset's SSL protocol scanning will also result in all your Internet HTTPS connections being unencrypted and scanned for malware also. So be aware of that.
  19. Those IP addresses trace back to China so I would be vigilant. Also if you don't have a router with NAT & SPI plus a firewall, I would consider investing in one.
  20. Check out this posting: hxxp://www.sevenforums.com/windows-updates-activation/198811-windows-updates-windows-activation-error-code-80072efd.html Person did similar to you; reformat and OS reinstall. Below is what fixed it for him. Thank you Noel for your suggestions. Before I had a chance to try it though I was able to resolve the issue. I think I got one of those DNS changing viruses before my computer reformat. When I reset both the router and modem to factory settings, reset up my wireless network, and changed the usernames and passwords for both the modem and router I was able to access the windows update servers. I can't believe that after everything I tried I missed one of the easiest troubleshooting tasks! Thank you again for your help!
  21. As I stated previously in the "suggestions" thread, would like a tray option to disable/enable SSL protocol scanning on demand. Much more convenient would be a browser toolbar to do the same.
  22. Bump! I really need this feature folks to block crypto malware downloads. I have WIN 7 Home so I can't use SRP. I have created a HIPS rule to prevent startups in susceptible directories but that doesn't protect me against scripts, .scr, and the latest variant payloads, .exx. Also, I am a bit old fashioned in that I believe in that old truism, "An ounce of prevention is worth a pound of cure." Hence, my desire to block target file writes in susceptible directories. And yes, I know what I am doing. All HIPS rules I create like this are "ask" mode.
  23. Subnet? Like 255.255.255.0? Or the actual router 192.268.1.1 ? I turn off firewall, and I get Internet access… I turn it back on, and no internet.. What is the setting for NOT blocking my own router from in and outbound port 80??...seems to be a bug in the install process! Please advise Chas Try this: hxxp://support.eset.com/kb2888/
  24. I know this has been asked before and I thought it was supposed to be incorporated into NOD32 and Smart Security by now? Appears the Endpoint versions support *.exe, etc. in target files and applications HIPS rules. I suspect Eset locked out this feature for the consumer versions. Is there any way to unlock this feature perhaps by XML directive command? Or, is it possible to get a copy of the Endpoint .bin file?