Posts posted by itman

  1. "Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface.  hr = 0x80070005, Access is denied. This is often caused by incorrect security settings in either the writer or requestor process."

    This is why I suspect this incident is ransomware related.  The malware will disable this service so it can delete the shadow volume copies that could be used to possibly restore the encrypted files from.

     

    If I were the OP, I would be copying all my personal files to off-line storage and keep that storage device disconnected from the infected PC/network until this matter is resolved.

  2. Also, a second good way is to enable learning mode for 2 weeks, use your PC as much as you can, and then set HIPS to interactive mode. Then every prompt by HIPS should be considered a potential danger.

     

    The best way to use HIPS interactive mode is right after an OS installation. In this state, you are assured that your PC is free of any malware.

     

    Remember that when running a HIPS in interactive mode, any activities by 0-day malware for example will be allowed. So it is essential any potential risky activities including Internet ones be restricted during the training period.

     

    Finally, there were initial duplicate rule creation issues with interactive mode when ver. 9 was released. Don't know if those were ever fully resolved.

  3. I set the SSL/TLS Protocol Filtering to 'Interactive Mode', rebooted and then started Windows Updates again.  Shortly thereafter an Eset window popped up asking about granting access to Microsoft (Yes! that's what I wanted!). 

    This doesn't make any sense. Eset SSL protocol scanning will only scan processes that you tell it to; e.g. web browsers, e-mail clients, etc. Windows Updating is performed using a svchost.exe-like service. That web traffic is not scanned in ver. 9 unless it was manually added.

     

    Now I never tried to do Win Updating via IE11 when I was using Win 7. So using that method, it may be possible that Win Update downloads are being scanned.

  4. and then read the article "Online Tracking". I followed the advice to shut down all the reporting back to Microsoft options including disabling Cortana and everything now works again...

    I agree this has nothing to do with BPP functionality. I have Cortana telemetry disabled via policy settings using OOSU10. I still can't access banking sites via normal IE11 browser mode.

  5. Is it possible to add custom rules in HIPS settings to improve ransomware protection? Or maybe Smart mode is enough? I'm asking because I've seen a Youtube video where a user was testing ESET 10 Beta on default settings and it didn't protect the OS from a zero-day ransomware sample.

    Below is a .pdf link to an Eset tech paper produced by their Romanian distributor, I believe.

     

    hxxp://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=6&ved=0ahUKEwjy4Of4t9DPAhUFWD4KHeQlBM8QFghdMAU&url=hxxp://www.nod32.com.hr/Portals/66/PDF/anti-ransomware-techbrief_en.pdf&usg=AFQjCNHN_-B-UcNEaldEAOXbtRNbA78xNg

     

    The article was written for Eset Endpoint but you can "glean enough" details to create corresponding rules for Smart Security HIPS and firewall. Basically, the rules are to block script and PowerShell execution or dialing out. I would also make the HIPS rules "ask" versus "block" so that you don't auto block some necessary app or system process that uses cscript, wscript, or Powershell. I personally have never received alerts from any of these processes.

     

    Note that there is a separate rule for explorer.exe of monitored processes. That is due to the way explorer.exe can be launched as a hidden process e.g. RegCleaner, SpywareBlaster, etc..

     

    It is also possible that default HIPS rules have been created in ver. 10 since Eset states it now has script protection.  Comment on this Marcos?

  6. I've found HIPS settings posted by a user, it includes MBR protection (that's what his post says) https://malwaretips....48/#post-150572

    Are these settings good?

    Yes. Those settings were copied from a security configuration guide for an earlier ver. of Eset, ver. 6 I believe, that is posted also on the malwaretips.com web site. Many of the rules in the guide now exist as default HIPS rules such as the monitoring of the registry "run" keys.

     

    As I warned previously, any monitoring of drive direct access by the HIPS will cause issues with some existing Windows processes. The one most affected is shadow volume copying since it runs in the background. As such, you may not be present to respond to any alert with the result being a borked system backup occurring. So use of this type of HIPS monitoring is at the user's risk. 

     

    I also have yet to try such monitoring in Win 10. I also use Emsisoft's Antimalware and its behavior blocker does monitor for direct/low level disk access.

  7. cannot find how to protect the MBR, where is the option?

     

    You can create an "ask" HIPS rule to monitor low level disk access on the drive where your OS is installed.

     

    Warning: This will cause issues with some OS processes such as shadow volume copy, defrag, etc. and the rule will have to be monitored closely. One possible work around is to also create an identical "allow" HIPS rule to allow low level disk access for all exe's in C:\Windows\System32\*.*. I would also disable the "ask" rule when doing any Win 10 release upgrades.

  8. Hello itman,

    I tried the mentioned websites in IE11 on Windows 10 and they were correctly detected and redirected to the secured browser.

    Can you please send me a PM with your specific OS build and IE build and the exact error message (if any), along with output from ESET Log Collector for further analysis?

    Also, please specify whether the behavior is the same in all browsers on your computer and whether the same happens for other banking websites as well.

    Thanks

    Just sent you the Eset logs. Only use one browser - IE11.

     

    Like I posted, I tried three banking web sites including Swedbank and none opened in a BPP secured browser window from IE11. For my own banking web site, I previously just added it manually to list of protected sites in BPP.

     

    -EDIT- I do have advanced EPM enabled in IE 11 x64, so IE is running in AppContainer. This doesn't seem to impact my own bank site from starting BPP from IE11 but again it was manually added. This might have something to do with accessing the internal bank whitelist perhaps with advanced EPM enabled?

  9. Also see this posting: https://forum.eset.com/topic/9323-poweeshell-as-virus-after-update/

     

    As an interim solution, you might want to create a HIPS "ask" rule to monitor the startup of powershell.exe in both the C:\Windows\System32\WindowsPowershell and C:\Windows\SysWOW64\WindowsPowershell folders. Make sure you enable "log the event" and that you select deny when the alert appears. This should point you to the malware process most likely running a powershell script.
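    As an added illustration (not code from the post or from Eset), the following Python mirrors what the "ask" rule above does: it matches process starts of powershell.exe from the two folders named in the post and reports the parent process of each match, which is the information the post says will point at the malware. The event records and their paths are constructed sample data.

    ```python
    from dataclasses import dataclass

    # The two folders the post's HIPS rule monitors (64-bit and 32-bit PowerShell).
    MONITORED_DIRS = (
        r"C:\Windows\System32\WindowsPowershell",
        r"C:\Windows\SysWOW64\WindowsPowershell",
    )


    @dataclass
    class ProcessStart:
        image: str         # full path of the process being started
        parent_image: str  # full path of the process that started it
        command_line: str


    def _norm(path):
        # Windows paths are case-insensitive; normalise separators and case.
        return path.replace("/", "\\").lower().rstrip("\\")


    def matches_rule(event):
        """True if the start would trigger the 'ask' rule: powershell.exe under a monitored dir."""
        image = _norm(event.image)
        if not image.endswith("\\powershell.exe"):
            return False
        return any(image.startswith(_norm(d) + "\\") for d in MONITORED_DIRS)


    def triage(events):
        """Return (parent_image, command_line) for every start the rule would stop on,
        i.e. the 'log the event' data that identifies who is launching PowerShell."""
        return [(e.parent_image, e.command_line) for e in events if matches_rule(e)]


    # Constructed sample events, not taken from any real log.
    SAMPLE_EVENTS = [
        ProcessStart(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                     r"C:\Windows\explorer.exe", "powershell.exe"),
        ProcessStart(r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
                     r"C:\Users\user\AppData\Local\Temp\updater.exe",
                     "powershell.exe -NoProfile -File C:\\Users\\Public\\run.ps1"),
        # Outside the monitored folders: the rule does not fire.
        ProcessStart(r"C:\Program Files\App\powershell.exe", r"C:\Program Files\App\app.exe", ""),
        # Different image name (ISE): the rule does not fire.
        ProcessStart(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe",
                     r"C:\Windows\System32\cmd.exe", ""),
    ]

    if __name__ == "__main__":
        for parent, cmd in triage(SAMPLE_EVENTS):
            print(f"ASK: powershell started by {parent}: {cmd}")
    ```

    In the sample, the second hit comes from an executable in a user's Temp folder, which is the kind of parent the post suggests denying and investigating.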

  10. Also you might want to be careful and not use your PC till this is resolved. There is a strong possibility this is ransomware connected. See this posting: hxxp://www.bleepingcomputer.com/forums/t/577246/locker-ransomware-support-and-help-topic/page-10 . You might want to check if your files have already been encrypted.

     

    -EDIT- Also it appears to me that there is a strong possibility the malware has installed a backdoor or rootkit on your PC. As such, it will keep downloading the Trojan after Eset removes it. So you need some professional malware assistance on this one.

  11. I have this problem too. First it was just the secure browser often not working, but Firefox would still work. Now it won't let me log in to PayPal in Firefox - it redirects to https://help.eset.co...onfig_alert.htm

    Just delete the PayPal web site from the list of protected web site for BPP. Then it won't open in BPP.

     

    The PayPal web site doesn't open up automatically in BPP; I just accessed the site in IE11. So, I assume you added it manually. No need to totally disable BPP.  

     

  12. Are there any ways to block a root CA in Eset Smart Security?

    Prior to doing the below steps, you're going to have to export the intermediate root CA you wish to block to a file. Then when you get to step 4., you will select "File." Then select the file where you exported the root CA. Finally, select "block" as the action in step 5.

     

    You can also just set Wo-Sign and StartCom intermediate root CA certificates as "untrusted" using certmgr.msc. Of course, you will have to save the certificates in a file and then import same as an untrusted publisher. The procedure to do this is here: hxxp://blogs.msmvps.com/alunj/2016/05/26/untrusting-the-blue-coat-intermediate-ca-from-windows/ . Note this was for a Bluecoat certificate but the method is the same for any intermediate root CA certificate. -EDIT- Also Eset's SSL protocol scanning uses the Windows root CA certificate store for certificate validation. As such, if your purpose is to block all web sites with certificates issued by Wo-Sign or Startcom, the only way to do so is using the certmgr.msc method when using SSL protocol scanning. Or, block each individual web site certificate using Eset's certificate exclusion feature.

     

    Or, just wait. Apple has already blocked these intermediate root CA certificates. Hopefully, Microsoft will be doing the same shortly.  

     


  13. Finally got this one figured out and it is not an Eset firewall issue.

    Today mysteriously the local scope i.e. fec0::/16 addresses showed up again in the firewall DNS zone; namely fec0:0:0:ffff::1, fec0:0:0:ffff::2, and fec0:0:0:ffff::3. This led me to re-examining IPv6 DNS local scope processing.

    First, again I am using a 2Wire/Pace IPv4 router/gateway with AT&T hacked firmware to allow for IPv6 address resolution via 6to4RD tunneling. Appears AT&T also set up an IPv6 local scope DNS server although use of local scope IPv6 was deprecated years ago. So I dug into the old IETF specification here: https://tools.ietf.org/html/draft-ietf-ipv6-dns-discovery-06

     

    Basically IPv6 local scope DNS actually uses IPv6 DHCP to resolve to a remote ISP DNS server address. This explains those DHCP requests I originally posted above. I further muddied up the works by attempting to connect to third party IPv6 DNS servers which somehow did work but as I now have observed with a huge browser rendering impact. 

     

    -EDIT-

     

    I guess I should also explain what the problem was as given in this IETF excerpt:

     

       This example will show how DHCPv6 and well known site local unicast
       addresses cooperate to enable the internal nodes to access DNS.

       The customer router CPE is configured on its internal interface with
       one of the reserved site local addresses and listen for DNS queries.
       It would act as a DNS forwarder, as in 5.2,  forwarding those queries
       to the DNS resolver pointed out by the ISP in the DHCPv6 exchange.

     

    As observed, the first request is an IPv6 DHCP request that returns the address of my ISP's IPv6 DNS server. This address is stored in the router and is used as the destination remote address for any subsequent local scope based IPv6 DNS requests. As such, it is not possible to effectively use third party IPv6 DNS servers since the router is not equipped to handle such addresses.

     

    This router does have DHCPv6 server capability but it is not activated. To do so, I would have to pay for a static IP address.
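    As an added example (not from the post or from Eset), this Python classifies the resolver addresses that showed up in the firewall DNS zone above: the three well-known site-local resolver addresses from the quoted draft are separated from other deprecated site-local addresses and from ordinary resolvers, and the audit repeats the post's observation that queries to the well-known addresses are forwarded by the CPE to the ISP resolver learned over DHCPv6. The resolver list is constructed sample data; the documentation prefix 2001:db8::/32 and 192.0.2.0/24 stand in for real resolvers.

    ```python
    import ipaddress

    # Well-known site-local resolver addresses defined in draft-ietf-ipv6-dns-discovery
    # (the addresses the post saw appear in the firewall's DNS Servers zone).
    WELL_KNOWN_RESOLVERS = {
        ipaddress.IPv6Address(a)
        for a in ("fec0:0:0:ffff::1", "fec0:0:0:ffff::2", "fec0:0:0:ffff::3")
    }


    def classify_resolver(addr_str):
        """Classify one configured resolver address."""
        addr = ipaddress.ip_address(addr_str)
        if addr.version == 4:
            return "ipv4"
        if addr in WELL_KNOWN_RESOLVERS:
            return "site-local-well-known"   # answered by the CPE forwarder
        if addr.is_site_local:              # fec0::/10, deprecated by RFC 3879
            return "site-local-deprecated"
        if addr.is_link_local:              # fe80::/10
            return "link-local"
        return "global"


    def audit(resolvers):
        """Return (classes, findings) for a list of configured resolver addresses."""
        classes = {r: classify_resolver(r) for r in resolvers}
        findings = []
        if "site-local-well-known" in classes.values():
            findings.append(
                "queries to fec0:0:0:ffff::1-3 are answered by the CPE, which forwards "
                "them to the ISP resolver it learned via DHCPv6; a third-party IPv6 "
                "resolver configured on the adapter is not used for those queries"
            )
        for addr, cls in classes.items():
            if cls == "site-local-deprecated":
                findings.append(f"{addr}: site-local (fec0::/10) is deprecated")
        return classes, findings


    # Constructed sample: the three draft addresses plus one IPv6 and one IPv4 resolver.
    SAMPLE_RESOLVERS = [
        "fec0:0:0:ffff::1", "fec0:0:0:ffff::2", "fec0:0:0:ffff::3",
        "2001:db8::53", "192.0.2.1",
    ]

    if __name__ == "__main__":
        classes, findings = audit(SAMPLE_RESOLVERS)
        for addr, cls in classes.items():
            print(f"{addr:20} {cls}")
        for f in findings:
            print("finding:", f)
    ```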

  14.  

    I will also proceed to install the Spanish version of the program to verify this, but even with the 349 version in English it happened that after restarting both firewalls were activated.

    And again that does not happen with version 8.

     

    There are many changes in the v9 firewall. For instance, it can honor Windows firewall rules. However, I couldn't reproduce the situation when the Action center reports both firewalls active. This happened only after installing recent Windows updates but after a computer restart only ESS firewall was reported as active.

     

    I have been able to duplicate this issue multiple times. It occurs in ver. 9 whenever there is a change in network adapter status. For example, an ipconfig /release or /release6 and ipconfig /renew or /renew6 or winsock reset will cause it. The only remedy I have found to fix is to do an Eset repair.  

     

    This is the first third party firewall I have ever used that exhibits such behavior.

     

    Just "dawned on me" that I suspect Eset's firewall needs to be suspended or turned off prior to any network adapter status changes?

  15. Interesting.

     

    I did some testing. I first reverted back to using my router's DNS server instead of using third party IPv4 & 6 DNS servers via network adapter settings. Now upon resume from standby, the firewall's default "allow all connections within the computer" rule will allow outbound DNS i.e. port 53 requests (multiple) from my PC to the router's DNS server. This same address also happens to be the one for the DHCP server. So I assume the activity being allowed for svchost.exe is for DHCP and not DNS. I can't tell for sure since Eset's firewall logger does not record what service is being used. In any case, at least the activity is somewhat legit outbound activity and not "convoluted" as was occurring previously.

     

    Note the following. I believe the "bug" in the firewall processing is that Eset considers any IP listed in the DNS Servers zone to be a valid local connection. Obviously, third party DNS server IP addresses are not "local connections." Then there is the question why that default firewall rule exists in the first place in ver. 9. In ver. 8, it existed in the IDS section which is where it should belong in my opinion.

     

    Finally, there is still a timing issue with firewall initialization upon resume from standby since the "allow all connections within the computer" rule should only be allowing local host activity.

  16. I have had this issue ever since I have had Eset SS installed. That is originally in ver. 8 running on Win 7 x64 and continuing in ver. 9 and Win 10 AU x64. I couldn't get a complete "grip on it" in ver. 8 but with the improved ver. 9 diagnostics, I have been able to nail it down.

     

    Upon resume from standby, the Eset firewall is alerting on inbound UDP traffic, to port 53, to my third party DNS server - only primary IPv4 one - from my PC IP address, any port, originating from svchost.exe DHCP service. If you think about this for a minute, appears the Eset firewall is not initializing fast enough and when it does, it borks whatever is in process from the Win firewall. In this case, it appears to be svchost.exe DHCP activity. Again svchost.exe DHCP is only for ports 67/68 and 546/547.

     
