
toxinon12345

ESET Insiders
  • Posts: 165
  • Joined
  • Last visited
  • Days Won: 5

Posts posted by toxinon12345

  1. ESET Live Grid, ESET's cloud technology, received a major update for the current version of the software, v6, and is updated continually as new and existing customers participate in it.

    On-execution emulation for files bigger than approx. 4 MB, etc.

    + Mapping <big+upx> executables ---> on-access LiveGrid whitelisting ! file skipping ! local cache similar to PrevX / Webroot fastest lookups

    ---- speeds between those of code analysis and code emulation

  2. Enabling advanced heuristics on file access may have impact on system performance as code emulation is a time and resource consuming process. Therefore, advanced heuristics is only used for newly created and modified files as well as for file that are executed. Files whitelisted by ESET will not be scanned again if you have Smart optimization and LiveGrid enabled.

    Good, now switch back to Core Performance of the product (e.g. v5).

    To what degree can the security of the product be reduced by disabling "Advanced heuristics on execution" but leaving the work at memory level to the "HIPS Advanced Memory Scanner"?

    The next Performance Test for Security Suites is about to start; ESET should recover their lightest performance.

  3. The most noticeable change in Performance with respect to previous versions is the AdvHeuristics option turned on for File Execution.

    However, even if you tell the program it should enable adv heuristics when a file execution occurs, it seems to me both options in Real-time protection Advanced setup

    --> Scan on File Open
    --> Scan on File Execution

    are scanned based on an opened file handle; other AVs use File Mapping to intercept the execution.

    Obviously this doesn't occur for write operations, as files are scanned upon close.

  4. Does ESET SysInspector | ESET Online Scanner have these features for better LiveGrid tracking?

    The snapshot of the running processes has to contain information extracted by the following three components:

    The file information component extracts information such as Portable Executable structure abnormalities, entropy, whether or not the file is digitally signed with a valid digital signature, imported functions, etc., all of which are helpful in determining whether a file is suspicious.

    The memory information component analyses the in-memory image of modules. Since the modules are already executing, it is safe to assume that, at this stage, most modules are decrypted/decompressed and we have access to their unencrypted memory image. Among information retrieved, we mention:

    • Exploits and shellcode.
    • Embedded executables (particularly device drivers!).
    • Strings used by various protocols, interesting registry keys, etc.
    • Whether the in-memory code section exactly matches the on-disk code section (of course, after we apply relocation information).

    The system information component analyses the way the module interfaces with the system, and possibly other systems, by taking into consideration the following:

    • A hidden process, or a hidden module within a process, is a warning sign.
    • A process that waits on a specific port, or is connected to a server on a specific port, may be a warning sign, depending on the port, server address and other flags.
    • A process with multiple valid and visible windows may be considered less suspicious than a process with no windows, or with windows outside the viewing area of the screen.
    • API hooking, although used in legitimate software as well, is mostly used by malware, typically by injecting unconditional branches to the new handler function.
    • A presence in a ‘hot’ area of the file system (the Windows or System32 directories, Startup, Temporary Folder, etc.) or presence of an executable in a file’s list of streams, may represent a warning sign, depending on other factors.
    • Different ways of loading a DLL into the system are important flags in determining whether a file is suspicious.
    • The way a process is started may reveal interesting information. A process automatically started via an autorun registry key may receive a different score compared to a process manually started by the user.
  5. SweX, on 29 Dec 2013 - 12:38 PM, said:

    Yes in V7, Advanced Heuristics on execution is enabled by default.

     

    And Advanced Heuristics during realtime scanning is disabled by default.

     

    And IMO there's no real need to enable AH under real-time scanning. But it's important to keep it enabled for "on execution".

    This is true, but I think there is a potential internal bug in the scanner module.

    Malware is detected without the need of executing it ----- even if you uncheck FileOpen scanning.

  6. It often happens that products that appear light in tests have a big system footprint in real life and vice-versa. If you asked ESET's users about their opinion, I think they would completely agree with me.

    I don't know, but those products seem to use some type of logon-persistent cache locally stored for objects that are present in cloud whitelists. That could explain the additional speedup.

  7. factors such as:

     

    - File has a digital signature

    - The source of the file

    - How long the file has been created

    - Amount of users with the file

    - Where the file has been downloaded from

     

    Low-prevalence and rare files with a suspicious packed PE --> query reputation data after such a file has been successfully downloaded.

    Also, I think AMS could possibly benefit in speed from the whitelist.
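The warning signs quoted in post 4 and the reputation factors listed in post 7 describe a scoring approach without showing one. The Python below is an added example written for this page, not ESET's code: the `Snapshot` fields, the point weights, the verdict thresholds and the two records are all assumptions or constructed sample data, chosen only to show how such factors combine into a suspicion score and a whitelist shortcut.

```python
"""Toy suspicion scorer built from the warning signs listed in posts 4 and 7.

Added illustration only, not ESET code: the factor names, point weights and
thresholds are assumptions chosen for this example, and both records are
constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# "Hot" areas of the file system named in post 4 (lower-case path fragments).
HOT_DIRS = ("c:\\windows\\", "\\temp\\", "\\startup\\")


@dataclass
class Snapshot:
    """One process/file record as a scanner snapshot might describe it."""
    path: str
    signed_valid: bool        # carries a valid digital signature
    first_seen_days: int      # how long the file has been known
    prevalence: int           # number of users seen with the file
    packed: bool              # PE looks packed (e.g. UPX)
    hidden: bool              # process or module hidden from enumeration
    listening_port: Optional[int]
    visible_windows: int
    autorun_started: bool     # launched via an autorun registry key
    code_matches_disk: bool   # in-memory code section == on-disk section


def score(s: Snapshot) -> Tuple[int, List[str]]:
    """Return (points, reasons). Higher means more suspicious."""
    total = 0
    reasons: List[str] = []

    def add(points: int, why: str) -> None:
        nonlocal total
        total += points
        reasons.append(why)

    # File-information / reputation factors (posts 4 and 7)
    if not s.signed_valid:
        add(2, "no valid digital signature")
    if s.first_seen_days < 7:
        add(2, "file first seen less than a week ago")
    if s.prevalence < 10:
        add(2, "low prevalence")
    if s.packed and s.prevalence < 10:
        add(2, "rare packed PE: worth a reputation query")
    # Memory-information factor (post 4)
    if not s.code_matches_disk:
        add(4, "in-memory code section differs from on-disk image")
    # System-information factors (post 4)
    if s.hidden:
        add(5, "hidden process or module")
    if s.listening_port is not None:
        add(2, f"waiting on port {s.listening_port}")
    if s.visible_windows == 0:
        add(1, "no visible windows")
    if any(d in s.path.lower() for d in HOT_DIRS):
        add(1, "located in a hot area of the file system")
    if s.autorun_started:
        add(1, "started via an autorun registry key")
    return total, reasons


def classify(s: Snapshot) -> str:
    """Map the score onto a verdict (thresholds are assumptions)."""
    points, _ = score(s)
    if points >= 8:
        return "suspicious"
    if points >= 4:
        return "review"
    return "clean"


def skip_deep_scan(s: Snapshot) -> bool:
    """Whitelist shortcut in the spirit of post 2: a signed, old, widely
    seen file is not re-emulated (threshold values are assumptions)."""
    return s.signed_valid and s.first_seen_days >= 30 and s.prevalence >= 1000


# Constructed sample records (not real telemetry).
BENIGN = Snapshot(
    path="C:\\Program Files\\ExampleApp\\app.exe", signed_valid=True,
    first_seen_days=400, prevalence=100000, packed=False, hidden=False,
    listening_port=None, visible_windows=2, autorun_started=False,
    code_matches_disk=True,
)
SUSPECT = Snapshot(
    path="C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", signed_valid=False,
    first_seen_days=1, prevalence=3, packed=True, hidden=True,
    listening_port=8080, visible_windows=0, autorun_started=True,
    code_matches_disk=False,
)

if __name__ == "__main__":
    for rec in (BENIGN, SUSPECT):
        points, reasons = score(rec)
        print(f"{rec.path}: {points} points -> {classify(rec)}")
        for why in reasons:
            print("   -", why)
```

Running the script prints the per-record score and the reasons that contributed to it; the `skip_deep_scan` check shows why a whitelisted file can be left out of expensive emulation entirely, which is the speed-up the posts above are asking about.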

  8. "Regularly check for latest product update" needs to be checked, and I think it's off by default.

    If you are unsure, an additional "Regularly check for Program Components" task can be added in the Scheduler.

    Seems to me the standard scheduled task for Update already checks for PCU.

  9. Users with older signature db are now prioritized and are able to update even at times of a high load. The product actually connects to the server and receives information about the current version being served by the server, hence it evaluates the situation and correctly tells that the database is current.

    I'd like to note that base updates like this occur about 1-2 times per year so it's not common that you couldn't update on the first attempt.

    I know the update mechanism could be smart on the server side, but on the client side there are many scenarios which possibly couldn't be tested thoroughly.

    Once the update mechanism is stuck on errors like "Update database is not needed" or "Activation error" or "Invalid username/password" or invalid data in Nup/ver files, the way to solve the problem is probably the cause of the problem, too. (Changing Update settings mainly | Internet connection interrupted unexpectedly)

  10. How does one interface with this new module, if any ?   Rapid Response module: 3361 (20131128)  

    From hxxp://www.eset.com/int/about/technology/#anti-phishing

    and hxxp://www.eset.com/int/about/technology/#livegrid

     

    The <*>  database is updated by ESET regularly (users’ computers receive data about new <*> threats every 20 minutes) and this database includes information from our partners as well.

     

    Such Rapid Response database would be a complement to Reputation System

     

    This reputation system allows for effective detection of malware samples even before their signatures are delivered to user’s computer in via updated virus database (which happens several times a day).

  11. Installation via the above mentioned batch file worked fine on Windows XP. Couldn't it be a problem of rights / UAC as administrator rights are required for installation?

    Local setup installed the Endpoint Client with some errors in components.

    The ADMINCFG property was ignored, or ????

    This was under Windows 8.

  12. Most common cause of rollback is usually corrupt BFE service (if Vista/7) and may indicate infection.

    If you open command prompt and type "sc query BFE" what does that return? Alternatively check for Sirefef infection using this article hxxp://kb.eset.com/esetkb/index?page=content&id=SOLN2895&ref=tw

    This should be the most probable cause, because installation seems to be conflicting when installing FIREWALL components and then the rollback occurs.

    Temporary Workaround -----

    Use the ESET uninstaller tool in Safe Mode.

    Install Smart Security 7.

    Don't install new versions!

    No visible problems in EAV.
