toxinon12345 (Posts: 165, Days Won: 5)
Posts posted by toxinon12345
-
Enabling advanced heuristics on file access may have an impact on system performance, as code emulation is a time- and resource-consuming process. Therefore, advanced heuristics is only used for newly created and modified files as well as for files that are executed. Files whitelisted by ESET will not be scanned again if you have Smart optimization and LiveGrid enabled.
Good, now switch back to the core performance of the product (e.g. v5).
To what degree can the security of the product be reduced by disabling "Advanced heuristics on execution" while leaving the memory-level work to the "HIPS Advanced Memory Scanner"?
The next performance test for security suites is about to start; ESET should recover their lightest performance.
-
The most noticeable change in performance with respect to previous versions
is the Advanced Heuristics option turned on for file execution.
However, even if you tell the program it should enable advanced heuristics when a file execution occurs,
it seems to me both options in the Real-time protection Advanced setup
--> Scan on File Open
--> Scan on File Execution
are scanned based on an opened file handle; other AVs use file mapping to intercept the execution.
Obviously this doesn't occur for write operations, as files are scanned upon close.
-
Removable media insertion
- Add "Quick scan | Superficial scan" option in the notification prompt
- "Profile selector" in Advanced setup
-
Does ESET SysInspector | ESET Online Scanner have these features for better LiveGrid tracking?
The snapshot of the running processes has to contain information extracted by the following three components:
The file information component extracts information such as Portable Executable structure abnormalities, entropy, whether or not the file is digitally signed with a valid digital signature, imported functions, etc.; these are all helpful in determining whether a file is suspicious.
The memory information component analyses the in-memory image of modules. Since the modules are already executing, it is safe to assume that, at this stage, most modules are decrypted/decompressed and we have access to their unencrypted memory image. Among information retrieved, we mention:
- Exploits and shellcode.
- Embedded executables (particularly device drivers!).
- Strings used by various protocols, interesting registry keys, etc.
- Whether the in-memory code section exactly matches the on-disk code section (of course, after we apply relocation information).
The System information component analyses the way the module interfaces with the system, and possibly other systems, by taking in consideration the following:
- A hidden process, or a hidden module within a process, is a warning sign.
- A process that waits on a specific port, or is connected to a server on a specific port may be a warning sign, depending on the port, server address and other flags.
- A process with multiple valid and visible windows may be considered less suspicious than a process with no windows, or with windows outside the viewing area of the screen.
- API hooking, although used in legitimate software as well, is mostly used by malware, typically by injecting unconditional branches to the new handler function.
- A presence in a ‘hot’ area of the file system (the Windows or System32 directories, Startup, Temporary Folder, etc.) or presence of an executable in a file’s list of streams, may represent a warning sign, depending on other factors.
- Different ways of loading a DLL into the system are important flags in determining whether a file is suspicious.
- The way a process is started may reveal interesting information. A process automatically started via an autorun registry key may receive a different score compared to a process manually started by the user.
-
SweX, on 29 Dec 2013 - 12:38 PM, said:
Yes in V7, Advanced Heuristics on execution is enabled by default.
And Advanced Heuristics during real-time scanning is disabled by default.
And IMO there's no real need to enable AH under real-time scanning. But it's important to keep it enabled for "on execution".
This is true, but I think there is a potential internal bug in the scanner module:
malware is detected without the need of executing it, even if you uncheck File Open scanning.
-
Don't know what that means with predefined rules,
but you can count Self-Defense as a set of predefined rules for sure.
-
Wow, ESET stepping into script malware.
It happened to me that some LockScreens compiled/embedded in AutoIt bypassed some protection layers.
-
-
It often happens that products that appear light in tests have a big system footprint in real life and vice-versa. If you asked ESET's users about their opinion, I think they would completely agree with me.
I don't know, but those products seem to use some type of logon-persistent cache, locally stored, for objects that are present in cloud whitelists. That could explain the additional speedup.
-
Usually I've seen WMA files downloading codecs when playing the audio file.
It's the first time I hear of an MP3 file with such features.
-
@Neilyum
Are you positive that files scanned/accessed by Malwarebytes will be scanned/accessed by ESET anyway?
You are only telling ESET to ignore scanning of MBAM files.
-
No problems with my USB hard drives here.
Also, the newly added Advanced Memory Scanner (current version) is the most notable of all core features I've seen since v2.7.
-
Factors such as:
- File has a digital signature
- The source of the file
- How long ago the file was created
- Number of users with the file
- Where the file has been downloaded from
Low-prevalence and rare files with a suspiciously packed PE --> query reputation data after such a file has been successfully downloaded.
Also, I think AMS could possibly benefit in speed from the whitelist.
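The file-information component above lists entropy and PE structure abnormalities among its inputs, and the post just before this one singles out suspiciously packed PE files. As an added illustration (my own code, not ESET's, and not from any poster here), the following minimal PE section walker flags the classic packing indicators: a section whose Shannon entropy is near 8 bits/byte, a section that is both writable and executable, and a section name that a well-known packer leaves behind. The sample image is constructed inline with an empty optional header, so it is only meant to exercise the parser, not to be loaded.

```python
import math
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally frequent (typical of packed/encrypted data)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes):
    """Yield (name, raw_bytes, characteristics) for every entry in the PE section table."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", image, e_lfanew + 6)[0]           # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]      # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                                   # section table follows the optional header
    for i in range(nsec):
        name, _vs, _va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", image, table + 40 * i)
        yield name.rstrip(b"\0").decode("ascii", "replace"), image[raw_ptr:raw_ptr + raw_size], chars


def packing_indicators(image: bytes, threshold: float = 7.0) -> list:
    """Return human-readable findings; an empty list means no packing indicator was seen."""
    findings = []
    for name, data, chars in pe_sections(image):
        ent = shannon_entropy(data)
        if ent >= threshold:
            findings.append(f"{name}: high entropy {ent:.2f}")
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{name}: writable+executable")
        if name.upper().startswith("UPX"):
            findings.append(f"{name}: packer section name")
    return findings


def build_sample_pe(sections) -> bytes:
    """Constructed test image: DOS header, PE signature, COFF header (no optional header), section table, raw data."""
    nsec = len(sections)
    header = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)               # e_lfanew = 64
    header += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, 0, 0x0102)
    raw_ptr, table, data = len(header) + 40 * nsec, b"", b""
    for name, payload, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(payload), 0x1000,
                             len(payload), raw_ptr, 0, 0, 0, 0, chars)
        raw_ptr, data = raw_ptr + len(payload), data + payload
    return header + table + data
```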
-
System variables will resolve, but user variables will not, as they are not available in the context of the local system account in which ekrn.exe runs.
So, that is the reason why %temp% cannot be used in exclusions.
-
"Regularly check for latest product update" needs to be checked, and I think it's off by default.
If you are unsure, an additional "Regularly check for program components" task can be added in the Scheduler.
Seems to me the standard scheduled task for Update already checks for PCU.
-
What I am trying to achieve is simply to reduce the number of popups by HIPS.
I am looking for something like "trust all files signed by Microsoft" or "trust all files in this folder".
Just switch to Automatic mode.
Checksums/digital signatures are not supported.
That's why I have created some few "Ask" rules similar to Windows UAC.
-
In addition to Marcos' excellent reply, the "Log all objects" option applies to infected archives in the real-time protection.
Double-clicking an archive log in the detected threats page will open a window with all files inside.
-
Users with an older signature database are now prioritized and are able to update even at times of high load. The product actually connects to the server and receives information about the current version being served by the server, hence it evaluates the situation and correctly tells that the database is current.
I'd like to note that base updates like this occur about 1-2 times per year, so it's not common that you couldn't update on the first attempt.
I know the update mechanism could be smart on the server side, but on the client side there are many scenarios which possibly couldn't be tested thoroughly.
Once the update mechanism is stuck in errors like "Update database is not needed" or "Activation error" or "Invalid username/password" or invalid data in Nup/ver files, the way to solve the problem is probably the cause of the problem, too (changing Update settings mainly | Internet connection interrupted unexpectedly).
-
I would feel completely safe only having the Advanced Memory Scanner enabled.
Now, if you decide to use the filtering rules, you ought to think through any rule with the action "Ask", leaving the mode set to "Automatic".
Full documentation here: hxxp://kb.eset.com/esetkb/index?page=content&id=SOLN2908
-
Automatic mode allows almost all (if not all) requests automatically. So it defeats the purpose of having a HIPS in the first place.
Turn on the new HIPS Advanced Memory Scanner; it is a post-execution detection layer.
It is available in version 7.
-
How does one interface with this new module, if at all? Rapid Response module: 3361 (20131128)
From hxxp://www.eset.com/int/about/technology/#anti-phishing
and hxxp://www.eset.com/int/about/technology/#livegrid
The <*> database is updated by ESET regularly (users' computers receive data about new <*> threats every 20 minutes) and this database includes information from our partners as well. Such a Rapid Response database would be a complement to the Reputation System.
This reputation system allows for effective detection of malware samples even before their signatures are delivered to the user's computer via the updated virus database (which happens several times a day).
-
Installation via the above-mentioned batch file worked fine on Windows XP. Couldn't it be a problem of rights / UAC, as administrator rights are required for installation?
Local setup installed the Endpoint Client with some errors in components.
ADMINCFG property was ignored or ????
This under Windows 8.
-
The most common cause of rollback is usually a corrupt BFE service (if Vista/7) and may indicate infection.
If you open a command prompt and type "sc query BFE", what does that return? Alternatively, check for Sirefef infection using this article: hxxp://kb.eset.com/esetkb/index?page=content&id=SOLN2895&ref=tw
This should be the most probable cause, because the installation seems to be conflicting when installing FIREWALL components, and then the rollback occurs.
Temporary workaround:
Use the ESET uninstaller tool in Safe Mode.
Install Smart Security 7.
Don't install new versions!
No visible problems in EAV.
-
Your UI has mostly adhered to Windows standards and has been quite accessible.
Marcos, he probably refers to the new TOAST notifications.
-
Scheduled Scans in ESET Internet Security & ESET Smart Security Premium
On-execution emulation for files bigger than approx. 4 MB, etc.
+ Mapping <big+upx> executables ---> on-access LiveGrid whitelisting ! file skipping ! local cache similar to Prevx / Webroot fastest lookups
---- speeds between those of code analysis and code emulation