Utini, posted December 11, 2014
Quoting an earlier post: "... is a great idea!"
Yep, today I did a few more tests with ESS and compared it to CIS (which is the product I have used for the last 1-2 years): ESS seems to have the better AV and HIPS compared to CIS. However, CIS has the advantage of blocking & notifying me for every "unknown" file that I execute. This way I get the chance to validate the file, e.g. on VirusTotal. I will also be notified that this file might not be original (e.g. if I download ccleaner.exe but I get a block & notification, I will know this can't be the original ccleaner.exe). In the end this little advantage of CIS gave better detection & block results. ESS has advantages over CIS (and other security products) but I believe that one (major?) disadvantage is not having an "online background check" of apps.
mar122999, posted December 11, 2014
Description: Default Deny
Detail: Incorporate a default deny for people wanting rock hard protection. (EX: Kaspersky Trusted Application Mode and Avast Hardened Mode Aggressive).
Marcos (Administrator), posted December 11, 2014
Replying to mar122999 ("Incorporate a default deny for people wanting rock hard protection"):
Deny where? It appears only in the interactive mode of the firewall and HIPS, but selecting Deny automatically would not only render interactive mode useless but would also cause too many troubles if every action/communication were denied without asking the user.
Utini, posted December 12, 2014
Replying to Marcos: The rules say "allow on failure"... I think what mar122999 meant is that "block on failure" is more secure?
Utini, posted December 14, 2014 (edited December 14, 2014 by Utini)
This: https://forum.eset.com/topic/51-future-changes-to-eset-smart-security/page-14#entry17761
Also: Let us enter DNS addresses for rules (remote DNS address, and also let us add DNS addresses to zones)
Also: When a FW pop-up appears, let me copy the information in this window (e.g. the IP address). Right now I can't mark & copy anything in the notification window
Also: Add a Windows Update rule to the standard rule set of svchost.exe (port 80 & 443, and maybe restrict it to Microsoft update servers only)
Also: Add spoolsv.exe standard rules
Also: Add rundll32.exe standard rules
Also: Let us search within the rule editor... e.g. for filenames
Update: Make this a standard rule? https://forum.eset.com/topic/3701-block-pua-inside-installers-from-nero-burning-rom-orbit-downloader-imgburn-dvdvideosoft-install-them-without-opencandy/
Also: https://forum.eset.com/topic/3437-poodle-attack-security-flaw-in-ssl-v3-eset-blocking/
mar122999, posted December 15, 2014
Replying to Marcos ("Deny where?"): I am referring to the antivirus part of ESET. All files will be checked against a whitelist (maybe through LiveGrid). If the file is unknown, not certified... whatever, then the file is blocked.
rugk, posted December 15, 2014
Utini wrote: "This: https://forum.eset.com/topic/51-future-changes-to-eset-smart-security/page-14#entry17761"
Yes, you already said this.
Utini wrote: "Also: Let us enter DNS addresses for rules (remote DNS address, and also let us add DNS addresses to zones)"
This could be an idea, but it can even be very bad if the DNS server is compromised or there is a kind of "DNS server malware" on your computer which redirects all DNS queries to a fake/another/bad/... DNS server. So using IP addresses there is more secure.
Utini wrote: "Also: When a FW pop-up appears, let me copy the information in this window (e.g. the IP address). Right now I can't mark & copy anything in the notification window"
Yes, great idea. I think you mean something like I described in post #149 in this topic.
Utini wrote: "Also: Add a Windows Update rule to the standard rule set of svchost.exe (port 80 & 443, and maybe restrict it to Microsoft update servers only)"
Well, maybe this can be an idea. Although svchost.exe of course does much more than just Windows updates.
Utini wrote: "Also: Add spoolsv.exe standard rules. Also: Add rundll32.exe standard rules"
What rules? Do you mean the firewall rules? I think it's quite good if not too many rules are created by default...
Utini wrote: "Also: Let us search within the rule editor... e.g. for filenames"
Yes, that's a great idea! A search function would make it much easier if you want to find specific rules.
Utini wrote: "Make this a standard rule? https://forum.eset.com/topic/3701-block-pua-inside-installers-from-nero-burning-rom-orbit-downloader-imgburn-dvdvideosoft-install-them-without-opencandy/"
Thanks! But also have a look at the update I added there. So you can already make ESET detect OpenCandy.
Utini wrote: "Also: https://forum.eset.com/topic/3437-poodle-attack-security-flaw-in-ssl-v3-eset-blocking/"
Thanks too! I also think this could be a good idea. That's why I made the post.
rugk, posted December 15, 2014
mar122999 wrote: "I am referring to the antivirus part of ESET. All files will be checked against a whitelist (maybe through LiveGrid). If the file is unknown, not certified... whatever, then the file is blocked."
Okay, this has nearly nothing to do with "default deny", but I think this is what you may be thinking of:
Description: LiveGrid execution blocker unless file is known safe.
Utini, posted December 15, 2014
Replying to rugk: Allowing us to add DNS names is the only real way to e.g. allow Windows Update servers for svchost.exe. Their server IPs change daily, so I would need to add update.microsoft.com as "allowed". Yep, svchost.exe does a lot... one thing is Windows Update and it should be allowed ;-) Well, either allow or deny rules... whatever is safe for those files. I don't know what is safe but get asked by ESET ;P
Utini, posted December 16, 2014
Also please add default rules or a description for the following Windows files. So far, I have noticed that the following processes all want to make regular connections:
Host Process for Windows Services (svchost.exe)
Host Process for Setting Synchronization (SettingSyncHost.exe)
User Account Control Panel Host (UserAccountBroker.exe)
Windows Explorer (explorer.exe)
Windows Host Process (rundll32.exe)
Store Broker (WSHost.exe)
Windows Driver Foundation - User-mode Driver Framework Host Process (WUDFHost.exe)
Device Association Framework Provider Host (dasHost.exe)
Host Process for Windows Tasks (taskhost.exe)
For example, right now I am worried about WSHost.exe because I don't even use the Windows Store and still it wants to send data to Microsoft?
Utini, posted December 16, 2014
Also: Let us sort rules in the rule editor up and down. I am curious in which way the rules get requested anyway, like first rule first, then second, then third, ... until the needed rule was found? If that is the case let us sort the rules so we can put the most used rules first in the rule editor.
rugk, posted December 16, 2014
Decent suggestions you made, but could you please avoid full quotes? You don't have to repeat every time what you said.
Utini, posted December 16, 2014
Replying to rugk: Thanks, I guess they come from using different security products for a long time together with knowledge of malware/trojans/password stealers/etc. Alright, I just don't want my suggestions to be lost and forgotten ;P
Marcos (Administrator), posted December 16, 2014
Replying to Utini ("Let us sort rules in the rule editor up and down"): There's an internal logic that evaluates rules. E.g. blocking rules are stronger than allowing rules, and more specific rules (e.g. bound to a port or IP address) take precedence over general rules. This will change in v9, where rules will be evaluated in the order they appear in the list, like it works in the recently released ESET Endpoint Security v6 for business users.
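The two evaluation strategies Marcos contrasts, modelled in Python as an added example (not ESET's code, and not how ESET implements its matcher). The rule fields, the sample rules and the RFC 5737 documentation addresses are constructed for the demo; the post does not say which wins when "deny is stronger" and "more specific wins" point at different rules, so treating deny as the first tie-breaker is my assumption. It also runs the "allow svchost.exe to the update servers, deny the rest" set that the thread keeps coming back to, to show that this whitelist-then-deny pattern only behaves as intended under ordered (first-match) evaluation:

```python
"""Toy model of two personal-firewall rule-evaluation strategies.

Added example, not ESET code. Addresses are RFC 5737 documentation ranges
chosen for the example; the rule fields are my own simplification.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Connection:
    app: str          # image name of the process opening the socket
    direction: str    # "in" or "out"
    protocol: str     # "tcp" or "udp"
    remote_ip: str
    remote_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                    # "allow" or "deny"
    app: Optional[str] = None                      # None = any process
    direction: Optional[str] = None                # None = both directions
    protocol: Optional[str] = None                 # None = any protocol
    remote_net: Optional[str] = None               # CIDR; None = any address
    remote_ports: Optional[FrozenSet[int]] = None  # None = any port

    def specificity(self) -> int:
        """Number of constrained fields: more constraints = more specific."""
        return sum(f is not None for f in
                   (self.app, self.direction, self.protocol,
                    self.remote_net, self.remote_ports))

    def matches(self, c: Connection) -> bool:
        if self.app is not None and self.app.lower() != c.app.lower():
            return False
        if self.direction is not None and self.direction != c.direction:
            return False
        if self.protocol is not None and self.protocol != c.protocol:
            return False
        if (self.remote_net is not None
                and ip_address(c.remote_ip) not in ip_network(self.remote_net)):
            return False
        if self.remote_ports is not None and c.remote_port not in self.remote_ports:
            return False
        return True


Verdict = Tuple[str, Optional[str]]   # (action, name of the deciding rule)


def evaluate_precedence(rules: List[Rule], c: Connection,
                        default: str = "ask") -> Verdict:
    """Pre-v9 style: among all matching rules a deny outranks any allow and,
    within the same action, the more specific rule wins. List order is
    irrelevant. (Assumption: deny-beats-allow is applied before specificity.)"""
    hits = [r for r in rules if r.matches(c)]
    if not hits:
        return default, None          # no rule: interactive mode would ask
    best = max(hits, key=lambda r: (r.action == "deny", r.specificity()))
    return best.action, best.name


def evaluate_ordered(rules: List[Rule], c: Connection,
                     default: str = "ask") -> Verdict:
    """v9 / Endpoint 6 style: the first matching rule in list order decides."""
    for r in rules:
        if r.matches(c):
            return r.action, r.name
    return default, None


# Constructed rule set: a broad allow for svchost.exe plus one targeted block.
RULES = [
    Rule("svchost: allow all outbound", "allow", app="svchost.exe", direction="out"),
    Rule("svchost: block 203.0.113.0/24:443", "deny", app="svchost.exe",
         direction="out", protocol="tcp", remote_net="203.0.113.0/24",
         remote_ports=frozenset({443})),
]

# Constructed "update servers only" set in the whitelist-then-deny pattern.
# 198.51.100.0/24 stands in for the update servers (not Microsoft's real ranges).
UPDATE_ONLY = [
    Rule("svchost: allow update servers 80/443", "allow", app="svchost.exe",
         direction="out", protocol="tcp", remote_net="198.51.100.0/24",
         remote_ports=frozenset({80, 443})),
    Rule("svchost: deny everything else outbound", "deny",
         app="svchost.exe", direction="out"),
]

CONN_BLOCKED = Connection("svchost.exe", "out", "tcp", "203.0.113.5", 443)
CONN_UPDATE = Connection("svchost.exe", "out", "tcp", "198.51.100.7", 443)
CONN_UNRULED = Connection("notepad.exe", "out", "tcp", "198.51.100.7", 80)


if __name__ == "__main__":
    for label, fn in (("precedence", evaluate_precedence), ("ordered", evaluate_ordered)):
        print(f"{label:10} RULES / blocked     -> {fn(RULES, CONN_BLOCKED)}")
        print(f"{label:10} RULES reversed      -> {fn(list(reversed(RULES)), CONN_BLOCKED)}")
        print(f"{label:10} UPDATE_ONLY / update-> {fn(UPDATE_ONLY, CONN_UPDATE)}")
        print(f"{label:10} no matching rule    -> {fn(RULES, CONN_UNRULED)}")
```

Under precedence evaluation the targeted block wins whichever way RULES is ordered, which is the behaviour Marcos describes, but the same "deny is stronger" logic makes the general deny in UPDATE_ONLY swallow the specific allow, so the lockdown set has to be expressed as ordered rules (allow first, deny last) to work.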
SweX, posted December 17, 2014
Replying to Utini: You are worrying that programs you install may call "home", but you don't worry that the OS (Windows) might call home to MS once in a while?
Well, WSHost.exe is part of the OS and a lot in the OS wants to connect to MS, but that doesn't mean you have to allow everything that's part of the OS to connect out; you can even block stuff from connecting out without breaking the OS. If you Google around you can find more info about what is essential to be allowed and what isn't. IMO you are just making this harder for yourself; the pre-set rules that are in place today should be enough out of the box, or else I assume ESET would have added rules for the ones in your list already if they are that essential. I think it is better to have a small pre-defined set out of the box like today, and users that want to add more rules can do so afterwards if they like, so no one has to spend time removing rules that they don't want right after install. The pre-defined rules are fine, and the Automatic mode will do the rest once users start using the computer. Again, there is a reason why Automatic mode is the default....
Utini, posted December 17, 2014
Replying to SweX: I know that you can block some stuff without breaking anything. And obviously I googled every one of those files and what other people recommend. A lot seems to make "useless" connections (e.g. feed sync when you don't use it, or Windows Store). Besides that: there should be a rule set which lets you use Windows out of the box with interactive mode without much configuration being needed. For everything non-Windows related you need to worry on your own. But all the above files are originally from Windows and need configuration in interactive mode.
SweX, posted December 17, 2014 (edited December 17, 2014 by SweX)
"But all the above files are originally from Windows and need configuration in interactive mode."
No, they don't "need" to be configured in interactive mode at all. That is totally your choice; you chose to do it that way. But you don't have to. How do you think rules are created for all those users that use Automatic mode? Probably 95%+ of the users. Rules for those examples above would have been taken care of automatically in Automatic mode, or else every single user would pop up in the forum and ask what they can allow and what they should block, and why the product is so annoying. We don't need to have pre-defined rules for everything OS related out of the box except for stuff that is absolutely necessary, as Automatic mode will create rules automatically when needed (also for connections to MS) when the user is using their computer.
Utini, posted December 17, 2014
Replying to SweX: Automatic mode creates rules in the way of "let EVERYTHING out but nothing in". That is not secure in my opinion. It is user friendly for home users, but it is definitely not secure enough if you want to focus on privacy. Apps (especially Windows services/files) should be restricted to what they do. They should be allowed to connect to every port and every server. They should be allowed to use the 3 ports that they usually use and to connect to the Microsoft servers, and that's it. Or do you want a trojan to inject into one of those files and connect to some random Chinese botnet server? svchost is also a Windows standard process and it has pre-defined rules. Same with logonui.exe, services.exe and all the other system rules that are pre-defined. The above files are more files/services that should be added to the pre-defined rules, as they are, just like everything that is pre-defined so far, out-of-the-box Windows files/processes that in Automatic mode could do whatever they want. They are just as vulnerable as svchost.exe and need to be taken care of just like ESET did with svchost, winlogon, etc.
rugk, posted December 17, 2014 (edited December 17, 2014 by rugk)
If a file for which a rule has been created is modified, and the firewall is in interactive mode, then you will see a question asking you whether you want to allow the connection with the modified version too. And this of course applies to Windows files as well. So if a legitimate process is "injected" then you'll see a message about this when it is trying to connect somewhere.
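The check rugk describes, a firewall rule bound to the hash of the approved program image, modelled in Python as an added example; this is not ESET's code, and the verdict strings, the rule store and the fake executable written to a temporary directory are constructed for the demo. One caveat worth having in mind when reading his post: the example (like any file-based check) hashes the image on disk, so a patched or replaced binary is caught, while code injected into an already running copy of a legitimate process does not change the file and is not seen by this check alone.

```python
"""Firewall rules bound to the SHA-256 of the program's on-disk image.

Added example, not ESET code. The rule store, the verdict strings and the
fake executable written to a temp directory are constructed for the demo.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import List


def sha256_of_file(path: str) -> str:
    """Hash the whole file in chunks so large executables are handled too."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


@dataclass
class AppRule:
    path: str      # image the user approved
    action: str    # "allow" or "deny"
    sha256: str    # digest of that image at the time the rule was approved


def create_rule(path: str, action: str) -> AppRule:
    return AppRule(path, action, sha256_of_file(path))


def decide(rule: AppRule) -> str:
    """Verdict for a connection attempt by the program the rule covers.

    Returns the stored action only if the image on disk is still the one the
    user approved; otherwise "ask-modified" (interactive mode would prompt).
    A missing image cannot be vouched for, so that is "ask-missing".
    """
    if not os.path.isfile(rule.path):
        return "ask-missing"
    if sha256_of_file(rule.path) != rule.sha256:
        return "ask-modified"
    return rule.action


def reapprove(rule: AppRule) -> None:
    """User answered 'yes, allow the modified version too': rebind to the new hash."""
    rule.sha256 = sha256_of_file(rule.path)


def simulate() -> List[str]:
    """Walk through approve -> modify -> prompt -> re-approve -> image removed.

    Uses a constructed fake .exe (a few bytes behind an MZ header) so the
    demo runs offline and never touches real system files.
    """
    verdicts = []
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "fake_svchost.exe")
        with open(exe, "wb") as f:
            f.write(b"MZ\x90\x00 constructed original image v1")
        rule = create_rule(exe, "allow")
        verdicts.append(decide(rule))       # unchanged image -> "allow"

        with open(exe, "wb") as f:          # an update, a patch or a trojanised copy
            f.write(b"MZ\x90\x00 constructed image v2")
        verdicts.append(decide(rule))       # -> "ask-modified"

        reapprove(rule)
        verdicts.append(decide(rule))       # -> "allow" again

        os.remove(exe)
        verdicts.append(decide(rule))       # -> "ask-missing"
    return verdicts


if __name__ == "__main__":
    print(simulate())
```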
Utini, posted December 18, 2014
Replying to rugk: Of course... but first there has to be a rule for the file ;P a useful pre-defined rule, for example.
rugk, posted December 21, 2014
Description: Exclude a threat by the threat name
Details: I think it would be good to have a possibility to exclude a threat by its name. Actually you can do this, but it will still only affect a specific file. I would like to exclude a threat for every file it is detected in. For example it would be great if I could exclude Win32/OpenCandy, because I already created some rules myself so that this PUA will be blocked. And because it is already blocked I don't want ESET to still recognize it.
More information and some bug reports in this topic: Small Bugs in ESET Smart Security + Suggestions
rugk, posted December 22, 2014
Description: ESS Anti-Theft should capture pictures from all available cameras (not only from one camera).
Detail: Especially tablets or convertibles now have more than one camera built in. So if this is the case then ESS should take photos from all these cameras.
More details: Have a look at this topic: Select camera for anti-theft
Utini, posted December 22, 2014
Replying to rugk: Maybe also take screenshots with the available cameras when a wrong password was entered at Windows logon / unlock? I once coded my own program for that purpose, but I wish ESET could do that too.
rugk, posted December 22, 2014
Yeah, great idea. Similar to what is already included in EMS!
Utini, posted December 23, 2014
What about a "suggestions" overview / database? E.g. list all suggestions and how many people voted for each. And also which suggestions are in progress already? It would make everything easier and offer a better overview.