
Future changes to ESET NOD32 Antivirus, ESET Internet Security, ESET Smart Security Premium and ESET Ultimate Security



  • Administrators

I would like to suggest that the upcoming ESS include the PID for each process in the Rule and Zone editor, as it would be very helpful for me to determine which svchost (and which thread inside it) is attempting to connect to the Internet. Thank you.

 

It makes no sense to display the current PID for a process in the rule editor, as it is different each time a process starts.


Maybe ESS could implement some sort of PID mapping or positioning system? Is it possible? Or at least display the current PID in the interactive-mode alert. Although PIDs vary each time a process starts, at least knowing the current PID can help identify which svchost, and which thread, is attempting to connect to the Internet. That gives the user a chance to initially jot down the threads, handles or DLLs involved using a basic dynamic analysis tool such as Process Explorer, so that later the user can just refer to the services, handles or DLLs from those notes, without referring to the PID anymore and regardless of how the PID varies.

Edited by yongsua
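The triage the post above describes (pin down which svchost instance is making a connection, and which services it hosts, so that the service names rather than the volatile PID can be noted), as an added example that is not part of this thread or of ESET's software: the Python below joins `netstat -ano` output (PID per socket) with `tasklist /svc` output (PID to hosted service names). The two listings embedded in the script are constructed samples in those tools' formats, not captures from a real machine; `resolve` and `svchost_outbound` are names chosen for this example.

```python
import re
from typing import Dict, List

# Constructed sample listings in the formats printed by `netstat -ano` and
# `tasklist /svc` on Windows. They were written for this example, not captured.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49715     203.0.113.5:443        ESTABLISHED     1234
  TCP    192.168.1.10:49716     203.0.113.9:80         ESTABLISHED     4120
  TCP    192.168.1.10:49718     198.51.100.7:80        SYN_SENT        1340
  TCP    127.0.0.1:49717        127.0.0.1:5357         ESTABLISHED     904
  UDP    0.0.0.0:68             *:*                                    2210
"""

TASKLIST_SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                    904 BrokerInfrastructure, DcomLaunch, Power,
                                   SystemEventsBroker
svchost.exe                   1234 BITS, wuauserv
svchost.exe                   1340 CryptSvc
svchost.exe                   2210 Dhcp
chrome.exe                    4120 N/A
"""

# Proto, local, foreign, optional state (blank for UDP), PID.
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
# Image name (may contain spaces), PID, comma-separated service list or N/A.
TASKLIST_LINE = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<svcs>\S.*?)\s*$")


def _split_services(field: str) -> List[str]:
    field = field.strip()
    if field == "N/A":
        return []
    return [s.strip() for s in field.split(",") if s.strip()]


def parse_netstat(text: str) -> List[dict]:
    conns = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            conns.append({"proto": proto, "local": local, "remote": remote,
                          "state": state or "", "pid": int(pid)})
    return conns


def parse_tasklist_svc(text: str) -> Dict[int, dict]:
    """PID -> {image, services}. Long service lists wrap onto indented continuation lines."""
    procs: Dict[int, dict] = {}
    last_pid = None
    for line in text.splitlines():
        if last_pid is not None and line[:1].isspace() and line.strip():
            procs[last_pid]["services"] += _split_services(line)
            continue
        m = TASKLIST_LINE.match(line)
        if not m:
            last_pid = None          # header, separator or blank line
            continue
        last_pid = int(m["pid"])
        procs[last_pid] = {"image": m["image"], "services": _split_services(m["svcs"])}
    return procs


def resolve(netstat_text: str, tasklist_text: str) -> List[dict]:
    """Join each socket with the owning image and hosted services by PID. Take both
    listings back to back: a PID identifies a process only while that process lives."""
    procs = parse_tasklist_svc(tasklist_text)
    rows = []
    for c in parse_netstat(netstat_text):
        p = procs.get(c["pid"], {"image": "<exited>", "services": []})
        rows.append({**c, "image": p["image"], "services": p["services"]})
    return rows


def svchost_outbound(netstat_text: str, tasklist_text: str) -> List[dict]:
    """Only svchost.exe sockets with a real remote peer: loopback and the '*:*'
    that netstat prints for UDP sockets are dropped."""
    return [r for r in resolve(netstat_text, tasklist_text)
            if r["image"].lower() == "svchost.exe"
            and not r["remote"].startswith(("127.", "[::1]", "*"))]


if __name__ == "__main__":
    for r in svchost_outbound(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f'PID {r["pid"]:>5} {r["proto"]} -> {r["remote"]:<20} {r["state"]:<12} '
              f'services: {", ".join(r["services"])}')
```

On a live machine, capture `netstat -ano` and `tasklist /svc` in the same moment and feed the text to `svchost_outbound`; the service names are what to write down, since the PID changes on every restart. On Windows 10 1703 and later, on systems with more than 3.5 GB of RAM, most services get their own svchost.exe, so the per-PID list is usually a single service, which makes the attribution sharper than on older releases where one svchost hosts a whole group.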

@yongsua

Yes, showing this in the interactive alerts/questions is a great and useful idea. I already had the issue that ESS showed "rundll.exe" attempting to connect to a site (e.g. with OpenCandy) and I didn't know which process it was, because there were multiple instances running.

Edited by rugk

Hello,
I hope that the developers will hear my voice.
I am Aleksandar, a totally blind person. I have used NOD32 since version 2.0/2.5, and had a legal license too.

I am testing all available security solutions for home users for how accessible they are with screen readers such as JAWS or NVDA.

I am now testing ESET Smart Security, and according to my tests over the past few days, I would like to suggest and ask for the following:

1. During installation, bring back the option to disable the graphical user interface. We can disable it later in the settings, but for blind users the graphical user interface is not accessible with screen readers and the keyboard.

2. Add our screen readers to the exclusion list for the antivirus, firewall and HIPS, and for self-defense too.

I encounter difficulties when using JAWS with self-defense, because JAWS won't announce in the settings whether a tree view is opened or closed.

When I turn off self-defense, JAWS reads everything properly.

3. I set HIPS to interactive mode, and it blocked the screen reader and some applications too, without asking what to do. I am ready to cooperate with you to fix it.

4. A sound alert when a warning pops up would be welcome for us too.

You can contact me freely; I am ready to test upcoming versions with your team.


Well... AFAIK you can also navigate the graphical user interface with the keyboard. However, for screen readers it may be more difficult to handle this graphical UI.

It's to be expected that the screen reader could have problems with the self-defense. The self-defense is just doing its job and protecting access to egui.exe, so yes, a rule is needed for this. No antivirus (in terms of scanning) exception and no firewall exception are needed, as it should work without them, but a HIPS rule (which includes self-defense) is needed.

And ESS has a HIPS rule editor. However, it's quite complex and may be difficult to use. On the other hand, I don't think ESET will add a pre-defined HIPS rule for all screen readers, as such pre-defined rules could also be misused (e.g. if malware imitates a screen reader). But once such a rule is configured, you should be able to leave self-defense (and HIPS) enabled and use ESS with a screen reader without problems.

 

As for HIPS interactive mode, it could also be difficult, as the interactive mode will block some actions of the screen reader and ask the user what to do. It could probably be solved by creating the necessary rules for the screen reader, but apart from that I wouldn't recommend the interactive mode anyway, as it will cause really many questions. If you still like to control your system you can enable Smart mode, which will only trigger on suspicious events.

 

Sounds are currently played very rarely, but in situations where a threat is found or an on-demand scan is finished they are there. However, an option to expand these sounds may indeed be useful.


Maybe we can navigate with the keyboard, but it's not useful for us. If you remember, the option to disable the graphical interface existed in the installers until version 5, I think.

I was not able to find where to add a rule specific to self-defense. I understand that it's doing its job.

A firewall exception is needed for the screen reader updates and some Internet remote actions.

The HIPS rule editor is not so complex to use; I am an advanced enough user to handle it, if only the screen reader read everything to me and I could navigate with the keyboard. I added all the .exe and .dll files the screen reader depends on, but I still get blocks in interactive mode.

Malware cannot imitate the screen reader if ESET adds file signatures to the rules. Every screen reader file has a valid digital company signature, and I think it will be hard for malware to take it off.

HIPS interactive mode is really the reason I came back to ESET.

Honestly, I am an Outpost firewall fan, and the HIPS works as I expected. Really many questions, yes, but only once, at the beginning.

I set the firewall to interactive too, and it's working in ESET as expected. I am just curious which firewall engine ESET uses, if you know?

False, sounds are not played when a threat is found by the real-time protection module, which I also set to interactive.

No antivirus will be my boss, and I won't be a slave; I like to take control of everything

:)

Edited by agasoft

I don't know exactly about the installations, but did you use the live installer or the offline installer? The offline installer has more options, and it could be that such an option is there too.

In automatic firewall mode this communication should automatically be allowed. As long as there is no incoming communication it should work fine.

Okay, if they can verify the authenticity of the screen reader, then it could be possible.

Like I said, I wouldn't use HIPS interactive mode. And if you exclude every EXE and DLL file, then the automatic (or smart) mode without these rules may even be more secure.

Personally I like the smart mode quite well.

About the Outpost firewall: if you'd like to use it you can, of course. However, I would strongly recommend having only one firewall enabled.


Sure, I don't use the Outpost firewall together with ESET; I just mentioned Outpost as an example of a working HIPS. I like that I can use ESET's HIPS in the same way. In Outpost there is an option to exclude something just from the self-defense module, and it works perfectly there. I think that ESS is better than Outpost Security Suite, because their antivirus is not so strong. I want to use ESS again, but currently I cannot find a way to set up HIPS as I need.

Also, I would recommend one more feature for ESET Smart Security: an ad blocker. In Outpost, all ads are blocked, and I think that ESS deserves such useful protection.


No, please, no ad blocker. That's not a kind of protection... Does it protect you from malicious apps?

There are plenty of other nice and free ad blockers available online. So just choose your favourite one and use it. ESS doesn't need an ad blocker. That would just bloat the product.


I respect your thoughts. However, don't forget that some ads are really malicious. Finally, according to your logic, ESET should continue with antivirus only, because there are a bunch of standalone firewalls, HIPS, antispam, and so on...


No, if ads are really malicious then the drive-by downloads or similar things from these ads should be blocked by ESET correctly.

HIPS, firewalls and co. are different things. They really protect the user from threats or malware. So that is the difference, not that there are many other tools for it.


  • Most Valued Members

I respect your thoughts. However, don't forget that some ads are really malicious. Finally, according to your logic, ESET should continue with antivirus only, because there are a bunch of standalone firewalls, HIPS, antispam, and so on...

The ad block thing comes up about once a month. See posts #407 and #408 for the most recent:

https://forum.eset.com/topic/51-future-changes-to-eset-smart-security/page-21


  • ESET Insiders

The HIPS needs to be made more configurable. I think the user should be able to select their applications from a list and choose what permissions their applications have. Also, make better use of whitelisting for harmless system executions. I tried using interactive and policy-based mode. Interactive mode is unusable without better whitelisting. I was prompted to death. I could not use my computer for anything, because I was answering prompts the entire time I was on it. I used my computer in learning mode while running all my applications, and booted in learning mode several times. I then tried using policy-based mode, and the HIPS still blocked some of my applications even though I had used those applications while in learning mode. The HIPS did not give me any option to allow them by prompt, so the HIPS behaved more like an anti-executable in policy-based mode. Automatic mode with rules and Smart mode are the only modes I have found usable. I have never received any prompt from either mode though, so it's not like any HIPS I have ever used.

Edited by cutting_edgetech

The HIPS needs to be made more configurable. I think the user should be able to select their applications from a list and choose what permissions their applications have.

It's already there. Just click on "configure HIPS" and you'll get a huge rules editor where you can add very specific rules.


 

Interactive mode is unusable without better whitelisting. I was prompted to death. I could not use my computer for anything, because I was answering prompts the entire time I was on it.

Yes, that's expected. But nobody forces you to use the interactive mode. And if you create some rules (e.g. with the learning mode, like you did) then you get fewer prompts.

 

I then tried using policy-based mode, and the HIPS still blocked some of my applications even though I had used those applications while in learning mode.

If a rule was correctly created, then it shouldn't be blocked. If it still is, then it surely wasn't created correctly, or only a similar rule was created which doesn't cover the actions the application did later.

For troubleshooting this we would need to know the exact application, HIPS rule(s) and more information about how you

 

The HIPS did not give me any option to allow them by prompt, so the HIPS behaved more like an anti-executable in policy-based mode. I have never received any prompt from either mode though, so it's not like any HIPS I have ever used.

Yes, this is expected in policy-based mode. In this mode HIPS only applies the rules and blocks every other action.

And again, if you want to receive a prompt you have to use the interactive mode, of course.

 

Automatic mode with rules and Smart mode are the only modes I have found usable.

Great, so you found the mode(s) that fit you. That's the point of these modes. Use the one you like.

And as you complained about the flood of messages from interactive mode, I would have recommended Smart mode anyway. There you have a huge "whitelist", so you will only be prompted for very suspicious actions.

Edited by rugk

  • ESET Insiders

Rugk, I can't get this forum to allow me to multiquote you to specifically address each one of your responses. I'm not sure why. I just tried multiple times, and lost my post for all my trouble. I'm so tired of losing my posts on this forum. I multiquote on other forums all the time without any problems. If someone could tell me how, I would appreciate it. The multiquote button is not working. It's like it is not giving me the option since you already multiquoted me.


  • ESET Insiders

 

The HIPS needs to be made more configurable. I think the user should be able to select their applications from a list and choose what permissions their applications have.

It's already there. Just click on "configure HIPS" and you'll get a huge rules editor where you can add very specific rules.


 

Thank you! I had already looked at that, and overlooked the tab for the source application. I just hope they continue to add more options on what to monitor, like physical memory access, remote code, remote data modification, use of the DNS API, keyboard access, etc.

 

Interactive mode is unusable without better whitelisting. I was prompted to death. I could not use my computer for anything, because I was answering prompts the entire time I was on it.

Yes, that's expected. But nobody forces you to use the interactive mode. And if you create some rules (e.g. with the learning mode, like you did) then you get fewer prompts.

 

That's the whole point I made, though. Learning mode did not do anything to eliminate the prompts. I used learning mode for about 1 1/2 hours and ran all my applications while in learning mode. I also used learning mode while rebooting 3 times. I received 15 minutes of non-stop prompts before I had to give up trying to use interactive mode. I actually clicked the allow button for 15 straight minutes. Interactive mode was useless on my system. That's why I say they need to use whitelisting with interactive mode to make it more usable.

 

I then tried using policy-based mode, and the HIPS still blocked some of my applications even though I had used those applications while in learning mode.

If a rule was correctly created, then it shouldn't be blocked. If it still is, then it surely wasn't created correctly, or only a similar rule was created which doesn't cover the actions the application did later.

For troubleshooting this we would need to know the exact application, HIPS rule(s) and more information about how you

 

If the rules were not created correctly, then it was not due to any error on my part. I used learning mode to create the rules. I did not make a list of the applications that were being blocked in policy-based mode, but I do remember Tor Browser being one of them. I ran all the applications that were being blocked in learning mode multiple times. Policy mode behaved more like an AE than a HIPS. Policy mode would have been great if it had prompted me for an action instead of blocking the application.

 

The HIPS did not give me any option to allow them by prompt, so the HIPS behaved more like an anti-executable in policy-based mode. I have never received any prompt from either mode though, so it's not like any HIPS I have ever used.

Yes, this is expected in policy-based mode. In this mode HIPS only applies the rules and blocks every other action.

And again, if you want to receive a prompt you have to use the interactive mode, of course.

 

Well, I just responded to this one above.

 

Automatic mode with rules and Smart mode are the only modes I have found usable.

Great, so you found the mode(s) that fit you. That's the point of these modes. Use the one you like.

And as you complained about the flood of messages from interactive mode, I would have recommended Smart mode anyway. There you have a huge "whitelist", so you will only be prompted for very suspicious actions.

 

Smart mode is actually not the mode that fits me. It does not provide the leak protection I am looking for. Smart mode is the only mode I found usable other than Automatic mode with rules.

Edited by cutting_edgetech

  • ESET Insiders

Add to wishlist: performance enhancements to emulation

 

I noticed that when scanning a UPX-packed icon resource library, it needs to unpack that section too... but when I removed the icons/bitmaps from the DLL, then UPXed and scanned it, all was OK again.

Edited by toxinon12345

@cutting_edgetech

If you have a firewall rule, you can enable logging for it. So if it's a firewall rule that blocks the communication for an application, then you should get such logs.


  • ESET Insiders

I think you misunderstand my request. I'm requesting an option to log all dropped/blocked packets per application that violate any packet filter rule that comes preset with ESS. Many rules come by default. I don't want to log blocked packets only for a rule I have created. The only option currently is to log all traffic for an application. Logging allowed traffic fills up the log file and makes it hard to find what I'm looking for. It probably also makes ESS a little heavier on the system.



Description: Improve UI for ESET advanced configuration
Detail: The advanced configuration UX is seriously lacking. To give a specific example: when setting rules for applications I have to browse them all one by one to find the one I'm looking for; there is no filtering. Nor can I select and delete more than one at once; again I have to go one by one.


Description: Directory / RegExp based rules for applications
Detail: Games from Blizzard enjoy providing executables in directories with their version numbers in the path. That makes ESET pop up a window asking to allow the Battle.net Update Agent (and game-specific executables) to connect to the Internet every time they update them. And they update them frequently. For Diablo 3 I got about 50 firewall rules (49 of them obsolete, btw). So I would like to be able to say

H:\games\Battle.net\Battle.net.[0-9]\*Battle.net.exe
C:\ProgramData\Battle.net\Agent\Agent.beta.[0-9]*\Agent.exe

are OK, or...

H:\games\Battle.net\*
C:\ProgramData\Battle.net\Agent\*

are OK, instead of 50 individual rules like

H:\games\Battle.net\Battle.net.4269\Battle.net.exe
C:\ProgramData\Battle.net\Agent\Agent.beta.2737\Agent.exe


That makes ESET pop up a window asking to allow the Battle.net Update Agent (and game-specific executables) to connect to the Internet every time they update them.

Even if the file stayed in the same directory and were just replaced, you would get a notification from ESS every time the file was changed. This happens because otherwise malware could just replace a file which it believes has an allow firewall rule, and would be able to communicate without permission.

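A rule matcher with the two properties the last two posts discuss, written as an added example that is not ESET's code and not how ESS stores or evaluates its rules: the wildcard patterns the requester asks for, using `*` and `[0-9]` exactly as in the paths above, and the file-replacement check rugk describes, done here by pinning a SHA-256 of the executable's content to the rule when it is created. `Rule`, `RuleTable`, `decide` and the byte strings that stand in for the binaries' contents are all constructed for this example.

```python
import hashlib
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional


@dataclass
class Rule:
    pattern: str                  # exact path, or a glob with '*' and '[0-9]'
    action: str                   # "allow" or "deny"
    sha256: Optional[str] = None  # content hash pinned at rule creation; None = unpinned


def sha256_hex(image: bytes) -> str:
    """Hash of the executable's bytes; on a real host read from disk, here a byte string."""
    return hashlib.sha256(image).hexdigest()


def path_matches(pattern: str, path: str) -> bool:
    # Windows paths are case-insensitive, so compare lower-cased. Note that '*' in
    # fnmatch also matches '\', so 'H:\games\Battle.net\*' covers every depth below it.
    return fnmatchcase(path.lower(), pattern.lower())


class RuleTable:
    """First matching rule wins, so pinned exact-path rules must precede broad globs."""

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)

    def decide(self, path: str, image: bytes) -> str:
        """'allow'/'deny' from the rule; 'changed' when a pinned hash no longer matches
        (the situation in which ESS shows the prompt again); 'ask' when nothing matches."""
        digest = sha256_hex(image)
        for rule in self.rules:
            if not path_matches(rule.pattern, path):
                continue
            if rule.sha256 is not None and rule.sha256 != digest:
                return "changed"      # same path, different file: do not trust silently
            return rule.action
        return "ask"

    def learn(self, path: str, image: bytes, action: str = "allow") -> Rule:
        """What answering an interactive prompt records: an exact, content-pinned rule."""
        rule = Rule(path, action, sha256_hex(image))
        self.rules.insert(0, rule)   # pinned rules go first so they win over globs
        return rule


# Constructed sample: the versioned Battle.net paths from the post, with byte strings
# standing in for the binaries' contents (not real files).
BUILD_4269 = b"Battle.net.exe build 4269 (constructed stand-in for the real binary)"
BUILD_4300 = b"Battle.net.exe build 4300 (constructed stand-in for the real binary)"
PATH_4269 = r"H:\games\Battle.net\Battle.net.4269\Battle.net.exe"
PATH_4300 = r"H:\games\Battle.net\Battle.net.4300\Battle.net.exe"


def demo() -> dict:
    table = RuleTable([
        Rule(r"H:\games\Battle.net\Battle.net.[0-9]*\Battle.net.exe", "allow"),  # unpinned glob
    ])
    table.learn(PATH_4269, BUILD_4269)   # pinned rule for the build seen at the prompt
    return {
        "same_build": table.decide(PATH_4269, BUILD_4269),            # allow
        "replaced_in_place": table.decide(PATH_4269, b"tampered"),    # changed: re-prompt
        "new_version_dir": table.decide(PATH_4300, BUILD_4300),       # allow via glob, no prompt
        "unknown_exe": table.decide(
            r"H:\games\Battle.net\Battle.net.4300\dropper.exe", b"x"),  # ask
        "glob_crosses_dirs": path_matches(
            r"H:\games\Battle.net\*", r"H:\games\Battle.net\Agent\x\y.exe"),  # True
    }
```

The `new_version_dir` and `replaced_in_place` results show the trade-off behind rugk's reply: a glob rule without a pinned hash accepts whatever file appears at a matching path, including a replaced one, which is exactly what a path-plus-content rule refuses to do silently. A glob combined with a check on the binary's code-signing certificate, as agasoft suggests earlier in the thread, would be the middle ground; that check is platform-specific and is not implemented here.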
