novice

HIPS and FIREWALL in default installation


Hello,

Using ESET for a while (3 years) on an on-again off-again basis.

On default installation it is correct to assume that:

1. Firewall does the same thing as Windows Firewall.

2. HIPS serves various ESET shields only and other than that a user will not see HIPS presence.

I am asking these because in a default installation I have NEVER seen any reaction from either the firewall or the HIPS.

Thanks!

2 hours ago, novice said:

1. Firewall does the same thing as Windows Firewall.

Not exactly. The Windows firewall, for example, doesn't monitor IPv4/6 localhost connections; the Eset firewall does. Also Eset has IDS protection, the Win firewall does not. Note that changing default IDS rules results in the corresponding default firewall rules being modified. Finally, Eset a few vers. back added the Troubleshooting Wizard to the Network Connections feature. As a result, in the default firewall mode any blocked connections are blocked silently and one has to refer to the Troubleshooting Wizard and determine if the count shown has a non-zero value. If so, you have to click on the setting to see any blocked connection activity. You will then be presented with an Unblock tab option. Clicking on that option will result in Eset creating the necessary firewall rules to allow the activity. There are a few issues with the Troubleshooting Wizard. Entries listed there will "age off" after 1 hour, resulting in possible blocked activity you are not aware of. Also the Eset created firewall rules tend to be a bit too "permissive" for my liking.

2 hours ago, novice said:

2. HIPS serves various ESET shields only and other than that a user will not see HIPS presence.

As far as the HIPS goes, without adding custom user rules, it is for the most part "silent." It will trigger only when an unknown/untrusted process attempts to modify select protected system and registry areas, or when suspicious ransomware and like behavior is attempted.

Edited by itman

35 minutes ago, itman said:

Also when suspicious ransomware and like behavior is attempted.

Have you ever seen such a detection????

36 minutes ago, itman said:

any blocked connections are blocked silently and one has to refer to the Troubleshooting Wizard

A regular user, who opted for the default installation, will never be aware of this; for him it will be just another connection "not made".

From your explanation, in default mode, ESET firewall doesn't seem to add substantial benefits over Win firewall.

3 hours ago, novice said:

Have you ever seen such a detection????

Eset has significantly improved its YARA behavior signatures in ver. 12. As such, most of these types of alerts will be detected by the realtime protection versus the HIPS. Again, Eset originally developed the HIPS for protection of its own internal processes and in default mode, it is still primarily used for that purpose.

3 hours ago, novice said:

From your explanation, in default mode, ESET firewall doesn't seem to add substantial benefits over Win firewall.

If you don't think IDS protection adds substantial security benefits, then by all means continue to use the Win Firewall. BTW - you may not be aware that Windows stores its firewall rules in clear text in the registry. As such, a hacker with proper access can easily disable or modify them. Ditto for the firewall service itself.

Edited by itman
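The point itman raises above, that the Windows Firewall rule set and service can be altered by anyone with sufficient access, is something a defender can at least detect. The script below is an added example written for this page; it is not code from the thread, from ESET or from Microsoft. It snapshots the firewall rule store (the well-known FirewallRules registry key), the MpsSvc service state and the per-profile enable flags into a baseline file, and later reports any rule added, removed or edited, or any service/profile change. It assumes a current Windows 10/11 host with the NetSecurity module, an elevated session, and an arbitrary baseline location under ProgramData chosen for the example.

```powershell
# Added example (not from the forum thread): detect drift in the Windows Firewall
# rule store and service state by comparing against a saved baseline.
# Assumptions: Windows 10/11, NetSecurity module present, elevated PowerShell session.
# The baseline file location below is a constructed choice for this example.

$RuleStore    = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'
$BaselinePath = Join-Path $env:ProgramData 'fw-baseline.json'

function Get-FirewallState {
    # Read the raw rule strings straight from the registry store.
    $key   = Get-Item -Path $RuleStore
    $rules = @{}
    foreach ($name in $key.GetValueNames()) {
        $rules[$name] = [string]$key.GetValue($name)
    }

    # Hash the sorted "name=value" lines so that any insertion, deletion or edit
    # changes the digest, independent of registry enumeration order.
    $joined = ($rules.GetEnumerator() | Sort-Object Key |
               ForEach-Object { "$($_.Key)=$($_.Value)" }) -join "`n"
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $digest = ($sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($joined)) |
               ForEach-Object { $_.ToString('x2') }) -join ''

    # MpsSvc is the Windows Defender Firewall service; StartType catches "Disabled".
    $svc = Get-Service -Name MpsSvc

    [pscustomobject]@{
        Timestamp        = (Get-Date).ToString('o')
        RuleCount        = $rules.Count
        RuleDigest       = $digest
        ServiceStatus    = $svc.Status.ToString()
        ServiceStartType = $svc.StartType.ToString()
        Profiles         = @(Get-NetFirewallProfile |
                              Select-Object Name, @{n='Enabled';e={"$($_.Enabled)"}}, DefaultInboundAction)
        Rules            = $rules
    }
}

function Save-FirewallBaseline {
    # Take a snapshot on a known-good machine and keep it somewhere an attacker
    # with local admin cannot silently rewrite (e.g. copy it off-host as well).
    Get-FirewallState | ConvertTo-Json -Depth 5 | Set-Content -Path $BaselinePath -Encoding UTF8
    Write-Output "Baseline written to $BaselinePath"
}

function Compare-FirewallBaseline {
    $baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    $current  = Get-FirewallState
    $findings = @()

    if ($current.ServiceStatus -ne 'Running') {
        $findings += "MpsSvc is $($current.ServiceStatus) (expected Running)"
    }
    if ($current.ServiceStartType -ne $baseline.ServiceStartType) {
        $findings += "MpsSvc start type changed: $($baseline.ServiceStartType) -> $($current.ServiceStartType)"
    }
    foreach ($p in $current.Profiles) {
        if ($p.Enabled -ne 'True') { $findings += "Firewall profile '$($p.Name)' is not enabled ($($p.Enabled))" }
    }

    if ($current.RuleDigest -ne $baseline.RuleDigest) {
        # Digest differs: name the individual rules that were added, removed or edited.
        $baseRules = @{}
        $baseline.Rules.PSObject.Properties | ForEach-Object { $baseRules[$_.Name] = [string]$_.Value }
        foreach ($n in $current.Rules.Keys) {
            if (-not $baseRules.ContainsKey($n))       { $findings += "Rule added:    $n" }
            elseif ($baseRules[$n] -ne $current.Rules[$n]) { $findings += "Rule modified: $n" }
        }
        foreach ($n in $baseRules.Keys) {
            if (-not $current.Rules.ContainsKey($n))   { $findings += "Rule removed:  $n" }
        }
    }

    if ($findings.Count -eq 0) { 'No drift from baseline' } else { $findings }
}

# Usage: run Save-FirewallBaseline once on a clean system, then schedule
# Compare-FirewallBaseline (e.g. as a task) and forward its output to your log collector.
```

The registry digest is what makes the check cheap to run often; the per-rule comparison only runs when the digest differs, and the rule names it reports are the GUID-style value names of the store, which can then be looked up with Get-NetFirewallRule.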

1 hour ago, itman said:

Eset has significantly improved....

Yet, my question stands: "Have you ever seen, with your own eyes, a detection, HIPS related, in default mode??? (let's say suspicious ransomware)???"

In over 3 years of testing all kinds of malware I have never ONCE seen a HIPS-related alert in a default installation. Hence my conclusion that, in fact, HIPS is used exclusively for various shields in ESET and nothing more.

For a regular user who installed ESET in default configuration, practically there is no HIPS.

Edited by novice


Default mode as you describe it will be less intrusive, as it is designed to work without user intervention and works for novices.

For more hands on, clear your rules for FW & HIPS and swap to interactive and see the alerts & frequency for yourself.

Not seen the alerts on default mode personally, but I do know that incorrect rules with HIPS can render a machine unusable. The inbuilt rules for HIPS will always ensure that your machine will be functional. An overly sensitive "default" HIPS would just be a hindrance and confuse users.

 

2 hours ago, cyberhash said:

The inbuilt rules for HIPS will always ensure that your machine will be functional

Not having a HIPS, to begin with, will also ensure that your machine will be functional...

 

2 hours ago, cyberhash said:

Default mode as you describe it will be less intrusive

"Less intrusive" doesn't mean ABSOLUTELY NO REACTION from either HIPS or firewall.

I have run HIPS in "Smart mode" for 2 years now; ABSOLUTELY NO ALERT in all this time...

Personally, I believe in default mode, HIPS serves ONLY  internal ESET shields and doesn't behave like a real HIPS and the firewall is as good as Windows firewall.


First of all, we kindly ask you to stop using capitals in bold which is considered shouting and is against the forum rules. Moreover, combining several techniques (bold, caps, underline) expresses extreme shouting.

ESET uses various protection modules on different layers to ensure that if attackers bypass a particular protection (e.g. real-time protection), the malware will be detected and blocked on another layer.

ESET provides maximum protection without asking and requiring user's interaction, i.e. you will not see any prompts in default modes and ESET will keep protecting you silently in the background. Also the fact that you have not seen any alert from HIPS-based protection modules means that most likely no malware has attempted to run.
With streamed updates and LiveGrid the chances of seeing a HIPS-based (AMS/EB/Ransomware shield) detection will be even lower, as newborn malware will likely be detected and blocked by other protection modules, such as Web access protection and Real-time protection, before HIPS comes into play. V12.1 has introduced another HIPS-based feature, Behavior monitor, which will work silently as well unless a specific malicious behavior is detected.

 

2 hours ago, Marcos said:

ESET provides maximum protection without asking and requiring user's interaction

Hello Marcos,

If this is the case (ESET provides maximum protection without asking and requiring user's interaction), why not have a simple interface on ESET, with an ON-OFF button???

No amount of customization will increase the offered protection beyond "maximum", which is already offered in default mode, as per your statement.

2 hours ago, Marcos said:

HIPS-based feature Behavior monitor which will work silently ...

As I said before (and many times prior to that), I have never seen any HIPS-based alert in almost 3 years running ESET in "Smart mode". What you are saying is very close to "believe and do not doubt", a religious dogma.

2 hours ago, Marcos said:

you have not seen any alert from HIPS-based protection modules means that most likely no malware has attempted to run.

I tried hard to trigger an alert from HIPS in "Smart mode" for over 2 years now, disabling various settings, running ransomware simulators, running even a real ransomware (Wannacry) and I got nothing, absolutely nothing from HIPS. I ran some other software with the same simulators and real "Wannacry" and I got the expected reaction from them (Malwarebytes, the anti-ransomware module, or Acronis anti-ransomware).

It seems like ESET bases its detection on LiveGrid and the signature database in almost 100% of the situations and HIPS, in default mode, is just support for various internal mechanisms preventing termination.

Please feel free to provide a sample which will trigger HIPS in "Smart mode", if you disagree with my conclusion.

 

Thanks!

 

 

Edited by novice


I've captured a short demonstration video of how ESET detects today's fresh Filecoder.FS by HIPS/AMS with modules 3 weeks out of date.
Moreover, the network was disabled to prevent updates and possible influence by LiveGrid:

 

4 hours ago, novice said:

As I said before (and many times prior to that), I have never seen any HIPS-based alert in almost 3 years running ESET in "Smart mode". What you are saying is very close to "believe and do not doubt", a religious dogma.

Here's an example of an alert from the new ver. 12.1 HIPS behavior detection:

[screenshot of the HIPS alert]

3 hours ago, Marcos said:

how ESET detects today's fresh Filecoder.FS

Thank you for your video.

After searching "ESET Virus radar", it seems like detection for Win32/Filecoder.FS has been added on 2016-08-24, so the fact that definitions are 2 weeks old or ESET not being connected to LiveGrid is irrelevant.

So in fact ESET detected something "fresh" based on a mechanism added 2 years ago. How is this relevant to HIPS???

[screenshot]


You are wrong. I clearly showed you that there was no detection with 3-week-old modules (I scanned the malware with the on-demand scanner first to show you that), but it was detected upon execution by HIPS/AMS.

Detections for Filecoder.FS variants have been continually added since 2016 as new variants emerged. These are the latest engine updates with Filecoder.FS detections added:

[screenshot of the engine update list]

 

Hope this will make it clear that the detection was added today:

ECLS Command-line scanner, version 6.6.2058.0, (C) 1992-2017 ESET, spol. s r.o.
Module loader, version 1010 (20170621), build 1017
Module perseus, version 1527 (20170823), build 1895
Module scanner, version 18599P (20181225), build 39833
Module archiver, version 1267 (20170816), build 1257
Module advheur, version 1176 (20170217), build 1144
Module cleaner, version 1142 (20170814), build 1187

Command line: test --log-file=!log.txt --unsafe --unwanted --log-all --arch --base-dir=.

Scan started at:   Tue Dec 25 16:39:51 2018
name="test\______ _______.scr", threat="is OK", action="", info=""

Scan completed at: Tue Dec 25 16:39:51 2018
Scan time:         0 sec (0:00:00)
Total:             files - 1, objects 1
Infected:          files - 0, objects 0
Cleaned:           files - 0, objects 0


ECLS Command-line scanner, version 6.6.2058.0, (C) 1992-2017 ESET, spol. s r.o.
Module loader, version 1010 (20170621), build 1017
Module perseus, version 1527 (20170823), build 1895
Module scanner, version 18600P (20181225), build 39835
Module archiver, version 1267 (20170816), build 1257
Module advheur, version 1176 (20170217), build 1144
Module cleaner, version 1142 (20170814), build 1187

Scan started at:   Tue Dec 25 16:39:53 2018
name="test\______ _______.scr", threat="Win32/Filecoder.FS trojan", action="", info=""

Scan completed at: Tue Dec 25 16:39:53 2018
Scan time:         0 sec (0:00:00)
Total:             files - 1, objects 1
Infected:          files - 1, objects 1
Cleaned:           files - 0, objects 0

 

16 minutes ago, novice said:

Thank you for your video.

After searching "ESET Virus radar", it seems like detection for Win32/Filecoder.FS has been added on 2016-08-24, so the fact that definitions are 2 weeks old or ESET not being connected to LiveGrid is irrelevant.

So in fact ESET detected something "fresh" based on a mechanism added 2 years ago. How is this relevant to HIPS???

[screenshot]

I do believe the detection happened because the malicious file acted in a way that ESET detected as malicious, so it was stopped. According to the video, the file was scanned without being cleaned, yet ESET didn't detect anything on this file; once it ran, ESET did sense or detect some kind of malicious activity, so it was stopped while not connected to LiveGrid. So it's something that depends on how ESET read the application and how it reacted to it.


It also should be noted that Eset's HIPS is not going to throw an alert on suspicious process behavior unless:

1. That behavior has been confirmed with high confidence to be associated with malware.

2. Other process traces exist to associate the behavior with malware such as code snippets and the like.

If one wants a solution that absolutely blocks suspicious process behavior regardless of whether it is malicious or not, they are better served using a solution such as NoVirusThanks OSArmor. Whereas this solution works with minimal negative impact in home-based environments, it can wreak havoc in corporate environments where many of the processes it blocks are routinely deployed.

-EDIT- It should be noted that OSArmor is marketed (it is freeware, BTW) as anti-exploit protection to be run in parallel with your existing AV solution. I don't use it because it can conflict with other AV software components. And there have been past conflicts with Eset, namely the HIPS component. It is, however, a great source for creating user rules for Eset's HIPS, which I have used in the past. Finally, it goes without saying that this type of software is only for advanced users with the OS internals knowledge to effectively respond to the blocked activity it can generate without borking their OS and apps installation/execution activities.

Edited by itman


I had opened a spam mail in 2016, I guess, and the Windows Mail application loads the attachment automatically by default... End of the story: it was the Nemucod Trojan and ESET did block it.

I always check the results at AV-Comparatives and I see an increased detection of ESET with V12, but nevertheless I am asking why there is no such mode like "If ESET's unsure", because there are a few compromises, whereas Defender is a bit more user-dependent in such situations. I think it'll be nice to have such a mode and a mode where ESET is blocking everything of which it is unsure.

Nevertheless I know that there is no 100% protection, but how is BitDefender performing so well in not-so-real-world-like tests? (more a hypothetical question)

I switched to ESET because of V9; before that I'd been a Kaspersky user for about 10 years. It took me a lot of time to try out other solutions and find out which is the best for the things I do - since then I recommended ESET to many people who are using ESET now or had done it, and I still do. The end of my licence is close and I am evaluating again... ESET renewal, BitDefender or MS Defender. The best is if the system is secure and it is user-dependent like Linux is, but we all know no system is secure, that is why there are AVs. MS Defender is an onboard solution and pretty good except in ESET categories like performance and false positives, and that's why, highly integrated and after self-protection (Windows 1903), probably the best solution (?).

From a developer's or person close to it (not marketing) perspective @Marcos & @itman, why use a third party AV like for example ESET over MS Defender?

And what does the future of the ESET product look like in point of detection and its functions?

Edited by MarcoO

1 hour ago, MarcoO said:

why use a third party AV like for example ESET over MS Defender?

Without getting into a long discussion on WD's deficiencies, its biggest flaw is that it can be easily disabled/modified by an attacker. Whereas Microsoft has finally tried to mitigate this by sandboxing portions of its kernel/engine process, it remains to be proven through penetration testing it can't be bypassed.


My biggest issue with other AVs is how damn heavy they are, and Windows Defender being one of the worst. It scans everything like an AV from the 90s and completing a full scan on an M.2 SSD takes an eternity. ESET is light, powerful and full of features - you can't even feel it. I could rant about Bugdefender but I guess I'll leave it at that.

5 hours ago, itman said:

..., it remains to be proven through penetration testing it can't be bypassed.

I think you mean "it can be bypassed" - Alright thank you for that knowledge!

5 hours ago, Tornado said:

My biggest issue with other AVs is how damn heavy they are, and Windows Defender being one of the worst. It scans everything like an AV from the 90s and completing a full scan on an M.2 SSD takes an eternity. ESET is light, powerful and full of features - you can't even feel it. I could rant about Bugdefender but I guess I'll leave it at that.

Yeah that is one of the top notch features of ESET.

 

7 hours ago, MarcoO said:

From a developer's or person close to it (not marketing) perspective @Marcos & @itman, why use a third party AV like for example ESET over MS Defender?

And what does the future of the ESET product look like in point of detection and its functions?

Is there an answer to my last question?

7 hours ago, MarcoO said:

And what does the future of the ESET product look like in point of detection and its functions?

In v12.1 beta we've enabled HIPS-based Behavior Monitor and Augur is going to be added over the course of 2019. Besides that, we'll continue improving protection and cleaning both through existing modules and will release product updates with new features, bug fixes and improvements as well.

10 hours ago, Tornado said:

and Windows Defender being one of the worst. It scans everything like an AV from the 90s and completing a full scan on an M.2 SSD takes an eternity

...yet, Windows Defender, old school without anything fancy, scored 99.9% in the latest AV-Comparatives (July-November), compared with 98.9% (same July-November)

Additionally, I do not know many people who still do "scans" of their drives. This is a 90's practice.

Edited by novice

9 hours ago, novice said:

...yet, Windows Defender, old school without anything fancy, scored 99.9% in the latest AV-Comparatives (July-November), compared with 98.9% (same July-November)

Additionally, I do not know many people who still do "scans" of their drives. This is a 90's practice.

Those tests mean nothing to me. I know some happy clickers, but I don't know any who got a thousand malware samples on their desktop. These tests bypass many layers of security solutions and simply test file system protection. Yes, Windows Defender is improving and yes, it's a good thing that users who would never install an AV have Windows Defender running in the background offering basic protection. The problem is the performance, the bugs and how easy it is to disable; like seriously, one UAC prompt a user clicks unknowingly and Windows Defender is disabled (and that's if you have UAC Always On, which most don't). I'm glad that Microsoft are upping their game and making Windows more secure out of the box than it has ever been, but a multi-billion dollar company could do so much better...

 

When I reinstall Windows and Windows Defender is enabled it feels like my gaming PC is a 10 year old laptop, you don't understand the difference I feel when I disable it via group policy and install ESET.

29 minutes ago, Tornado said:

Those tests mean nothing to me. I know some happy clickers, but I don't know any who got a thousand malware samples on their desktop. These tests bypass many layers of security solutions and simply test file system protection. Yes, Windows Defender is improving and yes, it's a good thing that users who would never install an AV have Windows Defender running in the background offering basic protection. The problem is the performance, the bugs and how easy it is to disable; like seriously, one UAC prompt a user clicks unknowingly and Windows Defender is disabled (and that's if you have UAC Always On, which most don't). I'm glad that Microsoft are upping their game and making Windows more secure out of the box than it has ever been, but a multi-billion dollar company could do so much better...

 

When I reinstall Windows and Windows Defender is enabled it feels like my gaming PC is a 10 year old laptop, you don't understand the difference I feel when I disable it via group policy and install ESET.

Also it's known to have a lot of false positives, and that's not a good thing; ESET is very low in false positives.

44 minutes ago, Tornado said:

Those tests mean nothing to me...

To you... rest of the people think differently.

 

15 minutes ago, BALTAGY said:

ESET is very low in false positives

True, but do you prefer a 98.4% detection rate (August) and less FP or a 100% detection rate (August) and more FP????

A FP can be investigated and "excepted", while a non-detection is fatal.

1 minute ago, novice said:

To you... rest of the people think differently.

 

True, but do you prefer a 98.4% detection rate (August) and less FP or a 100% detection rate (August) and more FP????

A FP can be investigated and "excepted", while a non-detection is fatal.

I prefer low FP; simply making the product detect 99% (there's no 100%) is easy, but making it 98.4% with a very low FP is better for me.

I can give you many viruses that the product you're talking about doesn't detect, so please understand that there's no 100%.

This topic is now closed to further replies.