
FW or HIPS window Alert closes too fast, how to make it stay up longer or find log of alert?



I get this Smart Security alert, which I believe is a FW or HIPS alert, that pops up asking me if I want to allow/deny b/c I have set interactive mode. The problem is the alert comes up and only stays there for about 2 seconds before I can select any options or even reach for the screen shot keyboard. Looking at all the logs I don't even see where it shows up, I don't believe you can view any of the logs in the GUI that will display all the FW and HIPS alerts.

Question: is there a way to make the window stay up longer? If not, where can I find the logs that will tell me what was actually reported? I have Smart Security 7.x.

 

Thanks


  • Administrators

It's weird, interactive dialogs stay on the screen for 30 seconds if I remember correctly and this cannot be configured in settings.


I wish that was the case, it's not. Is there a log somewhere I can view manually? This is quite irritating b/c the pop up is quite random.


11 hours ago, jetspeedz said:

Looking at all the logs I don't even see where it shows up, I don't believe you can view any of the logs in the GUI that will display all the FW and HIPS alerts.

The problem is that if you don't respond to the alert, the default action is allow. Allowed actions are not logged by default. So it appears you're in a "catch-22" situation until it can be determined what is causing the short alert interval display.

11 hours ago, jetspeedz said:

I have smart security 7.x

Support for Smart Security ver. 7 ended 12/2017. You need to upgrade to the latest ver. of Internet Security or Smart Security which includes a few additional features such as password manager.


  • Administrators

I overlooked that you had ESS v7. Please uninstall it and install ESET Internet Security 12.1.34 from scratch. Let us know should the issue persist.


Can't create a video as the window is only open for a second or two max.

I have no intention of upgrading from 7.x when it works fine.

As I suspected there is no way to view the logs or change the notification timeout setting. Shame.


  • Administrators

ESS v7 is very old, is not supported, lacks important security features, such as network attack protection and ransomware shield, suffers from old bugs, etc.

It reached EOL in Dec 2017. Besides no technical support, EOL also means that we can stop issuing module and engine updates at any time without prior notice.


Still does not address the issue at hand.

As long as Eset continues to provide updates it serves its purpose. If you ask me ESS4 is even better as it's lighter on system resources.

I'm not a novice user, don't need ransomware protection, all systems are backed up and imaged with disaster recovery options, interactive firewall with HIPS takes care of just about everything the new version covers including network attacks etc... I find as programs evolve they get more intrusive and heavier on system resources. Going from ESS4 to ESS7 proved just that as it uses more memory and I can only imagine what ESS12 uses vs the features provided.

 

In any case it appears the experts here are not able to provide any feedback to resolve the problem. Will have to debug the software myself I guess when I have more time and add tracers to capture what is going on... will post what I find when I have time to dig into it.

Edited by jetspeedz

  • Administrators

V12 uses less memory than v7 because it uses dll modules as opposed to binary dat modules. Also it uses an egui proxy to save additional memory otherwise used by gui which is not needed most of the time.

As it's been said, v7 reached end of life in 2017 and technical support is no longer provided for it. What's more, it can stop updating modules at any time which would cause new threats to be not recognized. We strongly recommend upgrading to the latest version.


You have piqued my interest, apparently v11 was a hog, perhaps v12 is improved. As you know egui was never really the issue, it's the ekrn that is the hog and has gotten bigger with subsequent releases. What is the idle RAM allocation of the two services for v12? Assume proxy egui and ekrn are running? Are there any other services running? I'm assuming if it's checking UEFI there is now some overhead for boot times too. Again features not everyone will use or need. Smart, compact and efficient protection is where ESET needs to focus, going back to the older version philosophy that put it on the map compared to others. Proxy GUI is a good start but who knows what else was added in to make it feature rich.


That is impressive, you have convinced me to test v12. If I'm not mistaken, and I'll have to check an old air gapped system running v4, but those numbers are close if not better than v4. Thanks for posting the info.


  • Administrators
13 minutes ago, jetspeedz said:

but those numbers are close if not better than v4.

Well, not really close to v4 :)


  • Most Valued Members
1 hour ago, jetspeedz said:

You have piqued my interest, apparently v11 was a hog, perhaps v12 is improved. As you know egui was never really the issue, it's the ekrn that is the hog and has gotten bigger with subsequent releases. What is the idle RAM allocation of the two services for v12? Assume proxy egui and ekrn are running? Are there any other services running? I'm assuming if it's checking UEFI there is now some overhead for boot times too. Again features not everyone will use or need. Smart, compact and efficient protection is where ESET needs to focus, going back to the older version philosophy that put it on the map compared to others. Proxy GUI is a good start but who knows what else was added in to make it feature rich.

I can't remember if 11 was a hog but the problem is a lot of those that used it and complained probably didn't send in any logs. Eset will always try to fix issues if it can see them 


Eset kernel and firewall processes for ver. 12.1.34 use approx. 90K of memory on my Win 10 x(64) 1809 build as shown in the below screen shot. Assumed is memory usage will vary depending on Win OS ver. used.


Edited by itman

Getting back to the original Eset alert elapsed time display, I couldn't find a user manual on the web for ver. 7 Smart Security. But I did find one for ver. 8 which I assume is the same in regards to alert elapsed time display:

Quote

4.7.2 Alerts and notifications

The Alerts and notifications section under User interface allows you to configure how threat alerts and system notifications (e.g. successful update messages) are handled by ESET Smart Security. You can also set display time and the level of transparency of system tray notifications (applies only to the systems supporting system tray notifications).

Deselect the check box next to Display alerts to cancel all alert windows. This is only suitable in certain situations. For most users we recommend that this option be left enabled (default).

Notifications on the Desktop are informative only, and do not require or offer user interaction. They are displayed in the notification area at the bottom right corner of the screen. To activate Desktop notifications, select Display notifications on desktop. More detailed options such as notification display time and window transparency can be modified by clicking Configure notifications. To preview the behavior of notifications, click Preview. To suppress notifications when running a full-screen application, select Do not display notifications when running applications in full-screen mode.

To close pop-up windows automatically after a certain period of time, select Close message boxes automatically after (sec.). If they are not closed manually, alert windows are automatically closed after the specified time period elapses.

Click Advanced setup to access additional Alerts and notification setup options.

https://download.eset.com/manuals/eset_ess_8_userguide_enu.pdf

Note the setting highlighted in red. In the "Configure notifications" section should be a setting which alert display time can be increased in value.

Alternatively, you can just uncheck the option highlighted in blue which will keep alerts displayed until they are manually closed.

Edited by itman

14 hours ago, Marcos said:

Well, not really close to v4 :)


I know my v4 is not anywhere near that. Then again I don't use all the features either.


13 hours ago, peteyt said:

I can't remember if 11 was a hog but the problem is a lot of those that used it and complained probably didn't send in any logs. Eset will always try to fix issues if it can see them 

I did a quick search and found some threads about it, whatever issues were reported are moot with the changes in v12 now.

8 hours ago, itman said:

Eset kernel and firewall processes for ver. 12.1.34 use approx. 90K of memory on my Win 10 x(64) 1809 build as shown in the below screen shot. Assumed is memory usage will vary depending on Win OS ver. used.


That is about double what Marcos posted, still better than v7 which is promising. I wonder what the OS was Marcos was using. Also what type of hypervisor did he create the VM on and if that makes a difference for memory allocation.

8 hours ago, itman said:

Getting back to the original Eset alert elapsed time display, I couldn't find a user manual on the web for ver. 7 Smart Security. But I did find one for ver. 8 which I assume is the same in regards to alert elapsed time display:

https://download.eset.com/manuals/eset_ess_8_userguide_enu.pdf

Note the setting highlighted in red. In the "Configure notifications" section should be a setting which alert display time can be increased in value.

Alternatively, you can just uncheck the option highlighted in blue which will keep alerts displayed until they are manually closed.

 

Thanks, I'm familiar with this option in v7 as well but it's not for the HIPS/FW alerts, not sure what the formal name of the alert window is but the notification window near the tray can also be controlled in the same area in v7.

Edited by jetspeedz

On my system EIS 12 is asking for 50MB, and occupies 100+MB. It's pretty light at work, though not sure to what extent it actually detects or prevents intrusion and how fast. You can review HIPS logs in v12, enable Advanced Logging, change Logs verbosity level.

Edited by zamar27

Thanks, I believe you have the same access to the HIPS logs as well in older versions, I know you do in 7 and 4. I initially started this thread about alerts but it appears there is no quick fix. I know I can find out what is causing it with some debug tools but b/c I can't repeat the issue it would take a lot of effort to run and monitor these kernel debug tools so likely I will upgrade to v12 b/c of the resource improvements.


I suggest upgrading to Win 10 as well, it's less huggy than any earlier releases, except some deep Win XP hacks for old laptops with minuscule RAM. On top, use Chrome with a tab suspender extension, and you'll be OK using an old PC for daily tasks.

Edited by zamar27

Wishful thinking, no Win 10 system can touch my tweaked Win 7 system. With more iterations there is more bloat, telemetry and junk. Not to say I don't have Win 10 systems but no intention of ever upgrading the 7 boxes.


1 hour ago, zamar27 said:

On my system EIS 12 is asking for 50MB, and occupies 100+MB.

Prior to ver. 12.1.34 I believe, that's around what ekrn.exe + firewall service was using on my Win 10 x(64) 1809 build. I am wondering if the inclusion of the deep behavior inspection module processing is the reason for the bump up to 90K on my build.


This topic is now closed to further replies.