Jump to content

How do rules work? Coming from CIS and KIS I really need some help


Recommended Posts

Hey there,

 

I have been using Kaspersky Internet Security and Comodo Internet Security for years and now want to switch to ESET Smart Security. I have a few question concerning the settings (rules):

 

In KIS I had to define rules for EVERYTHING. When I had all my rules I had no more pop ups (HIPS and FW). But it made the whole security suite slow as by the time the rule set grew a lot.

In CIS everything was checked online. If the application was whitelisted online, HIPS or FW didn't bother me and allowed to app. If the app wasn't whitelist or not known, I would get asked what to do with it. No rules to slow down the suite, no disturbing pop ups, but still when I downloaded e.g. "ccleaner.exe" but it wasn't the original one I would get asked what to do with it.

 

So how does ESS work? From what I could find out in my virtualbox malware test it seems to need a rule for everything too? Will that slow down the system when the rule set grows?

 

Why isn't there a rule pre-set "rule, ask, block on failure" ? I only see rules with "allow on failure". That seems a bit insecure?

 

So there is no "online check" for whitelisting and automatically creating rules?

 

Thanks in advance ! :)

Link to post
Share on other sites
  • Administrators

In KIS I had to define rules for EVERYTHING. When I had all my rules I had no more pop ups (HIPS and FW). But it made the whole security suite slow as by the time the rule set grew a lot.[/

In ESS, this can be accomplished by switching the firewall to policy-based.

So how does ESS work? From what I could find out in my virtualbox malware test it seems to need a rule for everything too? Will that slow down the system when the rule set grows?

Why isn't there a rule pre-set "rule, ask, block on failure" ? I only see rules with "allow on failure". That seems a bit insecure?

In fact, there are pre-set rules that cannot be removed completely from the list and it's only possible to disable them, if needed for whatever reasons.

We recommend using automatic mode which allows all outbound communication and blocks all non-initiated inbound communication. If you want to use rules, you can switch to learning mode until all necessary rules are created automatically or interactive mode which will enable you to create rules ad-hoc.

So there is no "online check" for whitelisting and automatically creating rules?

No. Let's assume that malware gets injected into a clean system process. In such case, the firewall would consider such process safe as it would look for cloud information about the clean system process and allow the communication.
Link to post
Share on other sites

 

In KIS I had to define rules for EVERYTHING. When I had all my rules I had no more pop ups (HIPS and FW). But it made the whole security suite slow as by the time the rule set grew a lot.[/

In ESS, this can be accomplished by switching the firewall to policy-based.

So how does ESS work? From what I could find out in my virtualbox malware test it seems to need a rule for everything too? Will that slow down the system when the rule set grows?

Why isn't there a rule pre-set "rule, ask, block on failure" ? I only see rules with "allow on failure". That seems a bit insecure?

In fact, there are pre-set rules that cannot be removed completely from the list and it's only possible to disable them, if needed for whatever reasons.

We recommend using automatic mode which allows all outbound communication and blocks all non-initiated inbound communication. If you want to use rules, you can switch to learning mode until all necessary rules are created automatically or interactive mode which will enable you to create rules ad-hoc.

So there is no "online check" for whitelisting and automatically creating rules?

No. Let's assume that malware gets injected into a clean system process. In such case, the firewall would consider such process safe as it would look for cloud information about the clean system process and allow the communication.

 

 

But going into interactive mode to create a big rule set will slow down the system?

 

I don't like allowing all outgoing connections as I want to see what which apps are "home calling" as well as I like to be notifed when "random.exe" tries to send some data :)

 

 

 

So my best option for HIPS and FW is to create a big rule set for all my apps. This will slow down the system or not?  Also I will get bombed with notifications when ever I install or run a new app for the first time ? 

 

What I like about "online whitelistening" is to simply see if the file I try to run is "known" and "secure" or "original" and not some "setup.exe" which has a trojan bound to it. With ESS I can only hope that the AV knows he threat or that the HIPS will warn me correctly + me understanding and acting correctly?

 

Thanks for your help. So far I really like the inerface of ESS !

Link to post
Share on other sites

@Utini I have like you used both the above suites over the years and found the same issues as you have highlighted and while it might not feel as secure having all the rule bases the only thing I do with Smart Security is switch HIPS to Smart Mode and enable Potentially Unsafe Programs.  I have found the program to be very light weight and haven't really felt the need for the firewall or hips to be interactive mode to set the rules.  It is also the only suite that I have used for consecutive years so it must be doing something right.

 

There is my two pence worth, I know in some respects it doesn't answer your question but the beauty of a trial you can make the software do what you want and see how it handles.  

Link to post
Share on other sites

If you don't want to be "bombarded" and/or spend time creating rules then I would leave the firewall in the default Automatic. It works very good. But you can also create your own rules if you like.

 

The HIPS can you leave in the default Automatic or set it to the new "Smart Mode" which seems to work splendid for me this far. Same here, you can also create your own rules if you like.

 

Also you will find a lot of answers how the different modes work in the in-built help file so it can be worth to check it out.

 

In any case, do not leave the HIPS or Firewall in learning mode for longer periods of time if you decide that you want some rules created automatically. I only recommend them incase there is a problem with the HIPS blocking an app, or the firewall was unable to create all necessary rules in the Automatic mode, then the learning modes could be the key to make things work.

 

"With ESS I can only hope that the AV knows he threat or that the HIPS will warn me correctly + me understanding and acting correctly?"

 

The chance that a threat will pass the other layers and features so the HIPS will have to act is pretty small.

Link to post
Share on other sites

@Utini I have like you used both the above suites over the years and found the same issues as you have highlighted and while it might not feel as secure having all the rule bases the only thing I do with Smart Security is switch HIPS to Smart Mode and enable Potentially Unsafe Programs.  I have found the program to be very light weight and haven't really felt the need for the firewall or hips to be interactive mode to set the rules.  It is also the only suite that I have used for consecutive years so it must be doing something right.

 

There is my two pence worth, I know in some respects it doesn't answer your question but the beauty of a trial you can make the software do what you want and see how it handles.  

 

If you don't want to be "bombarded" and/or spend time creating rules then I would leave the firewall in the default Automatic. It works very good. But you can also create your own rules if you like.

 

The HIPS can you leave in the default Automatic or set it to the new "Smart Mode" which seems to work splendid for me this far. Same here, you can also create your own rules if you like.

 

Also you will find a lot of answers how the different modes work in the in-built help file so it can be worth to check it out.

 

In any case, do not leave the HIPS or Firewall in learning mode for longer periods of time if you decide that you want some rules created automatically. I only recommend them incase there is a problem with the HIPS blocking an app, or the firewall was unable to create all necessary rules in the Automatic mode, then the learning modes could be the key to make things work.

 

"With ESS I can only hope that the AV knows he threat or that the HIPS will warn me correctly + me understanding and acting correctly?"

 

The chance that a threat will pass the other layers and features so the HIPS will have to act is pretty small.

 

 

Leaving filrewall in "automatic" is for my understanding very unsecure. I want to know and disable home calling. Especially when some random.exe does that.

 

Smart mode from wiki:

Smart mode: Only suspicious system events trigger a notification beyond the set of pre-defined rules in Automatic mode (operations such as system registry, active processes and programs).

 

So I tried smart mode with malware files from "malcode.com" and found out that from ~15 links 1 was able to come through. Not that "splendid" i think. So if you ask me the chance if there and not even that small for malware to pass through all the layers which means I would need to use interactive mode. But then I will end up with many many notifications :)

 

 

I wished there was a rule set like smart mode just with the addition of online whitelisting. So basically it would check rules, if no rule for the app exists check with the app is safe or known via online whitelisting. If not - bomb me with notifications please :)

Link to post
Share on other sites

 

If you don't want to be "bombarded" and/or spend time creating rules then I would leave the firewall in the default Automatic. It works very good. But you can also create your own rules if you like.

 

The HIPS can you leave in the default Automatic or set it to the new "Smart Mode" which seems to work splendid for me this far. Same here, you can also create your own rules if you like.

 

Also you will find a lot of answers how the different modes work in the in-built help file so it can be worth to check it out.

 

In any case, do not leave the HIPS or Firewall in learning mode for longer periods of time if you decide that you want some rules created automatically. I only recommend them incase there is a problem with the HIPS blocking an app, or the firewall was unable to create all necessary rules in the Automatic mode, then the learning modes could be the key to make things work.

 

"With ESS I can only hope that the AV knows he threat or that the HIPS will warn me correctly + me understanding and acting correctly?"

 

The chance that a threat will pass the other layers and features so the HIPS will have to act is pretty small.

 

 

Leaving filrewall in "automatic" is for my understanding very unsecure. I want to know and disable home calling. Especially when some random.exe does that.

 

Smart mode from wiki:

Smart mode: Only suspicious system events trigger a notification beyond the set of pre-defined rules in Automatic mode (operations such as system registry, active processes and programs).

 

So I tried smart mode with malware files from "malcode.com" and found out that from ~15 links 1 was able to come through. Not that "splendid" i think. So if you ask me the chance if there and not even that small for malware to pass through all the layers which means I would need to use interactive mode. But then I will end up with many many notifications :)

 

 

I wished there was a rule set like smart mode just with the addition of online whitelisting. So basically it would check rules, if no rule for the app exists check with the app is safe or known via online whitelisting. If not - bomb me with notifications please :)

 

 

When I said splendid I obviously meant in a real-world usage situation, not hammer the product with malware link after malware link. But thanks for your test ;) 15 nailed out of 16 is very good.

 

No, I still stand by my word that the chance is small in real-world usage situations. My friend is what you call a high risk user or a "happy clicker/downloader" and he doesn't managed to get infected with ESET during normal usage, but if I would tell him "go to malc0de and click on every link that you see, and execute each file that you are able to download"...then the usage situation is totally different. He's not a AV tester but a normal (maybe a bit extreme) computer user.

 

 

If it would be "very unsecure" to leave the firewall in the Automatic mode do you really think it would be the default mode or even exist in the product? I mentioned alternatives incase you don't want to use the Automatic as well. In interactive you will be notified  when something calls home, but it is not the most convenient mode that you seem to be asking for. But if you know how to respond to every FW notifications then try it, and if you don't like it, change to another mode.

 

But if you really don't trust these modes, then maybe you should put both the HIPS and Firewall in Learning mode for a few days while you use your computer, after that try interactive and the "bombarding" on you should be considerably less than if you started with interactive mode right away. But you will not be able to allow or deny anything in these modes, the automatic firewall mode is actually much more secure than learning mode that won't block anything but "learn" your system and apps.

 

Personally, I am no big downloader so having the Firewall in policy based-mode suite me perfectly, I have allow rules for everything I need, and I will not be notified to allow or deny anything at all as everything is denied and blocked by default unless there is an existing allow rule. And I love this mode, I call it "dead quiet mode". 

Edited by SweX
Link to post
Share on other sites

 

 

If you don't want to be "bombarded" and/or spend time creating rules then I would leave the firewall in the default Automatic. It works very good. But you can also create your own rules if you like.

 

The HIPS can you leave in the default Automatic or set it to the new "Smart Mode" which seems to work splendid for me this far. Same here, you can also create your own rules if you like.

 

Also you will find a lot of answers how the different modes work in the in-built help file so it can be worth to check it out.

 

In any case, do not leave the HIPS or Firewall in learning mode for longer periods of time if you decide that you want some rules created automatically. I only recommend them incase there is a problem with the HIPS blocking an app, or the firewall was unable to create all necessary rules in the Automatic mode, then the learning modes could be the key to make things work.

 

"With ESS I can only hope that the AV knows he threat or that the HIPS will warn me correctly + me understanding and acting correctly?"

 

The chance that a threat will pass the other layers and features so the HIPS will have to act is pretty small.

 

 

Leaving filrewall in "automatic" is for my understanding very unsecure. I want to know and disable home calling. Especially when some random.exe does that.

 

Smart mode from wiki:

Smart mode: Only suspicious system events trigger a notification beyond the set of pre-defined rules in Automatic mode (operations such as system registry, active processes and programs).

 

So I tried smart mode with malware files from "malcode.com" and found out that from ~15 links 1 was able to come through. Not that "splendid" i think. So if you ask me the chance if there and not even that small for malware to pass through all the layers which means I would need to use interactive mode. But then I will end up with many many notifications :)

 

 

I wished there was a rule set like smart mode just with the addition of online whitelisting. So basically it would check rules, if no rule for the app exists check with the app is safe or known via online whitelisting. If not - bomb me with notifications please :)

 

 

When I said splendid I obviously meant in a real-world usage situation, not hammer the product with malware link after malware link. But thanks for your test ;) 15 nailed out of 16 is very good.

 

No, I still stand by my word that the chance is small in real-world usage situations. My friend is what you call a high risk user or a "happy clicker/downloader" and he doesn't managed to get infected with ESET during normal usage, but if I would tell him "go to malc0de and click on every link that you see, and execute each file that you are able to download"...then the usage situation is totally different. He's not a AV tester but a normal (maybe a bit extreme) computer user.

 

 

If it would be "very unsecure" to leave the firewall in the Automatic mode do you really think it would be the default mode or even exist in the product? I mentioned alternatives incase you don't want to use the Automatic as well. In interactive you will be notified  when something calls home, but it is not the most convenient mode that you seem to be asking for. But if you know how to respond to every FW notifications then try it, and if you don't like it, change to another mode.

 

But if you really don't trust these modes, then maybe you should put both the HIPS and Firewall in Learning mode for a few days while you use your computer, after that try interactive and the "bombarding" on you should be considerably less than if you started with interactive mode right away. But you will not be able to allow or deny anything in these modes, the automatic firewall mode is actually much more secure than learning mode that won't block anything but "learn" your system and apps.

 

Personally, I am no big downloader so having the Firewall in policy based-mode suite me perfectly, I have allow rules for everything I need, and I will not be notified to allow or deny anything at all as everything is denied and blocked by default unless there is an existing allow rule. And I love this mode, I call it "dead quiet mode". 

 

 

Hmm I think 1 out of 15 is pretty bad.with KIS and CIS i had like 0 out of 200. And as a "brain" user I want peotection just against that 1% of malware which is unknown and injects through some XSS or java drive by hidden on some exploited website or similiar. Because evrrything else is no matter to me as I know how to prevent it and already act correctly.

 

In the end I think interactive with a big rule set is what I need to use with ESS. Will a big rule set slow down ESS or the System? That was the case with KIS.

 

Btw I think the standart settings are just like with every other security product meant to be user friendly and easy to use. 

 

Thanks

Link to post
Share on other sites
  • Administrators

Any firewall could be easily fooled if it mainly depended on the reputation of files. It often happens that malware injects into running system processes so in such case the firewall would allow the communication as the system process would be whitelisted.

ESET uses smart mechanisms to prevent malware from getting to your computer:

- firewall (including Botnet protection)

- strong web protection (url / cloud blocking)

- strong Advanced heuristics employed by all protection modules

- HIPS

- Exploit Blocker

- Advanced Memory Scanner. This is the last layer of protection as it's used upon execution. Utilizing HIPS, it checks for suspicious behavior of files already unpacked in memory. This is my favorite feature as it blocks almost every new malware variant that I come across.

Link to post
Share on other sites

Any firewall could be easily fooled if it mainly depended on the reputation of files. It often happens that malware injects into running system processes so in such case the firewall would allow the communication as the system process would be whitelisted.

ESET uses smart mechanisms to prevent malware from getting to your computer:

- firewall (including Botnet protection)

- strong web protection (url / cloud blocking)

- strong Advanced heuristics employed by all protection modules

- HIPS

- Exploit Blocker

- Advanced Memory Scanner. This is the last layer of protection as it's used upon execution. Utilizing HIPS, it checks for suspicious behavior of files already unpacked in memory. This is my favorite feature as it blocks almost every new malware variant that I come across.

 

I am sure ESS is strong in its different security layers that it provides ! So far ESS has a lot that I like. I just don't really like it's rule system. I believe some "online check" which validates if the app is legit or not would be a very nice addition. Especially in terms of user friendliness. Not to allow the app or act based on it's signature. but only to let the user know that the "ccleaner.exe" or "winzip.exe" is actually a valid file and not some "fake" or "manipulated" file. 

 

Is interactive mode with a big rule set tested already? Any performance loss?

Link to post
Share on other sites

 

 

 

If you don't want to be "bombarded" and/or spend time creating rules then I would leave the firewall in the default Automatic. It works very good. But you can also create your own rules if you like.

 

The HIPS can you leave in the default Automatic or set it to the new "Smart Mode" which seems to work splendid for me this far. Same here, you can also create your own rules if you like.

 

Also you will find a lot of answers how the different modes work in the in-built help file so it can be worth to check it out.

 

In any case, do not leave the HIPS or Firewall in learning mode for longer periods of time if you decide that you want some rules created automatically. I only recommend them incase there is a problem with the HIPS blocking an app, or the firewall was unable to create all necessary rules in the Automatic mode, then the learning modes could be the key to make things work.

 

"With ESS I can only hope that the AV knows he threat or that the HIPS will warn me correctly + me understanding and acting correctly?"

 

The chance that a threat will pass the other layers and features so the HIPS will have to act is pretty small.

 

 

Leaving filrewall in "automatic" is for my understanding very unsecure. I want to know and disable home calling. Especially when some random.exe does that.

 

Smart mode from wiki:

Smart mode: Only suspicious system events trigger a notification beyond the set of pre-defined rules in Automatic mode (operations such as system registry, active processes and programs).

 

So I tried smart mode with malware files from "malcode.com" and found out that from ~15 links 1 was able to come through. Not that "splendid" i think. So if you ask me the chance if there and not even that small for malware to pass through all the layers which means I would need to use interactive mode. But then I will end up with many many notifications :)

 

 

I wished there was a rule set like smart mode just with the addition of online whitelisting. So basically it would check rules, if no rule for the app exists check with the app is safe or known via online whitelisting. If not - bomb me with notifications please :)

 

 

When I said splendid I obviously meant in a real-world usage situation, not hammer the product with malware link after malware link. But thanks for your test ;) 15 nailed out of 16 is very good.

 

No, I still stand by my word that the chance is small in real-world usage situations. My friend is what you call a high risk user or a "happy clicker/downloader" and he doesn't managed to get infected with ESET during normal usage, but if I would tell him "go to malc0de and click on every link that you see, and execute each file that you are able to download"...then the usage situation is totally different. He's not a AV tester but a normal (maybe a bit extreme) computer user.

 

 

If it would be "very unsecure" to leave the firewall in the Automatic mode do you really think it would be the default mode or even exist in the product? I mentioned alternatives incase you don't want to use the Automatic as well. In interactive you will be notified  when something calls home, but it is not the most convenient mode that you seem to be asking for. But if you know how to respond to every FW notifications then try it, and if you don't like it, change to another mode.

 

But if you really don't trust these modes, then maybe you should put both the HIPS and Firewall in Learning mode for a few days while you use your computer, after that try interactive and the "bombarding" on you should be considerably less than if you started with interactive mode right away. But you will not be able to allow or deny anything in these modes, the automatic firewall mode is actually much more secure than learning mode that won't block anything but "learn" your system and apps.

 

Personally, I am no big downloader so having the Firewall in policy based-mode suite me perfectly, I have allow rules for everything I need, and I will not be notified to allow or deny anything at all as everything is denied and blocked by default unless there is an existing allow rule. And I love this mode, I call it "dead quiet mode". 

 

 

Hmm I think 1 out of 15 is pretty bad.with KIS and CIS i had like 0 out of 200. And as a "brain" user I want peotection just against that 1% of malware which is unknown and injects through some XSS or java drive by hidden on some exploited website or similiar. Because evrrything else is no matter to me as I know how to prevent it and already act correctly.

 

In the end I think interactive with a big rule set is what I need to use with ESS. Will a big rule set slow down ESS or the System? That was the case with KIS.

 

Btw I think the standart settings are just like with every other security product meant to be user friendly and easy to use. 

 

Thanks

 

If you would have had the HIPS in interactive mode, you would most likely have seen a popup for the sample that sneaked by. 

You can make the HIPS very tight compared to the default or the smart mode if that's what you're looking for. It's possible to do that, but it's not going to be as convenient as you would like it to be I guess.

 

Yes the default is the best for the majority of the user base, a good balance between protection and system performance.

 

I have never tried to use a big ruleset as I don't see a need for it, the only way to find out if a big ruleset will slow things down or not is if you try it yourself.

 

There is a "known safe" cloud white list in Live Grid but it is not used as a detection mechanism today, e.g detection of non known safe files. But it is used in other ways during scanning for example. And also to block bad files that no signature has been created for yet. 

 

I don't know exactly what you had in mind, but I posted a future suggestion that could work based on that if the user wants to. You can read the post to see if it is something similar to what you have in mind: https://forum.eset.com/topic/51-future-changes-to-eset-smart-security/?p=17761

Edited by SweX
Link to post
Share on other sites

 

 

 

 

If you don't want to be "bombarded" and/or spend time creating rules then I would leave the firewall in the default Automatic. It works very good. But you can also create your own rules if you like.

 

The HIPS can you leave in the default Automatic or set it to the new "Smart Mode" which seems to work splendid for me this far. Same here, you can also create your own rules if you like.

 

Also you will find a lot of answers how the different modes work in the in-built help file so it can be worth to check it out.

 

In any case, do not leave the HIPS or Firewall in learning mode for longer periods of time if you decide that you want some rules created automatically. I only recommend them incase there is a problem with the HIPS blocking an app, or the firewall was unable to create all necessary rules in the Automatic mode, then the learning modes could be the key to make things work.

 

"With ESS I can only hope that the AV knows he threat or that the HIPS will warn me correctly + me understanding and acting correctly?"

 

The chance that a threat will pass the other layers and features so the HIPS will have to act is pretty small.

 

 

Leaving filrewall in "automatic" is for my understanding very unsecure. I want to know and disable home calling. Especially when some random.exe does that.

 

Smart mode from wiki:

Smart mode: Only suspicious system events trigger a notification beyond the set of pre-defined rules in Automatic mode (operations such as system registry, active processes and programs).

 

So I tried smart mode with malware files from "malcode.com" and found out that from ~15 links 1 was able to come through. Not that "splendid" i think. So if you ask me the chance if there and not even that small for malware to pass through all the layers which means I would need to use interactive mode. But then I will end up with many many notifications :)

 

 

I wished there was a rule set like smart mode just with the addition of online whitelisting. So basically it would check rules, if no rule for the app exists check with the app is safe or known via online whitelisting. If not - bomb me with notifications please :)

 

 

When I said splendid I obviously meant in a real-world usage situation, not hammer the product with malware link after malware link. But thanks for your test ;) 15 nailed out of 16 is very good.

 

No, I still stand by my word that the chance is small in real-world usage situations. My friend is what you call a high risk user or a "happy clicker/downloader" and he doesn't managed to get infected with ESET during normal usage, but if I would tell him "go to malc0de and click on every link that you see, and execute each file that you are able to download"...then the usage situation is totally different. He's not a AV tester but a normal (maybe a bit extreme) computer user.

 

 

If it would be "very unsecure" to leave the firewall in the Automatic mode do you really think it would be the default mode or even exist in the product? I mentioned alternatives incase you don't want to use the Automatic as well. In interactive you will be notified  when something calls home, but it is not the most convenient mode that you seem to be asking for. But if you know how to respond to every FW notifications then try it, and if you don't like it, change to another mode.

 

But if you really don't trust these modes, then maybe you should put both the HIPS and Firewall in Learning mode for a few days while you use your computer, after that try interactive and the "bombarding" on you should be considerably less than if you started with interactive mode right away. But you will not be able to allow or deny anything in these modes, the automatic firewall mode is actually much more secure than learning mode that won't block anything but "learn" your system and apps.

 

Personally, I am no big downloader so having the Firewall in policy based-mode suite me perfectly, I have allow rules for everything I need, and I will not be notified to allow or deny anything at all as everything is denied and blocked by default unless there is an existing allow rule. And I love this mode, I call it "dead quiet mode". 

 

 

Hmm I think 1 out of 15 is pretty bad.with KIS and CIS i had like 0 out of 200. And as a "brain" user I want peotection just against that 1% of malware which is unknown and injects through some XSS or java drive by hidden on some exploited website or similiar. Because evrrything else is no matter to me as I know how to prevent it and already act correctly.

 

In the end I think interactive with a big rule set is what I need to use with ESS. Will a big rule set slow down ESS or the System? That was the case with KIS.

 

Btw I think the standart settings are just like with every other security product meant to be user friendly and easy to use. 

 

Thanks

 

If you would have had the HIPS in interactive mode, you would most likely have seen a popup for the sample that sneaked by. 

You can make the HIPS very tight compared to the default or the smart mode if that's what you're looking for. It's possible to do that, but it's not going to be as convenient as you would like it to be I guess.

 

Yes the default is the best for the majority of the user base, a good balance between protection and system performance.

 

I have never tried to use a big ruleset as I don't see a need for it, the only way to find out if a big ruleset will slow things down or not is if you try it yourself.

 

There is a "known safe" cloud white list in Live Grid but it is not used as a detection mechanism today, e.g detection of non known safe files. But it is used in other ways during scanning for example. And also to block bad files that no signature has been created for yet. 

 

I don't know exactly what you had in mind, but I posted a future suggestion that could work based on that if the user wants to. You can read the post to see if it is something similar to what you have in mind: https://forum.eset.com/topic/51-future-changes-to-eset-smart-security/?p=17761

 

 

Yes your suggestion sounds pretty much what I am looking for. Until that I will play around a little with interactive mode or stay with CIS.

 

Thanks for your help !

 

@edit: One more thing though:

 

Smart mode has: rules, ask on suspicious, allow on failure.

 

Why not block on failure ? That would be safer?

 

And what I also don't understand, lets sa I use interactive and create rules for every application. Where do I find those rules for HIPS? E.g. each app and it's permissions ?

Edited by Utini
Link to post
Share on other sites

But going into interactive mode to create a big rule set will slow down the system?

 

I don't like allowing all outgoing connections as I want to see what which apps are "home calling" as well as I like to be notifed when "random.exe" tries to send some data :)

 

 

 

So my best option for HIPS and FW is to create a big rule set for all my apps. This will slow down the system or not?  Also I will get bombed with notifications when ever I install or run a new app for the first time ? 

 

What I like about "online whitelistening" is to simply see if the file I try to run is "known" and "secure" or "original" and not some "setup.exe" which has a trojan bound to it. With ESS I can only hope that the AV knows he threat or that the HIPS will warn me correctly + me understanding and acting correctly?

 

Thanks for your help. So far I really like the inerface of ESS !

 

 

I use interactive firewall mode.

You do not need a large rule set and it does not appreciably slow ESS down.

You will get notifications when an application starts accessing the internet (recently installed or otherwise). If this is not what you want, then don't use interactive mode.

 

Rules can be a specific or general as you want. A relatively easy way of generating specific rules is to get ESS to remember and allow each specific attempt during a "training phase". Then look a the rules generated and create general rules covering all likely use requirements (using lists, ranges, and masks as appropriate). You will find similar applicatons need similar access (web browsers, email clients, office applications etc). As I do not have that many applications, it isn't actually as hard as it sounds.

Edited by Patch
Link to post
Share on other sites

 

 

I don't know exactly what you had in mind, but I posted a future suggestion that could work based on that if the user wants to. You can read the post to see if it is something similar to what you have in mind: https://forum.eset.com/topic/51-future-changes-to-eset-smart-security/?p=17761

 

 

Yes your suggestion sounds pretty much what I am looking for. Until that I will play around a little with interactive mode or stay with CIS.

 

Thanks for your help !

 

Right, it is still only a suggestion/idea and far from all suggestions get implemented for obvious reasons. But if you like it then you can always give a kudo to it.

 

You're welcome. I hope you will find a way to use the product that suite you. It's not a difficult or hard to use product so I'm sure you'll get there eventually.

Link to post
Share on other sites

 

But going into interactive mode to create a big rule set will slow down the system?

 

I don't like allowing all outgoing connections as I want to see what which apps are "home calling" as well as I like to be notifed when "random.exe" tries to send some data :)

 

 

 

So my best option for HIPS and FW is to create a big rule set for all my apps. This will slow down the system or not?  Also I will get bombed with notifications when ever I install or run a new app for the first time ? 

 

What I like about "online whitelistening" is to simply see if the file I try to run is "known" and "secure" or "original" and not some "setup.exe" which has a trojan bound to it. With ESS I can only hope that the AV knows he threat or that the HIPS will warn me correctly + me understanding and acting correctly?

 

Thanks for your help. So far I really like the inerface of ESS !

 

 

I use interactive firewall mode.

You do not need a large rule set and it does not appreciably slow ESS down.

You will get notifications when an application starts accessing the internet (recently installed or otherwise). If this is not what you want, then don't use interactive mode.

 

Rules can be a specific or general as you want. A relatively easy way of generating specific rules is to get ESS to remember and allow each specific attempt during a "training phase". Then look a the rules generated and create general rules covering all likely use requirements (using lists, ranges, and masks as appropriate). You will find similar applicatons need similar access (web browsers, email clients, office applications etc). As I do not have that many applications, it isn't actually as hard as it sounds.

 

 

I thought when I "allow an app and remember as rule" it would be safed in the "rules" so I could edit them later? That way I would create a rule for each APP in FW and HIPS. How ever, I can't find the HIPS/FW app-specific rules anywhere?

Link to post
Share on other sites

I assume this is what you're looking for.

 

For the Firewall...


From the main GUI click "Setup" -> click on "Network" -> click on "Configure rules and zones..."

 

or


From the main GUI click F5 on your keyboard -> "Network" -> "Personal firewall" -> "Rules and zones" -> under Zone and rule editor click "Setup"

 

For the HIPS...


From the main GUI click "Setup" -> click on "Computer" -> under HIPS click "Configure..." -> click on "Configure rules..."

 

or

From the main GUI click F5 on your keyboard -> "Computer" -> "HIPS" -> click on "Configure rules..."

Edited by SweX
Link to post
Share on other sites

FYI

 

If you don't think you can find a convenient way to use ESS the way you want to.....

 

Then I know a user that use ESET NOD32 Antivirus and Comodo Firewall (not the whole CIS suite) together but I'm not sure if he got some exclusions set up to make it work or not, if you think that could be a better plan for you then I could ask him if there is something special that's needed to make them work if you want? I won't ask until I hear back from you.

 

They both have HIPS so something probably has to give in to make them "like" each other. ESET with HIPS enabled plus Comodo Firewall is probably how it has to be, so you don't disable the ESET HIPS that plays a central role in the product.

 

Why I say this is because your ESS license will work with NOD32 as well.

 

But you will lose some neat features only found in ESS if you decide to go for this.

 

You should know that I am not a fan of Comodo at all, or a fan of how they used to whitelist some questionable stuff in the past. But since you have used Comodo before I thought why not mention it. Though, I doubt very much that this setup will be lighter on your system than with ESS alone.

Edited by SweX
Link to post
Share on other sites

FYI

 

If you don't think you can find a convenient way to use ESS the way you want to.....

 

Then I know a user that use ESET NOD32 Antivirus and Comodo Firewall (not the whole CIS suite) together but I'm not sure if he got some exclusions set up to make it work or not, if you think that could be a better plan for you then I could ask him if there is something special that's needed to make them work if you want? I won't ask until I hear back from you.

 

They both have HIPS so something probably has to give in to make them "like" each other. ESET with HIPS enabled plus Comodo Firewall is probably how it has to be, so you don't disable the ESET HIPS that plays a central role in the product.

 

Why I say this is because your ESS license will work with NOD32 as well.

 

But you will lose some neat features only found in ESS if you decide to go for this.

 

You should know that I am not a fan of Comodo at all, or a fan of how they used to whitelist some questionable stuff in the past. But since you have used Comodo before I thought why not mention it. Though, I doubt very much that this setup will be lighter on your system than with ESS alone.

 

Thanks for sharing that even if you don't like Comodo. I am currently looking into Emsisoft Internet Security. I think performance wise it is better to use one suite instead of different products from different companies. I already use MBAM Pro and HitmanPro Alert as realtime protection so that is more than enough crossing between companies ;P

 

Maybe I can find my way into using ESS with a rule for every app on my system. And when something new gets installed I will just add a new rule for that.

Link to post
Share on other sites

You're welcome,

 

Yes I agree with that a whole suite is indeed lighter in 99% of the cases, depending on product and features of course but generally that's how it is, and not only for compatibility as incompatibilities happen quite frequently when using some stand-alone AVs and firewalls due to their features.

 

IMO, MBAM Prem is not needed in real-time(with ESET anyway), but many does use it and doesn't have any problems using both. So that is a question of each to their own. HMPA is a nice product, even if I don't use it myself currently, I know several ESET users that use it along ESET without problems. But if it is needed is up to each person to decide.

 

Emsisoft EIS is a nice product, not as light as ESS. Also I am not a fan of the BD engine. ;-P

 

The most simple way if you don't want to create rules manually for each app is to use the interactive mode, the popups will be decrease as time goes by. Use Learning mode for a few days to learn your current system and apps, then switch to interactive and you will be notified for anything new you may install, or something calling home.

 

But you doesn't sound like an average user when you start to mention apps like MBAM and HMPA....so IMO HIPS in Smart Mode is more than enough for you. But you can have the Firewall

in interactive if you like. Please consider this  ;)

Edited by SweX
Link to post
Share on other sites

You're welcome,

 

Yes I agree with that a whole suite is indeed lighter in 99% of the cases, depending on product and features of course but generally that's how it is, and not only for compatibility as incompatibilities happen quite frequently when using some stand-alone AVs and firewalls due to their features.

 

IMO, MBAM Prem is not needed in real-time(with ESET anyway), but many does use it and doesn't have any problems using both. So that is a question of each to their own. HMPA is a nice product, even if I don't use it myself currently, I know several ESET users that use it along ESET without problems. But if it is needed is up to each person to decide.

 

Emsisoft EIS is a nice product, not as light as ESS. Also I am not a fan of the BD engine. ;-P

 

The most simple way if you don't want to create rules manually for each app is to use the interactive mode, the popups will be decrease as time goes by. Use Learning mode for a few days to learn your current system and apps, then switch to interactive and you will be notified for anything new you may install, or something calling home.

 

But you doesn't sound like an average user when you start to mention apps like MBAM and HMPA....so IMO HIPS in Smart Mode is more than enough for you. But you can have the Firewall

in interactive if you like. Please consider this  ;)

 

Yes you are right, HIPS in Smart Mode with FW in interactive could be the fine line that I could live with. How ever, isn't the HIPS faster when there are rules for an app defined instead of it having to analyze it over and over again (smart mode checks the bevahviour every time I run an app) ?

 

Emsisoft gets my vote as it comes from the same country I live in (Austria) ;P But it surely doesn't seem to be as lightweight. Also I prefer the interface of ESET.

Edited by Utini
Link to post
Share on other sites

Yay sounds good!  

No it doesn't make any difference performance wise between Smart Mode vs dedicated rules from my experience.

 

Haha I see. Yeah I said it's a nice (Austrian) product, I would probably pick it over KIS anyway ;-P

 

Yes, I really like the ESET GUI too.

 

So, have you decided what to do now ?  :D

Edited by SweX
Link to post
Share on other sites

Yay sounds good!  

No it doesn't make any difference performance wise between Smart Mode vs dedicated rules from my experience.

 

Haha I see. Yeah I said it's a nice (Austrian) product, I would probably pick it over KIS anyway ;-P

 

Yes, I really like the ESET GUI too.

 

So, have you decided what to do now ?  :D

 

Not completely ;)

 

I will do a few more test with smart mode in a vbox tomorrow. Also i will look for the best way to completely remove CIS (if there is one).

 

If everything looks fine I will wait until I find a decent discounted offer (i generally don't like to pay for software, especially not yearly. mbam pro is the only exception as i have a lifetime license).

 

In the mean time I will play around with Emsisoft.

 

Thanks for your help!

Link to post
Share on other sites

Do you still have CIS installed?

 

Well, my view on paying for software differs from yours.

 

Every company needs a good money flow, without money flow it's goodnight.

 

Tzuk with sandboxie could use the lifetime license model for a long time because he was pretty much the only developer. 

Same with Bill and Winpatrol.

But sandboxie is now owned by a bigger company, not a one man show anymore.

And also Malwarebytes had one in the beginning but stopped not that long ago....because they have grown and have expanded their product lineup, and employ more people.

There is no way a medium sized company like MBAM could continue for much longer using the lifetime license model. Yes of course It makes customers happy to pay one time and have it for life, but it is a terrible business model in terms of money flow. 

 

Same with Surfright and HMP and HMPA. Its no longer a 2 man show with the Loman brothers they also have staff to pay. Plus they also use AV engines in the cloud on top of their own tech but I doubt Kaspersky let them use their engine for free. Not that they have had a lifetime license but to compare.

 

Qihoo 360 is free even if they use licensed engines in the product.....but nothing comes for free in this world people need to remember that.

 

Qihoo is a search engine giant.  ESET....is just ESET.

 

Now, even if ESET had a free product, I would pay for it anyway to support the company and the great job the devs & researchers do and of course because I think the product is worth paying for. Software companies is like any other company that needs a steady income, only because what they produce isn't something that you can touch and hold in your hand doesn't mean that it doesn't cost money to develop and maintain the products. But each product is different so there is pay for software that I don't think is worth paying for as well.

 

Yeah every vendor has 30-day trials so take advantage of them so you don't buy something and has to go through a refund process if you don't like it.

Link to post
Share on other sites

Do you still have CIS installed?

 

Well, my view on paying for software differs from yours.

 

Every company needs a good money flow, without money flow it's goodnight.

 

Tzuk with sandboxie could use the lifetime license model for a long time because he was pretty much the only developer. 

Same with Bill and Winpatrol.

But sandboxie is now owned by a bigger company, not a one man show anymore.

And also Malwarebytes had one in the beginning but stopped not that long ago....because they have grown and have expanded their product lineup, and employ more people.

There is no way a medium sized company like MBAM could continue for much longer using the lifetime license model. Yes of course It makes customers happy to pay one time and have it for life, but it is a terrible business model in terms of money flow. 

 

Same with Surfright and HMP and HMPA. Its no longer a 2 man show with the Loman brothers they also have staff to pay. Plus they also use AV engines in the cloud on top of their own tech but I doubt Kaspersky let them use their engine for free. Not that they have had a lifetime license but to compare.

 

Qihoo 360 is free even if they use licensed engines in the product.....but nothing comes for free in this world people need to remember that.

 

Qihoo is a search engine giant.  ESET....is just ESET.

 

Now, even if ESET had a free product, I would pay for it anyway to support the company and the great job the devs & researchers do and of course because I think the product is worth paying for. Software companies is like any other company that needs a steady income, only because what they produce isn't something that you can touch and hold in your hand doesn't mean that it doesn't cost money to develop and maintain the products. But each product is different so there is pay for software that I don't think is worth paying for as well.

 

Yeah every vendor has 30-day trials so take advantage of them so you don't buy something and has to go through a refund process if you don't like it.

 

Yep I still have CIS installed. Not sure if the uninstaller will completely remove everything from CIS but I guess so.

 

Well CIS is free ;-) HMPA is free for me as I beta tested it. And with MBAM Pro I have the lifetime license :)

 

But I guess when I find a discounted offer I can live with a few € a year.

Link to post
Share on other sites

 

Do you still have CIS installed?

 

Well, my view on paying for software differs from yours.

 

Every company needs a good money flow, without money flow it's goodnight.

 

Tzuk with sandboxie could use the lifetime license model for a long time because he was pretty much the only developer. 

Same with Bill and Winpatrol.

But sandboxie is now owned by a bigger company, not a one man show anymore.

And also Malwarebytes had one in the beginning but stopped not that long ago....because they have grown and have expanded their product lineup, and employ more people.

There is no way a medium sized company like MBAM could continue for much longer using the lifetime license model. Yes of course It makes customers happy to pay one time and have it for life, but it is a terrible business model in terms of money flow. 

 

Same with Surfright and HMP and HMPA. Its no longer a 2 man show with the Loman brothers they also have staff to pay. Plus they also use AV engines in the cloud on top of their own tech but I doubt Kaspersky let them use their engine for free. Not that they have had a lifetime license but to compare.

 

Qihoo 360 is free even if they use licensed engines in the product.....but nothing comes for free in this world people need to remember that.

 

Qihoo is a search engine giant.  ESET....is just ESET.

 

Now, even if ESET had a free product, I would pay for it anyway to support the company and the great job the devs & researchers do and of course because I think the product is worth paying for. Software companies is like any other company that needs a steady income, only because what they produce isn't something that you can touch and hold in your hand doesn't mean that it doesn't cost money to develop and maintain the products. But each product is different so there is pay for software that I don't think is worth paying for as well.

 

Yeah every vendor has 30-day trials so take advantage of them so you don't buy something and has to go through a refund process if you don't like it.

 

Yep I still have CIS installed. Not sure if the uninstaller will completely remove everything from CIS but I guess so.

 

Well CIS is free ;-) HMPA is free for me as I beta tested it. And with MBAM Pro I have the lifetime license :)

 

But I guess when I find a discounted offer I can live with a few € a year.

 

I didn't mention Comodo because I thought you knew why it is free, one reason is because of their cert business. ;-P

 

But HMPA can also worth paying for for non license holders, buy HMPA get HMP for free, buy HMP get HMPA for free. Nice deal IMO.

Yes I know, but you wouldn't be able to get your hands on a lifetime license today for MBAM as they don't sell them anymore. 

 

I tried Comodo couple years ago...never again! 

Not sure how good their uninstaller is these days, you can always check manually afterwards for left-overs like drivers etc...

 

It's very easy to find good deals for ESET in the U.S when for example Newegg almost give away licenses....but in Europe it can be a bit trickier. But if you look hard enough you might find some. 

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...