Marcos (Administrators, 5,267) Posted March 19, 2015

> I would like to suggest that the upcoming ESS could include the PID for each process in the Rule and Zone editor, as it would be much more helpful for me to determine which svchost, and which thread inside it, is attempting to connect to the Internet. Thank you.

It makes no sense to display the current PID for a process in the rule editor, as it's different each time a process starts.
yongsua (16) Posted March 19, 2015 (edited)

Maybe ESS could implement some sort of PID mapping or positioning system? Is it possible? Or at least the current PID could be displayed on the interactive mode alert. Although PIDs vary each time a process starts, at least knowing the current PID can be helpful to identify which svchost and which thread is attempting to connect to the Internet. That gives the user a chance to initially jot down the threads, handles or DLLs involved using a basic dynamic analysis tool such as Process Explorer, so that the user can afterwards just refer to the services, handles or DLLs involved from what they have jotted down, without referring to the PID anymore and regardless of how the PID varies.

Edited March 19, 2015 by yongsua
rugk (397) Posted March 19, 2015 (edited)

@yongsua Yes, showing this in the interactive alerts/questions is a great and useful idea. I already had the issue that ESS showed "rundll.exe" was attempting to connect to a site (e.g. with OpenCandy) and I didn't know which process it was, because there were multiple instances running.

Edited March 19, 2015 by rugk
agasoft (0) Posted March 26, 2015

Hello, I hope that the developers will hear my voice. I am Aleksandar, a totally blind person. I used NOD32 from version 2.0/2.5 and had a legal license too. I am testing all available security solutions for home users for how accessible they are with screen readers such as JAWS or NVDA. I am now testing ESET Smart Security, and according to my few days of tests, I will suggest and ask you for the following:

1. On installation, bring back the option to disable the graphical user interface during installation. We can disable it later in the settings, but for blind users the graphical user interface is not accessible with screen readers and keyboard.
2. Add our screen readers to the exclusion list in the antivirus, firewall and HIPS, and in self-defence too. I am encountering difficulties when I use JAWS with self-defence, because JAWS won't announce in the settings whether a tree view is opened or closed. When I turn off self-defence, JAWS reads everything properly.
3. I set HIPS to interactive mode, and it blocked the screen reader too, and some applications, without asking what to do. I am ready to cooperate with you to fix it for me.
4. Some sound alert when a warning pops up would be welcome for us too.

You can contact me freely; I am ready to test upcoming versions with your team.
rugk (397) Posted March 26, 2015

Well... AFAIK you can also navigate with the keyboard in the graphical user interface. However, for screen readers it may be more difficult to handle this graphical UI.

It's to be expected that the screen reader could have problems with the self-defense. The self-defense is just doing its job and protecting access to egui.exe, so yes, a rule is needed for this. No antivirus (in terms of scanning) exception and no firewall exception are needed, as it should work without them, but a HIPS rule (which includes self-defense) is needed. And ESS has a HIPS rule editor. However, it's quite complex and may be difficult to use. On the other hand, I don't think that ESET will add a pre-defined HIPS rule for all screen readers, as such pre-defined rules could also be misused (e.g. if malware imitates a screen reader). But if such a rule is configured once, you should be able to leave the self-defense (and HIPS) enabled and use ESS without problems with a screen reader.

As for HIPS interactive mode, it could also be difficult, as the interactive mode will block some actions of the screen reader and ask the user what to do. Probably it could be solved by creating the necessary rules for the screen reader, but apart from that I wouldn't recommend the interactive mode anyway, as it will cause really many questions. If you still like to control your system you can enable the Smart mode, which will only trigger on suspicious events.

Sounds are currently played very rarely, but in situations where a threat is found or an on-demand scan is finished they are there. However, an option to expand these sounds may indeed be useful.
agasoft (0) Posted March 26, 2015 (edited)

Maybe we can navigate with the keyboard, but it's not useful for us. If you remember, the option to disable the graphical interface existed in installations until version 5, I think. I was not able to find where to add a rule specific to the self-defence. I understand that it's doing its job. A firewall exception is needed, for the screen reader updates and some internet remote actions. The HIPS rules editor is not so complex to use; I am an advanced enough user to handle it, as long as the screen reader reads everything to me and I can navigate with the keyboard. I added all the .exe and .dll files the screen reader depends on, but I still get blocks in interactive mode. Malware cannot imitate the screen reader if ESET adds file signatures to the rules. Every screen reader file has a valid digital company signature, and I think it will be hard for malware to take it off. HIPS interactive mode is really something; it's why I came back to ESET. Honestly, I am an Outpost firewall fan, and its HIPS works as I expected. Really many questions, yes, but just once, at the beginning. I set the firewall to interactive too, and it's working in ESET as expected. I am just curious which firewall engine ESET is using, if you know? Fake, sounds are not played when a threat is found in the real-time protection module, which I also set to interactive. No antivirus will be my boss, and I won't be a slave; I like to take control of everything.

Edited March 26, 2015 by agasoft
rugk (397) Posted March 26, 2015

I don't know exactly about the installations, but did you use the live installer or the offline installer? The offline installer has more options and it could be that such an option is there too.

In automatic firewall mode this communication should automatically be allowed. As long as there is no incoming communication it should work fine.

Okay, if they can verify the authenticity of the screen reader then it could be possible.

Like I said, I wouldn't use HIPS interactive mode. And if you exclude every EXE and DLL file, then the automatic (or smart) mode without these rules may be even more secure. Personally I like the smart mode quite well.

About the Outpost firewall: if you'd like to use it you can, of course. However, I would strongly recommend only leaving one firewall enabled.
agasoft (0) Posted March 26, 2015

Sure, I don't use Outpost firewall together with ESET; I just mentioned Outpost as a working HIPS example. I like that I can use the ESET HIPS in the same way. In Outpost there is an option to exclude something just from the self-defence module, and it works perfectly there. I think that ESS is better than Outpost Security Suite, because their antivirus is not so strong. I want to use ESS again, but currently I cannot find a way to set HIPS as I need. Also, I would recommend one more feature for ESET Smart Security: an ad blocker. In Outpost, all ads are blocked, and I think that ESS deserves such useful protection.
rugk (397) Posted March 28, 2015

No, please no adblocker. That's not a kind of protection... It protects you from such malicious apps? There are plenty of other nice and free adblockers available online. So just choose your favourite one and use it. ESS doesn't need an adblocker. That would just bloat the product.
agasoft (0) Posted March 28, 2015

I respect your thoughts. However, don't forget that some ads are really malicious. Finally, according to your logic, ESET should continue with antivirus only, because there exist a bunch of standalone firewalls, HIPS, antispam, and so on...
rugk (397) Posted March 28, 2015

No, if ads are really malicious then drive-by downloads or similar things from these ads should be blocked by ESET correctly. HIPS, firewalls and co. are other things. They are really protecting the user from threats or malware. So this is the difference, not that there are many other tools for it.
SCR (Most Valued Members, 195) Posted March 28, 2015

> I respect your thoughts. However, don't forget that some ads are really malicious. Finally, according to your logic, ESET should continue with antivirus only, because there exist a bunch of standalone firewalls, HIPS, antispam, and so on...

The Ad Block thing comes up about once a month. See posts #407 and #408 for the most recent: https://forum.eset.com/topic/51-future-changes-to-eset-smart-security/page-21
cutting_edgetech (ESET Insiders, 25) Posted April 4, 2015 (edited)

The HIPS needs to be made more configurable. I think the user should be able to select their applications from a list, and choose what permissions their applications have. Also make better use of whitelisting for harmless system executions. I tried using interactive and policy-based mode. Interactive mode is unusable without better whitelisting. I was prompted to death. I could not use my computer for anything due to answering prompts the entire time I was on my computer. I used my computer in learning mode while running all my applications, and booted in learning mode several times. I then tried using policy-based mode, and the HIPS still blocked some of my applications even though I used those applications while in learning mode. The HIPS did not give me any option to allow them by prompt, so the HIPS behaved more like an anti-executable in policy-based mode. Automatic mode with rules, and Smart Mode are the only modes that I have found usable. I have never received any prompt from either mode though, so it's not like any HIPS I have ever used.

Edited April 4, 2015 by cutting_edgetech
rugk (397) Posted April 6, 2015 (edited)

> The HIPS needs to be made more configurable. I think the user should be able to select their applications from a list, and choose what permissions their applications have.

It's already there. Just click on "configure HIPS" and you'll get a huge rules editor where you can add very specific rules.

> Interactive mode is unusable without better whitelisting. I was prompted to death. I could not use my computer for anything due to answering prompts the entire time I was on my computer.

Yes, that's expected. But nobody forces you to use the interactive mode. And if you create some rules (e.g. with the learning mode like you did) then you get fewer prompts.

> I then tried using policy-based mode, and the HIPS still blocked some of my applications even though I used those applications while in learning mode.

If a rule was correctly created then it shouldn't be blocked. If it still is, then it surely wasn't created correctly, or only a similar rule was created which doesn't cover the actions the application did later. For troubleshooting this we would need to know the exact application, HIPS rule(s) and more information about how you

> The HIPS did not give me any option to allow them by prompt, so the HIPS behaved more like an anti-executable in policy-based mode. I have never received any prompt from either mode though, so it's not like any HIPS I have ever used.

Yes, this is expected in the policy-based mode. In this mode HIPS only applies the rules and blocks every other action. And again, if you want to receive a prompt you have to use the interactive mode, of course.

> Automatic mode with rules, and Smart Mode are the only modes that I have found usable.

Great, so you found the mode(s) which fit you. That's the sense of these modes. Use the one you like. And as you complained about the crowd of messages from interactive mode, I would have recommended the Smart mode anyway. There you have a huge "whitelist", so you will only be prompted for very suspicious actions.

Edited April 6, 2015 by rugk
cutting_edgetech (ESET Insiders, 25) Posted April 8, 2015

Rug, I can't get this forum to allow me to multiquote you to specifically address each one of your responses. I'm not sure why. I just tried multiple times, and lost my post for all my trouble. I'm so tired of losing my posts on this forum. I multiquote on other forums all the time without any problems. If someone could tell me how, I would appreciate it. The multiquote button is not working. It's like it is not giving me the option since you already multiquoted me.
cutting_edgetech (ESET Insiders, 25) Posted April 8, 2015 (edited)

> The HIPS needs to be made more configurable. I think the user should be able to select their applications from a list, and choose what permissions their applications have.
>
> It's already there. Just click on "configure HIPS" and you'll get a huge rules editor where you can add very specific rules.

Thank you! I had already looked at that, and overlooked the tab for the source application. I just hope they continue to add more options on what to monitor, like physical memory access, remote code, remote data modification, use of the DNS API, keyboard access, etc.

> Interactive mode is unusable without better whitelisting. I was prompted to death. I could not use my computer for anything due to answering prompts the entire time I was on my computer.
>
> Yes, that's expected. But nobody forces you to use the interactive mode. And if you create some rules (e.g. with the learning mode like you did) then you get fewer prompts.

That's the whole point I made though. Learning Mode did not do anything to eliminate the prompts. I used learning mode for about 1 1/2 hours, and ran all my applications while in learning mode. I also used learning mode while rebooting 3 times. I received 15 minutes of non-stop prompts before I had to give up trying to use interactive mode. I actually clicked the allow button for 15 straight minutes. Interactive mode was useless on my system. That's why I say they need to use whitelisting with interactive mode to make it more usable.

> I then tried using policy-based mode, and the HIPS still blocked some of my applications even though I used those applications while in learning mode.
>
> If a rule was correctly created then it shouldn't be blocked. If it still is, then it surely wasn't created correctly, or only a similar rule was created which doesn't cover the actions the application did later. For troubleshooting this we would need to know the exact application, HIPS rule(s) and more information about how you

If the rules were not created correctly then it was not due to any error on my part. I used learning mode to create the rules. I did not make a list of the applications that were being blocked in policy-based mode, but I do remember Tor Browser being one of them. I ran all the applications that were being blocked in learning mode multiple times. Policy Mode behaved more like an AE than a HIPS. Policy Mode would have been great if it prompted me for an action instead of blocking the application.

> The HIPS did not give me any option to allow them by prompt, so the HIPS behaved more like an anti-executable in policy-based mode. I have never received any prompt from either mode though, so it's not like any HIPS I have ever used.
>
> Yes, this is expected in the policy-based mode. In this mode HIPS only applies the rules and blocks every other action. And again, if you want to receive a prompt you have to use the interactive mode, of course.

Well, I just responded to this one above.

> Automatic mode with rules, and Smart Mode are the only modes that I have found usable.
>
> Great, so you found the mode(s) which fit you. That's the sense of these modes. Use the one you like. And as you complained about the crowd of messages from interactive mode, I would have recommended the Smart mode anyway. There you have a huge "whitelist", so you will only be prompted for very suspicious actions.

Smart Mode is actually not the mode that fits me. It does not provide the leak protection I am looking for. Smart Mode is the only mode I found usable other than Automatic Mode With Rules.

Edited April 8, 2015 by cutting_edgetech
toxinon12345 (ESET Insiders, 32) Posted April 15, 2015 (edited)

Add to wishlist: performance enhancements to emulation. I noticed that when scanning a UPX-packed icon resource library, it needs to unpack that section too... but when I removed the icons/bitmaps from the DLL, then UPXed and scanned it, all was OK again.

Edited April 15, 2015 by toxinon12345
cutting_edgetech (ESET Insiders, 25) Posted April 19, 2015

Please give the option to log only dropped/blocked packets per application.
rugk (397) Posted April 19, 2015

@cutting_edgetech If you have a firewall rule you can enable logging for it. So if it's a firewall rule which blocks the communication for an application, then you should get such logs.
cutting_edgetech (ESET Insiders, 25) Posted April 19, 2015

I think you misunderstand my request. I'm requesting an option to log all dropped/blocked packets per application that violate any packet filter rule that comes preset with ESS. Many rules come by default. I don't want to just log blocked packets for a rule I have created. The only option currently is to log all traffic for an application. Logging allowed traffic fills up the log file, and makes it hard to find what I'm looking for. It probably also makes ESS a little heavier on the system.
rugk (397) Posted April 19, 2015

Ahh okay, do you mean IDS? Or just the pre-defined firewall rules?
cutting_edgetech (ESET Insiders, 25) Posted April 19, 2015

Any predefined rule, including IDS.
Navara (2) Posted May 1, 2015

Description: Improve UI for ESET advanced configuration
Detail: The advanced configuration UX is seriously lacking. To give a specific example: when setting rules for applications I have to browse them all one by one to find the one I'm looking for; there is no filtering. Nor can I select and delete several of them at once; again I have to go one by one.
Navara (2) Posted May 1, 2015

Description: Directory / RegExp based rules for applications
Detail: Games from Blizzard enjoy providing executables in directories with their version numbers in the path. That makes ESET pop up a window asking to allow Battle.net Update Agent (and game-specific executables) to connect to the internet every time they update them. And they update them frequently. For Diablo 3 I got about 50 firewall rules (49 being obsolete, btw). So I would like to be able to say

H:\games\Battle.net\Battle.net.[0-9]*\Battle.net.exe
C:\ProgramData\Battle.net\Agent\Agent.beta.[0-9]*\Agent.exe

are OK, or...

H:\games\Battle.net\*
C:\ProgramData\Battle.net\Agent\*

are OK, instead of 50 individual rules like

H:\games\Battle.net\Battle.net.4269\Battle.net.exe
C:\ProgramData\Battle.net\Agent\Agent.beta.2737\Agent.exe
rugk (397) Posted May 1, 2015

> That makes ESET pop up a window asking to allow Battle.net Update Agent (and game-specific executables) to connect to the internet every time they update them.

Even if the file stayed in the same directory and was just replaced, you would get a notification from ESS every time the file was changed. This happens because otherwise malware could just replace a file which it believes has an allow firewall rule, and would be able to communicate without permission.
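The pattern rules Navara proposes and the re-prompt-on-change behaviour rugk describes, as an added Python example that is not ESET's code: the wildcard semantics, the `Rule` class, the `decide` and `consolidate` helpers and the sample paths are all assumptions constructed for illustration.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Optional


def compile_rule(pattern: str) -> re.Pattern:
    """Translate the wildcard syntax proposed in the thread into a regex.
    Assumed semantics: '*' matches within a single path component, a pattern
    ending in '\\*' covers the whole subtree, '[...]' is a character class and
    everything else is literal. Windows paths compare case-insensitively."""
    subtree = pattern.endswith("\\*")
    if subtree:
        pattern = pattern[:-2]
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "*":
            out.append(r"[^\\]*")            # never crosses a directory boundary
        elif ch == "[":
            j = pattern.index("]", i)        # ValueError on an unclosed class
            out.append(pattern[i:j + 1])
            i = j
        else:
            out.append(re.escape(ch))
        i += 1
    if subtree:
        out.append(r"\\.+")                  # separator plus anything below it
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)


@dataclass
class Rule:
    pattern: str
    action: str = "allow"
    sha256: Optional[str] = None             # optional binding to the file's contents
    regex: re.Pattern = field(init=False, repr=False)

    def __post_init__(self):
        self.regex = compile_rule(self.pattern)


def decide(rules, path: str, file_bytes: bytes) -> str:
    """First matching rule wins. A rule bound to a hash falls back to 'prompt'
    when the file on disk changed, which is the trade-off rugk points out:
    a path-only rule would silently keep allowing a replaced binary."""
    digest = hashlib.sha256(file_bytes).hexdigest()
    for r in rules:
        if r.regex.match(path):
            if r.sha256 is not None and r.sha256 != digest:
                return "prompt"
            return r.action
    return "prompt"


def consolidate(paths, pattern: str):
    """Split per-version rule paths into those one pattern rule would cover
    (obsolete once it exists) and those still needing their own rule."""
    rx = compile_rule(pattern)
    covered = [p for p in paths if rx.match(p)]
    return covered, [p for p in paths if p not in covered]


# Constructed sample data: the ~50 per-version rules the thread describes.
OLD_RULES = [rf"H:\games\Battle.net\Battle.net.{v}\Battle.net.exe" for v in range(4220, 4270)]
PATTERN_RULE = Rule(r"H:\games\Battle.net\Battle.net.[0-9]*\Battle.net.exe")
AGENT_V1 = b"constructed Agent.exe contents, version 1"
AGENT_RULE = Rule(r"C:\ProgramData\Battle.net\Agent\Agent.beta.[0-9]*\Agent.exe",
                  sha256=hashlib.sha256(AGENT_V1).hexdigest())
```

Running `consolidate(OLD_RULES, PATTERN_RULE.pattern)` collapses all 50 paths into the single pattern rule, while `decide` on the agent path returns "allow" for the bound file and "prompt" once its bytes change.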