
19 minutes ago, Marcos said:

You can exclude potentially unwanted and unsafe applications from detection by name.

No, for example: A threat has been detected (MSIL/blabla) when X tried to access X.

I just want to block the popup for the specific 'MSIL/blabla'.

If, for example, another threat (for example, MSIL/Blabla25) is detected, its popup will appear.

I don't know if you understand me :/


On 9/6/2017 at 8:05 PM, persian-boy said:

show that command line

Can we have this feature in the upcoming version? plsssss -.-
This is very important because I can't blindly allow a command line :|


4 hours ago, persian-boy said:

Can we have this feature in the upcoming version? plsssss -.-
This is very important because I can't blindly allow a command line :|

In the example of, let's say, a command shell executing PowerShell, cmd.exe starts up conhost.exe. Conhost.exe is the process that actually starts up powershell.exe. So creating a HIPS rule to monitor what conhost.exe starts up will give you the information you're seeking.


  • Most Valued Members

Could we have an "ignore once" option for potentially unwanted applications? Often I will install stuff that might contain extras, e.g. in the installer, and ESET will pop up and let me know I'm installing a potentially unwanted application. I've noticed that Malwarebytes has an option to ignore it once, e.g. you want to test it but might remove it fully later.


  • Administrators
38 minutes ago, peteyt said:

Could we have an "ignore once" option for potentially unwanted applications? Often I will install stuff that might contain extras, e.g. in the installer, and ESET will pop up and let me know I'm installing a potentially unwanted application. I've noticed that Malwarebytes has an option to ignore it once, e.g. you want to test it but might remove it fully later.

Unfold advanced options in the yellow alert window, check "Exclude from detection" and click "No action".


  • Most Valued Members
1 hour ago, Marcos said:

Unfold advanced options in the yellow alert window, check "Exclude from detection" and click "No action".

I do not see "No action" when installing a potentially unwanted application; I think "No action" appears after a scan. After pressing Ignore I get a window about access to the specific file. I either have to exclude it, which would exclude it for good I presume, or disable the protection temporarily. Malwarebytes comes up with "Ignore" or "Ignore once", which is helpful.


Hi Itman, HIPS in interactive mode will alert about conhost by default.
But that's not what I want... if you noticed, the new VoodooShield can monitor commands; I mean something like that!
Your way doesn't work for me.

ESET, please add this feature, and also add sorting of the HIPS rules list by directory and a purge button for non-existing rules in the HIPS rules list to your to-do list.


Can ESET force the HIPS to work like an anti-EXE? I tried a lot of samples with HIPS in interactive mode, but because the EXE file could run, the final system status is infected... the problem is HIPS won't react on execution.
Even with HIPS in interactive mode, the process will run (if ESET fails to detect it by signature or whatever it has) and it will remain in the process list, but it can't do anything malicious because HIPS alerts you.
Would be good if we let this HIPS jump on executable files :)


5 hours ago, persian-boy said:

Can ESET force the HIPS to work like an anti-EXE? I tried a lot of samples with HIPS in interactive mode, but because the EXE file could run, the final system status is infected... the problem is HIPS won't react on execution.
Even with HIPS in interactive mode, the process will run (if ESET fails to detect it by signature or whatever it has) and it will remain in the process list, but it can't do anything malicious because HIPS alerts you.
Would be good if we let this HIPS jump on executable files :)

You will need to show an example of an .exe that ESET HIPS did not detect running in Interactive mode. The only way I know that could occur is if you inadvertently created an allow rule while running in Training mode, or by manual creation.

One possibility, for example, is that an allow rule was created for a process to start another process. If the allow rule did not specifically state which process startup was allowed, then ESET will allow any child process startup from the parent process.

Edited by itman
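The two points itman makes (the cmd.exe / conhost.exe launch chain earlier in the thread, and here the fact that a parent-only allow rule silently covers every child the parent spawns) can both be checked from an elevated PowerShell before you answer a HIPS prompt. The script below is an added example written for this page; it is not ESET's code and does not read ESET's rules. It only uses the Win32_Process CIM class (ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine, CreationDate); the image names 'explorer.exe' and 'conhost.exe' in the usage lines are just illustrative parents to look at.

```powershell
# Added example (not ESET's code): reconstruct the launch chain behind a process,
# with command lines, so an allow/deny decision is not made blind.
# Windows PowerShell 3+ or PowerShell 7 on Windows. Run elevated to see the
# CommandLine/ExecutablePath of processes owned by other users.

function Get-ProcessSnapshot {
    # One consistent snapshot of every process, keyed by PID (cast to [int] so
    # hashtable lookups match: Win32_Process reports PIDs as UInt32).
    $snap = @{}
    Get-CimInstance -ClassName Win32_Process | ForEach-Object { $snap[[int]$_.ProcessId] = $_ }
    return $snap
}

function Get-ProcessAncestry {
    # Walk child -> parent -> grandparent ... and return one row per hop.
    param(
        [Parameter(Mandatory)][int]$ProcessId,
        [hashtable]$Snapshot = (Get-ProcessSnapshot),
        [int]$MaxDepth = 16
    )
    $rows = @()
    $cur  = $ProcessId
    for ($depth = 0; $depth -lt $MaxDepth; $depth++) {
        $p = $Snapshot[$cur]
        if (-not $p) { break }
        $rows += [pscustomobject]@{
            Depth       = $depth
            ProcessId   = $p.ProcessId
            Name        = $p.Name
            Path        = $p.ExecutablePath   # $null for protected/system processes
            CommandLine = $p.CommandLine      # $null when not readable from this token
            Created     = $p.CreationDate
        }
        $parent = $Snapshot[[int]$p.ParentProcessId]
        # ParentProcessId is just a number. If the real parent has already exited,
        # the PID may have been reused by an unrelated, newer process. A genuine
        # parent is always older than its child, so stop when that does not hold.
        if (-not $parent -or $parent.CreationDate -gt $p.CreationDate) { break }
        $cur = [int]$parent.ProcessId
    }
    return $rows
}

function Get-ChildProcessesOf {
    # Everything currently running that was spawned directly by a given image name.
    # This is the set a parent-only HIPS allow rule would have let through.
    param(
        [Parameter(Mandatory)][string]$ParentName,   # e.g. 'explorer.exe', 'conhost.exe'
        [hashtable]$Snapshot = (Get-ProcessSnapshot)
    )
    $parentIds = @($Snapshot.Values | Where-Object { $_.Name -ieq $ParentName } |
                   ForEach-Object { [int]$_.ProcessId })
    $Snapshot.Values |
        Where-Object { $parentIds -contains [int]$_.ParentProcessId } |
        Select-Object @{n='Parent';e={$ParentName}}, ProcessId, Name, CommandLine, CreationDate |
        Sort-Object CreationDate
}

# Usage: first the shell you are typing into (who launched it, with what command
# line), then everything explorer.exe has started in this session.
$snap = Get-ProcessSnapshot
Get-ProcessAncestry -ProcessId $PID -Snapshot $snap |
    Format-Table Depth, Name, ProcessId, CommandLine -AutoSize
Get-ChildProcessesOf -ParentName 'explorer.exe' -Snapshot $snap | Format-Table -AutoSize
```

Take the snapshot once and pass it to both functions, as the usage lines do, so the ancestry walk and the child listing describe the same moment. If a HIPS prompt names a parent like conhost.exe or explorer.exe, run the second function against that name: whatever it lists is what a rule that allows "any child of this process" is going to allow next time.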

You are right, sorry, my bad :-)
I had an allow rule for EXPLORER.exe; that's why it didn't react. I just tweaked the rules manually and everything is working nicely.
I trained the HIPS in learning mode for 3 days and after that removed every rule that I thought was dangerous, but forgot to tweak the rules for EXPLORER.exe.
Thanks to ESET for this HIPS module :D
Still waiting to see the new features like a purge button for the HIPS list and sorting the rules based on directory.

Edited by persian-boy

What about a sandbox? I guess it is much more important than Anti-Theft -_- I'm still waiting to see a purge button for non-existing rules in both HIPS and firewall.
Also showing the command line when HIPS alerts for cmd! And provide a way to submit FPs from the GUI, not email :|
Also an option to let us sort the rules based on directory.

Edited by persian-boy

17 minutes ago, persian-boy said:

What about a sandbox? I guess it is much more important than Anti-Theft -_- I'm still waiting to see a purge button for non-existing rules in both HIPS and firewall.
Also showing the command line when HIPS alerts for cmd! And provide a way to submit FPs from the GUI, not email :|
Also an option to let us sort the rules based on directory.

ESET has a sandbox, but we just can't access it. But I agree with you; I want to manage apps in a sandbox.


On 10/1/2017 at 8:21 AM, persian-boy said:

You are right, sorry, my bad :-)
I had an allow rule for EXPLORER.exe; that's why it didn't react. I just tweaked the rules manually and everything is working nicely.
I trained the HIPS in learning mode for 3 days and after that removed every rule that I thought was dangerous, but forgot to tweak the rules for EXPLORER.exe.
Thanks to ESET for this HIPS module :D
Still waiting to see the new features like a purge button for the HIPS list and sorting the rules based on directory.

I thought I fixed it... but the same issue exists.
Example: download Farbar Recovery Scan Tool and run it! Then you will see HIPS won't alert on execution.


57 minutes ago, persian-boy said:

Example: download Farbar Recovery Scan Tool and run it! Then you will see HIPS won't alert on execution.

I have run Farbar in the past, and ESET HIPS in Auto or Safe mode will not alert because it's a safe app.

Are you saying that the HIPS in Interactive or Policy mode is not throwing an alert at Farbar startup time?


No, I'm running it in interactive mode and it won't alert for the EXE file, but I found (just 20 min ago) how to make it work.
I will create an article, and you're gonna learn something cool :D


I would like to be able to sort, filter, resize, export to text... pretty much any table that the ESET GUI uses. It causes me almost physical pain to use them currently, with reflexes forcing me to avoid touching them at almost all costs. That might be a cool way to prevent users from messing with the app, but it is terrible for finding / verifying / reporting any app's misbehaviour.

Firewall rules are the best example of terrible UX. Please hire a UX specialist and fix that.


Where you show an IP, and mostly in pop-up dialogs, include a link to whois information. How shall I make a quick, semi-qualified decision on an allow/deny question when I don't have the tools / information for it and all I see is an IP number? I can run PuTTY to one of my servers and do a whois / GeoIP query, but that should be available in ESET already.


Description: [New Feature] Firewall rules last triggered/used
Detail: [Context: using Firewall in interactive mode] Keep the last date and time a firewall rule has been triggered, and display it in the rules list window, to be able to sort by this date.
Why? Because during the computer's/Windows' life, programs are installed, uninstalled and moved, and many rules become obsolete and useless. And this is more visible with the Windows 10 Store, because each new software version is a new exe and so a new rule.
If we can easily find old rules not triggered for a while, we could delete them to clean up the rules list (and probably improve the speed of the FW).

In addition, a new related feature:

Description: [New Feature] Delete FW rules automatically if not triggered for XX days
Detail: [Context: using Firewall in interactive mode] Add a configuration in the FW that can be activated and sets the number of days before a rule that has not been triggered is deleted automatically:
- Enable auto-cleanup rules: True/False
- [If enabled] Delete rules if not triggered after [ 90 ] days

Thank you

Edited by Mahoneko

On 10/8/2017 at 4:31 PM, persian-boy said:

I thought I fixed it... but the same issue exists.
Example: download Farbar Recovery Scan Tool and run it! Then you will see HIPS won't alert on execution.

I did some of my own testing in regards to this business about the HIPS not detecting Farbar activity. For starters, I set the HIPS to Interactive mode and then ran Farbar.

To begin with, Farbar will load and begin execution because you started it manually. However, the first attempt by Farbar to perform any activity the HIPS monitors for will cause an alert as shown by the below screen shot.

Now if you create a .bat script and run Farbar by execution of the script, you will receive a HIPS alert about the startup of Farbar. Likewise, malware doesn't magically run by itself. Something has to execute it. 

[Screenshot: Eset_Farbar.png, the HIPS alert mentioned above]


Thanks for the test, Itman :-) I guess you are right, and ESET won't react on execution because I started the file manually; I missed this part of the story.
BTW, good to see HIPS can catch the child process :giggle: ^_^

Edited by persian-boy

18 minutes ago, persian-boy said:

Thanks for the test, Itman :-) I guess you are right, and ESET won't react on execution because I started the file manually; I missed this part of the story.

As far as anti-exec processing, there is one built into Win 10: native SmartScreen. I have tested with a couple of unknown-reputation files and each time got an alert from it when they tried to run. ESET let the files run without issue. Neither file was malicious, but I prefer an option to disallow execution in this instance.

The downside is native SmartScreen relies on "The Mark of the Web" remaining associated with the downloaded file. There are ways to "strip that off" of a download.

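itman's caveat above is the one to test yourself: native SmartScreen only steps in while the Mark of the Web is still attached to the downloaded file, and that mark is nothing more than an NTFS alternate data stream named Zone.Identifier. The script below is an added example written for this page, not ESET's or Microsoft's code. It reads, re-creates and strips that stream with stock cmdlets (Get-Content/Set-Content/Remove-Item with -Stream, and Unblock-File). It assumes an NTFS volume and Windows PowerShell 5 or later; the demo file name motw-demo.txt and the host URL https://example.invalid/download are constructed for the example.

```powershell
# Added example (not ESET's or Microsoft's code): read, apply and strip the Mark of
# the Web on an NTFS file. The mark is the Zone.Identifier alternate data stream;
# SmartScreen and the Attachment Execution Service act on ZoneId 3 (Internet) or
# 4 (Restricted). Needs NTFS: the stream does not survive a copy to FAT/exFAT.

function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)
    try {
        $raw = Get-Content -LiteralPath $Path -Stream Zone.Identifier -Raw -ErrorAction Stop
    } catch {
        return $null   # no stream at all: SmartScreen has nothing to consult
    }
    # The stream is INI-style text: [ZoneTransfer] then key=value lines.
    $kv = @{}
    foreach ($line in ($raw -split "`r?`n")) {
        if ($line -match '^\s*(\w+)\s*=\s*(.*?)\s*$') { $kv[$matches[1]] = $matches[2] }
    }
    $zone = $null
    if ($kv.ContainsKey('ZoneId')) { $zone = [int]$kv['ZoneId'] }
    [pscustomobject]@{
        Path        = $Path
        ZoneId      = $zone
        ReferrerUrl = $kv['ReferrerUrl']
        HostUrl     = $kv['HostUrl']
    }
}

function Set-MarkOfTheWeb {
    # Re-create what a browser writes on download (ZoneId 3 = Internet zone).
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$ZoneId = 3,
        [string]$HostUrl
    )
    $body = "[ZoneTransfer]`r`nZoneId=$ZoneId`r`n"
    if ($HostUrl) { $body += "HostUrl=$HostUrl`r`n" }
    Set-Content -LiteralPath $Path -Stream Zone.Identifier -Value $body -NoNewline
}

function Remove-MarkOfTheWeb {
    # Two stock ways the mark gets stripped; either one silences SmartScreen for the file.
    param([Parameter(Mandatory)][string]$Path, [switch]$UseUnblockFile)
    if ($UseUnblockFile) { Unblock-File -LiteralPath $Path }
    else { Remove-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue }
}

function Find-UnmarkedExecutables {
    # Defender's check: executable content in a download folder that carries no mark,
    # i.e. files SmartScreen will never be asked about.
    param([string]$Folder = (Join-Path $env:USERPROFILE 'Downloads'))
    Get-ChildItem -LiteralPath $Folder -File -Recurse -Include *.exe,*.dll,*.msi,*.ps1,*.js,*.vbs |
        Where-Object { -not (Get-MarkOfTheWeb -Path $_.FullName) } |
        Select-Object FullName, Length, LastWriteTime
}

# Demo on a constructed temp file (not a real download).
$tmp = Join-Path $env:TEMP 'motw-demo.txt'
Set-Content -LiteralPath $tmp -Value 'constructed sample'
Set-MarkOfTheWeb -Path $tmp -HostUrl 'https://example.invalid/download'
Get-MarkOfTheWeb -Path $tmp            # ZoneId 3 and the HostUrl just written
Remove-MarkOfTheWeb -Path $tmp
Get-MarkOfTheWeb -Path $tmp            # $null: mark gone, SmartScreen would stay silent
Remove-Item -LiteralPath $tmp
```

Run Find-UnmarkedExecutables against a Downloads folder after a day of normal use and compare with what the browser actually fetched: anything the browser wrote should still carry ZoneId=3, so an unmarked executable there either arrived by a path that never set the mark or had it removed. That gap is exactly the case where the SmartScreen prompt itman describes will not appear.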
