Aryeh Goretsky

Future changes to ESET Internet Security and ESET Smart Security Premium


 

Description: Default Deny

Detail: Incorporate a default deny for people wanting rock hard protection. (EX: Kaspersky Trusted Application Mode and Avast Hardened Mode Aggressive).

 

Deny where? It appears only in interactive mode of firewall and HIPS but selecting Deny automatically would not only render interactive mode useless but would also cause too many troubles if every action/communication was denied without asking the user.

 

 

The rules say "allow on failure"... I think what mar122999 meant is that "block on failure" is more secure?


This: https://forum.eset.com/topic/51-future-changes-to-eset-smart-security/page-14#entry17761

 

Also: Let us enter DNS addresses for rules (remote DNS address and also let us add DNS addresses to zones)

Also: When a fw pop-up appears, let me copy the information in this window (e.g. the IP address). Right now I can't mark & copy anything in the notification window

Also: Add Windows Update rule to the standard rule set of svchost.exe (port 80 & 443 and maybe restrict it to Microsoft update servers only)

Also: Add spoolsv.exe standard rules

Also: Add rundll32.exe standard rules

Also: Let us search within the rule editor... e.g for filenames

 

Update: 

Make this a standard rule? https://forum.eset.com/topic/3701-block-pua-inside-installers-from-nero-burning-rom-orbit-downloader-imgburn-dvdvideosoft-install-them-without-opencandy/

Also: https://forum.eset.com/topic/3437-poodle-attack-security-flaw-in-ssl-v3-eset-blocking/

Edited by Utini


 

 

I am referring to the antivirus part of ESET. All files will be checked against a whitelist (maybe through Live Grid). If the file is unknown, not certified...whatever, then the file is blocked.


Yes, you already said this. :D

 

Also: Let us enter DNS addresses for rules (remote DNS address and also let us add DNS addresses to zones)

This could be an idea, but it can even be very bad if the DNS server is compromised or there is a kind of "DNS server malware" on your computer which redirected all DNS queries to a fake/another/bad/... DNS server.

So using IP addresses there is more secure.

Also: When a fw pop-up appears, let me copy the information in this window (e.g. the IP address). Right now I can't mark & copy anything in the notification window

Yes, great idea. I think you mean something like I described in post #149 in this topic.

 

Well, maybe this can be an idea. Although svchost.exe of course does much more than just Windows updates.

 

What rules? Do you mean the firewall rules?

I think it's quite good if not too many rules are created by default...

 

Yes, that's a great idea!

A search function would make it much easier if you want to find specific rules.

 

Thanks! :D

But also have a look at my update I added there. So you can make ESET already detect OpenCandy.

 

Thanks too! :D

I also think this could be a good idea. That's why I made the post. :)


I am referring to the antivirus part of ESET. All files will be checked against a whitelist (maybe through Live Grid). If the file is unknown, not certified...whatever, then the file is blocked.

Okay, this has nearly nothing to do with "default deny", but I think this is what you may think of:

Description: Live Grid execution blocker unless file is known safe.


 

 

Allowing to add DNS is the only real way to e.g. allow Windows Update servers for svchost.exe. Their server IPs change daily so I would need to add update.microsoft.com as "allowed".

Yep, svchost.exe does a lot... one is Windows Update and it should be allowed ;-)

Well, either allow or deny rules... whatever is safe for those files. I don't know what is safe but get asked by ESET ;P


 

Also please add default rules or a description for the following Windows files:

 

So far, I have noticed that the following processes all want to make regular connections:
Host Process for Windows Services (svchost.exe)
Host Process for Setting Synchronization (SettingSyncHost.exe)
User Account Control Panel Host (UserAccountBroker.exe)
Windows Explorer (explorer.exe)
Windows Host Process (rundll32.exe)
Store Broker (WSHost.exe)
Windows Driver Foundation - User-mode Driver Framework Host Process (WUDFHost.exe)
Device Association Framework Provider Host (dasHost.exe)
Host Process for Windows Tasks (taskhost.exe)
 
For example, right now I am worried about WSHost.exe because I don't even use the Windows Store and still it wants to send data to Microsoft?


 

 

Also: Let us sort rules in the rule editor up and down. I am curious in which way the rules get requested anyway, like first rule first, then second, then third, ... until the needed rule was found? If that is the case let us sort the rules so we can sort the most used rules first in the rule editor.


Decent suggestion you made, but could you please avoid full-quotes.

You don't have to repeat every time what you said. :)


 

Thanks, I guess they come from the usage of different security products for a long time together with knowledge of malware/trojans/password stealer/etc. :)

 

Alright, I just don't want my suggestions to be lost and forgotten ;P


 

There's an internal logic that evaluates rules. E.g. blocking rules are stronger than allowing rules and more specific rules (e.g. bound to a port or IP address) take precedence over general rules. This will change in v9 where rules will be evaluated in the order they appear in the list like it works in the recently released ESET Endpoint Security v6 for business users.

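The two evaluation models described in the post above, as an added example that is not part of the thread and not ESET's code: a simplified rule matcher in which the precedence tie-break (most specific rule first, then block over allow), the "ask" default and all rule names are assumptions. It shows one rule list giving different verdicts once list order decides, and reports rules that an earlier, broader rule makes unreachable.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                    # "allow" or "block"
    app: str                       # executable name, "*" = any application
    remote: Optional[str] = None   # CIDR network, None = any remote address
    port: Optional[int] = None     # remote port, None = any port

    def matches(self, app, ip, port):
        return (self.app in ("*", app)
                and (self.remote is None
                     or ip_address(ip) in ip_network(self.remote))
                and (self.port is None or self.port == port))

    def specificity(self):
        # Count of fields that narrow the rule (assumed measure of "specific").
        return (self.app != "*") + (self.remote is not None) + (self.port is not None)

    def covers(self, other):
        """True if every connection `other` matches is also matched by self."""
        return (self.app in ("*", other.app)
                and (self.remote is None
                     or (other.remote is not None
                         and ip_network(other.remote).subnet_of(ip_network(self.remote))))
                and (self.port is None or self.port == other.port))


def evaluate_by_precedence(rules, app, ip, port, default="ask"):
    """Older model: specific beats general, block beats allow on a tie."""
    hits = [r for r in rules if r.matches(app, ip, port)]
    if not hits:
        return default
    best = max(hits, key=lambda r: (r.specificity(), r.action == "block"))
    return best.action


def evaluate_in_order(rules, app, ip, port, default="ask"):
    """List-order model: the first matching rule decides."""
    for r in rules:
        if r.matches(app, ip, port):
            return r.action
    return default


def shadowed(rules):
    """(later, earlier) pairs where `later` can never fire in list order."""
    return [(later.name, earlier.name)
            for i, later in enumerate(rules)
            for earlier in rules[:i]
            if earlier.covers(later)]


# Constructed rule set: svchost.exe limited to ports 80/443, everything else blocked.
RULES = [
    Rule("svchost-block-rest", "block", "svchost.exe"),
    Rule("svchost-http", "allow", "svchost.exe", port=80),
    Rule("svchost-https", "allow", "svchost.exe", port=443),
]
# Same rules with the specific allows moved above the general block.
REORDERED = RULES[1:] + RULES[:1]

if __name__ == "__main__":
    conn = ("svchost.exe", "203.0.113.10", 443)   # documentation address
    print("precedence:", evaluate_by_precedence(RULES, *conn))
    print("in order  :", evaluate_in_order(RULES, *conn))
    print("shadowed  :", shadowed(RULES))
    print("reordered :", evaluate_in_order(REORDERED, *conn))
```

Running `shadowed()` over an exported rule list before switching to list-order evaluation shows which specific rules need to move above a general one.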

 


 

You are worrying that programs you install may call "home", but you don't worry that the OS (Windows) might call home to MS once in a while? Well, WSHost.exe is part of the OS and a lot in the OS wants to connect to MS, but that doesn't mean you have to allow everything that's part of the OS to connect out; you can even block stuff from connecting out without breaking the OS. If you Google around you can find more info about what is essential to be allowed and what isn't.

IMO you are just making this harder for yourself; the pre-set rules that are in place today should be enough out of the box, or else I assume ESET would have added rules for the ones in your list already if they are that essential. I think it is better to have a small pre-defined set out of the box like today, and users that want to add more rules can do so afterwards if they like, so no one has to spend time removing rules that they don't want right after install. The pre-defined rules are fine, and the Automatic mode will do the rest once users start using the computer.

 

Again, there is a reason why Automatic mode is the default....


 

 

I know that you can block some stuff without breaking anything. And obviously I googled every one of those files and what other people recommend. A lot seem to make "useless" connections (e.g. feedsync when you don't use it, or Windows Store).

Besides that: there should be a rule set which lets you use Windows out of the box with interactive mode without much configuration being needed. For everything non-Windows related you need to worry on your own. But all the above files are originally from Windows and need configuration in interactive mode.


"But all the above files are originally from Windows and need configuration in interactive mode."

 

No, they don't "need" to be configured in interactive mode at all.

That is totally your choice, you chose to do it that way. But you don't have to.

 

How do you think rules are created for all those users that use Automatic mode? Probably 95%+ of the users.

 

Rules for those examples above would have been taken care of automatically in automatic mode, or else every single user would pop up in the forum and ask what they can allow and what they should block. And why the product is so annoying.

 

We don't need to have pre-defined rules for everything OS related out of the box except for stuff that is absolutely necessary, as Automatic mode will create rules automatically when needed (also for connections to MS) when the user is using their computer.

Edited by SweX


 

Automatic mode creates rules in a way of "let EVERYTHING out but nothing in". That is not secure in my opinion. It is user friendly to home users but it is definitely not secure enough if you want to focus on privacy. Apps (especially Windows services/files) should be restricted to what they do. They should be allowed to connect to every port and every server. They should be allowed to use the 3 ports that they usually use and then connect to the Microsoft servers and that's it. Or do you want a trojan to inject in one of those files and connect to some random Chinese botnet server?

svchost is also a Windows standard process and it has pre-defined rules. Same with logonui.exe, services.exe and all the other system rules that are pre-defined. The above files are more files/services that should be added to the pre-defined rules, as they are just like everything that is pre-defined so far: out-of-the-box Windows files/processes that in automatic mode could do whatever they want. They are just as vulnerable as svchost.exe and need to be taken care of just like ESET did with svchost, winlogon, etc.


If a file is modified for which there is a rule created and if the firewall is in interactive mode, then you will see a question asking you whether you want to allow the connection with the modified version too.

And this refers to Windows files of course too.

So if a legitimate process is "injected" then you'll see a message about this when it is trying to connect to somewhere.

Edited by rugk


 

Of course... but first there has to be a rule for the file ;P a useful pre-defined rule for example :)


Description: Exclude a threat by the threat name

Details: I think it would be to have a possibility to exclude a threat by its name. Actually you can do this, but it will still only affect a specific file. I would like to exclude a threat for every file it is detected.

For example it would be great if I could exclude Win32/OpenCandy, because I already created some rules by myself so that this PUA will be blocked. And because it is already blocked I don't want ESET still to recognize it.

 

More information and some bug reports in this topic:

Small Bugs in ESET Smart Security + Suggestions


Description: ESS Anti-Theft should capture pictures of all available cameras (not only of one camera).

Detail: Especially Tablets or Convertibles now have more than one camera built-in. So if this is the case then ESS should take photos from all these cameras.

More details: Have a look at this topic: Select camera for anti-theft


 

Maybe also do screenshots with available cameras when a wrong password was entered at Windows logon / unlock? I once coded my own program for that purpose but I wished ESET could do that too ;)


Yeah great idea. Similar like it is already included in EMS! :)


What about a "suggestions" overview / database?

E.g. list all suggestions and how many people voted for it. And also which suggestions are in progress already? It would make everything easier and offer a better overview?


The must-have feature in ESET Smart Security is offline virus database update, because if the user doesn't have an internet connection he can still be protected by updating the antivirus by offline update, because you cannot get internet everywhere.

Many antivirus provide this facility and ESET should also provide it.


https://forum.eset.com/topic/3506-offline-update/
