rugk 397 Posted April 6, 2015

> The HIPS needs to be made more configurable. I think the user should be able to select their applications from a list, and choose what permissions their applications have.

It's already there. Just click on "configure HIPS" and you'll get a huge rules editor where you can add very specific rules.

> Interactive mode is unusable without better whitelisting. I was prompted to death. I could not use my computer for anything due to answering prompts the entire time I was on my computer.

Yes, that's expected. But nobody forces you to use the interactive mode. And if you create some rules (e.g. with the learning mode like you did) then you get fewer prompts.

> I then tried using policy-based mode, and the HIPS still blocked some of my applications even though I used those applications while in learning mode.

If a rule was correctly created then it shouldn't be blocked. If it still is, then it surely wasn't created correctly, or only a similar rule was created which doesn't cover the actions the application did later. For troubleshooting this we would need to know the exact application, HIPS rule(s) and more information about how you

> The HIPS did not give me any option to allow them by prompt so the HIPS behaved more like an anti-executable in policy-based mode. I have never received any prompt from either mode though so it's not like any HIPS I have ever used.

Yes, this is expected in the policy-based mode. In this mode HIPS only applies the rules and blocks every other action. And again, if you want to receive a prompt you have to use the interactive mode of course.

> Automatic mode with rules, and Smart Mode are the only modes that I have found usable.

Great, so you found the mode(s) which fit you. That's the sense of these modes. Use the one you like. And as you complained about the crowd of messages from interactive mode I would have recommended the Smart mode to you anyway. There you have a huge "whitelist", so you will only be prompted for very suspicious actions.

Edited April 6, 2015 by rugk
ESET Insiders cutting_edgetech 25 Posted April 8, 2015

Rug, I can't get this forum to allow me to multiquote you to specifically address each one of your responses. I'm not sure why. I just tried multiple times, and lost my post for all my trouble. I'm so tired of losing my post on this forum. I multiquote on other forums all the time without any problems. If someone could tell me how I would appreciate it. The multiquote button is not working. It's like it is not giving me the option since you already multiquoted me.
ESET Insiders cutting_edgetech 25 Posted April 8, 2015

>> The HIPS needs to be made more configurable. I think the user should be able to select their applications from a list, and choose what permissions their applications have.

> It's already there. Just click on "configure HIPS" and you'll get a huge rules editor where you can add very specific rules.

Thank you! I had already looked at that, and overlooked the tab for the source application. I just hope they continue to add more options on what to monitor like physical memory access, remote code, remote data modification, use DNS API, keyboard access, etc.

>> Interactive mode is unusable without better whitelisting. I was prompted to death. I could not use my computer for anything due to answering prompts the entire time I was on my computer.

> Yes, that's expected. But nobody forces you to use the interactive mode. And if you create some rules (e.g. with the learning mode like you did) then you get fewer prompts.

That's the whole point I made though. Learning Mode did not do anything to eliminate the prompts. I used learning mode for about 1 1/2 hours, and ran all my applications while in learning mode. I also used learning mode while rebooting 3 times. I received 15 minutes of non-stop prompts before I had to give up trying to use interactive mode. I actually clicked the allow button for 15 straight minutes. Interactive mode was useless on my system. That's why I say they need to use whitelisting with interactive mode to make it more usable.

>> I then tried using policy-based mode, and the HIPS still blocked some of my applications even though I used those applications while in learning mode.

> If a rule was correctly created then it shouldn't be blocked. If it still is, then it surely wasn't created correctly, or only a similar rule was created which doesn't cover the actions the application did later. For troubleshooting this we would need to know the exact application, HIPS rule(s) and more information about how you

If the rules were not created correctly then it was not due to any error on my part. I used learning mode to create the rules. I did not make a list of the applications that were being blocked in policy based mode, but I do remember Tor Browser being one of them. I ran all the applications that were being blocked in learning mode multiple times. Policy Mode behaved more like an AE than a HIPS. Policy Mode would have been great if it prompted me for an action instead of blocking the application.

>> The HIPS did not give me any option to allow them by prompt so the HIPS behaved more like an anti-executable in policy-based mode. I have never received any prompt from either mode though so it's not like any HIPS I have ever used.

> Yes, this is expected in the policy-based mode. In this mode HIPS only applies the rules and blocks every other action. And again, if you want to receive a prompt you have to use the interactive mode of course.

Well, I just responded to this one above.

>> Automatic mode with rules, and Smart Mode are the only modes that I have found usable.

> Great, so you found the mode(s) which fit you. That's the sense of these modes. Use the one you like. And as you complained about the crowd of messages from interactive mode I would have recommended the Smart mode to you anyway. There you have a huge "whitelist", so you will only be prompted for very suspicious actions.

Smart Mode is actually not the Mode that fits me. It does not provide the leak protection I am looking for. Smart Mode is the only mode I found usable other than Automatic Mode With Rules.

Edited April 8, 2015 by cutting_edgetech
ESET Insiders toxinon12345 32 Posted April 15, 2015

Add to wishlist: Performance enhancements to Emulation

I noticed when scanning a UPX packed Icon Resource Library, it needs to unpack that section too... but when removed the icons/bitmaps from the DLL, then UPXed and scanned all is OK back again

Edited April 15, 2015 by toxinon12345
ESET Insiders cutting_edgetech 25 Posted April 19, 2015

Please give the option to log only dropped/blocked packets per application.
rugk 397 Posted April 19, 2015

@cutting_edgetech If you have a firewall rule you can enable logging for it. So if it's a firewall rule which blocks the communication for an application then you should get such logs.
ESET Insiders cutting_edgetech 25 Posted April 19, 2015

I think you misunderstand my request. I'm requesting an option to log all dropped/blocked packets per application that violates any packet filter rule that comes preset with ESS. Many rules come by default. I don't want to just log blocked packets for a rule I have created. The only option currently is to log all traffic for an application. Logging allowed traffic consumes the log file, and makes it hard to find what I'm looking for. It probably also makes ESS a little heavier on the system.
rugk 397 Posted April 19, 2015

Ahh okay, do you mean IDS? Or just the pre-defined firewall rules?
ESET Insiders cutting_edgetech 25 Posted April 19, 2015

Any predefined rule including IDS.
Navara 2 Posted May 1, 2015

Description: Improve UI for ESET advanced configuration

Detail: Advanced configuration UX is seriously lacking. To provide a specific example: when setting rules for applications I have to browse them all one-by-one to find the one I'm looking for, as there is no filtering. Or I cannot select and delete more of them at once; again I have to do it one-by-one.
Navara 2 Posted May 1, 2015

Description: Directory / RegExp based rules for applications

Detail: Games from Blizzard enjoy providing executables in directories with their version numbers in the path. That makes ESET pop up a window asking to allow Battle.net Update Agent (and game specific executables) to connect to the internet every time they update them. And they update them frequently. For Diablo3 I got like 50 firewall rules (49 being obsolete, btw).

So I would like to be able to say

H:\games\Battle.net\Battle.net.[0-9]\*Battle.net.exe
C:\ProgramData\Battle.net\Agent\Agent.beta.[0-9]*\Agent.exe

are OK, or...

H:\games\Battle.net\*
C:\ProgramData\Battle.net\Agent\*

are OK, instead of 50 individual rules like

H:\games\Battle.net\Battle.net.4269\Battle.net.exe
C:\ProgramData\Battle.net\Agent\Agent.beta.2737\Agent.exe
rugk 397 Posted May 1, 2015

> That makes ESET pop up a window asking to allow Battle.net Update Agent (and game specific executables) to connect to the internet every time they update them.

Even if the file would stick in the same directory and would just be replaced you would get a notification from ESS every time the file was changed. This happens because otherwise malware could just replace a file of which it believes that it has an allow firewall rule and would be able to communicate without permission.
Sonoran Desert 7 Posted May 3, 2015

Description: Make the email tag message shorter and editable.

Details: Have it so email tag messages are shorter with less cryptic database and virus definition info and just have a short message (with the link to ESET) with something like "scanned with ESET Smart Security, a better way to fight malware" or something similar. Possibly make the tag message editable for a custom message with the link to ESET.

Veteran ESET power users might chortle and guffaw at this simple request but in my wife's business she talks with and emails many people who don't know anything about computers and malware, it's all mysterious to them. Many of them have "computer problems" stemming from getting malware installed on their systems. They run Norton or McAfee (or other inferior AV's) simply because it was pre-installed on their computer/device and just keep using it, not knowing any better.

At times, in the course of conversation, chit-chat, some of my wife's clients complain of "yet another virus" and ask my wife what she uses and she tells them ESS (and recommends Malwarebytes Pro along with ESS for an unbeatable combination). Of course, they've never heard of ESET and their computer "fixers" never recommend ESET either. They just keep bringing their infected computers back to the shop, or have the shop log in and remove the malware, not getting advice to try a better malware solution.

This suggestion is presented as just a simple way to "grass roots, word-of-mouth" advertise ESET. In my opinion, people who don't know anything about computers or just don't want to fuss with their malware solution should only be running ESET anyway. ESET is simple to install and works perfectly at all default settings with no tweaking required, perfect for a novice. Everyone emails and having the simple ESET tagline link might make people who don't pay attention to computer security aware of ESET and hopefully try out ESET.

Edited May 4, 2015 by Sonoran Desert
itman 1,595 Posted May 8, 2015

When is Eset going to fix this and other security issues of SSL protocol scanning mentioned in the below referenced article?

> Disabling of HTTP Public Key Pinning
>
> Each and every TLS intercepting application I tested (Avast, Eset, and Kaspersky) breaks HTTP Public Key Pinning (HPKP). It is a technology that a lot of people in the IT security community are pretty excited about: It allows a web page to pin public keys of certificates in a browser. On subsequent visits the browser will only accept certificates with these keys. It is a very effective protection against malicious or hacked certificate authorities issuing rogue certificates.
>
> Browsers made a compromise when introducing HPKP. They won't enable the feature for manually installed certificates. The reason for that is simple (although I don't like it): If they hadn't done that they would've broken all TLS interception software like these Antivirus applications. But the applications could do the HPKP checking themselves. They just don't do it.

ref: https://blog.hboeck.de/archives/869-How-Kaspersky-makes-you-vulnerable-to-the-FREAK-attack-and-other-ways-Antivirus-software-lowers-your-HTTPS-security.html

Edited May 8, 2015 by itman
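The check the quoted article says interception software could run itself, as an added example (not code from the post, the linked blog or ESET): RFC 7469 pin noting and pin validation applied to the chain the origin server presents upstream of the interceptor. `PinStore`, `demo` and the host name are hypothetical, and the SPKI byte strings are constructed stand-ins rather than real keys.

```python
import base64
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class PinPolicy:
    pins: frozenset           # base64 SHA-256 SPKI fingerprints
    expires: float            # epoch seconds after which the pins lapse
    include_subdomains: bool

def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def parse_pkp_header(value: str, now: float):
    """Parse a Public-Key-Pins value; None if max-age or pins are missing."""
    pins, max_age, subdomains = set(), None, False
    for part in value.split(";"):
        name, _, raw = part.strip().partition("=")
        name, raw = name.strip().lower(), raw.strip().strip('"')
        if name == "pin-sha256" and raw:
            pins.add(raw)
        elif name == "max-age" and raw.isdigit():
            max_age = int(raw)
        elif name == "includesubdomains":
            subdomains = True
    if max_age is None or not pins:
        return None
    return PinPolicy(frozenset(pins), now + max_age, subdomains)

class PinStore:
    """Pins remembered per host by the intercepting component (hypothetical)."""

    def __init__(self):
        self._hosts = {}

    def note(self, host, header, upstream_spkis, now):
        """Remember pins from a response received over the upstream chain."""
        policy = parse_pkp_header(header, now)
        if policy is None:
            return False
        chain = {spki_pin(s) for s in upstream_spkis}
        # RFC 7469: one pin must match the chain, one must be a backup pin.
        if not (policy.pins & chain) or not (policy.pins - chain):
            return False
        self._hosts[host.lower()] = policy   # max-age=0 lapses immediately
        return True

    def _policy_for(self, host, now):
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self._hosts.get(".".join(labels[i:]))
            if policy and policy.expires > now and (i == 0 or policy.include_subdomains):
                return policy
        return None

    def validate(self, host, upstream_spkis, now):
        """True when no live pins apply or a key in the chain is pinned."""
        policy = self._policy_for(host, now)
        if policy is None:
            return True
        return bool(policy.pins & {spki_pin(s) for s in upstream_spkis})

# Constructed stand-ins for DER SubjectPublicKeyInfo blobs (not real keys).
SITE_LEAF = b"constructed SPKI: example.test leaf"
SITE_CA = b"constructed SPKI: CA that issued the real certificate"
BACKUP = b"constructed SPKI: site's offline backup key"
OTHER_LEAF = b"constructed SPKI: leaf from an unexpected issuer"
OTHER_CA = b"constructed SPKI: different CA trusted by the OS store"

def demo():
    t0 = 1_430_000_000.0
    header = 'pin-sha256="%s"; pin-sha256="%s"; max-age=5184000; includeSubDomains' % (
        spki_pin(SITE_CA), spki_pin(BACKUP))
    store = PinStore()
    noted = store.note("example.test", header, [SITE_LEAF, SITE_CA], t0)
    return (
        noted,                                                                     # pins accepted
        store.validate("www.example.test", [SITE_LEAF, SITE_CA], t0 + 86400),      # pinned CA
        store.validate("www.example.test", [OTHER_LEAF, OTHER_CA], t0 + 86400),    # unpinned chain
        store.validate("www.example.test", [OTHER_LEAF, OTHER_CA], t0 + 5184001),  # pins lapsed
    )
```

The third result is the case the article cares about: a chain that the OS trust store would accept but that contains no pinned key is rejected before the content is re-signed for the browser.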
rugk 397 Posted May 9, 2015

Yes the important point there is:

> But the applications could do the HPKP checking themselves.

(the same is valid for OCSP stapling too BTW)

BTW here is the complete topic about this: https://forum.eset.com/topic/4806-ways-anti-virus-software-lowers-your-https-security/

Edited May 9, 2015 by rugk
itman 1,595 Posted May 9, 2015

> Yes the important point there is:
>
>> But the applications could do the HPKP checking themselves.
>
> (the same is valid for OCSP stapling too BTW)
>
> BTW here is the complete topic about this: https://forum.eset.com/topic/4806-ways-anti-virus-software-lowers-your-https-security/

What Eset should be doing is not unencrypting sites with EV certs. like Avast and Kaspersky. Validate the cert pinning path and leave it at that. If you can't trust a web site with an EV cert., you shouldn't be doing business there.
rugk 397 Posted May 10, 2015

> What Eset should be doing is not unencrypting sites with EV certs. like Avast and Kaspersky. Validate the cert pinning path and leave it at that. If you can't trust a web site with an EV cert., you shouldn't be doing business there.

Well... the researcher (alias the author of the blog post) mentioned that none of the AVs he tested would do this. So all would not scan EV certificates. As for ESET this is wrong as I showed in the topic I linked.

However back to your suggestion. Even some guys who want to spread malicious files could register an EV certificate. It would be quite expensive for them and they would maybe have to hide behind a (fake) company, but it could be possible. Or just think of the file hosters which use an EV certificate. However on the other hand of course sites which host static content (or at least no user-submitted files) could be excluded this way.

So I would agree to have an option in the SSL scanning settings to exclude all EV certificates from SSL scanning, but not to do this automatically. The user should be able to choose whom he trusts and whom not.

Edited May 10, 2015 by rugk
itman 1,595 Posted May 10, 2015

>> What Eset should be doing is not unencrypting sites with EV certs. like Avast and Kaspersky. Validate the cert pinning path and leave it at that. If you can't trust a web site with an EV cert., you shouldn't be doing business there.

> Well... the researcher (alias the author of the blog post) mentioned that none of the AVs he tested would do this. So all would not scan EV certificates. As for ESET this is wrong as I showed in the topic I linked.
>
> However back to your suggestion. Even some guys who want to spread malicious files could register an EV certificate. It would be quite expensive for them and they would maybe have to hide behind a (fake) company, but it could be possible. Or just think of the file hosters which use an EV certificate. However on the other hand of course sites which host static content (or at least no user-submitted files) could be excluded this way.
>
> So I would agree to have an option in the SSL scanning settings to exclude all EV certificates from SSL scanning, but not to do this automatically. The user should be able to choose whom he trusts and whom not.

I posted this under a topic in the Smart Security forum and will duplicate here. I believe this is the best overall solution. Also I don't believe this suggestion wouldn't be too difficult for Eset to quickly implement.

Here's my suggestion to make SSL protocol usable. Add an option to the Eset's desktop taskbar icon display to turn SSL protocol scanning on and off. You can even add time intervals that it will remain off. This way I could easily turn off SSL protocol scanning when I wanted to use a site where I wanted my privacy maintained and when finished, easily re-enable SSL protocol scanning.

Edited May 10, 2015 by itman
kakashi 6 Posted May 28, 2015

Eset corp for the master peace eset 9

Details here.

Add a new 4 firewall artificial intelligence technology protection That be more accurate ,focus ,turbo speed blocking,deep scan attack,and ports,anti bypass firewall and anti brute force,ping protection and fast response, reduce false and positive firewall attacks or detection ,fix firewall crash and bugs

Add new engines for better detection

1. Ai codes engine = this will analyse all codes running or hiding this can increase to detect any virus or any modifications
2. Ai header engine = scan full software or anything from the inside
3. Ai advance heuristic = this will help To detect more complex infections
4. Ai forensics engine = this will detect more difficult and strong virus mechanism And run a full diagnostic if is safe or not what the detect
5. Ai.cloud engine detection = this is for maximum deep detection analyse everything
6. AI dll engine = this is very important most of the virus hide using dll and anti virus fail to detect it or a hacker manipulate a dll to enter to your pc and the anti virus fails and cant block it
7. Ai smart strong engine for system defense. = this block any manipulation of the software ,registry,network and settings,polity ports, dll,keyboard,webcam,browser,flash,java,script,text,audio ect virus or any malware can bypass this.
8. New Ai smart anti exploit mitigation = what this you say, this protect you from any exploit, from new ,old,and unknown This protect any software holes ,like bios,cpu,hardware,mac addresses network exploit ,bugs ,drivers,crash,incompatibility,errors,java,flash, webcam, keyboard and network ip and protect you in real time and you can add any software that no is included in the anti exploit mitigation to be protected and monitored if is attack this increase the security
8. ai new smart engine anti publishing = this can help in real time detect if the page is fraud ,fake,scammer,modified, this can detect the full page code And tell you what part of the page is not secure ,for example baking online ,logging online,sensitive information,https if is secure or encrypted ,check the domain is safe or fake and prevent malware spread Ect
9. ai advanced anti spam engine = detect deep spam scams scammers bots hide attachment infected ,full page deep analysis.inspection ,detection,prevention blocking,and emails and links . Ect
10. Ai smart network intrusion and Ids and protection = Detect all type of network attacks ,bots ,botnet,script network attacks brute force anti exploit attack,network holes ports,https vulnerability ,new unknown attack,dos attack ,mac address flooding ,memory flooding,hardware and harddrive flood or attack ,ip flood,ip fragmentation Mac high jack remote ,dns protection dns encryption,wireless protection detect all wireless attacks Windows host protection Cooking protection etc
11. new design software
    - low memory impact
    - low cpu impact
    - low hardware and harddrive impact
12. Add turbo fast scan ,deep scan New rootkit scan
13. add new network monitor See all connection running and what internet usage you have been used on total
14. new firewall rule and port blocking Add to block or edit any port incase you want to block a port or restrict access to something like a program, port or remote

Add denied access to Windows programs running on network or stop it ,check if is safe name and details

Add instant notification for all For example you computer have been compromised and is blocked And for unknown ports so you know is something wrong ,for example unknown port have been detected program name is ect

Add ai ssl new secure sll protocol that cant be intercepted or exploit or be vulnerable

Add a new fast intelligence run package but that dont slow down the pc performance

Add out date it software scan, so this checks for new updates and patch it like browsers java flash ,framework or programs

Fix firewall always slowdown internet speed test and loading

Fix in the.firewall take to much junks on the internet crash or stop working or get super slow

Just helping make the ultimate software master peace
kakashi 6 Posted May 28, 2015

Fix eset driver crash and installing and uninstalling problems

Make a new anti stealth protection that protect your files to been steal and prevent criptolokers virus to encrypt your files and take over the system or share

Make a new eset filter network protection

Add low impact starting up
rugk 397 Posted May 28, 2015

@kakashi Just shut off your computer then you have the protection you are suggesting. And your computer will be "turbo speed blocking" any "anti stealth protection" and "criptolokers" (yeah crispy lockers, bad things) and "dont slow down the pc performance" while blocking "any malware can bypass this". Don't forget you will have a "dns encryption" ("nothing" is quite undistinguishable I think, so that's encrypted), a "new secure" "ssl" "protocol" "that cant be intercepted"¹ and of course a very "low hardware and harddrive impact".

The "Ai header engine" can take a header if water is in your computer so everything spouts out.

The "Ai smart anti exploit mitigation" will protect you from software which tries to mitigate exploits, which is the only useful thing to do because it would be bad if you miss heroic deeds. And all "software holes ,like bios,cpu,hardware" will be blocked too of course. So all these software holes are not needed anymore. Just uninstall your BIOS, CPU or hardware. No problem! Additionally "bugs" will be smashed as these crawling critters don't have a warm and comfortable environment in your computer. And the "keyboard" blocking is by default of course - no one needs a keyboard.

"4 firewall" will protect you from "artificial intelligence technology" - just imagine all these AIs which try to kill people. All of them will be barbecued! (There's only one problem: What will happen to the other AIs like the "Ai forensics engine"?)

The "smart engine anti publishing" is not really new but very effective - usually it's called "control my brain". But of course it's improved as it's smart now. Now it will not only control the brain of one user, it will also try to control the brains of other users with whom the user spoke.

"Add a new fast intelligence run package" - Yes of course the next NSA marathon will come soon!

"Fix eset driver crash" - No the ESET drivers are reliable, their driver's license was never revoked at all and all

"Add low impact starting up" - Until you are not hitting your shutdowned computer you already have a low impact.

¹ (quite difficult to bring the words into the right order while still quoting correctly...)

Edited May 29, 2015 by rugk
SlimRock 6 Posted May 28, 2015

my 2 cents advice!
kakashi 6 Posted May 29, 2015

It see you hated me the way you talk are you ok... they are simple ideas in order to make a better product mr rugk
kakashi 6 Posted May 29, 2015

I found in eset 9 some bugs.

The icon look in blank the first time installing crash

The scan engine very slow

Try to reduce memory from 100mbs to 50 or 40mbs this can help

Nope firewall errors for the moment

I dont see the anti exploit mitigation and the anti exploit log

Try to reduce ping network impact this can help page load more faster

Fix the start up have high impact

Add new smart diagnostic like

- Network
- Performance
- Memory
- Anti virus engine
- Report automatically crash
- Report https website certificate error bugs or vulnerability and sll problems And protocols filtering
- Report firewall crash or bugs

This help mode send it automatically to the developer

You try to add anti backdoor technology ,prevents any software ect open a backdoor or webpages Ect
SweX 871 Posted May 29, 2015

> Try to reduce memory from 100mbs to 50 or 40mbs this can help

Because? And help with what exactly? Do you even know why the RAM usage is like it is? (sorry for only quoting one of your requests... I simply don't have time to ask questions about each one)

No, rugk doesn't hate you, don't be silly kakashi. It's just that we are all concerned about what would happen with the products if you were head of development at ESET. ESET could easily lose over 50% of their user-base if they did a 360 with their product lineup, and started to offer something totally different.

If we would go over to Kaspersky's, Symantec's, Bitdefender's, Avast's, Webroot's etc etc... forum and copy your post and paste it there, do you think they would appreciate it, or not? (People use their products (just like ESET) because they like them, not because they want the products to become something totally different.)

Why do you even use ESET if you don't like it and want it to change so badly? There are over a 100 other AVs you can try out if you like, maybe one of them will suit you better.

Edited May 29, 2015 by SweX