Jump to content
Aryeh Goretsky

Future changes to ESET Internet Security and ESET Smart Security Premium

Recommended Posts

6 hours ago, Wolf Igmc4 said:

An option to block individually notifications of a particular threat.

You can exclude potentially unwanted and unsafe applications from detection by name.

Share this post


Link to post
Share on other sites
19 minutes ago, Marcos said:

You can exclude potentially unwanted and unsafe applications from detection by name.

No, for example: A threat has been detected (MSIL/blabla) when X tried to access X.

I just want to block the popup of the specific ´MSIL/blabla´.

If for example another threat is detected (for example, MSIL/Blabla25) is detected, it´s popup will appear.

 

I don´t know if you understand me :/

Share this post


Link to post
Share on other sites
On 9/6/2017 at 8:05 PM, persian-boy said:

show that command line

Can we have this feature in the upcoming version? plsssss -.-
This is very important because I cant blindly allow a command line :|
 

Share this post


Link to post
Share on other sites
4 hours ago, persian-boy said:

Can we have this feature in the upcoming version? plsssss -.-
This is very important because I cant blindly allow a command line :|
 

In the example of lets say a command shell executing powershell, cmd.exe starts up conhost.exe. Conhost.exe is the process that actually starts up powershell.exe. So creating a HIPS rule to monitor what conhost.exe starts up will give you the information your seeking. 

Share this post


Link to post
Share on other sites

Could we have an ignore once options for Potentially unwanted applications? Often I will instal stuff that might contain extras e.g. in the installer and Eset will pop up and let me know I'm instaling a potentially unwanted application. I've noticed that Malwarebytes has an option to ignore it once e.g. you want to test it but might remove it fully later.  

Share this post


Link to post
Share on other sites
38 minutes ago, peteyt said:

Could we have an ignore once options for Potentially unwanted applications? Often I will instal stuff that might contain extras e.g. in the installer and Eset will pop up and let me know I'm instaling a potentially unwanted application. I've noticed that Malwarebytes has an option to ignore it once e.g. you want to test it but might remove it fully later.  

Unfold advanced options in the yellow alert window, check "Exclude from detection" and click "No action".

Share this post


Link to post
Share on other sites
1 hour ago, Marcos said:

Unfold advanced options in the yellow alert window, check "Exclude from detection" and click "No action".

I do not see no action when installing a Potentially unwanted application - I think no action appears after a scan. After pressing ignore I get a windows access the specific file. I either have to exclude it  which would exclude it for good I presume or disable the protection temporarily. Malwarebytes comes up with ignore or ignore once which is helpful.

Share this post


Link to post
Share on other sites

Hi, Itman Hips In interactive will alert about conhost by default.
But that's not what I want...if you noticed that new voodoo shield can monitor commands I mean smth like that!
Your way doesn't work for me.

Eset pls add this feature and also sorting the hips rules list by directory and a purge button for not existing rules in hips rules to your Todo list.
 

 

Share this post


Link to post
Share on other sites

Can ESET force the Hips to work like an Anti-EXE? I tired a lot of sample with Hips in interactive but because the Exe file could run the final system status is infected...the problem is hips won't react in execution.
Even with Hips in interactive mode, the process will run(if Eset fails to detect it by sig or whatever it has)and it will remain in the process but can't do anything malicious because hips alert you.
Would be good if we let this hips jump on Executable files :)
 

Share this post


Link to post
Share on other sites
5 hours ago, persian-boy said:

Can ESET force the Hips to work like an Anti-EXE? I tired a lot of sample with Hips in interactive but because the Exe file could run the final system status is infected...the problem is hips won't react in execution.
Even with Hips in interactive mode, the process will run(if Eset fails to detect it by sig or whatever it has)and it will remain in the process but can't do anything malicious because hips alert you.
Would be good if we let this hips jump on Executable files :)
 

You will need to show an example of an .exe that Eset HIPS did not detect running in Interactive mode. The only way I know that could occur is if you inadvertently created an allow rule while running in Training mode or by manual creation. 

One possibility for example is that an allow rule was created for a process to start another process. If the allow rule did not specifically state what process start up was allowed, then Eset will allow any child process startup from the parent process.

Edited by itman

Share this post


Link to post
Share on other sites

You are right sorry my bad :-)
I had allowed rule for EXPLORER.exe that's why it didn't react I just tweaked the rules manually and everything working nicely.
I trained the Hips in learning mode for 3 days and after that removed, every rule that I thought its dangers but forgot to tweak the rules for EXPLORER.exe
Thanks To Eset for this hips module:D
Still waiting to see the new features like a purge button for HIPS list and sorting the rules based on the directory.

Edited by persian-boy

Share this post


Link to post
Share on other sites

What about a sandbox? I guess it is much important than Anti-Theft-_- I'm still waiting to see a purge button for not existing Rules in both Hips and firewall.
Also showing the command line when Hips alert for cmd!and provide a way to submit the FP from the Gui, not email :|
Also an option to let us sort the rules based on the directory.

 

Edited by persian-boy

Share this post


Link to post
Share on other sites
17 minutes ago, persian-boy said:

What about a sandbox? I guess it is much important than Anti-Theft-_- I'm still waiting to see a purge button for not existing Rules in both Hips and firewall.
Also showing the command line when Hips alert for cmd!and provide a way to submit the FP from the Gui, not email :|
Also an option to let us sort the rules based on the directory.

 

ESET have sandbox, but we just can't access it. But I agree with you, I want to manage apps in a sandbox.

Share this post


Link to post
Share on other sites

That sandbox is diffrent.. it can analyze the malware but I mean smth like Sandboxie :|

Edited by persian-boy

Share this post


Link to post
Share on other sites
On 10/1/2017 at 8:21 AM, persian-boy said:

You are right sorry my bad :-)
I had allowed rule for EXPLORER.exe that's why it didn't react I just tweaked the rules manually and everything working nicely.
I trained the Hips in learning mode for 3 days and after that removed, every rule that I thought its dangers but forgot to tweak the rules for EXPLORER.exe
Thanks To Eset for this hips module:D
Still waiting to see the new features like a purge button for HIPS list and sorting the rules based on the directory.

 

 

I thought I fixed it... but the same issue exists.
Example: Dw farbar recovery scan tool and run it!then you will see Hips won't alert for execution.
 

Share this post


Link to post
Share on other sites
57 minutes ago, persian-boy said:

Example: Dw farbar recovery scan tool and run it!then you will see Hips won't alert for execution.

I have run Farbar in the past and Eset HIPS in Auto or Safe mode will not alert because its a safe app.

Are you saying that the HIPS in Interactive or Policy mode is not throwing an alert at Farber startup time?

Share this post


Link to post
Share on other sites

No, I'm running it in interactive mode and it won't alert for  EXE file but I found(just 20 min ago) how to make it work.
I will create an article and gonna learn smth cool:D
 

Share this post


Link to post
Share on other sites

I would liek to be able to sort, filter, resize, export to text,... pretty much any table that Eset GUI uses. It causes me almost physical pain to use them currently with reflexes forcing me to avoid touching that at almost all costs. That might be cool way to prevent users from messing with app, but terrible for finding / verifying / reporting any apps misbehaviour.

Firewall rules being best example of terrible UX. Please hire UX specialist and fix that.

Share this post


Link to post
Share on other sites

Where you show IP - and mostly in pop-up dialogs - include link to whois information. How shall I make quick semi-qualified decission to allow/deny question when I don't have tools / information for it and all I see is IP number? I can run putty to one of my servers and do Whois / GeoIP query, but that shall be available in ESET already.

Share this post


Link to post
Share on other sites

 

Description: [New Feature] Firewall rules last triggered/used
Detail: [Context : using Firewall in interactive mode]  Keep the last date time a firewall rules has been triggered, and display it in the rules list window, to be able to sort by this date.
Why ? Because during the computere/Windows 'life, program are installed, uninstalled, moved, and many rules become obsolete and useless. And this is more visible with windows 10 store because each new software version is a new exe and so a new rule.
If we can find easily old and not triggered rules since a while, we could delete them to clean up the rules list (and probably improve speed of FW).

 

In addition, a new related feature

 

Description: [New Feature] Delete automatically FW rules if not triggered for XX days
Detail: [Context : using Firewall in interactive mode] . Add a configuration in the FW that can be activate and set the number of days before delete automatically a rule not triggered
- Enable auto-cleanup rules : True/False
- [If enabled] Delete rules if not triggered after [  90  ]  days

 

Thank you
 

Edited by Mahoneko

Share this post


Link to post
Share on other sites
On ‎10‎/‎8‎/‎2017 at 4:31 PM, persian-boy said:

I thought I fixed it... but the same issue exists.
Example: Dw farbar recovery scan tool and run it!then you will see Hips won't alert for execution.
 

I did some of my own testing in regards to this business about the HIPS not detecting Farber activity. For starters, I set the HIPS to Interactive mode and then ran Farbar.

To begin with, Farbar will load and begin execution because you started it manually. However, the first attempt by Farbar to perform any activity the HIPS monitors for will cause an alert as shown by the below screen shot.

Now if you create a .bat script and run Farbar by execution of the script, you will receive a HIPS alert about the startup of Farbar. Likewise, malware doesn't magically run by itself. Something has to execute it. 

Eset_Farbar.thumb.png.d3d34a2eea5c04e579614cc5e798e384.png

Share this post


Link to post
Share on other sites

Thanks for the test  Itman:-) I guess you are right and Eset won't react on execution because of I started the file manually and I missed this part of the story.
BTW good to see hips can catch the child process:giggle:^_^
 

Edited by persian-boy

Share this post


Link to post
Share on other sites
18 minutes ago, persian-boy said:

Thanks for the test  Itman:-) I guess you are right and Eset won't react on execution because of I started the file manually and I missed this part of the story.

As far as anti-exec processing, there is a one built into Win 10 - native SmartScreen. I have tested with a couple of unknown reputation files and each time got an alert from it when they tried to run. Eset let the files run w/o issue. Neither file was malicious but I prefer an option to disallow execution in this instance.

The downside is native SmartScreen relies on "The Mark of the Web" remaining associated with the downloaded file. There are ways to "strip that off" of a download.

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...