Jump to content

Future changes to ESET Internet Security and ESET Smart Security Premium


Recommended Posts

  • Administrators
6 hours ago, Wolf Igmc4 said:

An option to block individually notifications of a particular threat.

You can exclude potentially unwanted and unsafe applications from detection by name.

Link to comment
Share on other sites

19 minutes ago, Marcos said:

You can exclude potentially unwanted and unsafe applications from detection by name.

No, for example: A threat has been detected (MSIL/blabla) when X tried to access X.

I just want to block the popup of the specific ´MSIL/blabla´.

If for example another threat is detected (for example, MSIL/Blabla25) is detected, it´s popup will appear.

 

I don´t know if you understand me :/

Link to comment
Share on other sites

4 hours ago, persian-boy said:

Can we have this feature in the upcoming version? plsssss -.-
This is very important because I cant blindly allow a command line :|
 

In the example of lets say a command shell executing powershell, cmd.exe starts up conhost.exe. Conhost.exe is the process that actually starts up powershell.exe. So creating a HIPS rule to monitor what conhost.exe starts up will give you the information your seeking. 

Link to comment
Share on other sites

  • Most Valued Members

Could we have an ignore once options for Potentially unwanted applications? Often I will instal stuff that might contain extras e.g. in the installer and Eset will pop up and let me know I'm instaling a potentially unwanted application. I've noticed that Malwarebytes has an option to ignore it once e.g. you want to test it but might remove it fully later.  

Link to comment
Share on other sites

  • Administrators
38 minutes ago, peteyt said:

Could we have an ignore once options for Potentially unwanted applications? Often I will instal stuff that might contain extras e.g. in the installer and Eset will pop up and let me know I'm instaling a potentially unwanted application. I've noticed that Malwarebytes has an option to ignore it once e.g. you want to test it but might remove it fully later.  

Unfold advanced options in the yellow alert window, check "Exclude from detection" and click "No action".

Link to comment
Share on other sites

  • Most Valued Members
1 hour ago, Marcos said:

Unfold advanced options in the yellow alert window, check "Exclude from detection" and click "No action".

I do not see no action when installing a Potentially unwanted application - I think no action appears after a scan. After pressing ignore I get a windows access the specific file. I either have to exclude it  which would exclude it for good I presume or disable the protection temporarily. Malwarebytes comes up with ignore or ignore once which is helpful.

Link to comment
Share on other sites

Hi, Itman Hips In interactive will alert about conhost by default.
But that's not what I want...if you noticed that new voodoo shield can monitor commands I mean smth like that!
Your way doesn't work for me.

Eset pls add this feature and also sorting the hips rules list by directory and a purge button for not existing rules in hips rules to your Todo list.
 

 

Link to comment
Share on other sites

Can ESET force the Hips to work like an Anti-EXE? I tired a lot of sample with Hips in interactive but because the Exe file could run the final system status is infected...the problem is hips won't react in execution.
Even with Hips in interactive mode, the process will run(if Eset fails to detect it by sig or whatever it has)and it will remain in the process but can't do anything malicious because hips alert you.
Would be good if we let this hips jump on Executable files :)
 

Link to comment
Share on other sites

5 hours ago, persian-boy said:

Can ESET force the Hips to work like an Anti-EXE? I tired a lot of sample with Hips in interactive but because the Exe file could run the final system status is infected...the problem is hips won't react in execution.
Even with Hips in interactive mode, the process will run(if Eset fails to detect it by sig or whatever it has)and it will remain in the process but can't do anything malicious because hips alert you.
Would be good if we let this hips jump on Executable files :)
 

You will need to show an example of an .exe that Eset HIPS did not detect running in Interactive mode. The only way I know that could occur is if you inadvertently created an allow rule while running in Training mode or by manual creation. 

One possibility for example is that an allow rule was created for a process to start another process. If the allow rule did not specifically state what process start up was allowed, then Eset will allow any child process startup from the parent process.

Edited by itman
Link to comment
Share on other sites

You are right sorry my bad :-)
I had allowed rule for EXPLORER.exe that's why it didn't react I just tweaked the rules manually and everything working nicely.
I trained the Hips in learning mode for 3 days and after that removed, every rule that I thought its dangers but forgot to tweak the rules for EXPLORER.exe
Thanks To Eset for this hips module:D
Still waiting to see the new features like a purge button for HIPS list and sorting the rules based on the directory.

Edited by persian-boy
Link to comment
Share on other sites

What about a sandbox? I guess it is much important than Anti-Theft-_- I'm still waiting to see a purge button for not existing Rules in both Hips and firewall.
Also showing the command line when Hips alert for cmd!and provide a way to submit the FP from the Gui, not email :|
Also an option to let us sort the rules based on the directory.

 

Edited by persian-boy
Link to comment
Share on other sites

17 minutes ago, persian-boy said:

What about a sandbox? I guess it is much important than Anti-Theft-_- I'm still waiting to see a purge button for not existing Rules in both Hips and firewall.
Also showing the command line when Hips alert for cmd!and provide a way to submit the FP from the Gui, not email :|
Also an option to let us sort the rules based on the directory.

 

ESET have sandbox, but we just can't access it. But I agree with you, I want to manage apps in a sandbox.

Link to comment
Share on other sites

On 10/1/2017 at 8:21 AM, persian-boy said:

You are right sorry my bad :-)
I had allowed rule for EXPLORER.exe that's why it didn't react I just tweaked the rules manually and everything working nicely.
I trained the Hips in learning mode for 3 days and after that removed, every rule that I thought its dangers but forgot to tweak the rules for EXPLORER.exe
Thanks To Eset for this hips module:D
Still waiting to see the new features like a purge button for HIPS list and sorting the rules based on the directory.

 

 

I thought I fixed it... but the same issue exists.
Example: Dw farbar recovery scan tool and run it!then you will see Hips won't alert for execution.
 

Link to comment
Share on other sites

57 minutes ago, persian-boy said:

Example: Dw farbar recovery scan tool and run it!then you will see Hips won't alert for execution.

I have run Farbar in the past and Eset HIPS in Auto or Safe mode will not alert because its a safe app.

Are you saying that the HIPS in Interactive or Policy mode is not throwing an alert at Farber startup time?

Link to comment
Share on other sites

I would liek to be able to sort, filter, resize, export to text,... pretty much any table that Eset GUI uses. It causes me almost physical pain to use them currently with reflexes forcing me to avoid touching that at almost all costs. That might be cool way to prevent users from messing with app, but terrible for finding / verifying / reporting any apps misbehaviour.

Firewall rules being best example of terrible UX. Please hire UX specialist and fix that.

Link to comment
Share on other sites

Where you show IP - and mostly in pop-up dialogs - include link to whois information. How shall I make quick semi-qualified decission to allow/deny question when I don't have tools / information for it and all I see is IP number? I can run putty to one of my servers and do Whois / GeoIP query, but that shall be available in ESET already.

Link to comment
Share on other sites

 

Description: [New Feature] Firewall rules last triggered/used
Detail: [Context : using Firewall in interactive mode]  Keep the last date time a firewall rules has been triggered, and display it in the rules list window, to be able to sort by this date.
Why ? Because during the computere/Windows 'life, program are installed, uninstalled, moved, and many rules become obsolete and useless. And this is more visible with windows 10 store because each new software version is a new exe and so a new rule.
If we can find easily old and not triggered rules since a while, we could delete them to clean up the rules list (and probably improve speed of FW).

 

In addition, a new related feature

 

Description: [New Feature] Delete automatically FW rules if not triggered for XX days
Detail: [Context : using Firewall in interactive mode] . Add a configuration in the FW that can be activate and set the number of days before delete automatically a rule not triggered
- Enable auto-cleanup rules : True/False
- [If enabled] Delete rules if not triggered after [  90  ]  days

 

Thank you
 

Edited by Mahoneko
Link to comment
Share on other sites

On ‎10‎/‎8‎/‎2017 at 4:31 PM, persian-boy said:

I thought I fixed it... but the same issue exists.
Example: Dw farbar recovery scan tool and run it!then you will see Hips won't alert for execution.
 

I did some of my own testing in regards to this business about the HIPS not detecting Farber activity. For starters, I set the HIPS to Interactive mode and then ran Farbar.

To begin with, Farbar will load and begin execution because you started it manually. However, the first attempt by Farbar to perform any activity the HIPS monitors for will cause an alert as shown by the below screen shot.

Now if you create a .bat script and run Farbar by execution of the script, you will receive a HIPS alert about the startup of Farbar. Likewise, malware doesn't magically run by itself. Something has to execute it. 

Eset_Farbar.thumb.png.d3d34a2eea5c04e579614cc5e798e384.png

Link to comment
Share on other sites

Thanks for the test  Itman:-) I guess you are right and Eset won't react on execution because of I started the file manually and I missed this part of the story.
BTW good to see hips can catch the child process:giggle:^_^
 

Edited by persian-boy
Link to comment
Share on other sites

18 minutes ago, persian-boy said:

Thanks for the test  Itman:-) I guess you are right and Eset won't react on execution because of I started the file manually and I missed this part of the story.

As far as anti-exec processing, there is a one built into Win 10 - native SmartScreen. I have tested with a couple of unknown reputation files and each time got an alert from it when they tried to run. Eset let the files run w/o issue. Neither file was malicious but I prefer an option to disallow execution in this instance.

The downside is native SmartScreen relies on "The Mark of the Web" remaining associated with the downloaded file. There are ways to "strip that off" of a download.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...