Aryeh Goretsky

Future changes to ESET Internet Security and ESET Smart Security Premium


4 hours ago, persian-boy said:

Would be good if I could whitelist the certain cmd command for specific application in HIPS - _ -

You need to be more specific on what you are trying to do. Give an example.

One issue I have in regards to the cmd.exe is that there is no way to restrict what .bat files it can execute. A "target" in a HIPS rule has to be an application - period. This could be accomplished if the HIPS provided a read restriction in the Files section. I really don't know why read restriction capability was never added. Every other HIPS I have used in the past had the capability.

I will also add that file wildcard capability, which I have repeatedly asked for, needs to be added to make this capability functional. The following are example rules.

1. Allow cmd.exe to read xyz.bat.

2. Block/ask cmd.exe to read C:\*\*.bat; where C:\* would mean the drive root directory and all subdirectories.

8 hours ago, itman said:

One issue I have in regards to the cmd.exe is that there is no way to restrict what .bat files it can execute. A "target" in a HIPS rule has to be an application - period. This could be accomplished if the HIPS provided a read restriction in the Files section. I really don't know why read restriction capability was never added. Every other HIPS I have used in the past had the capability.

Having read restriction capability in the files section is a feature I suggested long ago. Hopefully ESET will finally see the merits of this.


Hi,
Example:
There is a command line like ipconfig /all which is launched by OpenVPN.exe (my software) when it's trying to read the config file and connect to the VPN service.
Some tools need to use cmd (like Nvidia)! And the user wants to know what is happening! I achieved this protection with Rehips. Rehips lets me whitelist the commands for every process (or an ask rule).
That read restriction is a good idea! Btw I don't know anything about wildcards and don't like the concept - _ - too complicated for my poor brain haha. Average users don't want to use wildcards -.-

Edited by persian-boy

On 11/24/2017 at 7:27 PM, persian-boy said:

Some tools need to use cmd (like Nvidia)! And the user wants to know what is happening! I

Nvidia in their "infinite security wisdom" created two .bat scripts they dumped in C:\Windows directory. Their startup service can run these .bat scripts if errors are encountered in their software as recovery procedures. So basically, you have to allow svchost.exe to run cmd.exe. Not the most secure thing to do if malware creates a malicious service. Hence my recommendation that file wildcard support is needed.

There is also the issue of why the HIPS hasn't been updated to reflect Win 10's current ability to uniquely identify an individual svchost.exe service by process id.

Edited by itman


Some suggestions about HIPS:
1- Add protection for direct keyboard access.
2- What about a purge button for rules that no longer exist? I asked this before -.-

From Eset website:
interactive mode: In interactive mode HIPS will prompt you to Allow or Deny each operation detected
This is not true! I got different alerts when I set the ask rules for some applications. I mean the ask rule is better than interactive mode! Interactive mode doesn't cover all operations, so I have to use int mode plus some custom ask rules.
Thanks for the info Itman! But where does that malware come from? I use sandboxie+srp+hips+eset av+some grp policy tweaks and some other tweaks like disabling useless services by AnVir Task Manager, so there is no malware to create an infected service!

5 hours ago, itman said:

current ability to uniquely identify an individual svchost.exe service by process id

I didn't know about it! Eset pls listen to what Itman says :D I want the maximum protection (99%)

Edited by persian-boy

On 10/19/2017 at 6:02 AM, persian-boy said:

Boot time filter for the firewall to prevent data leak during the system startup

Any feedback on this? Is it there? Or no? I just want to know. cowboy, what do you think about this feature?

15 hours ago, persian-boy said:

This is not true! I got different alerts when I set the ask rules for some applications. I mean the ask rule is better than interactive mode! Interactive mode doesn't cover all operations, so I have to use int mode plus some custom ask rules.

I explained this once to you. Eset has internal default rules and those rules take precedence over any user created rules.

Also if an alert response is not received within a short period of time, Eset will auto allow the action. This comes into play for example with any ask rule that might be triggered during the boot process. Those will be allowed by the time the PC initializes, the desktop appears, and finally the Eset GUI is started.

Edited by itman


Eset, don't you want to fix this auto allow? More dangerous than useful! omg.
Every HIPS (Comodo, SpyShelter, Rehips and...) freezes the operation till the user answers the alert! What's the point of an ask rule if it's gonna allow it without my permission?! Makes no sense!
Itman, I know about those internal rules but I'm saying the interactive mode doesn't cover all operations!

9 hours ago, itman said:

boot process

This is dangerous! Eset pls fix the bug!

Eset is updating the HIPS module silently and without any changelog or information! That's bad!

Edited by persian-boy


Description: Perfect Behavior Blocker

Detail: Eset is a perfect AV, but it doesn't include a good Behaviour Blocker. I know your HIPS is effective, but nothing can protect against zero days better than a good Behavior Blocker.

All Eset needs is a perfect Behaviour Blocker.

Edited by amir

13 hours ago, persian-boy said:

Every HIPS (Comodo, SpyShelter, Rehips and...) freezes the operation till the user answers the alert! What's the point of an ask rule if it's gonna allow it without my permission?! Makes no sense!

It actually used to do this prior to ver. 11. I believe this has something to do with Microsoft's decree to AV vendors that they can't interfere with the boot process in Win 10 ver. 1709. I am actually surprised that Eset even processes an Ask HIPS rule in ver. 11 and instead just auto allows it. I know it is doing so because it will slightly delay your boot time; something I thought wasn't supposed to happen on Win 10 ver. 1709.

Again it is a bit peculiar that the HIPS default action is allow. However, it always has been this way. To be honest, I seriously doubt Eset will change it to block mode.

A proper frame of reference for you is that Eset first and foremost created the HIPS for its own internal use. As such, it really isn't designed to be user configurable other than to create a few exception rules. This is more so evident in the retail vers. of Eset. For example, Eset added file wildcard capability a while back for the Endpoint vers. but refuses to do so for the retail vers.

Edited by itman


Add a behavior blocker, based on the reputation system of Eset. Yes, I said this some time ago, but if Eset doesn't add it, in the future, this will be a big problem.

1 hour ago, Wolf Igmc4 said:

Add a behavior blocker, based on the reputation system of Eset. Yes, I said this some time ago, but if Eset doesn't add it, in the future, this will be a big problem.

It has been asked for a lot but I don't think we will see it. The issue Eset has is choice, e.g. what should happen if something new and unknown turns up? It could simply be an update, e.g. a Windows update, but if Eset doesn't have any reputation for the files it will have to ask the user, and it seems like they want to avoid this in case the user clicks the wrong thing, e.g. allows or blocks.


I can show you some videos where ransomware keeps popping up and it fails

Edited by Marcos
Machine translation added


Please use this topic only to report wishes and suggestions for future improvements. Do not use it for discussions on a particular subject. If you want to discuss something, create a new topic.


Translation is ambiguous when you disable LiveGrid:

"Esto puede ser muy peligroso, por lo que debe volver a habilitar la protección de inmediato"

If we think of it as an implication, we should use "así que" or "por lo tanto".

Thanks.


Eset HIPS only protects folders/files from being deleted or written to. It would be good if Eset added access/read protection as well.

Edited by persian-boy


ESET alone does not protect against ransomware. I already have Emsisoft with me and look there. I have 99% protection ;-) ESET has to do something.

23 minutes ago, galaxy said:

ESET alone does not protect against ransomware. I already have Emsisoft with me and look there. I have 99% protection ;-) ESET has to do something.

Please open a new topic and provide more information, including hashes of the malicious files. It is not true that ESET is bad at protecting against ransomware, quite the contrary. Of course, if you have weak overall protection and an attacker with admin rights manages to remote in, it doesn't matter what security software you use, since with admin rights the attacker can do virtually anything, including disabling the security sw prior to running ransomware. Again, no security software detects 100% of threats and if you claim the opposite, we could prove you to be wrong.


This HIPS issue has been "bugging" me for some time.

I keep cmd.exe execution "under tight reins" so to speak with a number of HIPS rules to monitor what it is doing. However, I have .bat scripts that I schedule via Win task manager that I want to run at boot time. What I really need is an option in the HIPS rule creation where a command line string could be specified for rules pertaining to cmd.exe. It appears Eset can fully decipher the entire command line string as noted by the below screenshot.

My suggestion would be to add an input box to the existing Eset GUI HIPS app rule screen titled "Command string." The HIPS could then concatenate this data for any rule where the target app being monitored is cmd.exe and compare it to the full command line attempting to execute:

[Screenshot: Eset_HIPS_cmd.png, the Eset HIPS alert showing the full cmd.exe command line]

Edited by itman

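The wildcard read rules itman listed earlier in the thread (allow cmd.exe to read xyz.bat, ask for C:\*\*.bat) and the "Command string" match he asks for in the post above, modelled as an added Python example that is not ESET's code or any forum member's. The rule set, the script paths, the first-match evaluation order and the fall-through to "allow" when nothing matches are all assumptions made for the illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of the HIPS rules asked for in this thread (not ESET's code):
# the first matching rule decides; no match falls through to "allow", the
# default behaviour described earlier in the thread.

@dataclass
class Rule:
    action: str                    # "allow", "block" or "ask"
    source: str                    # acting process name, "*" for any
    operation: str                 # "read" or "execute"
    target: str                    # file pattern, e.g. C:\*\*.bat
    command: Optional[str] = None  # itman's "Command string": substring of the full command line

def compile_pattern(pattern: str) -> "re.Pattern[str]":
    """'*' inside a name stays within one path component; a component that is just '*'
    matches zero or more directories, so C:\\*\\*.bat covers C:\\x.bat and C:\\a\\b\\x.bat."""
    parts = pattern.lower().replace("\\", "/").split("/")
    out = []
    for i, part in enumerate(parts):
        last = i == len(parts) - 1
        if part == "*" and not last:
            out.append("(?:.*/)?")   # zero or more whole directories
        else:
            out.append("".join("[^/]*" if c == "*" else re.escape(c) for c in part) + ("" if last else "/"))
    return re.compile("^" + "".join(out) + "$")

def matches(pattern: str, value: str) -> bool:
    return compile_pattern(pattern).match(value.lower().replace("\\", "/")) is not None

def evaluate(rules: List[Rule], source: str, operation: str, target: str, command_line: str = "") -> str:
    """Decide one HIPS event: process `source` performs `operation` on `target`."""
    for r in rules:
        if r.operation != operation or not matches(r.source, source) or not matches(r.target, target):
            continue
        if r.command is not None and r.command.lower() not in command_line.lower():
            continue  # rule carries a command string that this command line does not contain
        return r.action
    return "allow"

CMD = r"C:\Windows\System32\cmd.exe"
RULES = [  # constructed rule set; the script paths are examples, not real files
    Rule("allow", "cmd.exe", "read", r"C:\Scripts\xyz.bat"),                           # itman's rule 1
    Rule("ask", "cmd.exe", "read", r"C:\*\*.bat"),                                     # itman's rule 2
    Rule("allow", "openvpn.exe", "execute", CMD, command="ipconfig /all"),             # persian-boy's OpenVPN case
    Rule("allow", "svchost.exe", "execute", CMD, command=r"C:\Scripts\nightly.bat"),   # scheduled boot-time script
    Rule("ask", "*", "execute", CMD),                                                  # anything else launching cmd.exe
]
```

A process whose command line is not on the allow list still reaches the "ask" rule, which is the behaviour the posts above want instead of the auto allow.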

Description:  Firewall Outbound Protection
Detail: I think it would be better if ESET scanned by default in "automatic" mode the outbound traffic as well, and created rules based on the application's credibility. The default "allow all outbound" is what Windows offers already. "Interactive" mode can serve that purpose but it creates dozens of popups and, same as "learning" mode, does not provide the user the necessary information to make the decision. Rules should be created either automatically (both inbound and outbound) based on application reputation / trustworthiness, or manually with "interactive" mode. "Learning" mode also reduces security. Outbound filtering can be the last defense resort against a security threat that has not been detected by AV and tries to call home.

Edited by TzonZ

1 hour ago, TzonZ said:

I think it would be better if ESET scanned by default in "automatic" mode the outbound traffic as well, and create rules based on the application's credibility.

I also have suggested at the minimum to create an option to allow default Win firewall outbound rules and alert for any other outbound traffic. This would get around the problem many have in creating outbound rules for Win 10 Microsoft package apps.


Will there be VPN protection?

Edited by Marcos
Formatting
