mantra, posted October 9, 2016:
Hi, can ESET 10 block ransomware and recent variants that infect the MBR with the HIPS? In short, is there a better HIPS in v10 that can prevent MBR infection? And is there another program to use with ESET to block ransomware and recent variants?

cyberhash (Most Valued Member), posted October 9, 2016:
There is no AV product from any vendor that can detect 100% of any type of virus/malware/ransomware. Using ESET and common sense is a good combination.

adnage19, posted October 9, 2016:
> mantra: Hi, can ESET 10 block ransomware and recent variants that infect the MBR with the HIPS? In short, is there a better HIPS in v10 that can prevent MBR infection? And is there another program to use with ESET to block ransomware and recent variants?
I would say that ESET's HIPS can protect you, but for sure not on default settings. You can set a rule to protect the MBR, and after all, the best way is to enable learning mode for 1-2 weeks and then switch to interactive mode or even policy-based mode. This will provide high-level protection.

novice, posted October 10, 2016:
> cyberhash: There is no AV product from any vendor that can detect 100% of any type of virus/malware/ransomware. Using ESET and common sense is a good combination.
So, the short answer is NO.

mantra (author), posted October 11, 2016:
> mantra: Hi, can ESET 10 block ransomware and recent variants that infect the MBR with the HIPS? In short, is there a better HIPS in v10 that can prevent MBR infection? And is there another program to use with ESET to block ransomware and recent variants?
> adnage19: I would say that ESET's HIPS can protect you, but for sure not on default settings. You can set a rule to protect the MBR, and after all, the best way is to enable learning mode for 1-2 weeks and then switch to interactive mode or even policy-based mode. This will provide high-level protection.
Hi, I cannot find how to protect the MBR; where is the option? Thanks.

Marcos (Administrator), posted October 11, 2016:
I reckon there's no such option, as monitoring write attempts would cause unacceptable resource overhead.

itman, posted October 11, 2016:
> mantra: I cannot find how to protect the MBR; where is the option?
You can create an "ask" HIPS rule to monitor low-level disk access on the drive where your OS is installed. Warning: this will cause issues with some OS processes such as shadow volume copy, defrag, etc., and the rule will have to be monitored closely. One possible workaround is to also create an identical "allow" HIPS rule to allow low-level disk access for all exe's in C:\Windows\System32\*.*. I would also disable the "ask" rule when doing any Win 10 release upgrades.

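As an added example (not ESET's code and not itman's HIPS rule), a Python baseline-and-compare check for the MBR that complements the "ask" rule described above: it does not intercept disk writes, but lets you verify after the fact that the 440-byte boot-code area still matches a saved SHA-256 baseline, after sanity-checking the 0x55AA signature and partition table. The sample sectors are constructed; on Windows you would read the real sector from \\.\PhysicalDrive0 as administrator.

```python
# Added example: offline MBR baseline check (not ESET code). Hashes the
# boot-code area of a 512-byte MBR and compares it with a saved baseline.
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0..439 hold the boot code
PART_TABLE_OFF = 446     # four 16-byte partition entries start here
BOOT_SIG = b"\x55\xaa"   # bytes 510..511

def parse_mbr(sector: bytes) -> dict:
    """Return boot-code hash and partition entries; ValueError if malformed."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, CHS start (3 bytes, skipped), type, CHS end (skipped), LBA, size
        status, ptype, lba, count = struct.unpack("<B3xB3xII", sector[off:off + 16])
        if ptype:  # partition type 0 means an unused slot
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    digest = hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()
    return {"boot_code_sha256": digest, "partitions": parts}

def check_against_baseline(sector: bytes, baseline_sha256: str) -> list:
    """List of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code changed since baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition marked bootable")
    return findings

def constructed_sector(boot_code: bytes) -> bytes:
    """Build a constructed (fake) MBR with one bootable NTFS partition."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)
    return boot_code.ljust(BOOT_CODE_LEN, b"\0") + b"\0" * 6 + entry + b"\0" * 48 + BOOT_SIG

if __name__ == "__main__":
    clean = constructed_sector(b"\xfa\x33\xc0\x8e\xd0")   # constructed boot code
    baseline = parse_mbr(clean)["boot_code_sha256"]       # save this somewhere safe
    print(check_against_baseline(clean, baseline))
    print(check_against_baseline(constructed_sector(b"\xeb\xfe"), baseline))
```

Store the baseline hash off the machine and re-run the comparison from a known-good environment, since a bootkit that already controls the disk can lie to a check run from the infected OS.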
mantra (author), posted October 12, 2016:
> mantra: I cannot find how to protect the MBR; where is the option?
> itman: You can create an "ask" HIPS rule to monitor low-level disk access on the drive where your OS is installed. Warning: this will cause issues with some OS processes such as shadow volume copy, defrag, etc., and the rule will have to be monitored closely. One possible workaround is to also create an identical "allow" HIPS rule to allow low-level disk access for all exe's in C:\Windows\System32\*.*. I would also disable the "ask" rule when doing any Win 10 release upgrades.
Hi, do you mean direct access to disk? Thanks.

adnage19, posted October 12, 2016:
> Marcos: I reckon there's no such option, as monitoring write attempts would cause unacceptable resource overhead.
> mantra: I cannot find how to protect the MBR; where is the option?
> itman: You can create an "ask" HIPS rule to monitor low-level disk access on the drive where your OS is installed. Warning: this will cause issues with some OS processes such as shadow volume copy, defrag, etc., and the rule will have to be monitored closely. One possible workaround is to also create an identical "allow" HIPS rule to allow low-level disk access for all exe's in C:\Windows\System32\*.*. I would also disable the "ask" rule when doing any Win 10 release upgrades.
I've found HIPS settings posted by a user; it includes MBR protection (that's what his post says): https://malwaretips.com/threads/petrovic-config.20748/#post-150572
Are these settings good?

itman, posted October 12, 2016 (edited October 12, 2016 by itman):
> adnage19: I've found HIPS settings posted by a user; it includes MBR protection (that's what his post says): https://malwaretips....48/#post-150572 Are these settings good?
Yes. Those settings were copied from a security configuration guide for an earlier ver. of Eset, ver. 6 I believe, that is also posted on the malwaretips.com web site. Many of the rules in the guide now exist as default HIPS rules, such as the monitoring of the registry "run" keys.
As I warned previously, any monitoring of drive direct access by the HIPS will cause issues with some existing Windows processes. The one most affected is shadow volume copying, since it runs in the background. As such, you may not be present to respond to any alert, with the result being a borked system backup occurring. So use of this type of HIPS monitoring is at the user's risk. I also have yet to try such monitoring in Win 10.
I also use Emsisoft's Antimalware, and its behavior blocker does monitor for direct/low-level disk access.

adnage19, posted October 12, 2016:
> adnage19: I've found HIPS settings posted by a user; it includes MBR protection (that's what his post says): https://malwaretips....48/#post-150572 Are these settings good?
> itman: Yes. Those settings were copied from a security configuration guide for an earlier ver. of Eset, ver. 6 I believe, that is also posted on the malwaretips.com web site. Many of the rules in the guide now exist as default HIPS rules, such as the monitoring of the registry "run" keys. As I warned previously, any monitoring of drive direct access by the HIPS will cause issues with some existing Windows processes. The one most affected is shadow volume copying, since it runs in the background. As such, you may not be present to respond to any alert, with the result being a borked system backup occurring. So use of this type of HIPS monitoring is at the user's risk. I also have yet to try such monitoring in Win 10. I also use Emsisoft's Antimalware, and its behavior blocker does monitor for direct/low-level disk access.
Is it possible to add custom rules in HIPS settings to improve ransomware protection? Or maybe Smart mode is enough? I'm asking because I've seen a YouTube video where a user was testing ESET 10 Beta on default settings and it didn't protect the OS from a zero-day ransomware sample.

cyberhash (Most Valued Member), posted October 12, 2016:
> adnage19: I've found HIPS settings posted by a user; it includes MBR protection (that's what his post says): https://malwaretips....48/#post-150572 Are these settings good?
> itman: Yes. Those settings were copied from a security configuration guide for an earlier ver. of Eset, ver. 6 I believe, that is also posted on the malwaretips.com web site. Many of the rules in the guide now exist as default HIPS rules, such as the monitoring of the registry "run" keys. As I warned previously, any monitoring of drive direct access by the HIPS will cause issues with some existing Windows processes. The one most affected is shadow volume copying, since it runs in the background. As such, you may not be present to respond to any alert, with the result being a borked system backup occurring. So use of this type of HIPS monitoring is at the user's risk. I also have yet to try such monitoring in Win 10. I also use Emsisoft's Antimalware, and its behavior blocker does monitor for direct/low-level disk access.
> adnage19: Is it possible to add custom rules in HIPS settings to improve ransomware protection? Or maybe Smart mode is enough? I'm asking because I've seen a YouTube video where a user was testing ESET 10 Beta on default settings and it didn't protect the OS from a zero-day ransomware sample.
That YouTube video won't be unique to just ESET products. NO security product from any vendor can give 100% protection against zero-day ransomware or other types of virus/malware. Like I said before, common sense is your best defence. Stay clear of sites offering pirated software and music and the like, and always be skeptical of any attachments received in an email from anyone (including family).
You can always add custom rules to HIPS, but you could also render your system unusable by causing problems with Windows system files being denied access to the files they need in the process.

itman, posted October 12, 2016:
> adnage19: Is it possible to add custom rules in HIPS settings to improve ransomware protection? Or maybe Smart mode is enough? I'm asking because I've seen a YouTube video where a user was testing ESET 10 Beta on default settings and it didn't protect the OS from a zero-day ransomware sample.
Below is a .pdf link to an Eset tech paper produced by their Romanian distributor, I believe.
hxxp://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=6&ved=0ahUKEwjy4Of4t9DPAhUFWD4KHeQlBM8QFghdMAU&url=hxxp://www.nod32.com.hr/Portals/66/PDF/anti-ransomware-techbrief_en.pdf&usg=AFQjCNHN_-B-UcNEaldEAOXbtRNbA78xNg
The article was written for Eset Endpoint, but you can "glean enough" details to create corresponding rules for Smart Security HIPS and firewall. Basically, the rules are to block script and PowerShell execution or dialing out. I would also make the HIPS rules "ask" versus "block" so that you don't auto-block some necessary app or system process that uses cscript, wscript, or PowerShell. I personally have never received alerts from any of these processes.
Note that there is a separate rule for explorer.exe among the monitored processes. That is due to the way explorer.exe can be launched as a hidden process, e.g. RegCleaner, SpywareBlaster, etc. It is also possible that default HIPS rules like these have been created in ver. 10, since Eset states it now has script protection. Comment on this, Marcos?

ken1943, posted October 12, 2016:
I have not gotten anything since the famous XP install virus, but I got a ransomware a few months ago. Opened an email file that was similar to an email receipt I was waiting for. SS9 did not catch it when I opened the file. No security program is perfect. Glad I image my drive once a month.

adnage19, posted October 13, 2016:
> adnage19: Is it possible to add custom rules in HIPS settings to improve ransomware protection? Or maybe Smart mode is enough? I'm asking because I've seen a YouTube video where a user was testing ESET 10 Beta on default settings and it didn't protect the OS from a zero-day ransomware sample.
> itman: Below is a .pdf link to an Eset tech paper produced by their Romanian distributor, I believe. hxxp://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=6&ved=0ahUKEwjy4Of4t9DPAhUFWD4KHeQlBM8QFghdMAU&url=hxxp://www.nod32.com.hr/Portals/66/PDF/anti-ransomware-techbrief_en.pdf&usg=AFQjCNHN_-B-UcNEaldEAOXbtRNbA78xNg The article was written for Eset Endpoint, but you can "glean enough" details to create corresponding rules for Smart Security HIPS and firewall. Basically, the rules are to block script and PowerShell execution or dialing out. I would also make the HIPS rules "ask" versus "block" so that you don't auto-block some necessary app or system process that uses cscript, wscript, or PowerShell. I personally have never received alerts from any of these processes. Note that there is a separate rule for explorer.exe among the monitored processes. That is due to the way explorer.exe can be launched as a hidden process, e.g. RegCleaner, SpywareBlaster, etc. It is also possible that default HIPS rules like these have been created in ver. 10, since Eset states it now has script protection. Comment on this, Marcos?
Thank you very much, it seems to be very helpful!

adnage19, posted October 13, 2016 (edited October 13, 2016 by adnage19):
> ken1943: I have not gotten anything since the famous XP install virus, but I got a ransomware a few months ago. Opened an email file that was similar to an email receipt I was waiting for. SS9 did not catch it when I opened the file. No security program is perfect. Glad I image my drive once a month.
You're right, backup is the best protection. Also, you need to be strictly careful when opening email attachments. However, ESET can be tweaked to better protect from ransomware. This .pdf posted by @itman looks pretty nice. When the English ESET 10 is out, I will definitely set these rules. Also, a second good way is to enable learning mode for 2 weeks, use your PC as much as you can, and then set HIPS to interactive mode. Then every prompt by HIPS should be considered as a potential danger.

itman, posted October 13, 2016:
> adnage19: Also, a second good way is to enable learning mode for 2 weeks, use your PC as much as you can, and then set HIPS to interactive mode. Then every prompt by HIPS should be considered as a potential danger.
The best way to use HIPS interactive mode is right after an OS installation. In this state, you are assured that your PC is free of any malware. Remember that when running a HIPS in interactive mode, any activities by 0-day malware, for example, will be allowed. So it is essential that any potentially risky activities, including Internet ones, be restricted during the training period. Finally, there were initial duplicate rule creation issues with interactive mode when ver. 9 was released. Don't know if those were ever fully resolved.
