Why not eset self protection protect these..?
ashishsingh1508
June 13th, 2011, 11:20 AM
Hi,
I can easily delete files in these folders, or even folders, by just pressing delete. I can even delete HIPS Rules. Why doesn't ESET self protection protect these files also?
"C:\Program Files\ESET\ESET NOD32 Antivirus\Drivers"
"C:\ProgramData\ESET\ESET NOD32 Antivirus"
In my opinion ESET should protect all files in the following folders
"C:\Program Files\ESET\ESET NOD32 Antivirus"
and
"C:\ProgramData\ESET\ESET NOD32 Antivirus"
I have to check registry entries for working of self protection.
I think that's why malware is able to disable ESET and remove it.
Regards
Ashish Singh *puppy*
toxinon12345
June 13th, 2011, 11:30 AM
Self defense is not active until the user reboots the system
ESS3
June 13th, 2011, 11:37 AM
HIPS rules cannot be removed :)
ashishsingh1508
June 13th, 2011, 09:29 PM
Well I can delete all these files
funkydude
June 13th, 2011, 09:34 PM
You can't delete anything in ProgramData without admin escalation. What exactly are you reporting?
ashishsingh1508
June 13th, 2011, 09:35 PM
I can even delete the installer contained in it
ashishsingh1508
June 13th, 2011, 09:37 PM
Look, I am using Outpost Firewall Pro 7.5 with NOD32. Whenever I try to delete any file from the Outpost folder it gives me an error that it can't be done because of self protection. Why doesn't ESET protect its files from deletion?
toxinon12345
June 13th, 2011, 09:50 PM
In my case I cannot delete those files because of self defense
ashishsingh1508
June 14th, 2011, 11:36 AM
Today with ESET RC version installed from scratch I tried deleting this file
C:\ProgramData\ESET\ESET NOD32 Antivirus\Installer
And I could easily delete it
Also I can delete the HIPS Rules .dat as well as the .xml file
Is it normal? Or are these files useless?
NOTE: I am using ESET Nod32 Antivirus 5 RC
toxinon12345
June 14th, 2011, 12:00 PM
I cannot reproduce that, eset denied me access to those files
BoerenkoolMetWorst
June 14th, 2011, 02:27 PM
-{ Quote: "Today with ESET RC version installed from scratch I tried deleting this file
C:\ProgramData\ESET\ESET NOD32 Antivirus\Installer
And I could easily delete it
Also I can delete the HIPS Rules .dat as well as the .xml file
Is it normal? Or are these files useless?
NOTE: I am using ESET Nod32 Antivirus 5 RC" }-
Have you restarted after installing the RC?
ashishsingh1508
June 14th, 2011, 10:33 PM
Yes of course. Most of the files are protected but not all...
Marcos
June 15th, 2011, 12:51 AM
-{ Quote: "Yes of course. Most of the files are protected but not all..." }-
Which aren't? Msi is merely the installer, it has no effect on security and deleting it won't make your computer vulnerable to malware attacks. As for the xml, I couldn't find any, be more specific please.
ashishsingh1508
June 15th, 2011, 08:31 AM
"Msi is merely the installer, it has no effect on security".
Why?? It is needed for repair of ESET.
OK, leave it. I can delete all the files (only outside the folders) in the following folder
"C:\ProgramData\ESET\ESET NOD32 Antivirus"
File names are
EpfwUser.dat
HipsRules.dat
HipsRules.xml
httpblk.dat
local (database file)
ashishsingh1508
June 15th, 2011, 08:34 AM
Also all files in this folder
"C:\ProgramData\ESET\ESET NOD32 Antivirus\Stats"
"C:\ProgramData\ESET\ESET NOD32 Antivirus\Charon"
"C:\ProgramData\ESET\ESET NOD32 Antivirus\Logs"
"C:\ProgramData\ESET\ESET NOD32 Antivirus\Stats"
AND MOST IMPORTANT
"C:\ProgramData\ESET\ESET NOD32 Antivirus\Updfiles"
Regards
Ashish
Marcos
June 15th, 2011, 09:15 AM
None of the above are critical files. They are merely statistics, logs or update files that are downloaded during every update so amending them has no effect on the program's functionality.
toxinon12345
June 15th, 2011, 12:23 PM
-{ Quote: "None of the above are critical files. They are merely statistics, logs or update files that are downloaded during every update so amending them has no effect on the program's functionality." }-
Hey Marcos, you are right, but it seems the critical files in the %programdata% folder are HipsRules.???. After deleting them and a restart, the manually created rules are no longer listed in HIPS Rules Management.
These files (HipsRules.*) seem to need Self-Defense protection.
mbmalone
June 15th, 2011, 12:27 PM
-{ Quote: "Hey Marcos, you are right, but it seems the critical files in the %programdata% folder are HipsRules.dat and HipsRules.xml. After a restart, the manually created rules are no longer listed in HIPS Rules Management.
These files (HipsRules.dat and HipsRules.xml) seem to need Self-Defense protection." }-
I have never seen any HipsRules.dat :gack:
yongsua
June 17th, 2011, 03:09 AM
-{ Quote: "I have never seen any HipsRules.dat :gack:" }-
Maybe you can try to change your HIPS to interactive or learning mode?
NodboN
June 17th, 2011, 06:08 AM
-{ Quote: "Maybe you can try to change your HIPS to interactive or learning mode?" }-
I'm on 'learning mode' and there's no HipsRules.dat - instead, there's a HipsRules.bin (can't spot the HipsRules.dat in the screenshot posted above, either.)