V5 and Outpost
Escalader
July 19th, 2011, 05:25 PM
Is anybody here using Nod32 64 bit AV 5 AND Outpost Firewall Pro 7.5 (3720.574.1668) at the same time?
I'm doing this BUT back on Nod32 64 bit AV 4.2.71.2, latest update as of today.
My concern is potential conflict between the new features of AV5 and OP.
Like the HIPS functions.
Darkling
July 21st, 2011, 08:40 PM
-{ Quote: "Is anybody here using Nod32 64 bit AV 5 AND Outpost Firewall Pro 7.5 (3720.574.1668) at the same time?
I'm doing this BUT back on Nod32 64 bit AV 4.2.71.2, latest update as of today.
My concern is potential conflict between the new features of AV5 and OP.
Like the HIPS functions." }-
I use Outpost Firewall Pro Version: 7.5.1 (3791.596.1681) and Eset NOD32 x64 Version 5 without any problems. 8)
Escalader
July 22nd, 2011, 08:27 AM
-{ Quote: "I use Outpost Firewall Pro Version: 7.5.1 (3791.596.1681) and Eset NOD32 x64 Version 5 without any problems. 8)" }-
Did you install these products on top of themselves or re-install "clean"?
Did you have to turn OFF any features in OP or ESET? Which ones? Both have web control, and my OP has that one disabled in favour of ESET's web access control.
My other concern is conflicting HIPS features; in ESET it is called Real Time File System protection.
Lucius
July 22nd, 2011, 08:57 AM
-{ Quote: "Did you install these products on top of themselves or re-install "clean"?
Did you have to turn OFF any features in OP or ESET? Which ones? Both have web control, and my OP has that one disabled in favour of ESET's web access control.
My other concern is conflicting HIPS features; in ESET it is called Real Time File System protection." }-
I'm using nod32 v.5 and outpost latest and they play together very well.
Nod32 HIPS disabled, and did not install outpost web control and anti-spyware modules. Web control 'cause using ad muncher..
It's amazing combo! :P
toxinon12345
July 22nd, 2011, 09:18 AM
-{ Quote: "Did you install these products on top of themselves or re-install "clean"?
Did you have to turn OFF any features in OP or ESET? Which ones? Both have web control, and my OP has that one disabled in favour of ESET's web access control.
My other concern is conflicting HIPS features; in ESET it is called Real Time File System protection." }-
Hello, real-time file system protection is the on-access anti-malware scanner.
The HIPS feature is another independent module; it doesn't have blocking rules by default, just self-defense, so conflicts should not happen.
You should disable just the antivirus/antispyware scanners in Outpost.
Stem
July 24th, 2011, 12:14 AM
-{ Quote: "My other concern is conflicting HIPS features; in ESET it is called Real Time File System protection." }-
-{ Quote: "The HIPS feature is another independent module; it doesn't have blocking rules by default, just self-defense, so conflicts should not happen." }-
It would make no difference if rules are not in place for possible conflict, due to the low-level system (SSDT) hooks in place. If another HIPS also places the same hooks, then there can be problems. NOD AV places 19 system hooks. I have not checked yet for possible conflicts or reactions from NOD with any other installed HIPS.
- Stem
Escalader
July 24th, 2011, 11:27 AM
-{ Quote: "It would make no difference if rules are not in place for possible conflict, due to the low-level system (SSDT) hooks in place. If another HIPS also places the same hooks, then there can be problems. NOD AV places 19 system hooks. I have not checked yet for possible conflicts or reactions from NOD with any other installed HIPS.
- Stem" }-
Hello Stem:
How do users like me get a list of these Nod AV 19 hooks?
Avoiding a potential conflict is my goal in all this.
Escalader
July 24th, 2011, 11:35 AM
-{ Quote: "I thought I would have a look at the AV+HIPS. I do like the fact that the protection is not excessive, but does cover the main needed areas.
I did find the HIPS to be quite buggy when attempting to place custom rules from the popup. I was asked various times for one of my applications to be given read access to the same file. The popup informed me an access request was made, and in the popup I was informed that if I allowed the default rule, then write access would also be allowed. I did not want that. So I expanded the rules to only allow access, but to any file, but was asked again (and again) until I placed a default path. On checking the created rule(s) I found that the rules created were not just for access (as I had made in the popup) but also for write permission.
Looks interesting for a beta, but certainly needs more work.
edit: One curious fact. I was not informed about the loading of a Kernel driver, even though the "load driver" protection was enabled in the rules
- Stem" }-
Further to this, as it seems your initial findings are that ESET 5 is "buggy" on HIPS, I think I'll just turn that function off for now and just use the AV.
On the HIPS I will activate OP FW Pro's HIPS feature as it is more mature; not perfect, but hopefully it has had more testing.
Yes, I'm risk averse, I admit it. ;D
Stem
July 24th, 2011, 12:36 PM
Hi Escalader,
-{ Quote: "How do users like me get a list of these Nod AV 19 hooks?" }-
This is on Win XP Pro:
[attachment 228264]
For actual detection, then a need for an antirootkit program. I prefer not to recommend any, as they can cause problems themselves at times with driver conflicts, depending on OS and what is installed.
- Stem
Stem
July 24th, 2011, 12:44 PM
-{ Quote: "Further to this as it seems your initial findings that the ESET 5 is "buggy" on HIPS I think I'll just turn that function off for now and just use the AV." }-
I think like a number of these types of implementations, they expect the user to use default settings, or simply press allow or block based on popup. When any sort of customization is attempted, then problems start appearing.
I don't really have the time (or more so the inclination) to perform a lot of testing these days, but I will try and see if I can find time to check for conflicts between OP and NOD AV.
- Stem
toxinon12345
July 24th, 2011, 12:53 PM
-{ Quote: "due the low level system(SSDT) hooks in place. If another HIPS also places the same Hooks, then there can be problems." }-
... Some features are non-functional when the file-system filter is not started, such as removable media scans or file operations in HIPS.
Maybe they are using the same hooks for performance reasons.
Already noted that in the beta version; still in the RC.
Stem
July 24th, 2011, 01:01 PM
-{ Quote: "... Some features are non-functional when the file-system filter is not started, such as removable media scans or file operations in HIPS." }-
Although functions may not be enabled, the hooks are still there. It depends on if the hooks are monitored/protected in any way. I have seen in the past where HIPS will have self protection not only on its applications/folder etc, but also on its hooks. If you have 2 (separate) HIPS, both having similar self protection (of hooks) then conflicts do happen.
The main point (IMHO) would be when 2 HIPS are installed, and what Hooks are actually left in place (for which HIPS) and functional for the HIPS to actually make correct detections/interceptions.
- Stem
Stem
July 24th, 2011, 01:37 PM
-{ Quote: "Maybe they are using the same hooks for performance reasons." }-
[Sorry, I meant to make comment of that in my last post.]
The hooks made depend on what protection is being attempted. System hooks are low level redirects, where internal commands/calls are redirected and captured by the HIPS.
- Stem
Escalader
July 24th, 2011, 03:29 PM
-{ Quote: "I think like a number of these types of implementations, they expect the user to use default settings, or simply press allow or block based on popup. When any sort of customization is attempted, then problems start appearing.
I don't really have the time (or more so the inclination) to perform a lot of testing these days, but I will try and see if I can find time to check for conflicts between OP and NOD AV.
- Stem" }-
I fully understand Stem!
I can work on this matter IF you gave me some hints on user level testing ideas. But then again that may also take too much time.
One thing I found when I had OP's 4 "Proactive" functions turned off in favour of Nod32 V5 was that OP continued to log anti-leak items as allowed! I had purged out the 4 logs first and expected zero entries!
That is the sort of thing I could do. As to knowing why that happened well the vendor should explain that in my view.
Escalader
July 24th, 2011, 04:10 PM
Just discovered that, as far as my 3rd-party OP goes, I was one version out of date! :-[
Anyway, it seems that one of the changes deals with the issue of Proactive not being disabled, so that might explain why I had log entries when there should have been none.
Here is their change bulletin:
-{ Quote: "Outpost 7.5.1 Performance Edition
Outpost Security Suite Pro 7.5.1
Outpost Firewall Pro 7.5.1
Outpost Antivirus Pro 7.5.1
Supported OS: (x86) / 107 (x64) (x86)
Build number: 3791.596.1681
Release Date: July 14, 2011
The following issues have been fixed:
Update errors when using proxy with authorization
Possible crash upon scanning a file packed with UPX
Disabling Proactive protection in Outpost interface could not disable it in fact
Progress bar window was always on top during the procession of quarantine objects
Several frequent crashes
The following improvements have been made:
Multiple compatibility improvements with third-party products
Improvements in detection, curing, and quarantining archives
Download: All Versions
View: What's New" }-
Stem
July 24th, 2011, 05:20 PM
-{ Quote: "I can work on this matter IF you gave me some hints on user level testing ideas. But then again that may also take too much time. " }-
From a user point of view, without resorting to leak tests, a check of the basic protection offered, as a simple example, such as file access.
I did make an install of OP (latest version) and checked its hooks; I then (after restoring the HD image) installed NOD AV, then installed OP Pro.
On re-boot, I got a BSOD (no dumps created), not a good start, but a cold boot did work.
The hooks by NOD AV were still in place, but on a quick test, it appeared the protection was broken.
On my last install of NOD AV, I made some quick (simple) tests to check for file protection (access/write etc.), which (although, as I mentioned, a little buggy on my setup) did work. After the installation of both NOD AV and OP Pro, that protection did not work.
Here are the hooks from OP Pro:
[attachment 228268]
The hooks for NOD AV I posted earlier; these are the hooks with both NOD AV and OP Pro installed:
[attachment 228269]
From the initial look, it could be thought that the HIPS from NOD AV would still function, but OP Pro may be piggybacking off NOD AV's redirects and catching them instead of NOD. It would take some low-level monitoring to confirm what is actually happening.
It could well be another problem, as due to the BSOD I would really need to make another installation, as having a BSOD with no dumps or recovery log created does not help with actually finding the root cause of that problem.
- Stem
Escalader
July 25th, 2011, 04:32 PM
Stem:
Thanks for the separate thread on this great idea!
Allow me to make a couple of points here:
1) I'm on Windows 7 64 bit, you are on XP... does this matter?
2) The vendor (OP) wants the user to install the AV first so that when OP installs itself the install logic adapts and makes 3rd-party compatibility adjustments. The way you installed seemed different?
3) The configuration file for OP is machine.ini and one can alter that (I've done that to get ID block working when OP has Web Control disabled, as they "discovered" Nod32 on their install).
Stem, you know I have special abilities in asking dumb questions, as I'm too old now to worry about embarrassing myself. ;)
We have been talking about hooks.
What the h.ll are they? Logic? data? settings? :-\
Why do security sw's use them in the first place?:-[
I looked at your red lists and these hooks seem to be addresses before and after what? Sand box? What sand box I have not installed one knowingly.
Right now I have NOD32 V5 HIPS OFF and OP FW Pro's proactive protection ON. Or do your tests show that this is false? and I have NO HIPS at all? I'll go look at OP logs and see if there are any entries!
When you feel like it or have time post back! :thumb:
Stem
July 25th, 2011, 06:29 PM
Hi Escalader,
1. Yes, due to Kernel Patch Protection, but I have not taken much time to investigate yet.
2. I did install NOD before OP. The compatibility you mention is probably OP adjusting and redirecting the hooks made by 3rd party.
3. I did not have much time, so did not delve into the setups.
-{ Quote: "We have been talking about hooks.
What the h.ll are they? Logic? data? settings? :-\
Why do security sw's use them in the first place?" }-
A simplistic explanation:
Windows has a table (a service descriptor table) that contains addresses for various functions (such as creating a file or executing a program); when a call is made, an address is there for the needed subroutine(s) for the function to run. A hook is a way to change the address of the subroutine(s) that will be used when a function is called. So instead of (for example) a file being executed when the call is made, a HIPS that has hooked into that call will redirect the system to a subroutine created by the HIPS.
[The explanation could be better and probably more correct, but we would need to go into the core executive system services implemented in ntoskrnl.exe.]
-{ Quote: "I looked at your red lists and these hooks seem to be addresses before and after what? Sand box? What sand box I have not installed one knowingly. " }-
The "sandbox" is a driver, "sandbox.sys", that is used by OP.
The addresses: "Original address" could be described as the address of the original function/subroutine; the "current address" is where the call is being redirected to, which will be to a subroutine by the HIPS.
-{ Quote: "Right now I have NOD32 V5 HIPS OFF and OP FW Pro's proactive protection ON. Or do your tests show that this is false? and I have NO HIPS at all? I'll go look at OP logs and see if there are any entries!" }-
That appears (from my quick test) to be the correct way to use the combination.
- Stem
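Added editorial example (not Stem's code, nor ESET's or Agnitum's): a constructed toy dispatch table in C that models the mechanism Stem describes above, and the earlier points in this thread about two HIPS competing for the same hooks and one product "piggybacking" on the other's redirects. The table, the two pretend HIPS products ("HIPS-A", "HIPS-B"), the service names and the protected path are all hypothetical; this is not Windows' real SSDT. The `count_hooked_slots` check is the "original address" versus "current address" comparison an antirootkit-style tool performs, and the second scenario shows why a naive unhook by the first-installed product can silently drop the second product's protection, which is the kind of breakage a user cannot see from either product's settings dialog.

```c
#include <stdio.h>
#include <string.h>

/* Toy model of a kernel service table (constructed for illustration; not
 * Windows' real SSDT). Each slot holds the address jumped to for a service. */
typedef int (*service_fn)(const char *path, int want_write);
enum { SVC_CREATE_FILE, SVC_EXECUTE, SVC_COUNT };

int kernel_calls[SVC_COUNT];             /* how often the real kernel code ran */
service_fn service_table[SVC_COUNT];     /* live table: "current address" per slot */
service_fn original_table[SVC_COUNT];    /* clean copy: "original address" per slot */

/* The kernel's own subroutines; 0 = call completed by the kernel. */
static int svc_create_file(const char *p, int w) { (void)p; (void)w; kernel_calls[SVC_CREATE_FILE]++; return 0; }
static int svc_execute(const char *p, int w)     { (void)p; (void)w; kernel_calls[SVC_EXECUTE]++;     return 0; }

/* A hook: one HIPS owning one slot. saved_next is the address that was in the
 * slot before this HIPS installed, so the call can be passed along. */
struct hook { service_fn saved_next; int intercepted; };
struct hook hips_a_file, hips_a_exec, hips_b_file;

/* Hypothetical HIPS-A (installed first): denies writes under a protected folder. */
static int hips_a_on_create_file(const char *path, int want_write)
{
    hips_a_file.intercepted++;
    if (want_write && strstr(path, "\\protected\\") != NULL)
        return -1;                       /* -1 = blocked by the HIPS */
    return hips_a_file.saved_next(path, want_write);
}
static int hips_a_on_execute(const char *path, int want_write)
{ hips_a_exec.intercepted++; return hips_a_exec.saved_next(path, want_write); }

/* Hypothetical HIPS-B (installed second): only observes, then passes the call
 * to whatever it found in the slot, which here is A's redirect, not the kernel. */
static int hips_b_on_create_file(const char *path, int want_write)
{ hips_b_file.intercepted++; return hips_b_file.saved_next(path, want_write); }

static void install_hook(int svc, struct hook *h, service_fn fn)
{
    h->intercepted = 0;
    h->saved_next = service_table[svc];  /* remember whatever is there now */
    service_table[svc] = fn;             /* redirect the slot to the HIPS */
}
/* Naive unhook: write back the address saved at install time, regardless of
 * who may have hooked the slot since. */
static void remove_hook(int svc, struct hook *h) { service_table[svc] = h->saved_next; }

static void boot_clean_kernel(void)
{
    service_table[SVC_CREATE_FILE] = svc_create_file;
    service_table[SVC_EXECUTE] = svc_execute;
    memcpy(original_table, service_table, sizeof service_table);
    memset(kernel_calls, 0, sizeof kernel_calls);
}
/* A program's request goes wherever the slot currently points. */
static int system_call(int svc, const char *path, int w) { return service_table[svc](path, w); }

/* Antirootkit-style check: count slots whose current address differs from the
 * original one (the "original address" / "current address" columns). */
int count_hooked_slots(void)
{
    int n = 0;
    for (int i = 0; i < SVC_COUNT; i++)
        if (service_table[i] != original_table[i]) n++;
    return n;
}

/* Scenario 1: A then B installed. A protected write goes table -> B -> A and
 * is blocked by A; B is effectively piggybacking on A's redirect. */
int scenario_two_hips_chained(void)
{
    boot_clean_kernel();
    install_hook(SVC_CREATE_FILE, &hips_a_file, hips_a_on_create_file);
    install_hook(SVC_EXECUTE, &hips_a_exec, hips_a_on_execute);
    install_hook(SVC_CREATE_FILE, &hips_b_file, hips_b_on_create_file);
    return system_call(SVC_CREATE_FILE, "C:\\protected\\config.ini", 1);
}
/* Scenario 2: A is then disabled. Its restore drops B's redirect as well, so
 * the same write now reaches the kernel with nobody intercepting it. */
int scenario_first_hips_unhooked(void)
{
    scenario_two_hips_chained();
    remove_hook(SVC_CREATE_FILE, &hips_a_file);
    remove_hook(SVC_EXECUTE, &hips_a_exec);
    return system_call(SVC_CREATE_FILE, "C:\\protected\\config.ini", 1);
}

int main(void)
{
    int r1 = scenario_two_hips_chained();
    printf("A+B chained: result=%d hooked_slots=%d\n", r1, count_hooked_slots());
    int r2 = scenario_first_hips_unhooked();
    printf("A removed:   result=%d hooked_slots=%d B still thinks it is hooked\n", r2, count_hooked_slots());
    return 0;
}
```

The practical reading for this thread: a hook list that shows a slot's current address pointing at one vendor's driver says nothing about whether the other vendor's handler is still in the chain, and whether a vendor restores "what it saved" or "what is there now" on unhook decides whether the remaining product keeps working; that is why Stem's "quick test of basic file protection" after installing both is a better check than either product's own status page.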
SolidState
July 25th, 2011, 10:49 PM
Also worth noting is the order in which you install NOD32 and OP Pro. You need to install NOD32 FIRST so that the OP Pro installer sees NOD32 and doesn't install certain elements of OP. This includes more than just the malware protection but also HTTP content filtering etc. This seems to cause issues with NOD's "Web Access Protection". If you install OP Pro first then NOD32 you will have issues... I don't know much about v5 HIPS and any hooks it uses. Seems at this point it's best to disable Stem? Seems you installed NOD32 first as well... Is Eset aware of this? And thanks Stem for informing us regarding the HIPS/ OP Pro issue!!! I was just about to install the RC!!!
Escalader
July 27th, 2011, 05:41 PM
-{ Quote: "Also worth noting is the order in which you install NOD32 and OP Pro. You need to install NOD32 FIRST so that the OP Pro installer sees NOD32 and doesn't install certain elements of OP. This includes more than just the malware protection but also HTTP content filtering etc. This seems to cause issues with NOD's "Web Access Protection". If you install OP Pro first then NOD32 you will have issues... I don't know much about v5 HIPS and any hooks it uses. Seems at this point it's best to disable Stem? Seems you installed NOD32 first as well... Is Eset aware of this? And thanks Stem for informing us regarding the HIPS/ OP Pro issue!!! I was just about to install the RC!!!" }-
It is my hope :'( that both vendors will read these threads on the OP/Nod32 combo/partnership and make it easier for users like us to run them together.
But I fear I'm too optimistic on these things, based on past experience.
They see the other as competition where I see them as tools for me to exploit/maximize for my own gain.
Probably alone again on this one.
Motherroad
July 27th, 2011, 07:16 PM
I have been running this combination for a week on windows 7x64. I installed NOD first and then outpost. I set the HIPS to automatic with rules and everything was good. Not sure however if the automatic rules in NOD work as of yet. Yesterday I changed the rules in NOD HIPS to interactive and my system froze on a HIPS popup for ACS. Had to pull the plug. Not as experienced as others on this HIPS stuff but thought I would share anyway.
toxinon12345
July 27th, 2011, 08:42 PM
-{ Quote: "I changed the rules in NOD HIPS to interactive" }-
Have you disabled all features in Outpost (except the firewall) before using the NOD32 HIPS?
Motherroad
July 28th, 2011, 05:48 AM
No. I was thinking of trying with both in learning mode for a few days and see what happens.
stackz
July 28th, 2011, 06:07 AM
If you're happy with OP's HIPS, then there is nothing to be gained security wise by also using ESET's HIPS. The only thing you can possibly get is more lag on your system, conflicts, system freezes etc
Motherroad
July 28th, 2011, 06:47 AM
That is what I am finding out. Will disable the HIPS in NOD for now.
toxinon12345
July 28th, 2011, 08:18 AM
-{ Quote: "That is what I am finding out. Will disable the HIPS in NOD for now." }-
Not necessary, just restore HIPS to default settings.
Escalader
July 28th, 2011, 07:19 PM
-{ Quote: "Not necessary, just restore HIPS to default settings." }-
We are forgetting Stem's advice in the post following:
http://www.wilderssecurity.com/showpost.php?p=1909683&postcount=18
Nod32 OFF on HIPS, it is buggy; Outpost ON.
I'm following that.
BTW, when I had Nod32 on interactive and OP on Rules Wizard with OP's HIPS features OFF, I got a freeze and had to reboot.
Since following the advice in post 18, no more BSODs or freezes.
toxinon12345
July 29th, 2011, 02:03 PM
-{ Quote: "when I had Nod32 on interactive and OP on Rules wizard with OP's HIPS features OFF I got a freeze and had to reboot." }-
Disable the real-time anti-malware protection, the anti-leak control, the component control, the system guard and other components such as file/registry access control before switching NOD32 HIPS to interactive mode.
Even better if you can prevent the respective Outpost drivers from loading, as they can conflict with NOD drivers and cause you performance problems.
Stem
July 29th, 2011, 04:25 PM
-{ Quote: "Nod32 OFF on HIPS, it is buggy;" }-
That is actually an understatement.
I have been re-checking with just NOD AV installed.
If this was an alpha, or an early beta, then I would make some bug reports. But as it is classed as an RC, then it is a joke, and not worth the effort.
- Stem
Escalader
July 29th, 2011, 07:20 PM
-{ Quote: "That is actually an understatement.
I have been re-checking with just NOD AV installed.
If this was an alpha, or an early beta, then I would make some bug reports. But as it is classed as an RC, then it is a joke, and not worth the effort.
- Stem" }-
I hope that since NOD is here as a support forum they will ask you for the bug reports and improve their product.
This practice of vendors (not just ESET) rushing products out before they are ready is a BIG issue in our business; it really does need to be dealt with.
ashishsingh1508
August 11th, 2011, 11:51 AM
I am using NOD32 ver 5 RC with Outpost 7.5.1(with Web Control and without antispyware) and both are running like butter...:-)
ashishsingh1508
August 11th, 2011, 11:53 AM
I first did a clean install of outpost with web control and left anti-spyware, and then installed nod32.
I have excluded the outpost folder from nod32 real-time scanning and it's running great.
Escalader
August 12th, 2011, 07:13 PM
-{ Quote: "I first did a clean install of outpost with web control and left anti-spyware, and then installed nod32.
I have excluded the outpost folder from nod32 real-time scanning and it's running great." }-
All I can offer you is:
1) Nod is supposed to install first so OP can "adjust" so as to avoid compatibility issues. You have forgone any benefits that may provide.
2) The support forum for OP is NOT here at Wilders but at
http://www.outpostfirewall.com/forum/forum.php
3) I'm glad you are excluding these products from each other and running smooth.
gibradford
September 1st, 2011, 08:30 AM
What's the bottom line on this? Nod32 HIPS off, Outpost ON? Or is it perfectly alright to have both HIPS features enabled?
Escalader
September 1st, 2011, 01:29 PM
-{ Quote: "What's the bottom line on this? Nod32 HIPS off, Outpost ON? Or is it perfectly alright to have both HIPS features enabled?" }-
Please see the post below for the bottom line.
http://www.wilderssecurity.com/showpost.php?p=1911338&postcount=27
siberianwolf
September 17th, 2011, 08:56 AM
Interesting thread. Any news on this?
Syobon
September 17th, 2011, 12:10 PM
One security suite is already too much, you are draining your system performance...
siberianwolf
September 17th, 2011, 12:24 PM
-{ Quote: "One security suite is already too much, you are draining your system performance..." }-
The OP, Escalader that is, is a computer-savvy buddy, so I don't think he'd have a setup that'd drain and drown his system performance.
Besides, it ain't a security suite but a standalone AV sw & a standalone FW sw they're talking about here. Moreover, he's talking about possible conflicts that might be caused by having the HIPS component of that AV sw enabled, so he's asking other folks' opinions on whether to disable that component, and the installation order that'd help getting over w/ conflict issues.
Cheers
Copyright ©2002 - 2013, Wilders Security Forums