Wilders Security Forums  

  #1  
Old May 31st, 2012, 02:13 AM
rcdailey rcdailey is offline
Frequent Poster
 
Join Date: Dec 2009
Posts: 233
Default Self-defense in beta 6

I have checked and the HIPS setup in beta 6 appears to be the same as that in version 5.2.9.1. I tested with HIPS disabled (but self-defense still checked) and found that I could use the Task Manager to end egui.exe, though it would not remove ekrn.exe. I wonder if that is the way self-defense is intended to work? There is a difference in the way that beta 6 behaves when HIPS is disabled. Unlike version 5.2.9.1, beta 6 doesn't display a red icon and other flaky behavior, but simply indicates that HIPS is disabled. Also, if the egui.exe process is ended, the program can be restarted without issues. With version 5.2.9.1, the red icon and other complaints will follow when I attempt to restart the program after ending egui.exe.

The behavior in beta 6 seems to be a definite improvement, but I continue to wonder about the fact that egui.exe can be ended even when self-defense is still enabled.

I should add that I am running beta 6 on an old Dell 2350 with a Pentium 4 2GHz and 2GB of RAM. The OS is XP SP3 (Home Edition), fully patched. Other software is MalwareBytes (but real-time protection is disabled) and SuperAntiSpyware 5.0.1150 with live protection enabled. I already know about the conflict with MalwareBytes, having experienced it myself and reporting it previously, so that is why real-time protection is disabled. I have not experienced any conflict with SuperAntiSpyware. I also have Apache OpenOffice 3.4, but have the quick start of that suite disabled for other reasons not related to Eset NOD32. That OpenOffice quick start interferes with MacriumReflect backup (slows it down). MacriumReflect does not appear to conflict in any way with NOD32, though its service is loaded at startup.

I am now re-enabling HIPS and will restart.

Last edited by rcdailey : May 31st, 2012 at 02:23 AM.
  #2  
Old May 31st, 2012, 12:11 PM
toxinon12345 toxinon12345 is offline
Very Frequent Poster
 
Join Date: Sep 2010
Location: Managua, Nicaragua
Posts: 1,134
Default Re: Self-defense in beta 6

Because Self-Defense is a part of HIPS, you can't use it when disabled.

Maybe a checkbox alignment could make this easier to understand.
__________________
Pentium M| 512 RAM
ESET NOD32 Antivirus 5
ESET Smart Security 6 RC
  #3  
Old May 31st, 2012, 02:43 PM
Dark Shadow Dark Shadow is offline
Massive Poster
 
Join Date: Oct 2007
Location: USA
Posts: 4,550
Default Re: Self-defense in beta 6

I am using ESET AV 6 Beta on Windows 7 32-bit and cannot disable either one with HIPS unchecked and Self-Defense still in place.
__________________
OS X 10.8.3 - 2.9 GHz Intel core i7 - 8 GB 1600 MHz DDR3 - 750 SATA HD - Intel HD 4000 Graphics 512 MB.
  #4  
Old May 31st, 2012, 02:56 PM
Dark Shadow Dark Shadow is offline
Massive Poster
 
Join Date: Oct 2007
Location: USA
Posts: 4,550
Default Re: Self-defense in beta 6

OK, here is a bug I just found by playing with HIPS. Look at the screenshots; what's wrong with this picture? The Advanced tree doesn't match the setup UI.

Disregard the above; a reboot is required after disabling HIPS. Confirmed: the egui.exe can then be killed off.
__________________
OS X 10.8.3 - 2.9 GHz Intel core i7 - 8 GB 1600 MHz DDR3 - 750 SATA HD - Intel HD 4000 Graphics 512 MB.

Last edited by Dark Shadow : May 31st, 2012 at 03:15 PM.
  #5  
Old May 31st, 2012, 04:34 PM
rcdailey rcdailey is offline
Frequent Poster
 
Join Date: Dec 2009
Posts: 233
Default Re: Self-defense in beta 6

Quote:
Originally Posted by djohn
OK, here is a bug I just found by playing with HIPS. Look at the screenshots; what's wrong with this picture? The Advanced tree doesn't match the setup UI.

Disregard the above; a reboot is required after disabling HIPS. Confirmed: the egui.exe can then be killed off.


Yes, that is what I discovered to be true. However, it is a fact that beta 6 is much more graceful in that you can restart egui.exe by starting the program again. This is not really true in 5.2.9.1. Something got fixed. I sort of wish that the egui.exe could be protected when HIPS is disabled but self-defense is still enabled. Maybe that is something for the next update of the beta. For me, since I don't use another HIPS, it makes sense to leave both options enabled, but a beta test isn't complete unless you try the things that other people are complaining about.

I did try one other thing in beta 6. I activated Anti-Theft protection. I don't have a camera on this system and it isn't a laptop, either. The feature does capture screens remotely and will send e-mail notification. If your system doesn't report location (mine isn't doing that), then it won't show that. With the right hardware, this might work well. It's not all that useful for desktop systems since external cameras can usually be removed easily, and probably would be removed by a thief. Without an internet connection, nothing would be reported, so if the thief just stole the computer, pulled out the parts and sold those or reused them, it wouldn't help. If the hard drive were reformatted, it would not help. However, if the thief didn't know about the feature, and installed the drive in a system connected to the internet, maybe something would be reported. I don't think this would happen if the drive were secondary rather than primary, because system ID is in the registry of the boot drive.
  #6  
Old May 31st, 2012, 06:27 PM
toxinon12345 toxinon12345 is offline
Very Frequent Poster
 
Join Date: Sep 2010
Location: Managua, Nicaragua
Posts: 1,134
Default Re: Self-defense in beta 6

Quote:
Originally Posted by djohn
Disregard the above; a reboot is required after disabling HIPS. Confirmed: the egui.exe can then be killed off.

Confirmed, Self-Defense rules are unable to protect you because you disabled the whole HIPS system.
__________________
Pentium M| 512 RAM
ESET NOD32 Antivirus 5
ESET Smart Security 6 RC
  #7  
Old May 31st, 2012, 06:51 PM
Dark Shadow Dark Shadow is offline
Massive Poster
 
Join Date: Oct 2007
Location: USA
Posts: 4,550
Default Re: Self-defense in beta 6

Quote:
Originally Posted by toxinon12345
Confirmed, Self-Defense rules are unable to protect you because you disabled the whole HIPS system.

Yes sir, I realized it after I rebooted, which I forgot to do the first time to actually disable the HIPS.
__________________
OS X 10.8.3 - 2.9 GHz Intel core i7 - 8 GB 1600 MHz DDR3 - 750 SATA HD - Intel HD 4000 Graphics 512 MB.
  #8  
Old June 1st, 2012, 02:20 AM
rcdailey rcdailey is offline
Frequent Poster
 
Join Date: Dec 2009
Posts: 233
Default Re: Self-defense in beta 6

Quote:
Originally Posted by toxinon12345
Confirmed, Self-Defense rules are unable to protect you because you disabled the whole HIPS system.

The options in HIPS don't make any sense. If you are permitted to disable HIPS but leave self-defense enabled, what is the purpose of that? If you can enable HIPS but disable self-defense, what would be the purpose of that configuration?
Since the settings don't seem to do what is described next to the check boxes, then it might be better not to even allow configuration other than HIPS on or HIPS off, period. Self-defense should be assumed anyway, since an anti-virus that can't defend itself against malware isn't worth much.

I realize that there could be a difference between the self-defense in HIPS and a basic self-defense mechanism in NOD32. The fact that ekrn.exe can't be removed by the task manager if self-defense is enabled suggests that some part of the feature works, but to me it seems to be a confused setup.
  #9  
Old June 4th, 2012, 08:12 AM
toxinon12345 toxinon12345 is offline
Very Frequent Poster
 
Join Date: Sep 2010
Location: Managua, Nicaragua
Posts: 1,134
Default Re: Self-defense in beta 6

egui.exe is protected by Self-Defense; if you can kill that process, then it is disabled or the HIPS is disabled.
__________________
Pentium M| 512 RAM
ESET NOD32 Antivirus 5
ESET Smart Security 6 RC
  #10  
Old June 6th, 2012, 01:21 PM
rcdailey rcdailey is offline
Frequent Poster
 
Join Date: Dec 2009
Posts: 233
Default Re: Self-defense in beta 6

Quote:
Originally Posted by toxinon12345
egui.exe is protected by Self-Defense; if you can kill that process, then it is disabled or the HIPS is disabled.

Yes. Regarding 6.0 beta, I also discovered something about the logging that you mentioned in a post in the regular NOD32 forum. If logging is enabled to report attempts against NOD32 _with_ HIPS disabled but self-defense still enabled, the first attempt to remove egui.exe and ekrn.exe using Task Manager will be logged (so far as I can tell, it is removal of ekrn.exe that is reported as blocked). However, after egui.exe is removed, and then restarted by running NOD32 again, logging no longer takes place (note that in 6.0 beta, egui.exe appears to restart cleanly without rebooting the system). Task Manager still cannot remove ekrn.exe if self-defense remains enabled even though HIPS is disabled. Also, if HIPS is disabled, the advanced HIPS setting panel is blank. That probably does not matter since there would be no point in seeing the panel if HIPS is disabled.

I still think some of these settings should be better described in the panels or not even included if they do not work exactly as described.
  #11  
Old June 6th, 2012, 01:37 PM
toxinon12345 toxinon12345 is offline
Very Frequent Poster
 
Join Date: Sep 2010
Location: Managua, Nicaragua
Posts: 1,134
Default Re: Self-defense in beta 6

Another way to see if Self-defense is <operative+enabled> is by receiving a message from the OS telling you that access was denied when you tried to kill ekrn.exe or egui.exe.

If you don't see that message, your self-defense is non-operative.
__________________
Pentium M| 512 RAM
ESET NOD32 Antivirus 5
ESET Smart Security 6 RC
  #12  
Old June 7th, 2012, 08:23 AM
rcdailey rcdailey is offline
Frequent Poster
 
Join Date: Dec 2009
Posts: 233
Default Re: Self-defense in beta 6

Quote:
Originally Posted by toxinon12345
Another way to see if Self-defense is <operative+enabled> is by receiving a message from the OS telling you that access was denied when you tried to kill ekrn.exe or egui.exe.

If you don't see that message, your self-defense is non-operative.

Yes, when HIPS is disabled, there are no such messages. However, even when HIPS is disabled, but self-defense is still checked in the setup, Task Manager cannot remove the ekrn.exe process. There are no messages, but the process cannot be ended. Egui.exe, on the other hand, can be ended in that case. If neither HIPS nor self-defense is checked in the setup, then BOTH egui.exe and ekrn.exe can be ended, and no messages are displayed. So, if self-defense remains checked then something is interfering with the power of Task Manager to end the ekrn.exe process. In that case, self-defense is not working the way it is intended, but the ekrn.exe process remains active according to Task Manager.

I think this just needs to be fixed so that it operates in a logical way.
  #13  
Old June 7th, 2012, 10:44 AM
toxinon12345 toxinon12345 is offline
Very Frequent Poster
 
Join Date: Sep 2010
Location: Managua, Nicaragua
Posts: 1,134
Default Re: Self-defense in beta 6

The correct way to stop ekrn.exe is by using the Windows services console (services.msc).
__________________
Pentium M| 512 RAM
ESET NOD32 Antivirus 5
ESET Smart Security 6 RC
  #14  
Old June 8th, 2012, 12:16 PM
Marcos Marcos is online now
Eset Moderator
 
Join Date: Nov 2002
Posts: 14,186
Default Re: Self-defense in beta 6

Disabling HIPS will render the Self-defense box greyed out which means it's deactivated even if the box is ticked.
  #15  
Old June 9th, 2012, 01:20 AM
rcdailey rcdailey is offline
Frequent Poster
 
Join Date: Dec 2009
Posts: 233
Default Re: Self-defense in beta 6

Quote:
Originally Posted by Marcos
Disabling HIPS will render the Self-defense box greyed out which means it's deactivated even if the box is ticked.

Ah yes, that makes sense.

More and more, it seems that disabling HIPS is a bad idea.

Last edited by rcdailey : June 9th, 2012 at 01:53 AM.
  #16  
Old June 9th, 2012, 01:52 AM
rcdailey rcdailey is offline
Frequent Poster
 
Join Date: Dec 2009
Posts: 233
Default Re: Self-defense in beta 6

Quote:
Originally Posted by toxinon12345
The correct way to stop ekrn.exe is by using the Windows services console (services.msc).

Yes, I don't know why I did not try that before, since that is the way I stopped the MBAM service so that it would not conflict with Eset and cause a problem with USB drives.

If HIPS is disabled, then it is possible to disable the ESET service and if that service is disabled then ESET is disabled. Egui.exe will load at startup and the icon will display in the systray, but a right click will show the option to enable protection. Unfortunately, that doesn't work because the ESET service is disabled and won't start.

The bottom line is that if you don't want to make NOD32 vulnerable to attack, you don't disable HIPS. Those who have some other application that provides HIPS should think about disabling that application or the HIPS component.
  #17  
Old June 9th, 2012, 08:07 AM
lodore lodore is offline
Incredibly Massive Poster
 
Join Date: Jun 2006
Posts: 8,876
Default Re: Self-defense in beta 6

Surely if you want to use another HIPS you could disable the HIPS in ESET and use the other HIPS to protect ESET?
__________________
useful tools:cure it SAS Hitman Pro mbam KL Eset windows defender offline Sophos
  #18  
Old June 9th, 2012, 10:25 AM
toxinon12345 toxinon12345 is offline
Very Frequent Poster
 
Join Date: Sep 2010
Location: Managua, Nicaragua
Posts: 1,134
Default Re: Self-defense in beta 6

Assuming you know the items to protect and how to create a rule, then the answer is positive.
__________________
Pentium M| 512 RAM
ESET NOD32 Antivirus 5
ESET Smart Security 6 RC
  #19  
Old June 10th, 2012, 01:18 AM
rcdailey rcdailey is offline
Frequent Poster
 
Join Date: Dec 2009
Posts: 233
Default Re: Self-defense in beta 6

Quote:
Originally Posted by toxinon12345
Assuming you know the items to protect and how to create a rule, then the answer is positive.

Ah, but that's the rub, isn't it? Users who want to have some other application for HIPS probably won't want NOD32 because it will create a lot of extra work to protect NOD32 if HIPS is disabled in NOD32. Why bother? Just get a different AV that doesn't depend on HIPS to protect itself. I suppose that may become more difficult to find as time goes by and more vendors add HIPS to their offerings. My personal choice would be to use NOD32 with HIPS and not bother getting some other HIPS product.
  #20  
Old June 19th, 2012, 05:05 AM
Q Section Q Section is offline
Frequent Poster
 
Join Date: Feb 2003
Location: Headquarters - London & Field Offices - Worldwide
Posts: 679
Default Re: Self-defense in beta 6

Quote:
Originally Posted by rcdailey
... My personal choice would be to use NOD32 with HIPS and not bother getting some other HIPS product.

Well, all HIPS products are definitely not equal. Some may prefer the superior performance of NOD32 antivirus but prefer another HIPS product which they may have found to be significantly superior, hence wanting to use NOD32 plus a different HIPS product.
__________________
HMSS Q Section
Visualise World Righteousness
Semper Ad Fundum
Careers in the SECRET INTELLIGENCE SERVICE <--Click link for more information
 

All times are GMT -4.