Wilders Security Forums  

#76
June 3rd, 2012, 11:09 AM
Sacles (Frequent Poster; Join Date: Dec 2004; Location: Belgique; Posts: 372)
Re: ESET version 5.2.9.1

Hello,

Restoring the default settings in the main window of HIPS does not work correctly (bug already reported).
__________________
ESET SMART SECURITY v.6

Last edited by Sacles : June 3rd, 2012 at 11:42 AM.
#77
June 3rd, 2012, 11:11 AM
Escalader (Massive Poster; Join Date: Dec 2005; Location: Land of the Mooses; Posts: 3,636)
Re: ESET version 5.2.9.1

Quote:
Originally Posted by Sacles
Hello,

Restoring the default settings in the main window of HIPS is not working properly.


Please clarify why you say HIPS is not working properly.
__________________
Escalader
i7 8 GB RAM Notebook, 1TB External Drive
Sandboxie, Nod32, OP FW Pro, KeyScrambler, MVPS HOSTS File
IE 9 Hardened Active X,SmartScreen,Tracking Protection
Paragon Backup and Imaging
#78
June 3rd, 2012, 11:17 AM
Ego_Dekker (Regular Poster; Join Date: Aug 2010; Location: Russia; Posts: 97)
Re: ESET version 5.2.9.1

1. Why doesn't ESET add signatures for these files: 0A1E7DC1BBA68DAFA35C1B00D43F4EE432CA17D8, A0A32CAC3227C23AEEC6A7B4BB57872B0EC6D703, C804C14979CF34066B664C0F00A327EAA97C3B3A, E7865BDA2EDB8D80DCDBDB1206B48CE7ADF03DC7?
2. Why does ESET sometimes change the “a variant of Win32/Kryptik” or “probably a variant of Win32/Agent” signatures to “Win32/Oficla” or “Win32/MBRlock”, but not always? That confuses your users.
3. You recommend using special ESET tools to clean malware. I wonder how to clean 1000 infected OSes with these tools when your AVs cannot clean malware?
__________________
ESET NOD32 ANTIVIRUS 6.0.316 (Eng), pre-release updates are enabled
#79
June 3rd, 2012, 11:42 AM
Sacles (Frequent Poster; Join Date: Dec 2004; Location: Belgique; Posts: 372)
Re: ESET version 5.2.9.1

Excuse me, it's in the window of the advanced parameters for the HIPS.

If you modify some parameters, the button "Default" does not work to restore the default advanced settings of HIPS.
__________________
ESET SMART SECURITY v.6

Last edited by Sacles : June 3rd, 2012 at 11:48 AM.
#80
June 3rd, 2012, 11:50 AM
toxinon12345 (Very Frequent Poster; Join Date: Sep 2010; Location: Managua, Nicaragua; Posts: 1,134)
Re: ESET version 5.2.9.1

"Probably a variant of"
"A variant of"
are heuristic detections of unknown threats.

Heuristic detections are submitted to ESET (they will add the signature immediately if necessary)
__________________
Pentium M| 512 RAM
ESET NOD32 Antivirus 5
ESET Smart Security 6 RC
#81
June 5th, 2012, 12:57 PM
Escalader (Massive Poster; Join Date: Dec 2005; Location: Land of the Mooses; Posts: 3,636)
My Status re: ESET version 5.2.9.1

Well I can report today that the normal ESET update notified me that a new version (5.2.9.1) was available.

I installed it after disabling OP FW Pro (avoid trouble was my thinking) and the install went okay.

It wanted a restart after the "upgrade" and I checked that HIPS was OFF before rebooting.

When the restart finished I see that no HIPS rules were generated this time and HIPS was disabled. The issue of self-defense seems to be clearer than before: UNLESS you tick HIPS on, self-defense remains greyed out.

The help page from Nod 32 relating to all this I include here for the thread.

I read this several times and then wondered if the whole product is now doing nothing, as the help seems to refer to the embedded self-defense as primal. Seems odd to use the same words to describe 2 types of self-defense. Probably a language issue.

The help also refers to the firewall rules as similar to HIPS rules, but I don't have the Nod32 FW so this help page seems to be for the suite.

The more I read it the more confused I am. Do I have a FW from Nod32 that I don't want?

Take a look in your "about" and look at the dates on the various components. Some date back to 2010, 2011.

Quote:
from ESET NOD32 ANTIVIRUS 5 help

Host-based Intrusion Prevention System (HIPS)

Host-based Intrusion Prevention System (HIPS) protects your system from malware and unwanted activity attempting to negatively affect your computer. HIPS utilizes advanced behavioral analysis coupled with the detection capabilities of network filtering to monitor running processes, files and registry keys, actively blocking and preventing any such attempts.

HIPS can be found in Advanced setup (F5) by clicking on Computer > HIPS. The HIPS state (enabled/disabled) is shown in the ESET NOD32 Antivirus main window, in the Setup pane, on the right side of the Computer section.

Warning: Changes to the HIPS settings should only be made by an experienced user.

ESET NOD32 Antivirus has a built-in Self-defense technology that prevents malicious software from corrupting or disabling your antivirus and antispyware protection, so you can be sure your system is protected at all times. Changes to the Enable HIPS and Enable Self-defense settings take effect after the Windows operating system is restarted. Disabling the entire HIPS system will also require a computer restart. Filtering can be performed in one of four modes:

Automatic mode with rules – Operations are enabled, except pre-defined rules that protect your system.

Interactive mode – User will be prompted to confirm operations.

Policy-based mode – Operations are blocked.

Learning mode – Operations are enabled and a rule is created after each operation. Rules created in this mode can be viewed in the Rule editor, but their priority is lower than the priority of rules created manually or rules created in the automatic mode. After selecting Learning mode, the Notify about learning mode expiration in X days option becomes active. After that time period is over, learning mode is disabled again. The maximum time period is 14 days. After this time period is over, a pop-up window will open in which you can edit the rules and select a different filtering mode.

The HIPS system monitors events inside the operating system and reacts accordingly based on rules similar to the rules used by the personal firewall. Click Configure rules... to open the HIPS rule management window, where the rules are stored and you can select, create, edit or delete them. More details on rule creation and HIPS operations can be found in the Edit rule chapter.

In the following example, we will demonstrate how to restrict unwanted behavior of applications:

1. Name the rule and select Block from the Action drop-down menu.

2. Open the Target applications tab. Leave the Source applications tab blank to apply your new rule to all applications attempting to perform any of the checked operations in the Operations list on applications in the Over these applications list.

3. Select Modify state of another application.

4. Add one or several applications you wish to protect.

5. Enable the Notify user option to display a user notification whenever the rule is applied.

6. Click OK to save the new rule.



A dialog window is shown every time if Ask is the default action. It allows the user to choose to Deny or Allow the operation. If the user does not choose an action in the given time, a new action is selected based on the rules.



The dialog window allows rule creation based on the action that triggered it and the conditions for this action. The exact parameters can be set after clicking on Show Options. Rules created like this are considered equal to the rules created manually, so the rule created from a dialog window can be less specific than the rule that triggered the dialog window. This means that, after creating such a rule, the same operation can trigger the same window.

The Temporarily remember this action for this process option causes the action (Allow / Deny) to be remembered for this process and will be used every time this operation triggers a dialog window. These settings are only temporary. After a change of rules or filtering mode, a HIPS module update or a system restart, they will be deleted.
__________________
Escalader
i7 8 GB RAM Notebook, 1TB External Drive
Sandboxie, Nod32, OP FW Pro, KeyScrambler, MVPS HOSTS File
IE 9 Hardened Active X,SmartScreen,Tracking Protection
Paragon Backup and Imaging
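The filtering modes, rule priority and "temporarily remember this action" behaviour described in the help text quoted above, as an added illustrative model that is not ESET's code and was not posted by anyone in this thread. The mode names, the rule fields, the "Modify state of another application" operation and egui.exe as a protected target come from the quoted help; the Rule/Event shapes, the matching logic and returning ASK for an unanswered interactive dialog are assumptions made for the model.

```python
from collections import namedtuple
from dataclasses import dataclass, field

ALLOW, DENY, ASK = "Allow", "Deny", "Ask"
# Priority as the help states it: learning-mode rules rank below manual/automatic ones.
ORIGIN_RANK = {"manual": 0, "automatic": 0, "learning": 1}
Event = namedtuple("Event", "source operation target")  # which process does what to which app

@dataclass
class Rule:
    name: str
    action: str                 # ALLOW or DENY
    operations: set             # e.g. {"Modify state of another application"}
    targets: set                # the "Over these applications" list
    sources: set = field(default_factory=set)  # empty = any source application
    origin: str = "manual"      # "manual", "automatic" or "learning"

class Hips:
    def __init__(self, mode, rules=()):
        self.mode = mode        # "automatic", "interactive", "policy" or "learning"
        self.rules = list(rules)
        self.remembered = {}    # (source, operation) -> action; temporary only

    def _matching_rule(self, ev):
        hits = [r for r in self.rules if ev.operation in r.operations and
                ev.target in r.targets and (not r.sources or ev.source in r.sources)]
        return min(hits, key=lambda r: ORIGIN_RANK[r.origin]) if hits else None

    def set_mode(self, mode):   # a filtering-mode change drops temporary decisions
        self.mode, self.remembered = mode, {}

    def add_rule(self, rule):   # so does any rule change
        self.rules.append(rule)
        self.remembered.clear()

    def decide(self, ev, user_answer=None, remember=False):  # -> ALLOW/DENY, or ASK if a dialog is needed
        rule = self._matching_rule(ev)
        if rule is not None:
            return rule.action  # a matching rule decides in every mode
        if self.mode == "automatic":
            return ALLOW        # enabled unless a pre-defined rule blocked it above
        if self.mode == "policy":
            return DENY         # operations are blocked
        if self.mode == "learning":  # allow, and record a low-priority rule
            self.rules.append(Rule("learned", ALLOW, {ev.operation}, {ev.target}, {ev.source}, "learning"))
            return ALLOW
        key = (ev.source, ev.operation)  # interactive mode from here on
        if key in self.remembered:
            return self.remembered[key]
        if user_answer is None:
            return ASK          # dialog shown; caller re-calls with Allow/Deny
        if remember:            # "Temporarily remember this action for this process"
            self.remembered[key] = user_answer
        return user_answer
```

The six-step rule from the help maps onto `Rule("Protect AV", DENY, {"Modify state of another application"}, {"egui.exe"})` with an empty source list, which then blocks that operation from any process in every mode.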
#82
June 5th, 2012, 07:12 PM
toxinon12345 (Very Frequent Poster; Join Date: Sep 2010; Location: Managua, Nicaragua; Posts: 1,134)
Re: ESET version 5.2.9.1

Self-defense is a set of predefined IPS rules for protecting ESET's processes, system services and files.

You could try to terminate egui.exe after checking the HIPS > Advanced setup > Log all blocked operations option, as an example of logging these rules.

As for the "Network filtering" mentioned in your quote, the only one I can see is the "Protocol scanning" used by the "Web access protection", but I can assure you Smart Security has more "Network Filtering" features; the ones of particular interest to me are the Firewall's IDS and Parental control.
__________________
Pentium M| 512 RAM
ESET NOD32 Antivirus 5
ESET Smart Security 6 RC

Last edited by toxinon12345 : June 5th, 2012 at 07:33 PM.
#83
June 6th, 2012, 04:04 PM
Escalader (Massive Poster; Join Date: Dec 2005; Location: Land of the Mooses; Posts: 3,636)
Re: ESET version 5.2.9.1

Quote:
Originally Posted by toxinon12345
Self-defense is a set of predefined IPS rules for protecting ESET's processes, system services and files.

You could try to terminate egui.exe after checking the HIPS > Advanced setup > Log all blocked operations option, as an example of logging these rules.

As for the "Network filtering" mentioned in your quote, the only one I can see is the "Protocol scanning" used by the "Web access protection", but I can assure you Smart Security has more "Network Filtering" features; the ones of particular interest to me are the Firewall's IDS and Parental control.

Thanks for your post.

Unfortunately I don't match your setup, as I only use the AV from Nod32. The HIPS I get from OP FW Pro.


I looked in the HIPS log (why do I even have one?) and it is empty.
__________________
Escalader
i7 8 GB RAM Notebook, 1TB External Drive
Sandboxie, Nod32, OP FW Pro, KeyScrambler, MVPS HOSTS File
IE 9 Hardened Active X,SmartScreen,Tracking Protection
Paragon Backup and Imaging
#84
June 6th, 2012, 04:15 PM
toxinon12345 (Very Frequent Poster; Join Date: Sep 2010; Location: Managua, Nicaragua; Posts: 1,134)
Re: ESET version 5.2.9.1

You could create a rule in Outpost protecting Nod32's processes, files and registry keys.
__________________
Pentium M| 512 RAM
ESET NOD32 Antivirus 5
ESET Smart Security 6 RC
#85
June 9th, 2012, 07:40 PM
Escalader (Massive Poster; Join Date: Dec 2005; Location: Land of the Mooses; Posts: 3,636)
Re: ESET version 5.2.9.1

Quote:
Originally Posted by toxinon12345
You could create a rule in Outpost protecting Nod32's processes, files and registry keys.


I could. I have always practiced exclusion where any security tool/product I have excludes all the others. OP is no exception.

But the news I have now is not about that.
After the ESET Nod32 AV 5.2.9.1 "upgrade" I have had 3 BSODs. Missing driver for the HIPS feature in Nod.

So disabling HIPS prior to the upgrade I thought must be the issue.
Sadly I felt that if something this fundamental was flawed in the vendor code it must not have been tested. If you want to run OP for FW and HIPS and use Nod32 you are in trouble. I must be the only guy on earth doing it.

So I removed Nod32 from my W7 64 bit setup.

Once a week or so I will run online scans and for now I'll just run behind the router, with OP FW pro and SUPERAntispyware 5.0.1150 with real time protection enabled.
__________________
Escalader
i7 8 GB RAM Notebook, 1TB External Drive
Sandboxie, Nod32, OP FW Pro, KeyScrambler, MVPS HOSTS File
IE 9 Hardened Active X,SmartScreen,Tracking Protection
Paragon Backup and Imaging
#86
June 10th, 2012, 09:16 AM
screenname (Infrequent Poster; Join Date: Apr 2007; Posts: 7)
Re: ESET version 5.2.9.1

Does 5.0.xx work on your machine?
I have 3 PCs; 5.2.9.1 works fine on 2 but has a problem on the third one. (Machine hung. Slow start up, no/slow internet access)
#87
June 10th, 2012, 09:38 AM
Escalader (Massive Poster; Join Date: Dec 2005; Location: Land of the Mooses; Posts: 3,636)
Re: ESET version 5.2.9.1

Quote:
Originally Posted by screenname
Does 5.0.xx work on your machine?
I have 3 PCs; 5.2.9.1 works fine on 2 but has a problem on the third one. (Machine hung. Slow start up, no/slow internet access)


Earlier versions all worked on my W7 64 bit machine.

With the introduction of 5.2.9.1 the partnership I had carefully built twixt OP FW Pro and Nod32 collapsed.

The goal at the time was OP did HIPS and FW work and Nod32 did web security and real time AV and ASW work.


What is happening is this (IMHO): those (like me) who want to build layers of defense and search and destroy are in a techie "war" with the suite builders. I'm losing.
__________________
Escalader
i7 8 GB RAM Notebook, 1TB External Drive
Sandboxie, Nod32, OP FW Pro, KeyScrambler, MVPS HOSTS File
IE 9 Hardened Active X,SmartScreen,Tracking Protection
Paragon Backup and Imaging
#88
June 11th, 2012, 12:59 PM
rcdailey (Frequent Poster; Join Date: Dec 2009; Posts: 233)
Re: ESET version 5.2.9.1

Disabling HIPS in NOD32 renders the program vulnerable because self-defense is disabled as well. With HIPS disabled, it is possible to completely disable the Eset service so that it will not load at boot. Without the kernel loaded, NOD32 is useless. Eset really needs to rethink this HIPS thing and how it affects the entire application, and especially the configuration options for HIPS and self-defense. At this point, I think that if you intend to use NOD32 (version 5.x and later), you just need to leave HIPS enabled. Otherwise, do not use NOD32. Find another solution.
#89
June 11th, 2012, 01:16 PM
toxinon12345 (Very Frequent Poster; Join Date: Sep 2010; Location: Managua, Nicaragua; Posts: 1,134)
Re: ESET version 5.2.9.1

Usually the average user won't change the HIPS settings.
__________________
Pentium M| 512 RAM
ESET NOD32 Antivirus 5
ESET Smart Security 6 RC
#90
June 11th, 2012, 02:15 PM
Escalader (Massive Poster; Join Date: Dec 2005; Location: Land of the Mooses; Posts: 3,636)
Re: ESET version 5.2.9.1

Quote:
Originally Posted by toxinon12345
Usually the average user won't change the HIPS settings.


Thanks Guys:

1) I plead guilty to not being an average user (but I don't need 2 HIPS programs)

2) I have found another solution; at the moment it doesn't include Nod32 V5.


The idea of layers is one prevents trouble from getting into your castle via gates, moats, walls etc. Call this my 2 way SFW and a router for a 1 way HFW. Sandboxie is a variation on this theme.

The next layer is your swat team; call it search and destroy for the uninvited bad guests who get past your walls etc. Don't tell me it is not possible, as we all know better. That was what I wanted Nod32 V5 AV (NOT THE SUITE) to do.


Your HIPS is sort of a bouncer where a guest with good credentials and an invite goes crazy at the party and BEHAVES badly so he has to be put in the sin bin.

If all this fails and the castle blows up, I have the material and plans to rebuild it; this is the image restore.

Enjoy the day!
__________________
Escalader
i7 8 GB RAM Notebook, 1TB External Drive
Sandboxie, Nod32, OP FW Pro, KeyScrambler, MVPS HOSTS File
IE 9 Hardened Active X,SmartScreen,Tracking Protection
Paragon Backup and Imaging
#91
June 17th, 2012, 08:12 PM
Escalader (Massive Poster; Join Date: Dec 2005; Location: Land of the Mooses; Posts: 3,636)
Re: ESET version 5.2.9.1

Well I just ran a week with no installed Nod32. I ran behind a router, using a 2 way SW FW and SAS with real time scanning installed.

During the week I visited all the usual (for me) sites and ran the same applications.

I just ran the online (free) scan from Nod32; it took 30 minutes and found zip in the way of threats.

So far so good.
__________________
Escalader
i7 8 GB RAM Notebook, 1TB External Drive
Sandboxie, Nod32, OP FW Pro, KeyScrambler, MVPS HOSTS File
IE 9 Hardened Active X,SmartScreen,Tracking Protection
Paragon Backup and Imaging