HIPS Automatic Mode

Discussion in 'ESET NOD32 Antivirus/Smart Security Beta' started by Coccinelle, Sep 13, 2011.

Thread Status:
Not open for further replies.
  1. Coccinelle

    Coccinelle Registered Member

    Hello, I tested the new version Final 5.
    30 links with HIPS in interactive mode. Results are zero.
    HIPS in automatic mode, the results are...
    http://i53.tinypic.com/2e54lj7.jpg

    ....Comodo in automatic mode does better!
  2. toxinon12345

    toxinon12345 Registered Member

    Hello, ESET states this feature is for preventing unauthorized changes in your system.
    As far as I know, you have not created rules to unauthorize such changes.
  3. Coccinelle

    Coccinelle Registered Member

    I know how the HIPS works!!!
    The HIPS of Comodo in automatic mode works; here it does nothing. The HIPS needs to be relooked at.
  4. toxinon12345

    toxinon12345 Registered Member

    I can assure you that automatic heuristic detections can block a large quantity of malware out there, even faster than on-execution technologies.
  5. rekun

    rekun Registered Member

    As stated here many times before, right now the HIPS won't do much in automatic mode; however, that will change with module updates.
  6. Coccinelle

    Coccinelle Registered Member

    I really hope... too much. :thumb:
  7. SLE

    SLE Registered Member

    Automode is a confusing terminology in ESET's HIPS. So be careful!!

    Average users believe that automode means that ESET uses some information, predefined rules etc. to make auto decisions. Right as known from many other HIPS solutions. But that's an illusion in ESET's case.

    Reality (and the help file also states this clearly): automode in ESET's HIPS allows all except manually defined deny rules. So the default setting (HIPS=automode and no default deny rules existing) means: no working HIPS, the same results as without HIPS, no additional protection.

    To see it for yourself, some test cases:
    - enable logging of all deny actions and execute what you want. Except for self-defense messages there will be nothing.
    - or: disable realtime protection and enable HIPS only. Play with malware - all will pass.
    - or: do some leaktests: CLT on Win7 x86 with ESET HIPS in automode 150/340 (the same result which my Win7 reaches without any security software)

    http://www.abload.de/image.php?img=cltesetautogkgw.jpg
    __

    Interactive Mode: 280/340 (other HIPSes are better)
    http://www.abload.de/browseGallery.php?gal=rGptr9L2&img=cltesetinteraktiv.juey.jpg

    Some real world malware testing (signatures off, to test HIPS only) besides the funny leaktests:
    - HIPS is able to alarm about TDL4 (direct disk access) and can protect
    - actual ZeroAccess: no messages from ESET's HIPS - no chance to protect from that
  8. Marcos

    Marcos Eset Staff Account

    The statements above are not true. In automatic mode, a set of default rules (beyond the scope of configurable options) protecting crucial files is used. This set of rules will be updated further by module updates to provide even better protection against malware.
  9. SLE

    SLE Registered Member

    OK, I can say nothing about invisible rules. I just posted my observations and facts that everybody can test for himself.

    If your claims are true, then some things make me wonder:
    - Your help file says about auto-mode that all is allowed except deny rules. (Sorry, atm I can only cite the German help file: "Operations are executed, with the exception of predefined rules to protect your system".) So exactly what I said.
    - And why does all tested malware pass HIPS in automode (if AV is turned off, of course)?
    - Why is none of CLT's leaktests blocked in automode?

    Everybody can easily retest for himself to see that I did not post lies as you claim.
    So two possibilities:
    - atm there are no rules in automode
    - atm those invisible rules are very few and weak

    The other things about TDL4 and ZeroAccess are true too. You can have the MD5s of the ZeroAccess samples if you want - your signatures already know them.
    Last edited: Sep 14, 2011
  10. Coccinelle

    Coccinelle Registered Member

    In fact the HIPS of Comodo works pretty well in automatic mode.
    Here in automatic mode it allows all.
    I know Comodo, Outpost, Online Armor very well.
    The HIPS of ESET is the same kind as Malware Defender ("true HIPS").
    Today all these companies try to make the HIPS more automatic for the masses (look at Comodo).
    If the logo of Droid is technology, here we are very far from the new technology of HIPS.
    I hope that ESET will do a better job very soon.

    .....p.s. Cloud-Powered Reputation, the same thing... very bad. Misses too much information for the programs. It would be better if we made the reputation like Norton.
    Last edited: Sep 14, 2011
  11. SLE

    SLE Registered Member

    In what point?
    Malware Defender HIPS watches far more system activities than ESET's and is much more user friendly: you can define rule groups, have user-defined presets etc. ...
    So IMO you can't compare them.
  12. ESS3

    ESS3 Registered Member

    COMODO Leaktests v.1.1.0.3

    Interactive Mode: HIPS, Firewall

    Windows Vista Ultimate SP2 64 bit

    10. Injection: SetWinEventHook
    11. Injection: SetWindowsHookEx
    10, 11, is this a bug in Leaktests? :)

    Last edited: Sep 15, 2011
  13. SLE

    SLE Registered Member

    Be careful ;)