HIPS Automatic Mode

Hello i test the new version Final 5.
30 Links with HIPS in interactive mode.Results is zero.
Hips in automatic mode the results is...
http://i53.tinypic.com/2e54lj7.jpg

....Comodo in Automatic mode do better!

 

Hello, ESET states this feature is for preventing unauthorized changes in your system.
As far as I know you have not created rules for unauthorize such changes.

 

I now how the hips work!!!
Hips of Comodo in automatic mode work ,here do nothin.The hips need to be relooking.

 

I can assure that automatic heuristic detections can block a large quantity of malware out there even faster than on-execution technologies.

 

As stated here many times before, right now the HIPS wont do much in automatic mode, however that will change with module updates

 

I realy hope ...to much.

 

Automode is a confusing terminology in ESETs Hips. So be careful!!

Average users believe that automode means that ESET uses some information, predefined rules etc. to make auto decisons. Right as known from many other Hips solutions. But thats an illusion in ESETs case.

Reality (and also the helpfile states this clear): Automode in ESETs Hips allows all except manually defined deny rules. So the default setting (HIPS=automode and no default deny rules existing) means: no working HIPS, the same results as without HIPS, no additional protection.

To see it for yourself some testcases:
- enable logging of all deny actions and execute what you want. Except self-defense messages there will be nothing.
- or: disable realtime protection and enable HIPS only. Play with malware - all will pass.
- or: do some leaktests: CLT on Win7x86 with ESET HIPS in automode 150/340 (the same result which my Win7 reaches without any security software)

http://www.abload.de/image.php?img=cltesetautogkgw.jpg
__

Interactive Mode: 280/340 (other HIPSes are better)
http://www.abload.de/browseGallery.php?gal=rGptr9L2&img=cltesetinteraktiv.juey.jpg

Some real world malware testing (signatures off, to test HIPS only) besides the funny leaktests:
- HIPS is able to alarm about TDL4 (Direct disc access) and can protect
- actual ZeroAccess: no messages from ESETs HIPS - no change to protect from that

 

The statements above are not true. In automatic mode, a set of default rules (beyond the scope of configurable options) protecting crucial files is used. This set of rules will be updated further by module updates to provide even better protection against malware.

 

Ok - i can say nothing about invisible rules. I just posted my observations and facts that everybody can test for himself.

If your claims are true than some things make me wonder:
- Your helpfile says about auto-mode that all is allowed except deny rules. (Sorry atm i can only cite the german helpfile "Vorgänge werden ausgeführt, mit Ausnahme vorab definierter Regeln zum Schutz Ihres Systems"). So exactly what i said.
- And why all testet malware passes HIPS in automode (if AV is turned off of course)?
- Why none of CLTs leaktests is blocked in automode?

Everybody can easily retest for himself to see that I not postet lies as you claim.
So two possibilites:
- atm there are no rules in automode
- atm those invisible rules are very few and weak

The other things about TDL4 and ZeroAccess are true too. You can have MD5 of the zeroacces samples if you want - your signatures already know them.

 

In fact the HIPS of Comodo work pretty good in automatic mode.
Here in automatic mode allow all.
I now very well Comodo ,Outpost,Online Armor.
The Hips of Eset is the same kind like Malware Defender-"trouth hips).
Today all theres company try to do the hips more automatic for the masses.(Look Comodo)
If Logo of Droid is technology -here we are very far from the new technology of Hips.
I hope that Eset will do better job very soon.

.....p.s.Cloud-Powered Reputation the same think....very bad.Miss to much information for the programs.Be better if we make the reputation like Norton.

 

In what point?
Malware Defender Hips watches far more system activities than ESETS and is much more user friendly: you can define rule groups, have user defined presets etc. ...
So IMO you can't compare them.

 

COMODO Leaktests v.1.1.0.3

Interactive Mode:HIPS, Fiwewall

Windows Vista Ultimate SP2 64 bit

10. Injection: SetWinEventHook
11. Injection: SetWindowsHookEx
10, 11, this is a bug Leaktests?

 

Be careful