How to prevent automatic quarantine in Ess or Eess v5?

Discussion in 'ESET Smart Security' started by Gao Hongming, Apr 6, 2012.

Thread Status:
Not open for further replies.
  1. Gao Hongming
    Offline

    Gao Hongming Registered Member

    How to prevent automatic quarantine in Eset Smart Security v5?

    Ess or Eess shouldn’t automatically remove files into quarantine, especially when false positive conditions apply. This breaks the software without even an option to ask for permission. How to make Ess v5 quarantine ASK before automatically removing files? A popup window should ask for confirmation or ADD an exclusion first!
    Last edited by a moderator: Apr 6, 2012
  2. Cudni
    Offline

    Cudni Global Moderator

    When the false positive (assuming it is one and you are 100% sure) applies then it should be reported so that it is fixed and in the meantime restore from quarantine and exclude from scanning. Otherwise for more options see
    http://kb.eset.com/esetkb/index?page=content&id=SOLN2909
  3. Gao Hongming
    Offline

    Gao Hongming Registered Member

    What has "How do I enable all of the capabilities of the ESET Computer scan? (5.x) " to do with "How to prevent automatic quarantine in Eset Smart Security v5"?

    Note: Ess and Eess v5 both automatically quarantining files without user confirmation or permission! This lead to a condition that caused the need of reinstalling the software program (AutoCAD Civil Engineering 3D 2012) as it detected the application was damaged and began the auto repair process that couldn't recover until I disabled Eset and manually excluded the false positive. (sigh) ;-(

    If the Eset provided the OPTION to confirm before removing files or ADD as an exclusion then this wouldn't break applications, which Eset should avoid doing in the first place.

    Doctors take an oath, do NO HARM to their patients, but clearly the Eset policies regarding the quarantine just automatically assume GUILTY plea.

    I suspect the false positive was using the same digital hash as one of your digital signatures. Since your list isn't made public, everyone MUST submit their proprietary files to Eset in hopes it will be approved?

    So as to insure the AutoCAD files were original I ran a SHA1 hash on the original DVD disk containing the files and compared them to the files Eset removed to discover they had matched the same cryptographic signatures.

    Note:
    what hash is Eset using to check the digital signatures, as switching to another algorithm could resolve the issue, instead of having to force a new binary compilation. Just a thought...

    How about just allowing the OPTION when the quarantine detects a threat, the CHOICE to confirm or exclude, thus would be a better choice to give the end users and owners of their computers to decided.

    Why shouldn't a quarantine confirmation be given before removing files that damage programs?

    Would any skilled hacker just need to match one of your signatures with a vital operating system file/s thereby taking out millions of computers? What is prevent this from happening when it's clear false positives are occurring?
  4. Cudni
    Offline

    Cudni Global Moderator

    There is a reason why files are classified as good or bad. Most of the time AV is correct and when a good file is classified as bad then it needs to be checked and the classification corrected accordingly. AV doesn't know if something is false positive hence the name. AV is there to protect and err on side of caution. User deciding if something is bad or good file is not a good idea. Might as well not run an AV. Otherwise, the link I included earlier was meant for you to see if you can modify the behaviour when malware is detected.

    And yes any AV is prone to actually blocking vital file in error. They usually do it only once and never again after the bad publicity that generates. And that is nothing to do with some skilled hackers matching anything, just a simple human error.
  5. Gao Hongming
    Offline

    Gao Hongming Registered Member

    @Cudni (thanks for your reply) :shifty:

    You wrote, "AV doesn't know if something ises fal positive...". So basically Eset software cannot distinguish friend from foe!

    Since you wrote better to error on the side of caution, should Eset quarantine remove files without confirmation or exclusion? Assuming Eset must error, than to ASK the user?

    Just what is your logic?

    I want to add a third option here, that Eset should consider as a better method of resolving errors. Just the user the CHOICE, to CONFIRM before removing files, or ADD an exclusion and or SUBMIT the file/s for investigation.

    It would seem more logical to NOT exclude out the end user, as that assumes Eset knows what is best, when clearly you wrote above, Eset AV cannot determine a false positive, right?

    If your attempting to build a security program that excludes out the user, that would indicate a dumb down approach, where the program does the decisions instead.

    If you want to really improve security, then EDUCATE the users which then can improve security. Which is the wiser thing to do. What do you think about this approach?
  6. Cudni
    Offline

    Cudni Global Moderator

    How do you know or determine some file is good (and guarantee it with reasonable degree) and should not be classed as bad? False positive is simply a good file classed as bad. Otherwise, Eset is already prompting the user to submit file which are not classified neither good nor bad. So if you have a file that you believe is good and yet Eset blocked it then submit it and help AV learn. User participation would be and is indeed helpful.
  7. get_it
    Offline

    get_it Registered Member

    The majority of users machines that i spend alot of my free time cleaning are lagging behind in the latest windows updates, that is, when alerted they simply postpone/pause or cancel updates altogether.

    Similarly when alerted by their antimalware application, users dismiss the notifications and continue with their current task. Here ESET provides a fully autonomous solution, set and forget if you will where, the most appropriate/best course of action is taken independent of the users decision. Alerts are displayed when absolutely necessary where user interaction is required. Given ESET's reputation of generating very low false positives id say that i am personally confident in the resultant action so as to let the security suite decide.
    As a side note a potential false positive has a 50:50 (from a users point) chance of being malicious or good, in other words you have a 50:50 chance of being infected or not.
    Conversely the same quarantined potentially false positive file has 0 chance of infecting your system.
    Which of these odds would you rather play? Needless to say it is all about minimizing risk.
  8. mikiki
    Offline

    mikiki Registered Member

    That users dismiss warnings of quarantining files is a not the best of reasoning to why there shouldn't be an option to confirm quarantining a file. It most certainly shouldn't be a default option just an option. So how many users will go out of their way into advanced options, then change that option to include confirmation and then deliberately dismissing every quarantine as false positive? Such weak argument for making it harder for the rest of us.

    Worst of all is option to restore file from quarantine and put on exclusion list is always greyed out. What is the purpose of always greyed out option? User has to do extra step of going into advanced options and putting in such exclusion.
Thread Status:
Not open for further replies.