ESET Smart Security & ESET NOD32 Antivirus 9 Beta Available

Discussion in 'other anti-virus software' started by SweX, May 28, 2015.

Thread Status:
Not open for further replies.
  1. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    @NSG001 You are most welcome my friend :thumb:
     
  2. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
  3. AndyTHL

    AndyTHL Registered Member

    Joined:
    May 22, 2009
    Posts:
    12
    Eset has updated now its Beta Version today to 117 :)
    Now is loading default values, in settings working.


    Version 9.0.117.0 is now out there
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I also bet it doesn't warn on invalid certs.; expired, improperly signed, etc.. SS 8 doesn't. Also pay close attention to how they are pinning certs. by creating an exception. Then examine what is stored and you will observe that only the intermediate CA cert is stored versus the root CA; at least it is that way in SS ver. 8.

    Given their response to all the complaints about these SSL issues to date, I doubt they will change anything on this topic for ver. 9. Appears they are moving in the opposite direction by forcing SSL protocol scanning by default in ver. 9. And as far as I am concerned, the "banking mode" is a marketing gimmick to compete with BitDefender, Avast, and Kaspersky. And I anticipate Eset's feature will have all the problems that have plagued Bitdefender (integrated) Safe Pay and Kaspersky's Safe Money.

    Only thing Eset appears to have relented on is scanning sites with EV certs..

    I and others have already suggested to Eset to provide a simple way to temporarily turn off SSL protocol scanning on demand; task bar icon option, browser plug-in option etc.. One poster in the Eset forum had the right approach to this; scan the HTTPS traffic after the browser has unencrypted it. That will never happen since presently Eset does the unencrypting at the network level; the easiest and least costly way to implement.
     
  5. Arsenal

    Arsenal Registered Member

    Joined:
    Sep 23, 2007
    Posts:
    26
    I'm running Eset AV 9 Beta 9.0.117.0 and while it may not be as informative as I'd like, it is definitely warning me when I go to revoked.grc.com. Not sure if this is new as of the 117 build though?
     

  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Might still be an issue with SS 9. I believe that is what BoerenkoolMetWorst used for testing?
     
  7. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    I installed and updated it yesterday, but it was still the old build. It auto-updated to 117 today, but still no warning. Tried with both IE11 and FF38.0.5, not Chrome though.
    EDIT: No warning with Chrome either (v43 build .124)
    Do you have any handy test links for that?

    Yes, that would be way better than MitMing encrypted traffic.
     
    Last edited: Jun 12, 2015
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Try this one: https://testssl-expire.disig.sk/index.en.html . Works for me using IE10.

    -EDIT- I should also add that the instance I found was subtle. As I explained in the 'Kaspersky Makes You Vulnerable To A Freak Attack' thread and the Eset SS 8 forum, the web page had multiple HTTPS link refs.. One of those had an expired cert.. IE handles that instance with a display message stating "some content has been blocked due to cert. errors" on the initial web page display. This is the instance that "zipped" right by SS 8 SSL protocol scanning. Testing this specific instance would be difficult. You would need to find a web page that has a ref. to an expired cert.. Voilà! Found a web page link test site. All I had to do is modify it to point to another test web site that has an expired cert.. PM me with your e-mail address and I will send it to you as a zip file. Just unzip and open IE. Then open the .html file in IE and click on the link shown on the web page. Note that even this test does not accurately duplicate the instance Eset SS 8 missed since the site with the expired cert. was auto linked to using code as follows:

    {"TITLE":"iucookie"},"transport":"xhr":"/_td_api"},"context":"bucket":"900","device":"desktop","lang":"en-US","region":"US","site":"fp"}};
    window.Af = window.Af || {};
    window.Af.config = window.Af.config || {};
    window.Af.config.spaceid = "1197744451";
    window.Af.context= {
    crumb : 'bwif9Jhdhnv',
    guid : '',
    mcCrumb: 'W.OssiqlfoL',
    ucsCrumb: 'rXk5WMjg/5o',
    device: 'desktop',
    rid : '2r3j1d1anom49',
    default_page : 'p1',
    _p : 'p1',
    site : 'fp',
    lang : 'en-US',
    region : 'US',
    authed: 0,
    enable_dd : '',
    default_appletinit : 'viewport',
    locdrop_crumb: 'ci4xL1ZzV2NzUi4-', woeid: '12776656',
    ssl: 1,

    bucket: '900'


    };
    window.Af.config.transport = {
    crumbForGET: true,
    xhr: '/fpjs',
    consolidate: true,
    timeout: 6000
    };
    window.Af.config.onepush = {
    subscribeTimeout : 5000,
    subscribeMaxTries : 1,
    trackInitComet : true,
    trackLatency : true,
    latencySampleSize : 50,
    publicCometHost: 'https://comet.yahoo.com/comet',
    shutdown: false,
    trackShutdown: false
    };

    Also in IE11, make sure you have publisher and server certificate revocation checking enabled in advanced settings. SS 8 SSL protocol scanning might be interacting with those settings?
     
    Last edited: Jun 13, 2015
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    All they have to do is sandbox the browser and scan the .html code there. Would also prevent 0-day threats at the same time. Of course, sandboxing could break other apps like EMET.
     
  10. jadinolf

    jadinolf Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    1,047
    Location:
    Southern California
    For once I am not running the beta but I am dying to take a look at it when it's released.

    Fingers crossed.
     
  11. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK

    thanks man.

    Does seem eset are not handling ssl with care, revocation, ciphers both now very important things, too many ciphers in that list. OCSP stapling also important, I am also curious if they have any CRL support which I don't know a way to test.
     
  12. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    yep that was me who said to scan after decrypted. SSL is a fast moving target security wise, my view is if eset are not prepared to keep up they shouldn't be intercepting ssl traffic.
     
  13. sportsfan7700

    sportsfan7700 Registered Member

    Joined:
    Jun 2, 2010
    Posts:
    499
    Location:
    Fort Worth, Texas USA "Where the West Begins"
    I'm running version 8 in a trial. Memory usage right about 100 MB. Has version 9 used about that much and how long is the license good for with the trial?
     
  14. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hello sportsfan7700,

    On my system (Windows 8.1 Pro 64 bit fully updated/patched), I see on average about 110 MB for the service and 15 MB for the GUI.
    The version 9 beta licences are set to expire on November 30, 2015.
    HTH...
     
  15. sportsfan7700

    sportsfan7700 Registered Member

    Joined:
    Jun 2, 2010
    Posts:
    499
    Location:
    Fort Worth, Texas USA "Where the West Begins"
    Hi Kent,
    I wonder if it's a good idea then to run the beta until I can grab a license for NOD 32
     
  16. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hello sportsfan7700,

    I personally always beta test the ESET products. Most of their betas tend to run as good as others' released software. The version 9 betas so far have seemed to be a little bit buggier than their previous betas, but nothing major. You can check out the progress over on the ESET forums. Some have reported it seems a little heavier on their systems but I have not noticed any slowdowns at all, it even seems a bit lighter on my system than version 8. The only issue I have had is a few SSL errors occasionally while browsing, nothing major as it happens rarely and a page refresh always works. There has already been an upgrade from 9.0.111.0 to 9.0.117.0 which was automatic and went flawlessly here. The individual modules are being updated quite often which also is making the beta better so improvements are coming at a good rate. I am currently running it with no regrets and plan to continue, so obviously I would recommend it but that decision is up to you. If you do decide to give it a run, you must do a clean install as during the beta, installation over the top is not recommended. I would uninstall version 8 first followed by a reboot and then boot into safe mode and use the ESET uninstall tool to fully remove version 8. You should then be good to boot back into normal Windows and install version 9. If you do decide to give the beta a run, let us know how it goes...
     
    Last edited: Jun 17, 2015
  17. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    The memory usage is perfectly fine for your V8 install...Personally, I experience a memory leak with V9 (on XP at least that I beta test on) ekrn.exe used 740mb at one point. Since I beta test on XP, it doesn't mean you would experience the leak if you use Win 7 or later, it might be OS, or even system specific, impossible to say. But it's a stable build, it doesn't crash or anything like that, just a few minor issues that I have experienced thus far. So either you can wait a little bit longer, or jump on it right away.

    And good post by Puffy above :)
     
  18. sportsfan7700

    sportsfan7700 Registered Member

    Joined:
    Jun 2, 2010
    Posts:
    499
    Location:
    Fort Worth, Texas USA "Where the West Begins"
    I think I will give the beta a run. I've been using since version 5 and just recently registered. I'll report anything I see out of the ordinary, and this will allow me to look for deals on a license as well.
     
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Came across a link to SS 9 help file that I thought people that don't install the beta might like to review to see what's new: http://help.eset.com/ess/9/en-US/index.html?I

    A couple of clarifications from the help.

    Bypass EV cert. scanning is not automatic; it needs to be manually selected.

    Eset also added a "Known Certificate" category to SSL protocol scanning with options to turn off unencrypting. This appears to be where you will be able to add certs. for web sites you wish to exclude. Good move since I never could get the SS 8 "excluded domain name" option to bypass HTTPS web sites. On the other hand, doing it this way will be a pain for anyone using a major bank web site. Mine has over 15 linked SSL certs. it uses; each would have to be added manually. I recommended to Eset a friendlier user approach; to add an on/off option for SSL protocol scanning to the desktop icon similar to that which currently exists for "Gamer Mode."

    I don't even want to think about all the problems that "armored" banking browser mode is going to cause. Have no intention of using that.
     
  20. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    Just booted my ESET VM today and updated it, now it warns about revoked certificates, tested with expired as well, that works too. Both warnings talk about an untrusted certificate, no other details though.

    Thanks :)

    Yes, both were enabled.
     
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Also please try this.

    Switch SSL protocol scanning to "Interactive" mode and exclude a cert. from scanning. Then open up the exclusions and view what is stored. In SS 8, all that is stored is the excluded cert. and the intermediate cert. it is pinned to. This has led me to strongly assume that Eset is validating the cert. pinning chain by only using the intermediate cert.. Not good .........
    Additionally, I had at least one instance of Eset SS 8 pinning the wrong intermediate cert. in my testing. Retesting resulted in the correct intermediate cert. being pinned in the exclusion. Again, not good ...............
     
  22. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    582
    Location:
    South Carolina, USA
    i wanted to try ESET's nod32 av-program, then i saw this thread and wanted to try the beta-version, instead.. however, when i tried to install it, just now, all i got was an error-message: ESETInstall1.jpg
    --------------------------

    update: the regular version of NOD32, build 8.x, installed without any problems..
     
    Last edited: Jun 18, 2015
  23. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    I added it from the URL, it only shows the intermediate cert:
    Untitled.png

    IMO, even if SSL Scanning is implemented properly, there are just too many edge cases, like here when the domain name is checked, but not the alternative domain name:
    https://blog.filippo.io/komodia-superfish-ssl-validation-is-broken/
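
The edge case named in the post above (the domain name is checked, but not the alternative domain name), together with the expired-certificate test discussed earlier in the thread, as an added example that is not part of the original thread and is not ESET's or Komodia's code. The certificate dicts, hostnames, timestamp and function names are constructed for illustration; the dicts follow the shape Python's `ssl.SSLSocket.getpeercert()` returns.

```python
import ssl
import time

# Constructed sample certificates (not real ones), getpeercert()-style dicts.
NOW = 1434585600  # constructed "current time": 18 Jun 2015 00:00 UTC
CN_ONLY_MATCH = {"subject": ((("commonName", "shop.example"),),),
                 "subjectAltName": (("DNS", "login.other.example"),),
                 "notAfter": "Jan  1 00:00:00 2016 GMT"}
SAN_ONLY_MATCH = {"subject": ((("commonName", "placeholder.invalid"),),),
                  "subjectAltName": (("DNS", "*.shop.example"),),
                  "notAfter": "Jan  1 00:00:00 2016 GMT"}
EXPIRED = {"subject": ((("commonName", "shop.example"),),),
           "subjectAltName": (("DNS", "shop.example"),),
           "notAfter": "Jan  1 00:00:00 2015 GMT"}

def dns_match(pattern, host):
    """Label-wise, case-insensitive match; '*' only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def common_names(cert):
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def cn_only_check(cert, host):
    """Incomplete check: reads the subject CN and never the alternative names."""
    return any(dns_match(cn, host) for cn in common_names(cert))

def san_check(cert, host):
    """dNSName alternative names decide; CN is used only when the cert has none."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return any(dns_match(n, host) for n in (sans or common_names(cert)))

def problems(cert, host, now=None):
    """What a validator should report before the connection is trusted."""
    now = time.time() if now is None else now
    found = []
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        found.append("expired")
    if not san_check(cert, host):
        found.append("hostname mismatch")
    return found

if __name__ == "__main__":
    for name, cert, host in (("CN_ONLY_MATCH", CN_ONLY_MATCH, "shop.example"),
                             ("SAN_ONLY_MATCH", SAN_ONLY_MATCH, "www.shop.example"),
                             ("EXPIRED", EXPIRED, "shop.example")):
        print(name, cn_only_check(cert, host), problems(cert, host, NOW))
```

The first two samples are the cases where a CN-only validator and a SAN-aware validator disagree, which is why a product that re-validates upstream certificates on the browser's behalf has to implement both name sources and the expiry check itself.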
     
  24. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    Here is ESET's root certificate from Firefox's cert manager, would be interesting to see if others got the same or they at least use unique certs.
    Untitled.png
     
  25. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    As I am sure you are aware of but other readers may not be, an example of why you can't trust intermediate CAs - the TurkTrust fiasco: https://nakedsecurity.sophos.com/20...e-fiasco-what-happened-and-what-happens-next/
     