Eset NOD32 Antivirus and Eset Smart Security version 9

Discussion in 'other anti-virus software' started by Blackcat, Oct 26, 2015.

  1. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,611
    Location:
    Outer space
    Yes, it's a PC with more casual security, as it is also used by 'noobs'.

    From their description it sounds more like it has some EMET like features and/or it has a higher sensitivity for blocking processes launched by frequently exploited processes, such as the browser and PDF reader. If that is the case it shouldn't matter wheter SSL scanning is on or not if it is a HTTPS website.
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
    I did some testing with IE x64 and Surfright's x64 exploit test tool that yielded some interesting results.

    If I ran the tests w/o IE open, Eset's exploit protection failed almost all the tests. Pondering that and observing what was going on with Process Explorer, I saw that IE was launched by the test tool and ran under it as a subprocess. I then realized that what was happening was the test tool IE launched instance had not actually established network connectivity before the individual exploit test had completed. Each test ran almost instaneously.

    So I opened IE and then ran each test again. In this case, the IE instance the test tool launched ran under the main IE process. Eset blocked every test payload.

    What this showed me was all the exploit protection in Eset is located in Eset's network filter. This filter also decrypts SSL traffic when SSL protocol scanning is enabled. So if SSL protocol scanning is disabled, none of the encrypted traffic is being monitored by Eset's exploit protection. This testing also verified to me that exploit scanning protection is actually part of Eset's behavior blocker which also operates at the network level using Eset's network filter driver. The behavior blocker does do sandboxing and monitors for malware like activity.

    -EDIT-

    I know Eset states that exploit protection is part of the HIPS since located in that section are the on/off setting for each feature. Note that the real-time AV scan engine interfaces with the behavior blocker. All Eset did was use the same type of interface to the behavior blocker for the HIPS; most likely with hard coded rules to monitor for non-process modification activity; setting of global hook, event interception, execution of the exploit stager and payload, and the like.

    I think where the confusion is pertaining to HTTPS scanning is with SSL protocol filter set to off, port 443 traffic is being scanned for malware activities but only for non-encrypted traffic.

    Finally if you carefully read the user manual, memory scanning is only done "post execution." This is a clear reference to HIPS process modification processing. The same is accomplished by defining a HIPS rule for your browser as target to prevent any source process from performing process modification. In this instance, it does not matter if the threat actor is an encrypted malicious script.
     
    Last edited: Nov 2, 2015
  3. jjc225

    jjc225 Registered Member

    Joined:
    Nov 25, 2010
    Posts:
    275
    I had ESET version 9 on one of my computers for awhile and then had to remove it for some testing. It was uninstalled completely with the ESET uninstaller, but now that I am trying to reinstall it I am getting an error message saying the program is already installed on the computer. What to do now?
     
  4. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    123,636
    Location:
    Texas
  5. jadinolf

    jadinolf Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    1,047
    Location:
    Southern California
    Don't know but when I uninstalled Version 9 from my four Win 7 computers and went back to Version 8, it was one of the happiest days of my life.:):):):):)
     
  6. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,662
    Location:
    Throughout the USA and Canada
    I will look into the firewall next time we get one - but each of them was using a license key already. We were installing them after renewal and issue of the license key.
     
  7. jjc225

    jjc225 Registered Member

    Joined:
    Nov 25, 2010
    Posts:
    275
    The ESET uninstaller worked, thanks. Was able to reinstall version 9.
     
  8. jpcummins

    jpcummins Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    543
    Location:
    Terre Haute, IN
    My system is Windows XP Professional, SP 3, 32bit. I am running the following security programs: 1) Zemana AntiLogger (paid), 2) ZoneAlarm (free, only the firewall), 3) WinPatrol (paid), and 4) Malwarebytes Anti-Malware Home Premium (paid). I have been experimenting with AntiVirus programs and have experienced problems with each one I tried. I recently downloaded and installed ESET NOD32 Antivirus 9.0.318.0 (trial). So far I have noticed no significant loss of response time and it appears to be doing what I want. I am hoping to find a good deal on ESET Security Suite or NOD32 Antivirus on Newegg.com so I will be uninstalling the trial in the next few days. I am hoping someone can tell me if I will have problems using Revo Uninstaller Pro. From what I have read it appears that uninstalling the program can cause considerable problems. As always I appreciate all replies and would thank you in advance.

    John
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
    I have used it for a few years with various AVs on WIN 7 x64. Currently running Emsisoft Anti-Malware and Eset Smart Security 8 and have no issues with Revo Uninstaller Pro. Can't comment on uninstall issues from it since I have never uninstalled it.

    I don't know if Revo supports WIN XP anymore though?
     
  10. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    123,636
    Location:
    Texas
    Good to hear. :thumb:
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
    One reason below why SSL protocol scanning should be enabled. Since the feature doesn't currently work properly on ver.9, best to stay with ver. 8 if SSL protocol scanning is used.

    GovRAT tool uses Microsoft SignTool and WinTrust to digitally sign malicious code and evade antivirus detection. And once malware signed with the tool is embedded, it can communicate over SSL, obscuring the exfiltration of sensitive data. It also has advanced self-encryption and anti-debugging tools.

    http://www.infosecurity-magazine.com/news/malicious-signing-dark-web-cottage/
     
  12. zach

    zach Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    272
    Location:
    Wisconsin,USA
    Where can I find Eset antivirus version 8
     
  13. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    5,997
    Location:
    New York City
    Last edited: Nov 6, 2015
  14. zach

    zach Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    272
    Location:
    Wisconsin,USA
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
  16. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Changelog for Build 9.0.349
    08/12/2015

    Added: Support for screen reader software (JAWS)
    Added: Support for Outlook 2016 (Antispam plugin)
    Added: License info about seat count
    Fixed: Issues with printing and Windows updates
    Fixed: Wrong categorization of virtual networks
    Fixed: Issues with settings migration when upgrading from previous versions
    Changed: Updated list of application status messages
     
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
    I will stick with ver. 8 for the time being. From what is listed in the change log, they haven't fixed any of the major issues like SSL protocol scanning, etc..

    Frankly, I am tired of wasting my time debugging their software.
     
  18. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    6,761
    Location:
    USA
    The SSL scanning is still broken. I never used it anyway and don't care much about it. Aside from that, on Windows 10 I am liking it. You just kind of forget it is there. It stays out of my way.
     
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
    Figured as much. Eset should revert back to what they do in ver. 8, or get rid of it entirely. Given the bugs in it in ver. 9, no one should have it turned on in that ver..
     
  20. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    6,761
    Location:
    USA
    As a producer of software myself, I absolutely believe that it should not be enabled by default if it does not work. It probably should be hidden as an option until it works right. I like their products, but it seems to take them painfully long to fix issues. And usually more than one build to do so.
     
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
    And this is what is really starting to turn me off about Eset. In their favor is the fact they still support their old releases for a quite a long time.
     
  22. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,447
    Location:
    Slovenia
    Yes and you can use your licence for whichever version you want to use.
     
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
    Came across an interesting posting on the Eset NOD32 forum part of which I copied below. Appears that they might be getting ready to "throw in the towel" on part or all of the SSL protocol changes made in ver. 9. The fact that Macros recommended replacing existing .dat files with ver. 8 ones points to the fact they probably contain whitelisted web sites to be bypassed. This is slowing down browsing speeds and other issues with SSL protocol scanning.

    I previously posted a ver. 8 suggestion that they chose not to act upon to bypass scanning of all web sites with EV certs. Appears they were headed that way with ver. 9 since I saw that option in preliminary ver. 9 documentation that wasn't present in the final ver. 9 that was released. They could have also provided an option prompt when entering any web site in banking mode to exclude that web site from SSL scanning by using the ver. 8 notation of https: //*.sitename.com/* etc. and let the user dynamically build his own whitelist of sites not to be scanned.

    -EDIT- What I don't like with the ver. 8 SSL exclusion capability noted above is that Eset's root cert. still shows on the site's web page. As such, you have no way to visually verify the site's certificate path. Again another case of Eset "knows best" and they are performing the root cert. pinning check:rolleyes:

    lso v9 currently uses a newer Internet protection module than v8 so if disabling SSL scanning doesn't help, install Internet protection module 1173.12 (the same that v8 has) as follows:

    - download and extract the files from the attached archive to your disk
    - temporarily disable automatic update tasks in scheduler so that the module is not updated during the test
    - start Windows in safe mode
    - back up em019_32.dat and em019_64.dat in the ESET install folder and replace them with the attached ones
    - boot to normal mode and try to reproduce the issue.

    Attached Files

    Attached File em019_1173.rar 385.22KB
     
    Last edited: Dec 11, 2015
  24. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    does HIPS in Version 8 work with Windows 10. I know I read the new version currently doesn't.
     
  25. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
    Appears so based on Eset forum postings but only for initial release of WIN 10. I would suspect problems with it if the latest WIN 10 update is applied.

    Also there was a recent Eset forum posting where someone couldn't even install it on WIN 10. Those that installed ver. .319 and then upgraded to WIN 10 also appear to have no issues.

    One reason I am still WIN 7. Don't need all these new OS hassles. Been there, done that in the past, now older and wiser. Will wait to install WIN 10 till just before the one year free upgrade expires. Hopefully by that time, Eset will have all the bugs worked out of ver. 9.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.