Eset NOD32 Antivirus and Eset Smart Security version 9

Discussion in 'other anti-virus software' started by Blackcat, Oct 26, 2015.

  1. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,201
    Is there any real advantage to using version 9 vs. version 8? (Besides banking protection, I never could figure out what that was good for ...) I did try version 9 for a while, didn't like the GUI and the rest of the program.
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    The main change is the firewall: if using outbound protection, it now will create a rule for svchost.exe by specifying the service used. That is more secure than having to allow all svchost.exe outbound traffic, as exists in ver. 8.

    Also Eset's hook is now always injected into Internet facing apps, versus only being set on if Eset's kernel detects something amiss, as occurs in ver. 8.
     
  3. Snappy Phoenix

    Snappy Phoenix Registered Member

    Joined:
    Jan 3, 2016
    Posts:
    1
    Location:
    Texas
    I was hoping that V9 would be lighter than V8; while the AV itself is lighter, the HTTP scanning slows down my browsing and downloads so much.
     
  4. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,429
    How good is Eset Banking Browser? Does it protect keystrokes?
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    My test with SpyShelter's AntiTest tool showed it did. Eset's hook is now permanently set in the browser. They are also protecting the hook from being tampered with; albeit the way they do it is the flakiest way I have seen in some time. See my reply #4 on that.
     
  6. jadinolf

    jadinolf Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    1,047
    Location:
    Southern California
    I had no luck with the latest version of NOD32 and I would like to try it again.

    Any comments on this version GOOD or BAD?

    I'm using Version 8 presently and it seems to be fine.

    Many thanks
     
  7. m0unds

    m0unds Registered Member

    Joined:
    Nov 12, 2015
    Posts:
    219
    SSL protocol filtering is still screwy. It wasn't good in v8, and broke lots of sites (I had an unresolved forum post regarding issues with Google that involved lots of module replacements and ultimate.) I'd say v9 is slightly better and will at least leave EV certs alone, but it's still not great (and I prefer security products not screwing with SSL, tbh).

    The banking and payment protection is likewise pretty screwy, and doesn't reliably detect browser sessions with banks they have in their database. Sometimes it opens a protected browser, sometimes it doesn't.

    That being said, it's still a pretty fast product, and their customer service is still pretty good. Oh, and their PUA/PUP detection is still incredibly good.
     
  8. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,642
    Location:
    USA
    I'm using it currently but have the SSL filtering turned off. I have not had any issues with it. I forget it is installed most of the time, which is the way it should be.
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I had SSL protocol scanning turned on using ver. 8 and had no issues with it. However, I recently turned it off after discovering that it was bypassing all intermediate root cert. revocation server validations, thereby exposing you to man-in-the-middle attacks. You can verify this by enabling CAPI2 operational event logging and viewing the slew of revocation check errors present.

    This was also confirmed by this recent study of all AVs that have SSL protocol scanning options:

    Finally, proxies may entirely fail to detect invalid certificates, exposing browsers to generic MITM attacks (“Accept”).

    Only Kaspersky and Net Nanny successfully detected all our invalid certificates; however, when detected, the user is asked to handle the error.


    Ref: https://madiba.encs.concordia.ca/~x_decarn/papers/tls-proxy-ndss2016.pdf
     
    Last edited by a moderator: Jan 8, 2016
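    As an added example (not from the post, nor ESET's own tooling), the following PowerShell script performs the check itman describes: it switches on the CAPI2 Operational log and summarises the chain-building and revocation failures recorded while browsing. The log name is the standard Windows one; the event IDs and error codes named in the comments are my assumptions from the Windows documentation as I recall it.

```powershell
# Added example, not from the post or from ESET: enable the CAPI2 Operational log and
# summarise the certificate chain and revocation failures it records. Run elevated.
# Assumed (CAPI2 event IDs as documented, to the best of my knowledge):
#   11 = Build Chain, 30 = Verify Chain Policy, 41 = Verify Revocation,
#   42 = Reject Revocation Information.

$CapiLog = 'Microsoft-Windows-CAPI2/Operational'

# Step 1: the log is disabled by default; this switches it on (the setting persists).
wevtutil set-log $CapiLog /enabled:true

# Step 2: browse a few HTTPS sites with SSL protocol scanning enabled, then run the rest.
function Get-CapiFailures {
    param(
        [string]$LogName = $CapiLog,
        [int]$MaxEvents = 1000
    )
    # Level 2 = Error, 3 = Warning. Successful checks are logged at Level 4 and are skipped.
    $filter = @{ LogName = $LogName; Level = 2, 3 }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    if (-not $events) { Write-Warning "No errors or warnings in $LogName yet."; return }

    foreach ($e in $events) {
        # The useful detail sits in the event's XML UserData, not in the generic Message text;
        # local-name() sidesteps the event XML namespace.
        $xml     = [xml]$e.ToXml()
        $result  = $xml.SelectSingleNode("//*[local-name()='Result']")
        $subject = $xml.SelectSingleNode("//*[@subjectName]")
        $subjectName = if ($subject) { $subject.GetAttribute('subjectName') } else { 'n/a' }
        # Assumed codes: 80092013 = CRYPT_E_REVOCATION_OFFLINE, 80092012 = CRYPT_E_NO_REVOCATION_CHECK
        $code   = if ($result) { $result.GetAttribute('value') } else { 'n/a' }
        $detail = if ($result) { $result.InnerText.Trim() } else { '' }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            EventId = $e.Id
            Task    = $e.TaskDisplayName
            Subject = $subjectName
            Code    = $code
            Detail  = $detail
        }
    }
}

# Step 3: many Verify Revocation (41) failures with code 80092013 or 80092012 across
# ordinary browsing means the revocation checks are not reaching the CAs' servers.
Get-CapiFailures |
    Where-Object { $_.EventId -in 11, 30, 41, 42 } |
    Group-Object EventId, Code |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

    Compare the counts with SSL protocol scanning on and off on the same machine; the subject names in the per-event output show which sites were affected.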
  10. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,429
    Does disabling SSL/HTTPS scan affect the protection of Eset Banking Browser?
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    No. Actually due to the whitelisting of SSL sites now incorporated in ver. 9, most bank web sites are not scanned using SSL protocol scanning. I believe Eset now excludes all web sites with EV certs. and most bank web sites have those. My complaint with the feature in ver. 9 was there appeared to be "no rhyme or reason" to what web sites Eset whitelisted. I saw it not scanning Google search for example and other web sites that did not have EV certs.

    What ver. 9 did not provide is a complete way to exclude a web site except by the same cert. exclusion method present in ver. 8. The problem with it is many SSL web sites might have multiple certs. associated with them, e.g. one per web page. Also I found out in ver. 8 that if for some reason the Eset root cert. changes, all your previous cert. exclusions no longer work since they are all pinned to the original Eset root cert.

    The bank browser protection is as follows:

    1. A lock down of your browser when in banking mode.
    2. Keylogging protection.
    3. Increased protection against browser code injection by always having Eset's hook set in the browser to detect any code manipulation. I also suspect Eset added to the default HIPS rules to also perform the same protections. I did not have ver. 9 installed long enough to test how effective this is against memory based code injection and the like. I accomplish the same in ver. 8 by creating like HIPS rules for all my Internet facing apps.
     
  12. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,429
    Manually whitelisted SSL sites are also not scanned using SSL protocol scanning, right?
     
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Note, I don't have ver. 9 installed but I don't think they changed this. As far as I am aware, the SSL whitelist Eset uses internally in ver. 9 is not accessible by the user.

    In ver. 8, the only way you can exclude by url with SSL protocol scanning enabled in web filtering is to exclude the url from all web filtering scanning, i.e. HTTP, HTTPS, etc., as shown below. Note: this is no longer in effect on my installation since I have disabled SSL protocol scanning. If you use this option, make sure to enable the "List active" checkbox.

    I still want my HTTPS sites i.e. port 443 unencrypted incoming data scanned; I just don't want Eset to unencrypt or perform other SSL validations. The former also applies to IP address exclusions.

    Confusing as hell, isn't it? Only Eset would think up a convoluted mess like this.

    Eset_URL_Exclusions.png

    -EDIT- When the above exclusions are set, I used the Eset option in that same section to verify that SSL protocol scanning was not being done for those urls. Eset indicated it was so. But when I went to those excluded web sites, Eset's root cert. still showed as being used as the root of the certificate chain? Worse, you have no way of visually verifying the actual certificate chain being used.
     
    Last edited: Jan 9, 2016
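    For the point in the edit above about not being able to see which chain is actually in use, here is an added PowerShell example (not from the post or from ESET) that connects to a host, has Windows build the chain for the presented certificate with online revocation checking, and reports every element plus whether the root matches a given name. The host name and the 'ESET' substring used to recognise the product's root are assumptions; substitute your own.

```powershell
# Added example, not from the post or from ESET: dump the certificate chain Windows builds
# for a TLS connection made from this machine. If a filtering product re-signs the site
# certificate, its own root appears as the last element and the revocation status reflects
# whatever that product does, rather than the real CA's responders.
# Assumption: the product root's subject contains the text given in -RootPattern.

function Get-TlsChainReport {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [string]$RootPattern = 'ESET'   # assumed substring of the filtering root's subject
    )
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept whatever certificate is presented: we only inspect it and send no data.
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }

    # Build the chain the way CAPI2 would, forcing an online revocation check on every element.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $valid = $chain.Build($leaf)

    $elements = foreach ($el in $chain.ChainElements) {
        [pscustomobject]@{
            Subject    = $el.Certificate.Subject
            Issuer     = $el.Certificate.Issuer
            Thumbprint = $el.Certificate.Thumbprint
            # Empty means this element passed; RevocationStatusUnknown/OfflineRevocation means it did not.
            Status     = ($el.ChainElementStatus | ForEach-Object Status) -join ','
        }
    }
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        Host           = $HostName
        ChainValid     = $valid
        ChainStatus    = ($chain.ChainStatus | ForEach-Object Status) -join ','
        RootSubject    = $root.Subject
        LocalRootInUse = [bool]($root.Subject -match $RootPattern)
        Elements       = $elements
    }
}

# Usage (constructed host name): inspect one site and list its chain top to bottom.
$report = Get-TlsChainReport -HostName 'www.example.com'
$report | Select-Object Host, ChainValid, ChainStatus, RootSubject, LocalRootInUse
$report.Elements | Format-Table -AutoSize
```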
  14. jadinolf

    jadinolf Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    1,047
    Location:
    Southern California
    I went back to Version 9 on one sacrificial computer.

    The jury is out on the verdict but I will let it run several days until I decide on it. :)
     
  15. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    To SweX:

    The name doesn't imply anything; it's too vague.

    Since I already use software which mitigates memory overflow attacks, I cannot enable the Eset options in case they do the same thing. I also need to be sure I won't get compatibility issues; I cannot be sure if I don't know what they are doing.

    Really, for the "exploit blocker" they need to explain why it's needed and show an example exploit that would infect an Eset machine with it disabled (whilst other parts of Eset are enabled).
     
    Last edited: Jan 18, 2016
  16. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    Yeah, 100% agree on the SSL stuff. Me and others also raised this on Eset's forums but it seems they don't care. I guess it's something extra to market, so they will intercept HTTPS traffic when they shouldn't be doing so; as you said, they are not RFC compliant and not implementing modern SSL practices.

    Also when I beta tested v9 on Win10, HIPS completely broke. I tried to report it but got a laid back reply telling me the beta is over and as such the bug report wasn't logged, ummm. :(

    Still using v8 on my main machine here.
     
  17. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    I thought it was pretty clear that the Exploit Blocker had something to do with blocking exploits. :p Yes sure, I understand how you mean. The best way to get an answer for an ESET + "other" combo is to start a thread and name the specific combo that you use or would like to use. I use AMS, EB and the HIPS in ESET as they are effective, but I have seen other people that have used e.g. NOD32 + one or two standalone apps, so there surely are a few combos that work fine with NOD32 + something else. But I can't suggest any combos myself.
     
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Below is Eset's description of its exploit protection:

    Exploit Blocker

    Exploit Blocker is designed to fortify applications on users’ systems that are often exploited, such as web browsers, PDF readers, email clients or MS Office components. It adds another layer of protection, one step closer to attackers, by using a technology that is completely different to those that focus on detection of malicious files themselves.

    Instead, it monitors the behavior of processes and looks out for suspicious activities that are typical for exploits. When triggered, the behavior of the process is analyzed and, if considered suspicious, the threat may be blocked immediately on the machine, with further metadata about the attack sent to our LiveGrid cloud system. This information is further processed and correlated, which enables us to spot previously unknown threats, so-called zero-day attacks, and provides our lab with valuable threat intelligence.


    Java Exploit Blocker

    Java Exploit Blocker uncovers attempts to take advantage of weaknesses in Java. It keeps a constant lookout over processes for any signs of suspicious activity or behavior. Threats are blocked and their fingerprint is sent to the ESET LiveGrid cloud system to ward off future attacks.

    A couple of comments.

    1. Eset states it only protects web browsers, PDF readers, email clients or MS Office components. Note that not all browsers and e-mail clients are supported.
    2. Since Eset does not have a behavior blocker, the scanning of exploit-like activity has to be done using ThreatSense real-time advanced heuristics and internal sandboxing. I at first was skeptical of its effectiveness with this setup. However, NSS Labs last year did perform exploit testing using a WIN 7 32 bit platform and Eset was the top scoring of the security products tested.
     
  19. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I'm still hoping Eset will incorporate a Behavior Blocker into their arsenal. I would like to see them develop something like Emsisoft has.
     
  20. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    Yeah, I already harden those apps significantly so I don't think the exploit blocker offers a lot to me anyway.
    Regarding the NSS tests, unless they tested again with those options off we don't know which part of NOD32 blocked their exploit.
     
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    You can test using HitmanPro Alert Test Tool. For the browser tests, just make sure your browser is open before starting those tests. Eset passed every exploit test when I used the tool a while back.
     
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Anyone who uses Eset's HIPS extensively as I do might want to follow this discussion I have been having with Eset on their forum here: https://forum.eset.com/topic/6867-new-build-available-349/?p=38943

    Appears Eset in their infinite wisdom has decided to change the order in which HIPS rules are executed in ver. 9. If this holds true, this for me is the last straw in the proverbial bale of MCFs that have occurred in ver. 9. There comes a time when "enough is enough" and I have reached that point. I do like Eset Smart Security and felt it was a solid product up through ver. 8. I do not feel that way for ver. 9.

    My Eset license is expiring soon and I will not be renewing it. Since I also use Emsisoft Anti-Malware, I will either upgrade to EIS or use Comodo's firewall and Defense+ combo as my firewall and HIPS protection.
     
  23. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    Comodo does have what seems a very advanced HIPS, but be prepared for a large performance hit on your system.
     
  24. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,560
    That's surprising. Whether you like or dislike Comodo, it seemed a general consensus was how very light Comodo was.
     
  25. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    Yes, and I don't know how that consensus came about. The performance hit for me (on different systems as well) is pretty large; if you search for it, there are other people reporting the issue as well. The fix used to be to disable Defense+ (which hosts the HIPS module), but that isn't possible on the latest Comodo, and if you are only using Comodo for the HIPS then you wouldn't do that anyway.

    Now regarding the hitman exploit tester the results were interesting.

    When I added the test tool to EMET it blocked about 60% of the tests; a few tests were also blocked by existing configuration to restrict rule execution in unauthorised locations, but some tests were successful. Now obviously a big part of this is down to using its own exploit to run a legitimate Windows application, calc.exe. So how big an issue this is to me is dependent on if malware needs to start existing trusted executables to run its payload. If it does, then it's a problem; if it doesn't, then it's not so much a problem. The HitmanPro PDF file says the calc.exe test is a proof of concept and malware would normally push to run its own executable, not existing trusted executables.

    Now when I looked at the HitmanPro Alert website it specifically lists what the tool protects against; this is what I like and what I think Eset should be doing with its exploit blocker. If Eset is blocking the ROP, stack and DEP exploits then it is, as I suspected, hooking onto memory allocations and as such conflicting with other tools on my system. Now what I don't know about the free HitmanPro Alert yet, as I haven't used it, is if it allows toggling of set protections and if you can customise what executables it protects. So as mentioned earlier Eset only protects browsers; MBAE free also only protects browsers unless you buy the paid version. EMET can protect anything but you have to blacklist first, so e.g. if an unknown executable managed to run on your system EMET would not be blocking it from accessing unauthorised memory space unless it did so via OS level DEP, SEHOP and ASLR mitigations. I don't know enough about malware to know what's important: blocking unauthorised memory access in existing software that is an attack vector, such as browsers and any services that access the internet and are open to exploits, or if it's the case of needing to block any future executable that would be unknown to the system from accessing unauthorised memory space. My understanding is it's the former, which is why existing security tools concentrate on protecting browsers and such.

    I am definitely going to try HitmanPro Alert on my desktop; it would seem a potential shoo-in replacement for EMET and/or MBAE providing it can be configured as much as EMET can. If it cannot be configured then I would like some kind of visual confirmation when a browser is protected, e.g. MBAE logs and alerts when it protects a browser process, and to avoid conflict I would then disable hooking in EMET on the same applications that Hitman protects but keep EMET for other applications I may want to protect. Based on this it seems MBAE would be the one to remove if HitmanPro Alert is installed, whilst keeping EMET only for its added protections via customisation. I will post back later after I have run this on my laptop for a while.

    Update: found this post here, which puts my idea to bed; the HitmanPro Alert free version doesn't have all these cool mitigations. https://malwaretips.com/threads/ant...ebytes-anti-exploit-vs-hitmanpro-alert.51090/

    I may try out the trial version (if there is one) still, just out of curiosity, but my budget doesn't stretch to paying for so much security software.
     
    Last edited: Jan 20, 2016