ESET version 5.2.9.1

Hello,

Restore the default settings in the main window of HIPS does not work correctly (bug already reported).

 

Please clarify why you say HIPS is not working properly.

 

1. Why doesn't ESET add signatures for these files: 0A1E7DC1BBA68DAFA35C1B00D43F4EE432CA17D8, A0A32CAC3227C23AEEC6A7B4BB57872B0EC6D703, C804C14979CF34066B664C0F00A327EAA97C3B3A, E7865BDA2EDB8D80DCDBDB1206B48CE7ADF03DC7?
2. Why does ESET sometimes change the “a variant of Win32/Kryptik” or “probably a variant of Win32/Agent” signatures to “Win32/Oficla” or “Win32/MBRlock”, but not always? That confuses your users.
3. You recommend to use special ESET tools to clean malware. I wonder how to clean 1000 infected OS with these tools when your AV's cannot clean malware?

 

Excuse me it's in the windows of the advanced parameters for the HIPS.

If you modify some parameters, the button "Default" does not work to restore the default advanced settings of HIPS

 

"Probably a variant of"
"A variant of"
are heuristic detection of unknown threats

Heuristic detections are submitted to ESET (they will add the signature immediately if necessary)

 

My Status re: ESET version 5.2.9.1

Well I can report today that the normal eset update notified me that a new version (5.2.9.1) was available.

I installed it after disabling OP FW Pro (avoid trouble was my thinking) and the install went okay.

It wanted a restart after the "upgrade" and I checked that HIPS was OFF before rebooting.

When the restart finished I see that no HIPS rules were generated this time and HIPS was disabled. The issue of self defense seems to be more clear as before UNLESS you tick HIPS on self defense remains greyed out.

The help page from Nod 32 relating to all this I include here for the thread.

I read this several times and then wondered if the whole product is now doing nothing as the help seems to refer to the imbedded self defense as primal. Seems odd to use the same words to decribe 2 types of self defense. Probably a language issue.

The help also refers to the firewall rules as similar to HIPS rules, but I don't have the Nod32 FW so this help page seems to be for the suite.

The more I read it the more confused I am. Do I have a FW from Nod32 that I don't want?

Take a look in your "about" and look at the dates on the various components. Some date back to 2010, 2011.

 

Self-defense are predefined IPS rules for protecting ESET's processes, system services and files.

You could try to terminate egui.exe after checking the HIPS > Advanced setup > Log all blocked operations option; as an example for logging these rules.

As for the "Network filtering" mentioned in your quote, the only one I can see is the "Protocol scanning" used by the "Web access protection", but I can assure you Smart Security have more "Network Filtering" features, one of particular interest to me is the Firewall's IDS and Parental control

 

Thanks for your post.

Unfortunatly I don't match your setup as I only use the AV from Nod32. The HIPS I get from OP FW Pro.


I looked in the HIPS log (why do I even have one?) and it is empty.

 

You could create a rule in Outpost; protecting Nod32's processes, files and registry keys.

 

I could. I have always practiced exclusion where any security tool/product I have excludes all the others. OP is no exception.

But the news I have now is not about that.
After the ESET Nod32 AV 5.2.9.1 "upgrade" I have had 3 BSOD. Missing driver for the HIPS feature in Nod.

So disabling HIPS prior to the upgrade I thought must be the issue.
Sadly I felt that if something this fundamental was flawed in the vendor code it must not have been tested. If you want to run OP for FW and HIPS and use Nod32 you are in trouble. I must be the only guy on earth doing it.

So I removed Nod32 from my W7 64 bit setup.

Once a week or so I will run online scans and for now I'll just run behind the router, with OP FW pro and SUPERAntispyware 5.0.1150 with real time protection enabled.

 

Does 5.0.xx work on your machine?
I have 3 PCs, 5.2.9.1 works fine on 2 but has problem on the third one. (Machine hung. Slow start up, no/slow intnet access)

 

Earlier versions all worked on my W7 64 bit machine.

with the introduction of 5.2.9.1 the partnership I had carefully build twixt OP FW Pro and Nod32 collapsed.

The goal at the time was OP did HIPS and FW work and Nod32 did web security and real time AV and ASW work.


What is hapening is this (IMHO) those (like me) who want to build layers of defense and search and destroy are in a techi "war" with the suite builders. I'm losing.

 

Disabling HIPS in NOD32 renders the program vulnerable because self-defense is disabled as well. With HIPS disabled, it is possible to completely disable the Eset service so that it will not load at boot. Without the kernel loaded, NOD32 is useless. Eset really needs to rethink this HIPS thing and how it affects the entire application, and especially the configuration options for HIPS and self-defense. At this point, I think that if you intend to use NOD32 (version 5.x and later), you just need to leave HIPS enabled. Otherwise, do not use NOD32. Find another solution.

 

Usually the average user wont change the HIPS settings.

 

Thanks Guys:

1) I plead guilty to not being an average user (but I don't need 2 HIPS programs)

2) I have found another solution at the moment it doesn't include Nod32 V5


The idea of layers is one prevents trouble from getting into your castle via gates, moats, walls etc. Call this my 2 way SFW and a router for a 1 way HFW. Sandboxie is a variation on this theme.

The next layer is your swat team call it search and destroyfor the uninvited bad guests who get past your walls etc. Don't tell me it is not possible as we all know better. That was what I wanted Nod32 V5 AV (NOT THE SUITE) to do.


Your HIPS is sort of a bouncer where a guest with good credentials and an invite goes crazy at the party and BEHAVES badly so he has to be put in the sin bin.

If all this fails and the castle blows up I have the material and plans to rebuild it this is the image restore.

Enjoy the day!

 

Well I just ran a week with no installed Nod32. I ran behind a router, using a 2 way SW FW and SAS with real time scanning installed.

During the week I visited all the usual (for me) sites and ran the same applications.

I just ran ON line (free scan) from Nod32 it took 30 minutes and found zip in the way of threats.

So far so good.