No HIPS in Eset products is a mystery..

I think it's very strange that Eset doesn't have a HIPS module in any of there anti-malware products.

Everyone knows today, that you cannot rely simply on signatures and heuristics.

Why doesn't Eset have some sort of a HIPS or BB?

 

https://www.wilderssecurity.com/showpost.php?p=1824996&postcount=42

 

Isnt that a way of saying, " We aint got one".

3GUSER is going love this thread.

 

Hi OracleJMT, thanks for your feedback; this topic has been discussed here before. We understand that our approach to HIPS isn't ideal for some people, but we do appreciate your feedback and promise to keep the members of this forum updated on any improvements.

 

Thanks for starting this thread OracleJMT! I have a related question that I can just post here. I always knew that Eset did not contain a classical HIPS, but on several occasions Eset Smart Security demonstrated HIPS like behavior while I was updating or upgrading a program. I do not remember the exact message, but it went something like this. Such, and such program has changed since last .... Do you want to allow this behavior. Is this some sort of light HIPS or behavior blocker?

 

I always wanted ESET to incorporate HIPS into their security suite, but now it would make not difference to me if they did or didn't. I would just prefer to use a firewall that already contains the features I desire. For me it was Online Armor, and for someone else it may be Private Firewall, Comodo, Outpost, LnS, or some other Firewall. It does not even have to be a firewall. It could be a BB, AE, etc.. If a vendor decides such features are not the best for the well being of their company then that's fine, and that's their right to decide. I've gave more than my share of feedback to Eset, and many other security vendors about what features I would like to see in their products. If they decide my needs are not best for their company then I should support a company that is working hard to provide the features I desire. Many of the companies that do provide such features usually do not last long so i'm going to spend my money to support them, and do what I can to promote them because if I don't then their product may not be there tomorrow for me to use. I like NOD 32 so I use it. If I don't like their other products then I will find someone else that has what I need. This is my thoughts in regards to any vendor. I wish Eset the best of luck, and I have no hard feelings toward them. I would suggest anyone that wants a feature that Eset does not have to make a post over on the future changes of Eset thread. If they do not add it then just find something else that better suits your needs. No reason to get your hopes up or feel let down.

 

My guess is that checking an executable to see if it has changed is most likely based on static properties of the file, rather than the behaviour of the file when executed. If so, this feature would be more akin to signature definition checking than to heuristics or HIPS.

 

Given that the ESS firewall doesn't do any parent/child network access monitoring, I've never understood why ESET don't incorporate a simple anti-executable into ESS that would alert whenever the first time an unknown program tries to execute or a known program tries to execute another known program, with the usual options to allow or deny.

Just because I allow my browser Internet access through the firewall doesn't mean that I automatically want to allow any program that tries to launch the browser the ability to connect out, but with the ESS firewall that is exactly what happens.

This would be a simple addition to ESS that wouldn't require building a full featured HIPS if that doesn't fit with ESET's philosophy. Even without a HIPS to monitor subsequent behaviour, the ability of an AE to deny the unknown would go a long way to mitigate against drive-by downloads. If it can't execute, it can't harm.

 

You're wrong, Eset NOD32 has a HIPS module...but it's I think is just a milder version compared to others. When you see an orange colored alarm notice that'll pop-up in your screen...that I think that was the HIPS part of NOD32. It gives you message that some kind of malicious program or applications wants to access or modify other program. I've seen that many times already in my pc, even when I'm just uninstalling some program using Revo Uninstaller Pro.

Fully functioning HIPS are good but I don't like it be incorporated into an antivirus program like NOD32. It just makes an antivirus more buggy and heavy. If you want HIPS program then just install another protective program that especializes this thing like DefenseWall HIPS.

 

I really love the way it is now. You dont have to decide everything for yourself, it is the AV which decides if it is allowed or not.

You cant expect regular users to decide if every program is allowed to do some action

 

Agreed

But if ESET decide to put in an HIPS module similar to a classic HIPS.
Then I will for sure stop use ESS or NOD32 for that matter.

Since it's the silence that I like about this product.
And ESET don't need to follow the competitors way.

Instead of an HIPS, I would like ESET to expand the Cloud service into something similar to an reputation system wich should increas the detection.

 

But silence has a cost... - What if Eset developed a secure AND user friendly HIPS a bit like D+, but more intergrated with av, and more user friendly/automatic? Wouldn't it raise the prevention capabillities?

By the way, a silent firewall does have a cost too..

 

How do you see that working? As some kind of peer-reviewed system or some kind of automated prioritization system where samples submitted from accounts with a high rate correctly identifying new malware get analyzed sooner?

 

+1

Simplicity is why i chose ESET. I do not need all the other marketing hype modules installed. Somehow each year, a newer "detection technology" appears on the market, which really lets face it probably makes zero difference in the real world.

A user with bad habits will always have bad habits unless they wish to change their frame of mind, regardless of which ever security product they are using.

"Test 12" shows security product "xx" with a detection rate of 99%...What does this actually mean to me? Well should i come across a sample which was part of this test then 99% of the time i will be protected. Ok thats reassuring.

However given that the sample sizes are so minute in comparison to the enormous amount of active malware circulating the cyber realm, id say the 99% isnt quite reassuring as i thought it may be. And what if im hit by a sample which was not in the test sample set?

Doesnt matter which security product you are using, a virus infection isnt far away. Im forever cleaning my mates computers due to their habits of surfing the dark side of the web. Alot of them actually run more than one anti-malware app, in realtime, with the logic that it'll double their protection. Rather amusing. Go figure.

 

While having perhaps a little more then average knowledge of computer security, I have to say I don't like the idea of counting on one company to provide an all purpose security product. I believe that different producers of defense programs specific to the task a more secure defense option.

Should Eset consider the inclusion of additional defense products please make it an option as you presently do with the firewall. NOD32 is my first line of defense, on the other side of the keyboard, as an AV product and that's all I expect or want it to do.

Just my novice 2 cents worth, devalue accordingly.

 

I was thinking about something like the reputation systems that Symantec and maybe Prevx are using.
If you know how they work?

 

many users give for granted that everyone wants a HIPS module in their AV.

i personally dont want to get nowhere near...

in fact eset works great cause i havent had to push a single button in years

 

Amen to that.

 

i wuldnt want a classical HIPS, but a behaviour blocker would be a welcomed addition IMO

 

I'm curious. What would you want from a behavioural that the already intergrated advanced heuristics doesn't do?

 

What exactly is the purpose of a behavioural shield/module/blocker and what separates it from traditional methods utilised by antivirus apps to determine whether a file or piece of code does indeed exhibit "virus-like" behaviour?

Isn't this the role of an antivirus app in the first place? To analyse a file assess its "behaviour" using heuristics, adv heuristics and whatever other methods to determine if it actually is good or bad? In this regard, the entire app could be called a "behaviour" blocker?

Sorry for the noob questions.

 

More traditional HIPS implementations basically watch processes during their normal operation and when something unexpected happens (patching, using features you haven't before) it flags that as suspicious behavior potentially from a virus. Those kinds of implementations are noisy to the end user and can hit a lot of false positives. Eset's approach is to monitor system files and registry locations that are commonly associated with compromising a system combined with their generic definitions, which gets you good detection rates with few false positives and not having a bunch of nagging messages coming up. Especially important in a business environment.

The one thing I fault Eset with at this point is it doesn't seem to flag heavily enough on processes adding entries in to HKCU\Software\Microsoft\Windows\CurrentVersion\Run, ESPECIALLY for entries trying to launch processes out of the All Users folder, user temp, or Application Data which are all highly suspicious and is generally how profile viruses are getting in these days.