V5 and Outpost

Discussion in 'ESET NOD32 Antivirus/Smart Security Beta' started by Escalader, Jul 19, 2011.

Thread Status:
Not open for further replies.
  1. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Re: ESET NOD32 Antivirus 5 and ESET Smart Security 5 Release Candidate available

    Is anybody here using NOD32 64-bit AV 5 AND Outpost Firewall Pro 7.5 (3720.574.1668) at the same time?

    I'm doing this BUT back on Nod32 64 bit AV 4.2.71.2 latest update as of today.

    My concern is potential conflict between the new features of AV5 and OP.

    Like the HIPS functions.
     
  2. Darkling

    Darkling Registered Member

    Joined:
    Aug 26, 2009
    Posts:
    26
    Re: ESET NOD32 Antivirus 5 and ESET Smart Security 5 Release Candidate available

    I use Outpost Firewall Pro Version: 7.5.1 (3791.596.1681) and ESET NOD32 x64 Version 5 without any problems. :cool:
     
  3. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Re: ESET NOD32 Antivirus 5 and ESET Smart Security 5 Release Candidate available


    Did you install these products on top of themselves or re-install "clean"?

    Did you have to turn OFF any features in OP or ESET? Which ones? Both have web control, and my OP has that one disabled in favour of ESET's web access control.

    My other concern is conflicting HIPS features; in ESET it is called Real Time File System protection.
     
  4. Lucius

    Lucius Registered Member

    Joined:
    Dec 9, 2010
    Posts:
    72
    Re: ESET NOD32 Antivirus 5 and ESET Smart Security 5 Release Candidate available

    I'm using NOD32 v5 and the latest Outpost, and they play together very well.
    NOD32 HIPS is disabled, and I did not install Outpost's web control and anti-spyware modules. Web control because I'm using Ad Muncher.
    It's an amazing combo! :p
     
  5. toxinon12345

    toxinon12345 Registered Member

    Joined:
    Sep 8, 2010
    Posts:
    1,200
    Location:
    Managua, Nicaragua
    Re: ESET NOD32 Antivirus 5 and ESET Smart Security 5 Release Candidate available

    Hello, real-time file system protection is the on-access anti-malware scanner.
    The HIPS feature is another independent module; it doesn't have blocking rules by default, just self-defense, so conflicts should not happen.

    You should disable just the antivirus/antispyware scanners in Outpost.
     
    Last edited: Jul 22, 2011
  6. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Re: ESET NOD32 Antivirus 5 and ESET Smart Security 5 Release Candidate available

    It would make no difference if rules are not in place for possible conflict, due to the low-level system (SSDT) hooks in place. If another HIPS also places the same hooks, then there can be problems. NOD AV places 19 system hooks. I have not checked yet for possible conflicts or reactions from NOD with any other installed HIPS.

    - Stem
     
  7. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Re: ESET NOD32 Antivirus 5 and ESET Smart Security 5 Release Candidate available


    Hello Stem:

    How do users like me get a list of these 19 NOD AV hooks?

    Avoiding a potential conflict is my goal in all this.
     
  8. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Re: ESET NOD32 Antivirus 5 and ESET Smart Security 5 Release Candidate available



    Further to this, as it seems from your initial findings that ESET 5 is "buggy" on HIPS, I think I'll just turn that function off for now and just use the AV.

    On the HIPS side I will activate OP FW Pro's HIPS feature, as it is more mature: not perfect, but it has hopefully had more testing.

    Yes, I'm risk averse, I admit it. :D
     
  9. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Re: ESET NOD32 Antivirus 5 and ESET Smart Security 5 Release Candidate available

    Hi Escalader,

    This is on Win XP Pro.

    hooks.png

    For actual detection, there is a need for an anti-rootkit program. I prefer not to recommend any, as they can cause problems themselves at times with driver conflicts, depending on OS and what is installed.

    - Stem
     
  10. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Re: ESET NOD32 Antivirus 5 and ESET Smart Security 5 Release Candidate available

    I think like a number of these types of implementations, they expect the user to use default settings, or simply press allow or block based on popup. When any sort of customization is attempted, then problems start appearing.

    I don't really have the time (or more so the inclination) to perform a lot of testing these days, but I will try and see if I can find time to check for conflicts between OP and NOD AV.


    - Stem
     
  11. toxinon12345

    toxinon12345 Registered Member

    Joined:
    Sep 8, 2010
    Posts:
    1,200
    Location:
    Managua, Nicaragua
    Re: ESET NOD32 Antivirus 5 and ESET Smart Security 5 Release Candidate available

    ... Some features are non-functional when the file-system filter is not started, such as removable media scans or file operations in HIPS.
    Maybe they are using the same hooks for performance reasons.
    Already noted that in the beta version; still in the RC.
     
  12. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Re: ESET NOD32 Antivirus 5 and ESET Smart Security 5 Release Candidate available

    Although functions may not be enabled, the hooks are still there. It depends on if the hooks are monitored/protected in any way. I have seen in the past where HIPS will have self protection not only on its applications/folder etc, but also on its hooks. If you have 2 (separate) HIPS, both having similar self protection (of hooks) then conflicts do happen.

    The main point (IMHO) would be when 2 HIPS are installed, and what Hooks are actually left in place (for which HIPS) and functional for the HIPS to actually make correct detections/interceptions.

    - Stem
     
  13. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Re: ESET NOD32 Antivirus 5 and ESET Smart Security 5 Release Candidate available

    [Sorry, I meant to make comment of that in my last post.]

    The hooks made depend on what protection is being attempted. System hooks are low level redirects, where internal commands/calls are redirected and captured by the HIPS.

    - Stem
     
  14. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Re: ESET NOD32 Antivirus 5 and ESET Smart Security 5 Release Candidate available

    I fully understand Stem!

    I can work on this matter IF you give me some hints on user-level testing ideas. But then again that may also take too much time.

    One thing I found when I had OP's 4 "Proactive" functions turned off in favour of NOD32 V5 was that OP continued to log anti-leak items as allowed! I had purged the 4 logs first and expected zero entries!

    That is the sort of thing I could do. As to knowing why that happened well the vendor should explain that in my view.
     
  15. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Re: ESET NOD32 Antivirus 5 and ESET Smart Security 5 Release Candidate available

    Just discovered that, as far as my 3rd-party OP goes, I was one version out of date! :oops:

    Anyway, it seems that 1 of the changes deals with the issue of Proactive not being disabled, so that might explain why I had log entries when there should have been none.

    Here is their change bulletin:

     
  16. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Re: ESET NOD32 Antivirus 5 and ESET Smart Security 5 Release Candidate available

    From a user's point of view, without resorting to leak tests, a check of the basic protection offered would be a simple example, such as file access.

    I did make an install of OP (latest version) and checked its hooks. I then (after restoring the HD image) installed NOD AV, then installed OP Pro.
    On re-boot, I got a BSOD (no dumps created), not a good start, but a cold boot did work.
    The hooks by NOD AV were still in place, but on a quick test it appeared the protection was broken.
    On my last install of NOD AV, I made some quick (simple) tests to check for file protection (access/write etc.), which (although, as I mentioned, a little buggy on my setup) did work. After the installation of both NOD AV and OP Pro, that protection did not work.

    Here are the hooks from OP pro:-

    outpost hooks.png

    The hooks for NOD AV I posted earlier, these are the hooks with both NOD AV and OP pro installed.

    OP+NOD.png


    From the initial look, it could be thought that the HIPS from NOD AV would still function, but OP Pro may be piggybacking off NOD AV's redirects and catching them instead of NOD. It would take some low-level monitoring to confirm what is actually happening.

    It could well be another problem, as due to the BSOD, I would really need to make another installation, as having a BSOD with no dumps or recovery log created does not help with actually finding the root cause of that problem.


    - Stem
     
  17. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Stem:

    Thanks for the separate thread on this great idea!

    Allow me to make a couple of points here:

    1) I'm on Windows 7 64-bit, you are on XP... does this matter?
    2) The vendor (OP) wants the user to install the AV first so that when OP installs itself the install logic adapts and makes 3rd-party compatibility adjustments. The way you installed seemed different?
    3) The configuration file for OP is machine.ini and one can alter that (I've done that to get ID Block working when OP has Web Control disabled, as they "discovered" NOD32 on their install).


    Stem you know I have special abilities in asking dumb questions as I'm too old now to worry about embarrassing myself.;)

    We have been talking about hooks.

    What the h.ll are they? Logic? data? settings? :doubt:
    Why do security sw's use them in the first place?:oops:

    I looked at your red lists and these hooks seem to be addresses before and after what? Sand box? What sand box I have not installed one knowingly.

    Right now I have NOD32 V5 HIPS OFF and OP FW Pro's proactive protection ON. Or do your tests show that this is false, and I have NO HIPS at all? I'll go look at OP logs and see if there are any entries!



    When you feel like it or have time post back! :thumb:
     
  18. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Escalader,

    1. Yes, due to Kernel Patch Protection, but I have not taken much time to investigate yet.

    2. I did install NOD before OP. The compatibility you mention is probably OP adjusting and redirecting the hooks made by 3rd party.

    3. I did not have much time, so did not delve into the setups.

    A simplistic explanation:-
    Windows has a table (a service descriptor table) that contains addresses for various functions (such as creating a file or executing a program). When a call is made, an address is there for the needed subroutine(s) for the function to run. A hook is a way to change the address of the subroutine(s) that will be used when a function is called. So instead of (for example) a file being executed when the call is made, a HIPS that has hooked into that call will redirect the system to a subroutine created by the HIPS.
    [The explanation could be better and probably more correct, but we would need to go into the core executive system services implemented in ntoskrnl.exe.]

    The "sandbox" is a driver "sandbox.sys" that is used by OP.
    The addresses: "Original address" could be described as the address of the original function/subroutine; the "current address" is where the call is being redirected to, which will be a subroutine by the HIPS.

    That appears (from my quick test) to be the correct way to use the combination.


    - Stem
     
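    As an added illustration of the hook tables Stem describes (not code from the thread or from either vendor): a small script that parses two listings of the constructed form "function, original address, current address, owner driver", one taken with NOD AV alone and one with NOD AV plus OP Pro, and reports which SSDT redirects were kept, taken over by the other product's driver (the "piggybacking" case), dropped, or newly added. The function names are real Windows system-call names; the addresses, the listing format and the driver name nod_av_driver.sys are made up for the example, while sandbox.sys is the OP driver named above.

    ```python
    # Added example: diff two SSDT hook listings to see which driver owns each redirect.
    # Listing format (constructed): <function> <original addr> <current addr> <owner driver>
    from dataclasses import dataclass

    @dataclass(frozen=True)
    class Hook:
        function: str   # hooked system service, e.g. NtCreateFile
        original: int   # address of the kernel's own routine
        current: int    # address the table entry now points to (the HIPS routine)
        owner: str      # driver that owns the current address

    def parse_hooks(text: str) -> dict[str, Hook]:
        """Parse one listing into a mapping keyed by function name."""
        hooks = {}
        for line in text.strip().splitlines():
            fn, orig, cur, owner = line.split()
            hooks[fn] = Hook(fn, int(orig, 16), int(cur, 16), owner)
        return hooks

    def compare_hooks(before: dict[str, Hook], after: dict[str, Hook]) -> dict[str, list[str]]:
        """Classify every hooked function once the second product is installed."""
        report = {"kept": [], "taken_over": [], "unhooked": [], "new": []}
        for fn, h in after.items():
            if fn not in before:
                report["new"].append(fn)                  # only the second product hooks it
            elif h.owner != before[fn].owner:
                report["taken_over"].append(fn)           # another driver now sits in front
            else:
                report["kept"].append(fn)                 # same owner, redirect untouched
        report["unhooked"] = [fn for fn in before if fn not in after]
        return {k: sorted(v) for k, v in report.items()}

    # Constructed sample listings (addresses are invented, not real captures).
    NOD_ONLY = """
    NtCreateFile  80579a0c 9e1b2a40 nod_av_driver.sys
    NtOpenProcess 805c4d6c 9e1b2c10 nod_av_driver.sys
    NtWriteFile   8057b8e6 9e1b2d00 nod_av_driver.sys
    """
    NOD_PLUS_OP = """
    NtCreateFile  80579a0c a2c41100 sandbox.sys
    NtOpenProcess 805c4d6c 9e1b2c10 nod_av_driver.sys
    NtLoadDriver  805a6f20 a2c41380 sandbox.sys
    """

    if __name__ == "__main__":
        for kind, fns in compare_hooks(parse_hooks(NOD_ONLY), parse_hooks(NOD_PLUS_OP)).items():
            print(f"{kind:>10}: {', '.join(fns) or '-'}")
    ```

    A function in the "taken_over" list is one where the AV's protection now depends on the firewall's driver passing the call along, which is the situation Stem suspects from the screenshots.
    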
  19. SolidState

    SolidState Registered Member

    Joined:
    Dec 18, 2007
    Posts:
    92
    Also worth noting is the order in which you install NOD32 and OP Pro. You need to install NOD32 FIRST so that the OP Pro installer sees NOD32 and doesn't install certain elements of OP. This includes more than just the malware protection but also HTTP content filtering etc. This seems to cause issues with NOD's "Web Access Protection". If you install OP Pro first then NOD32 you will have issues... I don't know much about v5 HIPS and any hooks it uses. Seems at this point it's best to disable Stem? Seems you installed NOD32 first as well... Is Eset aware of this? And thanks Stem for informing us regarding the HIPS/ OP Pro issue!!! I was just about to install the RC!!!
     
    Last edited: Jul 25, 2011
  20. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    It is my hope :'( that both vendors will read these threads on the OP/Nod32 combo/partnership and make it easier for users like us to run them together.

    But I fear I'm too optimistic on these things based on past experience.

    They see the other as competition where I see them as tools for me to exploit/maximize for my own gain.

    Probably alone again on this one.
     
  21. Motherroad

    Motherroad Registered Member

    Joined:
    Feb 13, 2006
    Posts:
    234
    Location:
    Florida
    I have been running this combination for a week on windows 7x64. I installed NOD first and then outpost. I set the HIPS to automatic with rules and everything was good. Not sure however if the automatic rules in NOD work as of yet. Yesterday I changed the rules in NOD HIPS to interactive and my system froze on a HIPS popup for ACS. Had to pull the plug. Not as experienced as others on this HIPS stuff but thought I would share anyway.
     
  22. toxinon12345

    toxinon12345 Registered Member

    Joined:
    Sep 8, 2010
    Posts:
    1,200
    Location:
    Managua, Nicaragua
    Have you disabled all features in Outpost (except the firewall) before using the NOD32 HIPS?
     
  23. Motherroad

    Motherroad Registered Member

    Joined:
    Feb 13, 2006
    Posts:
    234
    Location:
    Florida
    No. I was thinking of trying with both in learning mode for a few days and see what happens.
     
  24. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    619
    Location:
    Sydney Australia
    If you're happy with OP's HIPS, then there is nothing to be gained security-wise by also using ESET's HIPS. The only thing you can possibly get is more lag on your system, conflicts, system freezes etc.
     
  25. Motherroad

    Motherroad Registered Member

    Joined:
    Feb 13, 2006
    Posts:
    234
    Location:
    Florida
    That is what I am finding out. Will disable the HIPS in NOD for now.
     