Question Configure ESET Antivirus for Maximum Security (by RoboMan)

czesetfan

Level 2
Dec 3, 2021
85
My friend, bear in mind that this is my personal opinion, and the answer is defined by the way I see home security.

I believe BitDefender is a great standalone product, that's made to install and forget, since it's extremely automatic. Regarding its protection capabilities, it's a top notch product.

On the other hand, ESET offers a different type of security. With this configuration, ESET is the total opposite of "install and forget". This product has the advantage that it can be configured to the way you want to sense security. This thread aims at a user-dependent type of product. This setup will not try to be smart and decide for you; it will prompt you whenever something's not right, because you gave it rules to do so.

Aside from that, the automatic mode from ESET is very smart and its signatures are rather good.

So it's more of a: what am I looking for? Rather than what's best.

If you don't wanna get involved in your security, BitDefender is your choice.
If you want to know everything that's going on within your system, ESET is your choice.

PS: but you must be careful and study your product, because modules such as a HIPS can be extremely smart and secure, but will definitely break your system if you fail to understand how it works.
To compare BitDefender and ESET: I understand that this thread is for people who want to understand things and set up the AV to suit themselves. I see it as questionable whether ESET also takes it that way. Looking at ESET's corporate communications, I see the message everywhere: the important thing is the perfect balance.
Security solutions that install in minutes. You simply set them up and then you can leave them to work independently and seamlessly in the background. So install and worry no more. The concept of Balance also implies, in my opinion, a certain caution in the "aggressiveness" of the various default settings, as ESET sees it as better to miss something occasionally than to deal with FPs more often. This can be seen in the default settings of the firewall (everything "out" open), HIPS (almost no blocking) and even the AV engine itself (PUA disabled). Protection effectiveness in various tests should be measured (and mostly is) just in the most user-friendly default settings.
I also think that an AV should work "autonomously" without user interaction. The user is working on the PC, not "fighting" with malware. :unsure:

Translated with www.DeepL.com/Translator (free version)
 

Zorro

Level 8
Well-known
Jun 11, 2019
384
The list of keys to supplement the protection of the registry (some of the keys from this list I have already written here and they have already been added). Register these keys in HIPS at your own peril and risk. The action for HIPS is to ask the user.

Startup keys (individual custom)
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (only on 64-bit systems)
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce (runs the program/command only once, clears it as soon as it is run)
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx (runs the program/command only once, clears it as soon as execution completes)
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

Startup Keys (all users)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (only on 64-bit systems)
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce (runs the program/command only once, clears it as soon as it is run)
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx (runs the program/command only once, clears it as soon as execution completes)
HKLM\System\CurrentControlSet\Services
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

Active Setup - To run the command once for each user at login.
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components

Undocumented

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

Keys indicate drivers that are loaded at startup
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32

Startup Miscellaneous
HKLM\Software\Classes\Filter
HKLM\Software\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance
HKLM\Software\Wow6432Node\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance
HKLM\Software\Classes\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance
HKLM\Software\Wow6432Node\Classes\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance
HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
HKCU\Control Panel\Desktop\Scrnsave.exe
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64

Group Policy Editor
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

==============================================================
Shell entries related to startup, such as items displayed when you right-click on files or folders.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKCU\Software\Classes\*\ShellEx\ContextMenuHandlers
HKLM\Software\Wow6432Node\Classes\*\ShellEx\ContextMenuHandlers
HKCU\Software\Classes\Drive\ShellEx\ContextMenuHandlers
HKLM\Software\Wow6432Node\Classes\Drive\ShellEx\ContextMenuHandlers
HKLM\Software\Classes\*\ShellEx\PropertySheetHandlers
HKLM\Software\Wow6432Node\Classes\*\ShellEx\PropertySheetHandlers
HKCU\Software\Classes\Directory\ShellEx\ContextMenuHandlers
HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers
HKLM\Software\Wow6432Node\Classes\Directory\ShellEx\ContextMenuHandlers
HKCU\Software\Classes\Directory\Shellex\DragDropHandlers
HKLM\Software\Classes\Directory\Shellex\DragDropHandlers
HKLM\Software\Wow6432Node\Classes\Directory\Shellex\DragDropHandlers
HKLM\Software\Classes\Directory\Shellex\CopyHookHandlers
HKCU\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers
HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers
HKLM\Software\Wow6432Node\Classes\Directory\Background\ShellEx\ContextMenuHandlers
HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers
HKLM\Software\Wow6432Node\Classes\Folder\ShellEx\ContextMenuHandlers
HKLM\Software\Classes\Folder\ShellEx\DragDropHandlers
HKLM\Software\Wow6432Node\Classes\Folder\ShellEx\DragDropHandlers
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOve
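An added example (not from the thread, and not ESET's or Zorro's code): a small PowerShell "autostart diff" over the keys listed above. The idea is to take a baseline snapshot once and re-run it later, so that when HIPS asks about a write to one of these keys you can see exactly which value appeared or changed and decide whether it was legitimate. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; reading some of the HKLM\System keys needs an elevated session. Key paths that contain `*` (the `Classes\*\ShellEx` entries) are passed as literal paths so the star is not treated as a wildcard. Keys that do not exist yet are skipped, which is normal on a clean system: the HIPS rule can still watch for their creation.

```powershell
# Added example, not from the thread or from ESET.
# Snapshot the autostart registry locations listed in the thread and diff
# against an earlier snapshot so new/changed entries stand out.

$AutostartKeys = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx'
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Run'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32'
    'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDlls'
    'HKLM:\SOFTWARE\Classes\*\ShellEx\ContextMenuHandlers'
    'HKLM:\SOFTWARE\Classes\Directory\ShellEx\ContextMenuHandlers'
    'HKLM:\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers'
)
# Single values that sit inside otherwise noisy keys (the thread lists Scrnsave.exe)
$AutostartValues = @(
    @{ Key = 'HKCU:\Control Panel\Desktop'; Name = 'SCRNSAVE.EXE' }
)

function Get-AutostartSnapshot {
    # Returns a hashtable: "<full key name>\<value name>" -> value data as a string.
    # The key itself plus one level of subkeys is read, because Active Setup,
    # Installed Components and the ShellEx handler keys keep their data in subkeys.
    $snap = @{}
    foreach ($key in $AutostartKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }   # absent key: nothing to record
        $items = @(Get-Item -LiteralPath $key) +
                 @(Get-ChildItem -LiteralPath $key -ErrorAction SilentlyContinue)
        foreach ($item in $items) {
            foreach ($name in $item.GetValueNames()) {
                $label = if ($name) { $name } else { '(Default)' }
                $snap["$($item.Name)\$label"] = [string]$item.GetValue($name)
            }
        }
    }
    foreach ($v in $AutostartValues) {
        $k = Get-Item -LiteralPath $v.Key -ErrorAction SilentlyContinue
        if ($k -and ($k.GetValueNames() -contains $v.Name)) {
            $snap["$($k.Name)\$($v.Name)"] = [string]$k.GetValue($v.Name)
        }
    }
    return $snap
}

function Compare-AutostartSnapshot {
    # Emits one object per added, removed or changed autostart entry.
    param([hashtable]$Baseline, [hashtable]$Current)
    $allPaths = @($Baseline.Keys) + @($Current.Keys) | Sort-Object -Unique
    foreach ($path in $allPaths) {
        $old = $Baseline[$path]
        $new = $Current[$path]
        if     ($null -eq $old)  { $change = 'Added' }
        elseif ($null -eq $new)  { $change = 'Removed' }
        elseif ($old -ne $new)   { $change = 'Changed' }
        else                     { continue }
        [pscustomobject]@{ Change = $change; Path = $path; Old = $old; New = $new }
    }
}

# Usage: first run writes a baseline; later runs print the differences.
$baselineFile = Join-Path $env:USERPROFILE 'autostart-baseline.xml'   # assumed location
if (-not (Test-Path -LiteralPath $baselineFile)) {
    Get-AutostartSnapshot | Export-Clixml -LiteralPath $baselineFile
    Write-Host "Baseline written to $baselineFile"
} else {
    $baseline = Import-Clixml -LiteralPath $baselineFile
    Compare-AutostartSnapshot -Baseline $baseline -Current (Get-AutostartSnapshot) |
        Format-Table -AutoSize
}
```

Export-Clixml is used for the baseline because it round-trips a hashtable as a hashtable (ConvertTo-Json would come back as a PSCustomObject). The output is deliberately limited to what changed; reviewing a handful of "Added" rows after an install is far easier than reading the full key contents, and it pairs well with a HIPS rule set to "ask" on these same keys.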

czesetfan

Level 2
Dec 3, 2021
85
What about keys that are listed as recommended but are not on the registry? Could it be that the HIPS rule protects them from being created by malware?
 

czesetfan

Level 2
Dec 3, 2021
85
Maybe here's a better thread on the topic: User Feedback Eset Smart Security Premium HIPS problem

It seems that due to a work method/error (?) it is actually non-functional to protect files from being changed in the "protected" folder. Implementation instructions here:
Implement Protected Folders via HIPS

Just rename the directory and the protection is broken.

The moderator says that a separate protection rule needs to be created for each parent folder.
You cannot use \* at the end of the path. That's why I wrote:

You must create another similar rule for the folder itself, with the target path set exactly to
D:\frog

ESET's "official" instructions (2/2020) for creating a HIPS rule to protect a folder: hips-configuration

Can anyone verify this? How is it then? :unsure: