Advice Request Configure ESET Antivirus for Maximum Security (by RoboMan)

[czesetfan]

My friend, have in mind this is my personal opinion, and defines the answer as the way I see home security.

I believe BitDefender is a great standalone product, that's made to install and forget, since it's extremely automatic. Regarding its protection capabilities, it's a top notch product.

On the other hand, ESET offers a different type of security. With this configuration, ESET is the total opposite of "install and forget". This product has the advantage that it can be configured to the way you want to sense security. This thread aims at a user-dependant type of product. This setup will not look to be smart and decide for you, it will prompt you whenever something's not right, because you gave it rules to do so.

Aside from that, the automatic mode from ESET is very smart and its signatures are rather good.

So it's more of a: what am I looking for? Rather than what's best.

If you don't wanna get involved in your security, BitDefender is your choice.
If you want to know everything that's going on within your system, ESET is your choice.

PS: but you must be careful and study your product, because modules such as a HIPS can be extremely smart and secure, but will definitely break your system if you fail to understand how it works.

To compare BitDefender and ESET. I understand that this thread is for people who want to understand things and set up AV to suit themselves. I see it as questionable whether ESET also takes it that way. Looking at ESET's corporate communications, I see the message everywhere: The important thing is the perfect balance.
Security solutions that install in minutes. You simply set them up and then you can leave them to work independently and seamlessly in the background. So install and worry no more. The concept of Balance also implies, in my opinion, a certain caution in the "aggressiveness" of the various default settings, as ESET sees it as better to miss something occasionally than to deal with FP more often. This can be seen in the Default settings of the firewall (everything "out" open), HIPS (almost no blocking) and even the AV engine itself (PUA disabled). ˇProtection effectiveness in various tests should be (and is mostly measured) just in the most user-friendly Default settings.
I also think that AV should work "autonomously" without user interaction. He is working on the PC, not "fighting" with malware.

Translated with www.DeepL.com/Translator (free version)

 

[Zorro]

The list of keys to supplement the protection of the registry (some of the keys from this list I have already written here and they have already been added). Register these keys in hips at your own peril and risk. The action for hips is to ask the user.

Startup keys (individual custom)
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (only on 64-bit systems)
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce (runs the program/command only once, clears it as soon as it is run)
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx (runs the program/command only once, clears it as soon as execution completes)
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

Startup Keys (all users)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (only on 64-bit systems)
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce (runs the program/command only once, clears it as soon as it is run)
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx (runs the program/command only once, clears it as soon as execution completes)
HKLM\System\CurrentControlSet\Services
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

Active Setup - To run the command once for each user at login.
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components

Undocumented
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

Keys indicate drivers that are loaded at startup
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32

Startup Miscellaneous
HKLM\Software\Classes\Filter
HKLM\Software\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance
HKLM\Software\Wow6432Node\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance
HKLM\Software\Classes\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance
HKLM\Software\Wow6432Node\Classes\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance
KLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
HKCU\Control Panel\Desktop\Scrnsave.exe
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64

Group Policy Editor
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

==============================================================
Shell entries related to startup, such as items displayed when you right-click on files or folders.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKCU\Software\Classes\*\ShellEx\ContextMenuHandlers
HKLM\Software\Wow6432Node\Classes\*\ShellEx\ContextMenuHandlers
HKCU\Software\Classes\Drive\ShellEx\ContextMenuHandlers
HKLM\Software\Wow6432Node\Classes\Drive\ShellEx\ContextMenuHandlers
HKLM\Software\Classes\*\ShellEx\PropertySheetHandlers
HKLM\Software\Wow6432Node\Classes\*\ShellEx\PropertySheetHandlers
HKCU\Software\Classes\Directory\ShellEx\ContextMenuHandlers
HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers
HKLM\Software\Wow6432Node\Classes\Directory\ShellEx\ContextMenuHandlers
HKCU\Software\Classes\Directory\Shellex\DragDropHandlers
HKLM\Software\Classes\Directory\Shellex\DragDropHandlers
HKLM\Software\Wow6432Node\Classes\Directory\Shellex\DragDropHandlers
HKLM\Software\Classes\Directory\Shellex\CopyHookHandlers
HKCU\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers
HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers
HKLM\Software\Wow6432Node\Classes\Directory\Background\ShellEx\ContextMenuHandlers
HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers
HKLM\Software\Wow6432Node\Classes\Folder\ShellEx\ContextMenuHandlers
HKLM\Software\Classes\Folder\ShellEx\DragDropHandlers
HKLM\Software\Wow6432Node\Classes\Folder\ShellEx\DragDropHandlers
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOve

 

[harlan4096]

Please edit the previous post and translate Russian text into English, thanks

 

[Zorro]

Please edit the previous post and translate Russian text into English, thanks

Translated.

 

[czesetfan]

What about keys that are listed as recommended but are not on the registry? Could it be that the HIPS rule protects them from being created by malware?

 

[czesetfan]

Maybe here's a better thread on the topic: User Feedback Eset Smart Security Premium HIPS problem

It seems that due to a work method/error (?) it is actually non-functional to protect files from being changed in the "protected" folder. Implementation instructions here:
Implement Protected Folders via HIPS

Just rename the directory and the protection is broken.

The moderator says that a separate protection rule needs to be created for each parent folder.

You cannot use \* at the end of the path. That's why I wrote:

You must create another similar rule for the folder itself, with the target path set exactly to
D:\frog

ESET's "official" instructions (2/2020) for creating a HIPS rule to protect a folder: hips-configuration

Can anyone verify this? How is it then?

 

[tipo]

@RoboMan , king of robots, do you know any settings for the hips to alert when something tries to acces the personal data? And by that I mean passwords, usernames, cookies, sensitive areas etc.? (At least for web browsers)

 

[carl fish]

Last update: November 2021

If you're here you may probably have been delighted already by the majestic features of ESET Maybe the signatures convinced you? Great static detection for sure. In this thread I will guide you a bit on how to configure your ESET product for maximum security without compromising performance.

Spoiler: FAQ's

• Why ESET?

ESET's great with signatures, being one of the fastest to add them to their database. It also provides an amazing web filters and phishing protection. As for dynamic protection (real time execution of files) it can be either weak or really smart if configured correctly.

• Where does this configuration point to?

Of course, security. It will prioritize the maximum lockdown to avoid infection (which may happen if you don't acquire safe habits!). Still, we will make sure it's as light as possible.

• Is ESET a heavy product?

On the contrary, it's one of the lighter if not the lightest. Almost unnoticable system impact.

• Should I use it paired with other software?

If necessary, but evaluate which product. For example, OSArmor or VoodooShield can pair up really great, but some extra anti-malware products with real time protection (like HMP.A) may interfere with its features.

• Can I disable firewall to enable a 3rd party one?

Strongly recommended against. Do not disable any of the components that are not disabled in this configuration. A product works on its whole as a standalone solution, meaning firewall could be connected to real time protection in order to work fully.

• How does the thing that motivate the world function?

Cannot tell yet. May have that answer on my next firmware upgrade: Roboman 3.51b (beta testing through www.robomanAI.com/betatesting).

---------------------------------
CONFIGURATION

The following configuration setup is intended for maximum protection and interactive user approval. This means, you will be consulted about almost everything, in order for you to have full knowledge and control over your system. If you want an install and forget setup, this is not your thread. And probably not your AV lol.

We will start from the premise you just installed ESET, let it update and restarted the machine. Through the installation process you may have found out you're asked if you want to enable two options:

View attachment 196836

Just click YES on both.

If a section is skipped here on the thread it means you should leave it default. Only change what it's specifically told here. Compare the pictures with your configuration and enable/disable.

1. Right click ESET---Advanced setup

View attachment 196837

Spoiler: DETECTION ENGINE

View attachment 196838

Real-time system protection

View attachment 196839View attachment 196840View attachment 196841

Cloud based protection

View attachment 196842

Malware scans

1. Select "smart scan" and apply the following configuration

View attachment 196843View attachment 196844View attachment 196845
View attachment 196846View attachment 196847View attachment 196848View attachment 196849View attachment 196850View attachment 196851View attachment 196852

HIPS

View attachment 196853View attachment 196854

Spoiler: NETWORK PROTECTION

Firewall
Recommendation: set on learning mode for a week so all Windows and used software connections are learned, then switch to interactive to be notified about every connections.

View attachment 196855View attachment 196856View attachment 196857

Network attack protection

View attachment 196858View attachment 196859

Spoiler: DEVICE CONTROL

View attachment 196860

Spoiler: TOOLS

View attachment 196861

Spoiler: HIPS

Here I've added:

• Ransomware Protection rules: as per [KB6119] Configure HIPS rules for ESET business products to protect against ransomware (8.x))
• Registry Protection rules:

• Hosts file Protection rules

To add these 3 (three) groups of HIPS rules, just use my configuration file and import it into the product: UPLOAD.EE - https://www.upload.ee/files/13687257/ESET_NOD32_December_2021.xml.html

---------------------------------
WAIT, ROBO! I'm too lazy! Can't I just import your configuration file to my ESET product?
Well sir, yes you can. Download it from here:

UPLOAD.EE - ESET_NOD32_December_2021.xml - Download

ESET_NOD32_December_2021.xml - Download. Upload.ee

www.upload.ee

This link includes all the modules configuration, and HIPS rules for:

• Ransomware Protection rules
• Registry Protection rules
• Hosts file Protection rules
• Protected Folders

For instructions on successfully settings up the Protected Folders rules, check this post#60
Q&A - Configure ESET Antivirus for Maximum Security (by RoboMan)

is it ok to use this file in the current version, I have eset premium?

 

[czesetfan]

If I see correctly, this is an Antivirus only configuration.
It doesn't include all the options of the Premium version, mainly the firewall and others.
And similarly, I would prefer not to import the settings for an older version, lest unexpected problems arise.
A better way is to set things up manually according to the instructions (even with firewall) and other things.

 

[blueblackwow65]

Hi how is eset for protection and performance?.
I see on here eset firewall and hips gives some major problems to win 10 or 11.
I see the latest av test does not give it as recommended.
Can endpoint av work the same has eset nod32 av?
Thks

 

[Nevi]

Hi how is eset for protection and performance?.
I see on here eset firewall and hips gives some major problems to win 10 or 11.
I see the latest av test does not give it as recommended.
Can endpoint av work the same has eset nod32 av?
Thks

Good. It's one of the lightest brands regarding performance. It's protection is also in the good end. I use it myself. Our house antivirus expert use it too (at the moment.)
It's the same antivirus engine in both endpoint and nod32.

 

[RoboMan]

is it ok to use this file in the current version, I have eset premium?

Yes, but it will not configure those modules which aren't included in the NOD32 version.

I will update the configuration file for ESET 17 soon.

 

[blackice]

Yes, but it will not configure those modules which aren't included in the NOD32 version.

I will update the configuration file for ESET 17 soon.

This thread was the reason I joined MalwareTips and the community. Glad to see you still at it Robo!

 

[ForgottenSeer 103564]

For maximum security. I would change a couple things but if we are talking max security while usable, I would change your pick of HIPS setting.
Smart mode is like a placebo effect basically. I think for maximum effort "could say lock in policy mode" but most couldn't handle that so next best thing is placing the HIPS in learning mode to create a majority of rules, then after the set period switch to interactive mode to continue training the ruleset. After that point, when a user would have to run an installer though, they would either, throw it in learning mode "which is risky with new installer" or leave it in interactive mode and chose the rule set placing manually which requires a little knowledge of the system.

Even if a user chose smart mode they would need to start creating rules in order to get any real benefit from it.

So I know you laughed at my other post @RoboMan about the car with computer but left at default settings, but it's accurate. Advanced settings in eset are just that. Throw in custom rule creation for HIPS and FIREWALL and that computer would be gasping for breath from the restrictions.

 

[simmerskool]

For maximum security. I would change a couple things but if we are talking max security while usable, I would change your pick of HIPS setting.
Smart mode is like a placebo effect basically. I think for maximum effort "could say lock in policy mode" but most couldn't handle that so next best thing is placing the HIPS in learning mode to create a majority of rules, then after the set period switch to interactive mode to continue training the ruleset. After that point, when a user would have to run an installer though, they would either, throw it in learning mode "which is risky with new installer" or leave it in interactive mode and chose the rule set placing manually which requires a little knowledge of the system.

Even if a user chose smart mode they would need to start creating rules in order to get any real benefit from it.

So I know you laughed at my other post @RoboMan about the car with computer but left at default settings, but it's accurate. Advanced settings in eset are just that. Throw in custom rule creation for HIPS and FIREWALL and that computer would be gasping for breath from the restrictions.

can you elaborate on HIPS "Smart mode is like a placebo effect" or where to read more & why. I am not disagreeing with you, just wonder why default HIPS setting does nothing...

 

[ForgottenSeer 103564]

can you elaborate on HIPS "Smart mode is like a placebo effect" or where to read more & why. I am not disagreeing with you, just wonder why default HIPS setting does nothing...

It's in how restrictive the rules are per setting.

Prevention | ESET Internet Security 17

When you work with your computer, and especially when you browse the internet, please keep in mind that no antivirus system in the world can completely eliminate the risk of...

help.eset.com

 

[blackice]

ESET HIPS is mostly worthless without manual rules.

 

[simmerskool]

It's in how restrictive the rules are per setting.

Prevention | ESET Internet Security 17

When you work with your computer, and especially when you browse the internet, please keep in mind that no antivirus system in the world can completely eliminate the risk of...

help.eset.com

I may have seen this in past: Smart mode= "user will only be notified about very suspicious events" ergo I must not be having very suspicious events In long ago past, I ran a dedicated HIPS app, so I'll play with ESET HIPS modes to see what happens.

 

[Ashish1+1]

After @Shadowra recent app review of Eset Smart Security 2024 - by the way it was a great comprehensive test.
I am curious on how resilient is Eset Antivirus Nod 32 and how to tweak it now for security and performance- since it was last updated in Nov' 2021

Could I ask for an update for this thread? Thanks in advance

 

[tofargone]

I think this is a great idea