Advice Request Configure ESET Antivirus for Maximum Security (by RoboMan)


czesetfan

Level 3
Dec 3, 2021
149
My friend, keep in mind that this is my personal opinion, and it frames the answer as the way I see home security.

I believe BitDefender is a great standalone product, that's made to install and forget, since it's extremely automatic. Regarding its protection capabilities, it's a top notch product.

On the other hand, ESET offers a different type of security. With this configuration, ESET is the total opposite of "install and forget". This product has the advantage that it can be configured to the way you want to sense security. This thread aims at a user-dependent type of product. This setup will not look to be smart and decide for you; it will prompt you whenever something's not right, because you gave it rules to do so.

Aside from that, the automatic mode from ESET is very smart and its signatures are rather good.

So it's more of a: what am I looking for? Rather than what's best.

If you don't wanna get involved in your security, BitDefender is your choice.
If you want to know everything that's going on within your system, ESET is your choice.

PS: but you must be careful and study your product, because modules such as a HIPS can be extremely smart and secure, but will definitely break your system if you fail to understand how it works.
To compare BitDefender and ESET: I understand that this thread is for people who want to understand things and set up the AV to suit themselves. I see it as questionable whether ESET also takes it that way. Looking at ESET's corporate communications, I see the message everywhere: the important thing is the perfect balance.
Security solutions that install in minutes. You simply set them up and then you can leave them to work independently and seamlessly in the background. So install and worry no more. The concept of balance also implies, in my opinion, a certain caution in the "aggressiveness" of the various default settings, as ESET sees it as better to miss something occasionally than to deal with FPs more often. This can be seen in the default settings of the firewall (everything "out" open), the HIPS (almost no blocking) and even the AV engine itself (PUA detection disabled). Protection effectiveness in various tests should be (and mostly is) measured just in the most user-friendly default settings.
I also think that an AV should work "autonomously" without user interaction. The user is working on the PC, not "fighting" with malware. :unsure:

Translated with www.DeepL.com/Translator (free version)
 

Zorro

Level 9
Verified
Well-known
Jun 11, 2019
404
The list of keys to supplement the protection of the registry (some of the keys from this list I have already written here and they have already been added). Register these keys in the HIPS at your own risk. The action for the HIPS rule is to ask the user.

Startup keys (individual custom)
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (only on 64-bit systems)
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce (runs the program/command only once, clears it as soon as it is run)
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx (runs the program/command only once, clears it as soon as execution completes)
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

Startup Keys (all users)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (only on 64-bit systems)
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce (runs the program/command only once, clears it as soon as it is run)
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx (runs the program/command only once, clears it as soon as execution completes)
HKLM\System\CurrentControlSet\Services
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

Active Setup - To run the command once for each user at login.
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components

Undocumented

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

Keys that indicate drivers loaded at startup
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32

Startup Miscellaneous
HKLM\Software\Classes\Filter
HKLM\Software\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance
HKLM\Software\Wow6432Node\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance
HKLM\Software\Classes\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance
HKLM\Software\Wow6432Node\Classes\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance
HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
HKCU\Control Panel\Desktop\Scrnsave.exe
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64

Group Policy Editor
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

==============================================================
Shell entries related to startup, such as items displayed when you right-click on files or folders.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKCU\Software\Classes\*\ShellEx\ContextMenuHandlers
HKLM\Software\Wow6432Node\Classes\*\ShellEx\ContextMenuHandlers
HKCU\Software\Classes\Drive\ShellEx\ContextMenuHandlers
HKLM\Software\Wow6432Node\Classes\Drive\ShellEx\ContextMenuHandlers
HKLM\Software\Classes\*\ShellEx\PropertySheetHandlers
HKLM\Software\Wow6432Node\Classes\*\ShellEx\PropertySheetHandlers
HKCU\Software\Classes\Directory\ShellEx\ContextMenuHandlers
HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers
HKLM\Software\Wow6432Node\Classes\Directory\ShellEx\ContextMenuHandlers
HKCU\Software\Classes\Directory\Shellex\DragDropHandlers
HKLM\Software\Classes\Directory\Shellex\DragDropHandlers
HKLM\Software\Wow6432Node\Classes\Directory\Shellex\DragDropHandlers
HKLM\Software\Classes\Directory\Shellex\CopyHookHandlers
HKCU\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers
HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers
HKLM\Software\Wow6432Node\Classes\Directory\Background\ShellEx\ContextMenuHandlers
HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers
HKLM\Software\Wow6432Node\Classes\Folder\ShellEx\ContextMenuHandlers
HKLM\Software\Classes\Folder\ShellEx\DragDropHandlers
HKLM\Software\Wow6432Node\Classes\Folder\ShellEx\DragDropHandlers
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOve
 
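As an added example (not from the post above and not ESET code), here is a read-only PowerShell inventory of the autostart keys in that list. Before you point an "Ask" HIPS rule at them it helps to know which keys exist on your machine, how much is already in them, and which list entries are actually values rather than keys. The array holds a representative subset of the list; paste the remaining keys in yourself. Two assumptions are made: the post's "KLM\System\..." entry is taken as a typo for HKLM, and the script is run from an elevated PowerShell so the HKLM service keys are readable.

```powershell
# Added example (not ESET code, not from the post): read-only inventory of the
# autostart keys listed above, so you know what already lives there before
# switching a HIPS rule on them to "Ask". Run from an elevated PowerShell;
# nothing is written to the registry.

# A representative subset of the list above; paste the remaining keys in here.
# The post's "KLM\System\..." entry is assumed to be a typo for HKLM.
$asepKeys = @(
    'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components',
    'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler',
    'HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls',
    'HKCU\Control Panel\Desktop\Scrnsave.exe',
    'HKLM\Software\Classes\*\ShellEx\PropertySheetHandlers',
    'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

$is64 = [Environment]::Is64BitOperatingSystem

function Convert-ToProviderPath {
    # Map the short hive names used in the list to PowerShell registry drives.
    param([string]$Key)
    switch -Regex ($Key) {
        '^HKLM\\' { return 'HKLM:\' + $Key.Substring(5) }
        '^HKCU\\' { return 'HKCU:\' + $Key.Substring(5) }
        default   { throw "Unknown hive in '$Key'" }
    }
}

function Get-AsepStatus {
    param([string]$Key)
    if ($Key -match 'Wow6432Node' -and -not $is64) {
        return [pscustomobject]@{ Key = $Key; Status = 'n/a (32-bit OS)'; Values = 0; Subkeys = 0 }
    }
    $path = Convert-ToProviderPath $Key
    # -LiteralPath is essential: "Classes\*\ShellEx\..." contains a literal
    # subkey named "*", which -Path would expand as a wildcard.
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path
        return [pscustomobject]@{ Key = $Key; Status = 'present'; Values = $item.ValueCount; Subkeys = $item.SubKeyCount }
    }
    # Some list entries (e.g. ...\Desktop\Scrnsave.exe) are values, not keys:
    # look in the parent key for a value with that name.
    $parent = Split-Path -LiteralPath $path -Parent
    $leaf   = Split-Path -LiteralPath $path -Leaf
    if ((Test-Path -LiteralPath $parent) -and
        ($null -ne (Get-ItemProperty -LiteralPath $parent -Name $leaf -ErrorAction SilentlyContinue))) {
        return [pscustomobject]@{ Key = $Key; Status = 'present (value)'; Values = 1; Subkeys = 0 }
    }
    # Absent: an "Ask" rule on this target can only fire when something creates it.
    return [pscustomobject]@{ Key = $Key; Status = 'absent'; Values = 0; Subkeys = 0 }
}

$report = $asepKeys | ForEach-Object { Get-AsepStatus $_ }
$report | Sort-Object Status, Key | Format-Table -AutoSize

# Dump the actual entries of the classic Run* keys that exist, so you can
# recognise the legitimate ones when the HIPS later prompts about them.
$report |
    Where-Object { $_.Status -eq 'present' -and $_.Key -match '\\Run(Once|OnceEx|Services)?$' } |
    ForEach-Object {
        "`n== $($_.Key)"
        Get-ItemProperty -LiteralPath (Convert-ToProviderPath $_.Key) |
            Select-Object -Property * -ExcludeProperty PS* |
            Format-List
    }
```

The Status column is the useful part: keys reported as "present" are the ones an interactive rule will start prompting about immediately (review their contents first), while keys reported as "absent" are targets where the rule only matters if something tries to create them. Wow6432Node entries are skipped on a 32-bit Windows, matching the "(only on 64-bit systems)" notes in the list.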

czesetfan

Level 3
Dec 3, 2021
149
What about keys that are listed as recommended but are not in the registry? Could it be that the HIPS rule protects them from being created by malware?
 

czesetfan

Level 3
Dec 3, 2021
149
Maybe here's a better thread on the topic: User Feedback Eset Smart Security Premium HIPS problem

It seems that, due to the way it works (or a bug?), protecting files from being changed in the "protected" folder is actually non-functional. Implementation instructions here:
Implement Protected Folders via HIPS

Just rename the directory and the protection is broken.

The moderator says that a separate protection rule needs to be created for each parent folder.
You cannot use \* at the end of the path. That's why I wrote:

You must create another similar rule for the folder itself, with the target path set exactly to
D:\frog

ESET's "official" instructions (2/2020) for creating a HIPS rule to protect a folder: hips-configuration

Can anyone verify this? How is it then? :unsure:
 

carl fish

Level 7
Verified
Mar 6, 2012
330
Last update: November 2021

If you're here, you have probably already been delighted by the majestic features of ESET :) Maybe the signatures convinced you? Great static detection for sure. In this thread I will guide you a bit on how to configure your ESET product for maximum security without compromising performance.

  • Why ESET?
ESET is great with signatures, being one of the fastest to add them to its database. It also provides amazing web filters and phishing protection. As for dynamic protection (real-time execution of files), it can be either weak or really smart if configured correctly.
  • Where does this configuration point to?
Of course, security. It will prioritize the maximum lockdown to avoid infection (which may happen if you don't acquire safe habits!). Still, we will make sure it's as light as possible.
  • Is ESET a heavy product?
On the contrary, it's one of the lightest, if not the lightest. Almost unnoticeable system impact.
  • Should I use it paired with other software?
If necessary, but evaluate which product. For example, OSArmor or VoodooShield can pair up really great, but some extra anti-malware products with real time protection (like HMP.A) may interfere with its features.
  • Can I disable firewall to enable a 3rd party one?
Strongly recommended against. Do not disable any of the components that are not disabled in this configuration. A product works as a whole as a standalone solution, meaning the firewall could be connected to real-time protection in order to work fully.
  • How does the thing that motivate the world function?
Cannot tell yet. May have that answer on my next firmware upgrade: Roboman 3.51b (beta testing through www.robomanAI.com/betatesting).
---------------------------------
CONFIGURATION

The following configuration setup is intended for maximum protection and interactive user approval. This means you will be consulted about almost everything, in order for you to have full knowledge and control over your system. If you want an install-and-forget setup, this is not your thread. And probably not your AV, lol.

We will start from the premise that you just installed ESET, let it update and restarted the machine. During the installation process you may have found that you're asked if you want to enable two options:


Just click YES on both.

If a section is skipped here in the thread it means you should leave it at default. Only change what is specifically told here. Compare the pictures with your configuration and enable/disable accordingly.

1. Right click ESET---Advanced setup


Firewall
Recommendation: set it to learning mode for a week so all Windows and used-software connections are learned, then switch to interactive mode to be notified about every connection.



Network attack protection

Here I've added:

  • Hosts file Protection rules
To add these 3 (three) groups of HIPS rules, just use my configuration file and import it into the product: UPLOAD.EE - https://www.upload.ee/files/13687257/ESET_NOD32_December_2021.xml.html
---------------------------------
WAIT, ROBO! I'm too lazy! Can't I just import your configuration file to my ESET product?
Well sir, yes you can. Download it from here:


This link includes all the modules configuration, and HIPS rules for:
  • Ransomware Protection rules
  • Registry Protection rules
  • Hosts file Protection rules
  • Protected Folders
For instructions on successfully setting up the Protected Folders rules, check this post #60
Q&A - Configure ESET Antivirus for Maximum Security (by RoboMan)
Is it OK to use this file in the current version? I have ESET Premium.
 

czesetfan

Level 3
Dec 3, 2021
149
If I see correctly, this is an Antivirus only configuration.
It doesn't include all the options of the Premium version, mainly the firewall and others.
And similarly, I would prefer not to import the settings for an older version, lest unexpected problems arise.
A better way is to set things up manually according to the instructions (even with firewall) and other things.
 

blueblackwow65

Level 23
Verified
Well-known
Dec 19, 2012
1,243
Hi, how is ESET for protection and performance?
I see on here that the ESET firewall and HIPS give some major problems on Win 10 or 11.
I see the latest AV test does not rate it as recommended.
Can the endpoint AV work the same as ESET NOD32 AV?
Thanks
 

Nevi

Level 11
Verified
Top Poster
Well-known
Apr 7, 2016
500
Hi, how is ESET for protection and performance?
I see on here that the ESET firewall and HIPS give some major problems on Win 10 or 11.
I see the latest AV test does not rate it as recommended.
Can the endpoint AV work the same as ESET NOD32 AV?
Thanks
Good. It's one of the lightest brands regarding performance. Its protection is also at the good end. I use it myself. Our house antivirus expert uses it too (at the moment).
It's the same antivirus engine in both Endpoint and NOD32.
 

ForgottenSeer 103564

For maximum security, I would change a couple of things, but if we are talking max security while usable, I would change your pick of HIPS setting.
Smart mode is basically like a placebo effect. I think for maximum effort (you could say lock it in policy mode), but most couldn't handle that, so the next best thing is placing the HIPS in learning mode to create the majority of rules, then after the set period switch to interactive mode to continue training the ruleset. After that point, when a user has to run an installer, they would either throw it into learning mode (which is risky with a new installer) or leave it in interactive mode and choose the rule placement manually, which requires a little knowledge of the system.

Even if a user chose smart mode, they would need to start creating rules in order to get any real benefit from it.

So I know you laughed at my other post @RoboMan about the car with the computer left at default settings, but it's accurate. Advanced settings in ESET are just that. Throw in custom rule creation for HIPS and firewall and that computer would be gasping for breath from the restrictions.
 

simmerskool

Level 31
Verified
Top Poster
Well-known
Apr 16, 2017
2,094
For maximum security, I would change a couple of things, but if we are talking max security while usable, I would change your pick of HIPS setting.
Smart mode is basically like a placebo effect. I think for maximum effort (you could say lock it in policy mode), but most couldn't handle that, so the next best thing is placing the HIPS in learning mode to create the majority of rules, then after the set period switch to interactive mode to continue training the ruleset. After that point, when a user has to run an installer, they would either throw it into learning mode (which is risky with a new installer) or leave it in interactive mode and choose the rule placement manually, which requires a little knowledge of the system.

Even if a user chose smart mode, they would need to start creating rules in order to get any real benefit from it.

So I know you laughed at my other post @RoboMan about the car with the computer left at default settings, but it's accurate. Advanced settings in ESET are just that. Throw in custom rule creation for HIPS and firewall and that computer would be gasping for breath from the restrictions.
Can you elaborate on HIPS "Smart mode is like a placebo effect", or point to where to read more and why? I am not disagreeing with you, just wondering why the default HIPS setting does nothing... :unsure:
 

ForgottenSeer 103564

Can you elaborate on HIPS "Smart mode is like a placebo effect", or point to where to read more and why? I am not disagreeing with you, just wondering why the default HIPS setting does nothing... :unsure:
It's in how restrictive the rules are per setting.

 

simmerskool

Level 31
Verified
Top Poster
Well-known
Apr 16, 2017
2,094
It's in how restrictive the rules are per setting.

I may have seen this in the past: Smart mode = "user will only be notified about very suspicious events", ergo I must not be having very suspicious events :D Long ago I ran a dedicated HIPS app, so I'll play with the ESET HIPS modes to see what happens.
 
