ESET Internet Security 10 : Recommended settings

[viktik]

General Settings

Spoiler: General Settings

• Click “Advanced setup“

• Enable “integrate into system“

HIPS RULE SETTINGS

Spoiler: Hips Rule Settings

• HIPS rule can be created to protect user files stored in certain folders.
• Click “Edit” next to Rules

• Click “Add“

• Set “Rule name” as “PROTECTED FILES“
• Set “Action” as “Ask“
• Under “Operations affecting“, enable “Files“
• Click “Next“

• Select “All applications“

• Enable “Delete file“, “Write to File” and “Direct access to disk” as shown below

• Select “Specific files” as shown below
• Click “Add“

• Click “…” as shown below

• Select D:\ partition
• Click “OK“

• Click “OK“

• Similarly add other partitions in which files has been stored, as shown below
• Don’t add C: partition in which Windows OS is installed
• Click “Finish“

• Click “OK“

• Click “OK“

HIPS Alerts

Spoiler: HIPS Alerts

• When an application tries to access files, ESET HIPS generates alerts as shown below.
• Allow only safe applications. Deny if you don’t want application to modify protected files.
• To permanently allow safe application access to files, select “Create rule and remember permanently“
• Tick “Only for operation” and select “All file operations“

• To check the reputation of the application, click “Details“

• Next to “Reputation:” you can see the Eset rating of the application.
• Green color means the application is safe.
• Yellow color means application is unknown
• Red color means Application unsafe

FIREWALL INTERACTIVE MODE

Spoiler: Firewall interactive mode

• Set “Filtering mode” to “Interactive Mode“
• Click “OK“

• When an application tries to connect to Internet (network), Eset Firewall shows this alert.
• If application is safe then click “Allow“, otherwise “Deny“
• If you want to permanently allow a safe application to have access to internet, then select “create rule and remember permanently“
• Click “Allow“

• If you want to block access to the Internet for an application click “Deny” when Firewall alert is shown.

• To see Reputation of an application click “details“

• When installing an application, if application tries to connect to internet, then select “Remember until application quits“
• Click “allow” or “deny” as you wish

 

[Oxygen]

Thanks for taking the time to post all of this @viktik.

 

[ant_gamal]

Thanks alot

 

[Adz.]

Great tutorial, was looking for this.

 

[novocaine]

thanks @viktik well done, have you tried the HIPS settings against ransomware?

 

[viktik]

thanks @viktik well done, have you tried the HIPS settings against ransomware?

tested one time.
HIPS does protect from ransomware, if user takes correct decision.

 

[cryogent]

@viktik Thanks for sharing with us such good info.
I only have one problem , in my ESET IS 10 HIPS section i don't have "Enable Protected Service" !!!

And other problem although HIPS remain in Automatic Mode I can not delete any folder created even in the C partition.
I don't no why is doing that, but does that after i make this settings in HIPS rules.
I had to reset ESET to default.
Remained the only settings for firewall and document protection.

Ok...its a complet mistery for me but after 4 times trying to make the HIPS settings now its working.
I'm sure i have done the right settings from the first time.

 

[Syafiq]

Hmm.. you should enable the Advanced Heuristics/DNA(Smart Signatures) on Real Time Protection ThreatSense Parameters.

 

[Malware Person]

thanks for this post! Very useful for ESET users!

 

[HarborFront]

Thanks

I'm late but I'll catch up

One question. I'm not using any desktop email client (using only web based emails) so should I disable EVERYTHING under the 'Email Client Protection' section. This will include the

Email Clients
Email Protocols
Threatsense Parameters
Alerts and Notifications
Antispam Protection
Antispam Address Book

My thinking is that disabling all those not needed will help to speed up ESET. Parental Control is another example which I disabled since I'm the only one using my tablet

Thanks again

 

[clyde]

Wow,I haven't seen this around in a while.Thanks again.

 

[Rebsat]

Thank you very much for posting this great tutorial bro

 

[jadinolf]

Great information.
Many thanks

 

[Sunshine-boy]

@viktik
Your rules are not correct! with such rule, every 30 sec you have an ugly alert from HIPS.
1-Because the windows stuff tries to write To C.
2-When you browse the web the browser want to write to his folders(Again C).
3-It will make a lot of alerts If you want to install an App!Also a lot of pain for user:notworthy:
I have no idea why did you create such rules!?
If someone wants the right way to protect his files with Eset Hips:
Place your important files on somewhere and inside a folder then set a block rule for all file operation! like I put my Text files on D:\new folder\example.rtf and set block rules for this file via HIPS. don't forget that Eset Hips will not protect your files from access or copy.it only protect from writing to file or delete the file(doesn't work/probably bug?!).
There is another bug in Eset Hips that Auto allow an operation if you don't answer the alert in provided time(around 45 sec)!So an ask rule for your files is the worst thing that you can do lol! it should be a block rule not ask because the asks rule will auto allow the access so ransomware will encrypt your files if you don't answer the alert fast(as I said about 45 sec) I used to answer Eset alerts fast!
I use Easy File Locker(but also Eset hips) which protects my files in a better way than Eset!
i just gave you another reason that why you shouldn't pay for any Av

 

[ForgottenSeer 58943]

Speaking as a network security guy, ESET has a REALLY GOOD Firewall if you tweak it. I don't run ESET, but there is no denying it's efficacy.

I'll have to put it in a VM and go through the settings. But the ability to block WSD polling, LLMNR, UPNP, SMB, IGMP, RD, Bridging, Metro Apps and other crap is priceless really.. ARP request blocking outside of trusted zones is also awesome to avoid ARP spoofing or poisons. It makes me feel like I should use ESET if my network wasn't already well protected. I'd certainly recommend it based on the firewall alone to be honest.

Oh, the ability to disable some of the logging, disable sending in files and turning off the 'sharing with community' stuff is icing on the cake. Good stuff.

 

[Sunshine-boy]

ForgottenSeer 58943 I also Love Eset and the Hips in policy mode is strong(lockdown mode for HIPS) I have no problem with it because I learned how to handle the bugs! Ofc it has the best firewall among others, A smart hips and its the lightest av in the world! but there are HIPS bugs that Eset doesn't care much about them(because no one uses their hips maybe rare ppl)! that's why I say you shouldn't pay for any Av because the developers don't fix bugs fast or even ignore you its true for all other Avs as well! the good thing is Eset fix the bugs but so late...Eset is my first choice! but I will not pay for any Av never xd
For fixing bugs you need to run it in interactive mode+some custom rules +asnwer the alert fast or bb protection it needs learning curve like I wasted about 4 months of my life on it haha.anyway I like it

is priceless really.

For you but not for Asian countries!

 

[Hero7]

would love that you make one for norton

 

[dja2k]

Thanks viktik for the setup guide!

Can all these services can be disabled and not compromise security. My internet is working fine with everything off, just want to confirm. Thanks!

 

[ForgottenSeer 58943]

Thanks viktikfor the setup guide!

Can all these services can be disabled and not compromise security. My internet is working fine with everything off, just want to confirm. Thanks!

It depends on the network. I'd recommend keeping TCP connections open or you may truncate some app communications. Everything else like WSD, LLMNR and RPC are probably not needed, especially if you have no servers or a local DNS resolver and don't use WSD assigned printers. ARP outside of trusted zone could in theory, totally wipe out your network if you have multiple subnets and they aren't assigned as trusted zones inside of Eset.

Otherwise? Probably good to go.

 

[dja2k]

It depends on the network. I'd recommend keeping TCP connections open or you may truncate some app communications. Everything else like WSD, LLMNR and RPC are probably not needed, especially if you have no servers or a local DNS resolver and don't use WSD assigned printers. ARP outside of trusted zone could in theory, totally wipe out your network if you have multiple subnets and they aren't assigned as trusted zones inside of Eset.

Otherwise? Probably good to go.

Perfect and thanks!