App Review NOD32 10.0 HIPS Test (Catastrophic failure)

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.

RejZoR

Level 15
Thread author
Verified
Top Poster
Well-known
Nov 26, 2016
699


NOD32 was hugely requested and to my surprise, it was absolute and total letdown. Not only it failed after FIRST executed sample, the HIPS component did exactly NOTHING through the entire test. It hasn't done anything for ransomware samples either. Granted, I don't know NOD32 in depth as much as I do avast! (and many others), but in this case, either HIPS component heavily relies on Real-Time part or it was really this bad. In which case, it is annoying to have a toggle for separate functions which later don't work at all without any disclaimer or notification about potentially limited protection. I mean, during tests, I sometimes disable real-time components of my AV, but I want to be sure on-execution, HIPS or behavior blocker components still protect me in case I by mistake somehow execute test samples on my host system. In case of NOD32, things would end up pretty badly, where in case of AVG, Kaspersky and Bitdefender, that wouldn't be the case as their proactive components work fully independently and also highly efficiently. I know ESET is pretty strong on file heuristics, but they really have to send their HIPS component back to the drawing board...

Version used in this test was: NOD32 Antivirus 10.0.369.0 (fully updated before the test)
 
Last edited:

Venustus

Level 59
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Dec 30, 2012
4,809
NOD32 was hugely requested and to my surprise, it was absolute and total letdown. Not only it failed after FIRST executed sample, the HIPS component did exactly NOTHING through the entire test. It hasn't done anything for ransomware samples either. Granted, I don't know NOD32 in depth as much as I do avast! (and many others), but in this case, either HIPS component heavily relies on Real-Time part or it was really this bad. In which case, it is annoying to have a toggle for separate functions which later don't work at all without any disclaimer or notification about potentially limited protection. I mean, during tests, I sometimes disable real-time components of my AV, but I want to be sure on-execution, HIPS or behavior blocker components still protect me in case I by mistake somehow execute test samples on my host system. In case of NOD32, things would end up pretty badly, where in case of AVG, Kaspersky and Bitdefender, that wouldn't be the case as their proactive components work fully independently and also highly efficiently. I know ESET is pretty strong on file heuristics, but they really have to send their HIPS component back to the drawing board...

Version used in this test was: NOD32 Antivirus 10.0.369.0 (fully updated before the test)
Thanks!!:)
 
Last edited:

RejZoR

Level 15
Thread author
Verified
Top Poster
Well-known
Nov 26, 2016
699
But doesn't that kinda defeat the purpose of it? I mean, it came in Automatic mode out of the box. This means, 99% of users will get results like this. Which is just rubbish. AVG, Bitdefender and Kaspersky were also tested on default settings and they all exhibited vastly different (better) results.

Might try in other modes, but Interactive kinda defeats the purpose of it as well. I mean, fair enough, they call it HIPS where user is expected to make decisions, but for me, any solution that entirely depends on user decisions as next to useless, because I know psychology behind users. Casuals just click ALLOW for everything and people like us often click BLOCK even on things that are most likely fine, because we want to be sure. Intelligent behavior blockers kinda do both. They don't bother users, but they deliver excellent results. Which is why I'm not a huge fan of HIPS. May just as well get "Are you sure?" popup on everything you run and get same end results...
 

BoraMurdar

Community Manager
Verified
Staff Member
Well-known
Aug 30, 2012
6,598
I know what you're talking about, I am also kinda disappointed as ESET didn't improve their HIPS for quite a few versions (in Automatic mode) as far as I am aware. But HIPS in interactive mode will gave you so much popups that you will go crazy. Auto -> does nothing ; Interactive - Asks everything
 

adnage19

Level 5
Verified
Well-known
Sep 22, 2016
211
I'm very dissapointed... The only module that is effective in default settings, is Advanced Memory Scanner. Eset's HIPS is useful after hours of configuration but default Automatic mode is a joke. Of course, when we look at an overall protection with all modules enabled, Eset is very good, but it fails so badly in terms of proactive protection modules in compare to Kaspersky, Bitdefender or Emsisoft.
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
The HIPS besides of having ineffective on Automatic Mode, they don't have adequate ruleset by default in order to lessen the pop-ups from interactive mode.

Way back before, ESET has little bit difficulties on implementing HIPS.
 

Marcos

From ESET
Verified
Developer
Jun 13, 2013
17
This is really a very bad test as disabling functionality like real-time protection that can catch a lot of malware and also provides HIPS with information about execution of files that serves for further behavior monitoring and is utilized by HIPS and HIPS-based protection modules like Advanced memory scanner, Exploit Blocker, Self-Defense and Ransomware protection.
Protection features in ESET's products are interconnected and disabling one crucial protection feature may affect other protection features as well.

I'd strongly suggest to use default settings for testing with all protection features enabled and do not cripple ESET's functionality by disabling the most crucial component, the real-time protection.

While other products may use HIPS as a stand-alone component, in the case of ESET HIPS itself may appear to users to not do anything in automatic mode, however, it provides other protection components with important information about applications' behavior which then act accordingly.
 

RejZoR

Level 15
Thread author
Verified
Top Poster
Well-known
Nov 26, 2016
699
This is really a very bad test as disabling functionality like real-time protection that can catch a lot of malware and also provides HIPS with information about execution of files that serves for further behavior monitoring and is utilized by HIPS and HIPS-based protection modules like Advanced memory scanner, Exploit Blocker, Self-Defense and Ransomware protection.
Protection features in ESET's products are interconnected and disabling one crucial protection feature may affect other protection features as well.

I'd strongly suggest to use default settings for testing with all protection features enabled and do not cripple ESET's functionality by disabling the most crucial component, the real-time protection.

While other products may use HIPS as a stand-alone component, in the case of ESET HIPS itself may appear to users to not do anything in automatic mode, however, it provides other protection components with important information about applications' behavior which then act accordingly.

I know it's not intended use, but this is how I test individual components, particularly behavior blockers. AVG, Kaspersky and Bitdefender, despite not using any signature scanning had amazing results. I do take into account the fact it's not fully enabled as mentioned during the test, but one would expect at least something. But it did nothing through all the samples (over 100 of them). At least 1 should trigger something.

I will test other modes out of curiosity, but if HIPS relies so heavily on Real-Time, what's the purpose of having it as a separate setting, giving users illusion it's a stand alone component while in fact it is not? I'd suggest moving HIPS under Real-Time component settings then, where it apparently belongs.
 
M

MalwareBlockerYT

I have tested ESET Internet Security on default settings & if all the components are On then it's actually pretty darn good as an AV I'd say it's in my top 5 :)

Although saying that a Ransomware file did encrypt all my files when doing the Prevention Test
:(

It's fine to test individual components & you should continue doing so since most other Youtubers (including myself) test the whole program - you put a unique spin on things so keep it up ;)
 

RejZoR

Level 15
Thread author
Verified
Top Poster
Well-known
Nov 26, 2016
699
Yeah, that was my intention. No point in copying you guys, but advanced proactive systems always intrigued me. Too bad not all allow separate usage of such modules. I'd love to test avast DeepScreen alone, but since it's tied to real-time part, I can't. Same goes for NOD32 apparently, even though they have it as separate toggle.
 

Marcos

From ESET
Verified
Developer
Jun 13, 2013
17
We will improve the wording of the warning when real-time protection is disabled. HIPS can work as a separate module for protecting the registry but for file operations real-time protection is inevitable as it provides HIPS with information about execution of files and with other filesystem-related operations that are further used by HIPS and other HIPS-dependent modules (EB, AMS, Ransomware protection) for evaluation of suspicious behavior.
 
5

509322

One thing that is very often undocumented are module\settings inter-dependencies. In such cases it can lead to unexpected behaviors and can produce disappointing results.

Disable one module - like real-time protection - and it limits the functionality of another module.

It is possible that is what happened in this case.
 

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,712
This is really a very bad test as disabling functionality like real-time protection that can catch a lot of malware and also provides HIPS with information about execution of files that serves for further behavior monitoring and is utilized by HIPS and HIPS-based protection modules like Advanced memory scanner, Exploit Blocker, Self-Defense and Ransomware protection.
Protection features in ESET's products are interconnected and disabling one crucial protection feature may affect other protection features as well.

I'd strongly suggest to use default settings for testing with all protection features enabled and do not cripple ESET's functionality by disabling the most crucial component, the real-time protection.

While other products may use HIPS as a stand-alone component, in the case of ESET HIPS itself may appear to users to not do anything in automatic mode, however, it provides other protection components with important information about applications' behavior which then act accordingly.
The HIPS didn't react in this other test.
Video Review - ESET Internet Security prevention and detection Test
 

tim one

Level 21
Verified
Honorary Member
Top Poster
Malware Hunter
Jul 31, 2014
1,086
Speaking of general HIPS detection, for example, we can have a specific common encrypted malcode that automatically decrypts itself on the HDD.
This malware can perform an array of bytes (a simple JMP) in a memory segment and the executable reads the encrypted file and stores it in a buffer. At this point, the buffer is decrypted by jumping to the address pointed by the buffer, to run the decrypted code.

But yes, the virtual address does not match, for example, we admit the first istruction of the malware in the buffer, the CPU jumps to the instruction in the address but into that address there is already a instruction of the executable.

Sure, to bypass this problem is complicated for malware, but many samples change the virtual address of the decrypted code with the related address by setting the registry "code base" to the address pointed by the buffer.

In this case, many HIPS do not detect this behavior.
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top