zakazak's Config

zakazak

New Member
Thread author
Dec 2, 2014
12
Hey there,

I am using ESET Smart Security v8 with the firewall in interactive mode. This means I need to create a rule for every file that wants to communicate (or not).

I am wondering which rules I should set for stuff like svchost.exe (comes with pre-defined rules), rundll32.exe or spoolsv.exe?

So far I have allowed svchost.exe to communicate with the Windows Update servers via port 443 and port 80.

What about:
rundll32.exe
dashost.exe
spoolsv.exe
and others?

Thanks :)

BoraMurdar

Super Moderator
Verified
Staff Member
Well-known
Aug 30, 2012
6,598
Thanks for sharing your config.
Well, after you install ESS8 on a previously clean system, you just enable the Learning Mode. Run all the software you have initially installed on your system and the Firewall will learn the I/O connections. Don't worry, if anything suspicious comes out ESET will warn you. After a couple of days, set the Firewall to Interactive mode and on any new connection ESET will prompt you what to do.
System processes will be automatically analyzed and categorized.

zakazak

I understand; however, this is to post your security configuration. This might help you though: http://malwaretips.com/threads/how-to-set-eset-smart-security-for-max-protection.14466/

Thanks, I asked for help in the thread.

Thanks for sharing your config.
Well, after you install ESS8 on a previously clean system, you just enable the Learning Mode. Run all the software you have initially installed on your system and the Firewall will learn the I/O connections. Don't worry, if anything suspicious comes out ESET will warn you. After a couple of days, set the Firewall to Interactive mode and on any new connection ESET will prompt you what to do.
System processes will be automatically analyzed and categorized.

This isn't really secure, and also useless/unsafe rules will be created. I rather prefer to set interactive mode and create each rule when I get the first warning. That way I will look at and think about the rule (e.g. I will not allow Windows home-calling to its statistic and adware servers) instead of simply allowing a Windows process to do whatever it wants. To be honest, there aren't too many rules anyway. I have about 30 files that I needed to create rules for. Most of them have been a 2 minute task :)

But a few hard ones are remaining and maybe someone has a good "default rule set" ;)

BoraMurdar

Thanks, I asked for help in the thread.



This isn't really secure, and also useless/unsafe rules will be created. I rather prefer to set interactive mode and create each rule when I get the first warning. That way I will look at and think about the rule (e.g. I will not allow Windows home-calling to its statistic and adware servers) instead of simply allowing a Windows process to do whatever it wants. To be honest, there aren't too many rules anyway. I have about 30 files that I needed to create rules for. Most of them have been a 2 minute task :)

But a few hard ones are remaining and maybe someone has a good "default rule set" ;)
I always set Interactive Mode on the first run, but avoid recommending it as it's going to be annoying until all the rules are created. So I proposed the above solution to you.
If you don't trust Microsoft, why do you use Windows?

zakazak

I always set Interactive Mode on the first run, but avoid recommending it as it's going to be annoying until all the rules are created. So I proposed the above solution to you.
If you don't trust Microsoft, why do you use Windows?

It isn't a Microsoft problem, it is a general problem. Download any software and check the connections it makes. cdburner, CCleaner, ImgBurn, CrystalDiskMark, ... they all connect to statistic/adware servers. Besides that, allowing them to connect to "safe locations" only makes them less vulnerable if they get exploited.

Also, why would I allow "metro app" or "windows store" connections when I don't even use those?

Yes, interactive mode can be annoying until configured. That's why I am asking here, to get some of the rules that I have not created yet and need to configure ;-)
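The thread's two practical questions (which rules svchost.exe, rundll32.exe, spoolsv.exe and dashost.exe need, and "check the connections it makes" for any installed program) both come down to seeing what a process actually talks to before writing a rule. The script below is an added example, not code from the posters or from ESET: it lists the established outbound TCP connections of those processes with the remote host and the owning command line, so a rule can be scoped to a host, port and (for svchost) service group instead of the whole binary. It assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection and an elevated prompt, because svchost and spoolsv run as SYSTEM and their command lines are hidden otherwise.

```powershell
# Added example for this thread (not the posters' or ESET's own code).
# Snapshot which remote hosts the Windows processes asked about are talking
# to, so each interactive-mode rule is written from observed traffic.
# Assumes Windows 8 / Server 2012+ (Get-NetTCPConnection) and an elevated
# prompt (SYSTEM processes hide their command line from standard users).
$Targets = @('svchost', 'rundll32', 'spoolsv', 'dashost')   # names from the thread
$Local   = @('127.0.0.1', '::1', '0.0.0.0', '::')            # skip loopback/unbound

function Get-ProcessConnectionSummary {
    param([string[]]$ProcessName = $Targets)

    # One WMI query for all processes. svchost instances differ only by their
    # "-k <group>" command line, which is what tells the Windows Update host
    # apart from the svchost hosting unrelated services; a per-file rule cannot.
    $cmdByPid = @{}
    Get-CimInstance Win32_Process | ForEach-Object { $cmdByPid[[int]$_.ProcessId] = $_ }

    Get-NetTCPConnection -State Established, SynSent -ErrorAction SilentlyContinue |
        Where-Object {
            $cmdByPid.ContainsKey([int]$_.OwningProcess) -and
            ($ProcessName -contains ($cmdByPid[[int]$_.OwningProcess].Name -replace '\.exe$', '')) -and
            ($Local -notcontains $_.RemoteAddress)
        } |
        ForEach-Object {
            $proc = $cmdByPid[[int]$_.OwningProcess]
            # Reverse lookup is best-effort: many CDN/update hosts have no PTR.
            try   { $rhost = ([System.Net.Dns]::GetHostEntry($_.RemoteAddress)).HostName }
            catch { $rhost = '(no PTR record)' }
            [pscustomobject]@{
                Process     = $proc.Name
                PID         = $_.OwningProcess
                CommandLine = $proc.CommandLine
                Remote      = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
                RemoteHost  = $rhost
                State       = $_.State
            }
        } |
        Sort-Object Process, CommandLine, Remote -Unique
}

# Review the table, then create one ESET rule per (process, service group,
# remote host, port) that is actually needed; deny the rest when prompted.
Get-ProcessConnectionSummary | Format-Table -AutoSize -Wrap
```

Run it a few times while the software in question is doing its normal work (an update check, a print job) so the snapshot covers the connections the prompts will later ask about; connections that only appear during an installer's run are the adware/statistics downloads the thread talks about denying.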

BoraMurdar

It isn't a Microsoft problem, it is a general problem. Download any software and check the connections it makes. cdburner, CCleaner, ImgBurn, CrystalDiskMark, ... they all connect to statistic/adware servers. Besides that, allowing them to connect to "safe locations" only makes them less vulnerable if they get exploited.

Also, why would I allow "metro app" or "windows store" connections when I don't even use those?

Yes, interactive mode can be annoying until configured. That's why I am asking here, to get some of the rules that I have not created yet and need to configure ;-)
Well, if you use/download software bundled with toolbars, or software that doesn't include adware in its installer but demands a connection to specific servers in order to download one (like KMPlayer does), then it's normal. You can always deny those connections.
If you don't use metro apps then you can even disable them, and block all their connections. For the combination of needs you have, I think that the best way is to make the rules manually... for every program.

zakazak

Well, if you use/download software bundled with toolbars, or software that doesn't include adware in its installer but demands a connection to specific servers in order to download one (like KMPlayer does), then it's normal. You can always deny those connections.
If you don't use metro apps then you can even disable them, and block all their connections. For the combination of needs you have, I think that the best way is to make the rules manually... for every program.

Exactly, that's why interactive mode is nice, to deny some connections of "bundled" software.

I have metro apps uninstalled and deactivated.. still connections (although very very rare)... hai interactive mode ;-)

BoraMurdar

Exactly, that's why interactive mode is nice, to deny some connections of "bundled" software.

I have metro apps uninstalled and deactivated.. still connections (although very very rare)... hai interactive mode ;-)
I think that all connections to the known adware servers are automatically blocked by ESET (if you enable detection of Potentially Unwanted and Unsafe Applications, and cleaning options are set to strict cleaning).

zakazak

I think you can keep one of those!
MBAM Pro
HitmanProAlert 3.x

They are two completely different apps and have different purposes. So deciding between those two isn't an option ;)

I think that all connections to the known adware servers are automatically blocked by ESET (if you enable detection of Potentially Unwanted and Unsafe Applications, and cleaning options are set to strict cleaning).

Nope, it does not, because ESET (like every other FW) allows the apps' traffic as those apps are trusted. Only thanks to interactive mode are you able to block the communication.

However, ESET has a good standard rule set for system apps and has a good HIPS :)

BoraMurdar

Nope, it does not, because ESET (like every other FW) allows the apps' traffic as those apps are trusted. Only thanks to interactive mode are you able to block the communication.
I wanted to say, when you try to install a program that tries to contact the adware server in order to download an adware/toolbar, ESET will automatically block it. Page and IP. It happens all the time when I update BurnAware, for example. :)
