Application modification detection helps guard against malicious code that presents itself as a legitimate process. Consider a malicious program that replaces the Outlook.exe process with its own code in order to send unsolicited email via SMTP. Without application modification detection the malicious code would not be stopped, since a rule already exists that allows the legitimate process Outlook.exe to send and receive email (SMTP), and the impostor would simply inherit it.
The modification detection feature also has its drawbacks, but these can be alleviated through the use of exclusions. For example, a regular, legitimate upgrade to a newer version of Adobe Acrobat Reader replaces the executable on disk, which the firewall treats as a process modification; because Reader updates itself automatically and downloads PDF documents from the Internet, each such update would otherwise cut off its network access. A specific rule (exclusion) therefore needs to be defined to allow this activity.
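The following is an added illustration of the mechanism described in the two paragraphs above; it is not ESET code and does not reproduce how the product implements the feature. It binds an allow rule to the SHA-256 of the binary the rule was created for, refuses to apply the rule once the binary changes, and lets an exclusion list (the Acrobat Reader case) bypass that check. The file names, file contents and the `decide` helper are constructed for the example.

```python
"""Model of application modification detection with exclusions (example only)."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Fingerprint an executable by its SHA-256, reading in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


class AppModificationDetector:
    """Binds each allow rule to the hash of the binary it was created for.

    The rule only applies while the binary still matches that hash, unless the
    path is on the exclusion list (a self-updating application, for instance).
    """

    def __init__(self, exclusions=()):
        self._baseline = {}                                   # path -> sha256 at rule creation
        self._exclusions = {Path(p).resolve() for p in exclusions}

    def bind_rule(self, exe: Path) -> None:
        """Record the fingerprint of the binary an allow rule is created for."""
        self._baseline[exe.resolve()] = sha256_of(exe)

    def status(self, exe: Path) -> str:
        """One of: excluded, no-rule, unchanged, modified."""
        exe = exe.resolve()
        if exe in self._exclusions:
            return "excluded"
        known = self._baseline.get(exe)
        if known is None:
            return "no-rule"
        return "unchanged" if sha256_of(exe) == known else "modified"


def decide(detector: AppModificationDetector, exe: Path) -> str:
    """Apply the SMTP allow rule only to an unmodified (or excluded) binary."""
    return "allow" if detector.status(exe) in ("unchanged", "excluded") else "block"


def simulate() -> dict:
    """Replay both scenarios from the text on constructed files in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        outlook = Path(tmp) / "Outlook.exe"          # constructed stand-in, not a real binary
        reader = Path(tmp) / "AcroRd32.exe"          # constructed stand-in, not a real binary
        outlook.write_bytes(b"MZ legitimate mail client build 1")
        reader.write_bytes(b"MZ reader build 1")

        det = AppModificationDetector(exclusions=[reader])   # Reader is excluded
        det.bind_rule(outlook)                               # rule: Outlook.exe may use SMTP
        det.bind_rule(reader)

        before = decide(det, outlook)
        outlook.write_bytes(b"MZ spam bot posing as Outlook")  # malicious replacement
        after = decide(det, outlook)

        reader.write_bytes(b"MZ reader build 2")               # legitimate auto-update
        reader_after = decide(det, reader)
        return {"outlook_before": before,
                "outlook_after": after,
                "reader_after_update": reader_after}


if __name__ == "__main__":
    print(simulate())
```

Two caveats worth keeping in mind when reading this model: a hash binding catches replacement of the file on disk, not code injected into an already running legitimate process, and an exclusion reopens exactly the gap the feature closes for that path, so exclusions should be scoped to the specific application and reviewed after each update rather than added wholesale.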
3..2 Logging network activity
Information about processed or blocked activity can be saved to a log and analyzed. Logging can be useful in determining why the Personal firewall blocked a certain communication. Press F5 to display the Advanced Setup window, then click Personal firewall > IDS and advanced options and select Log all blocked connections. Use the same dialog window to configure the IDS (Intrusion Detection System) as well as other general options (Allow file and printer sharing in the Trusted zone, UPnP, etc.).
To find the reason for a blocked communication, look in the Personal firewall log by clicking Tools > Log files > ESET personal firewall log. The most important information is under Rule/worm name, where you can often find the name of the rule that is disrupting communication.
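As an added example (not part of the guide and not ESET tooling), the script below does the same triage on an exported log: it keeps only the blocked entries and answers "which rule, and for which targets, is blocking application X". The sample log is constructed for the example; the tab-separated layout, the column names (including Rule/worm name) and the Event wording are assumptions and may differ from a real export, so adjust the header row and the `blocked_entries` filter to match your own file.

```python
"""Triage of blocked connections in an exported firewall log (example only)."""
import csv
from collections import Counter, defaultdict
from io import StringIO

# Constructed sample, not a real export. Column names and Event text are assumed.
SAMPLE_LOG = (
    "Time\tEvent\tSource\tTarget\tProtocol\tRule/worm name\tApplication\tUser\n"
    "2010-03-02 10:15:01\tCommunication denied by rule\t192.168.1.5:49152\t203.0.113.10:25\tTCP\t"
    "Block unknown outgoing SMTP\tC:\\Tools\\mailer.exe\tPC\\alice\n"
    "2010-03-02 10:15:03\tCommunication allowed by rule\t192.168.1.5:49153\t198.51.100.7:443\tTCP\t"
    "Allow HTTPS for browsers\tC:\\Program Files\\Browser\\browser.exe\tPC\\alice\n"
    "2010-03-02 10:16:10\tCommunication denied by rule\t192.168.1.5:49160\t203.0.113.10:25\tTCP\t"
    "Block unknown outgoing SMTP\tC:\\Tools\\mailer.exe\tPC\\alice\n"
    "2010-03-02 10:17:45\tCommunication denied by rule\t192.168.1.9:1900\t192.168.1.5:1900\tUDP\t"
    "Block UPnP requests\tSystem\tNT AUTHORITY\\SYSTEM\n"
    "2010-03-02 10:18:02\tCommunication denied by rule\t192.168.1.5:49170\t192.168.1.20:445\tTCP\t"
    "Block file and printer sharing\tSystem\tNT AUTHORITY\\SYSTEM\n"
)


def parse_log(text):
    """Parse a tab-separated export into one dict per line, keyed by header."""
    return list(csv.DictReader(StringIO(text), delimiter="\t"))


def blocked_entries(entries):
    """Keep only denied communications (Event wording is an assumption)."""
    return [e for e in entries if e["Event"].lower().startswith("communication denied")]


def why_blocked(entries, application):
    """Map each rule that denied traffic for `application` to the targets it denied.

    `application` is matched against the end of the Application path, so a bare
    file name such as 'mailer.exe' works.
    """
    hits = defaultdict(set)
    for e in blocked_entries(entries):
        if e["Application"].lower().endswith(application.lower()):
            hits[e["Rule/worm name"]].add(f'{e["Protocol"]} {e["Target"]}')
    return {rule: sorted(targets) for rule, targets in hits.items()}


def noisiest_rules(entries, n=3):
    """Rules that block most often; a good starting point when the log is large."""
    counts = Counter(e["Rule/worm name"] for e in blocked_entries(entries))
    return counts.most_common(n)


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print(why_blocked(log, "mailer.exe"))
    print(noisiest_rules(log))
```

The rule name is the pivot: once `why_blocked` names it, the fix is to edit or add a rule for that application and port rather than to loosen the general block, and `noisiest_rules` shows whether the same rule is also catching traffic you expect (file and printer sharing or UPnP in the sample), which points back to the general options in the IDS and advanced options dialog.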