bbahes 29 Posted November 22, 2016 Share Posted November 22, 2016 (edited) Hi! I have noticed in HIPS logs strange Operation unknown operation and strange Rule int3rn4l. Included in attachment is list of HIPS rules I have defined on ERA. As I look configuration from clients I also don't notice this rule. What could be generating this strange rule name? ERA 5.3.39.0 EES 5.0.2265 Edited November 22, 2016 by bbahes Link to comment Share on other sites More sharing options...
Administrators Marcos 4,705 Posted November 22, 2016 Administrators Share Posted November 22, 2016 It's an internal rule which is logged only in diagnostic mode, ie. when logging of blocked operations is enabled. You should enable this option only while troubleshooting a HIPS-related issue, otherwise huge logs may be generated and the system performance may be affected too. Link to comment Share on other sites More sharing options...
bbahes 29 Posted November 22, 2016 Author Share Posted November 22, 2016 It's an internal rule which is logged only in diagnostic mode, ie. when logging of blocked operations is enabled. You should enable this option only while troubleshooting a HIPS-related issue, otherwise huge logs may be generated and the system performance may be affected too. In Windows Desktop v5 > Kernel > Settings > Log Files > Save logs from level: Informative records is selected and unmarked. Is there any other policy rule that could activate this diagnostics? Link to comment Share on other sites More sharing options...
Administrators Marcos 4,705 Posted November 22, 2016 Administrators Share Posted November 22, 2016 You can find the setting here: Link to comment Share on other sites More sharing options...
bbahes 29 Posted November 22, 2016 Author Share Posted November 22, 2016 You can find the setting here: erav5_hips_debuglogging.png It's off. Should I turn it on? Link to comment Share on other sites More sharing options...
Administrators Marcos 4,705 Posted November 22, 2016 Administrators Share Posted November 22, 2016 It's turn off by default. So either enabled it in a policy that was applied on clients or it was enabled manually if the advanced HIPS setup on clients. Link to comment Share on other sites More sharing options...
bbahes 29 Posted November 22, 2016 Author Share Posted November 22, 2016 It's turn off by default. So either enabled it in a policy that was applied on clients or it was enabled manually if the advanced HIPS setup on clients. Clients are all controlled by policy in which this setting is unchecked. Link to comment Share on other sites More sharing options...
Administrators Marcos 4,705 Posted November 22, 2016 Administrators Share Posted November 22, 2016 If you check Endpoint's configuration on such client manually,is the setting enabled? Link to comment Share on other sites More sharing options...
bbahes 29 Posted November 22, 2016 Author Share Posted November 22, 2016 If you check Endpoint's configuration on such client manually,is the setting enabled? No, it's disabled (unchecked). Link to comment Share on other sites More sharing options...
Administrators Marcos 4,705 Posted November 22, 2016 Administrators Share Posted November 22, 2016 The thing is HIPS doesn't log basically anything by default. Please collect logs from a computer where this message is still being logged using ESET Log Collector and pm me the output archive. If too large to send via pm, upload it to a safe location and pm me the download link. Link to comment Share on other sites More sharing options...
Recommended Posts