
HIPS rules


novice


Hi,

I want to insert several rules in HIPS v.8 to get ransomware protection, as per this article "Configure HIPS rules for ESET business products to protect against ransomware"

hxxp://support.eset.com/kb6119/

All the rules are "Block".

Where do I insert these rules, before the existing "Allow" rules or after? Or doesn't it matter?

One more thing, shall I switch HIPS to "Smart mode"? (Order of evaluation: rules, ask on suspicion action, allow on failure) What exactly is "failure"?

Thanks!

Edited by novice

  • Administrators

It depends on the rules that you have created. E.g. if you have created a more specific rule for wscript.exe with a specific path to files and then you create a general rule with no path specified, the former rule must be placed above the latter, as the rule with the first matched condition is applied. The order of HIPS rules cannot be changed; more specific rules take precedence over generic rules; if there are identical allowing and blocking rules, the blocking rule will take precedence.

I'd suggest upgrading to v10 to gain true ransomware protection and using Smart HIPS mode. With Smart HIPS mode you can enable the option to be notified about changes that occur in autostart locations in the advanced HIPS setup. If an application with bad reputation attempted to make changes to the run key for instance, you would be notified about that then.

Edited by Marcos
Correction
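The precedence described in the reply above (more specific rule wins, a block beats an allow when the conditions are identical, otherwise the first matching rule applies) can be made concrete with a small model. This is an added illustration written for this thread, not ESET's HIPS engine or any code from ESET; the rule names, paths and the way "specificity" is measured (count of literal, non-wildcard characters in the conditions) are assumptions chosen to make the behaviour visible. It also shows the caveat from later in the thread: a general block rule for wscript.exe will stop a legitimate logon script unless a more specific allow rule exists for that script.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Rule:
    """One HIPS-style rule: an action applied when the source application
    and target file both match the rule's glob patterns ('*' = any)."""
    name: str
    action: str          # "allow" or "block"
    app: str             # glob over the source application path
    target: str = "*"    # glob over the target file path


def specificity(rule: Rule) -> int:
    # Assumed measure: the more literal characters a rule pins down,
    # the more specific it is. '*' and '?' are wildcards and do not count.
    return sum(1 for ch in rule.app + rule.target if ch not in "*?")


def matches(rule: Rule, app: str, target: str) -> bool:
    # Case-insensitive match, since Windows paths are case-insensitive.
    return (fnmatchcase(app.lower(), rule.app.lower())
            and fnmatchcase(target.lower(), rule.target.lower()))


def evaluate(rules, app: str, target: str, default: str = "allow"):
    """Return (action, rule_name) for an operation of `app` on `target`.

    Order of precedence modelled after the forum reply:
      1. most specific matching rule first,
      2. on equal specificity, "block" beats "allow",
      3. otherwise the first matching rule in list order (sort is stable).
    With no matching rule the default action applies.
    """
    candidates = [r for r in rules if matches(r, app, target)]
    if not candidates:
        return default, None
    candidates.sort(key=lambda r: (-specificity(r), 0 if r.action == "block" else 1))
    chosen = candidates[0]
    return chosen.action, chosen.name


# Constructed sample rule set (hypothetical names and paths).
SAMPLE_RULES = [
    Rule("block-wscript-userdata", "block", "*\\wscript.exe", "C:\\Users\\*"),
    Rule("allow-logon-script", "allow", "*\\wscript.exe", "C:\\Users\\*\\logon.vbs"),
    Rule("allow-wscript-any", "allow", "*\\wscript.exe", "*"),
    Rule("block-wscript-any", "block", "*\\wscript.exe", "*"),
]

WSCRIPT = "C:\\Windows\\System32\\wscript.exe"


def demo():
    """Run the constructed scenarios and return their outcomes."""
    return {
        # Script writing into a user profile: the path-specific block wins.
        "user-doc": evaluate(SAMPLE_RULES, WSCRIPT, "C:\\Users\\alice\\Documents\\report.docx"),
        # Legitimate logon script: the even more specific allow rule wins.
        "logon": evaluate(SAMPLE_RULES, WSCRIPT, "C:\\Users\\alice\\logon.vbs"),
        # Outside the profile: allow and block have identical conditions, block wins.
        "programdata": evaluate(SAMPLE_RULES, WSCRIPT, "C:\\ProgramData\\x.txt"),
        # Not a rule subject at all: default action.
        "notepad": evaluate(SAMPLE_RULES, "C:\\Windows\\notepad.exe", "C:\\Users\\alice\\a.txt"),
    }


if __name__ == "__main__":
    for scenario, (action, rule) in demo().items():
        print(f"{scenario:12} -> {action:5} (rule: {rule})")
```

The point of the third scenario is the tie-break: because the real product does not let you reorder rules, the only ways to change an outcome are to make a rule more specific or to remove the conflicting one, which is why the thread later stresses editing the appropriate rule rather than relying on list position.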

Hi Marcos,

Thank you for your answer!

The article mentioned (hxxp://support.eset.com/kb6119/) is a KB from ESET, about how to "Configure HIPS rules for ESET business products to protect against ransomware".

It doesn't say to "almost protect", so my understanding is that, by creating these rules, we can get full ransomware protection on version 8.

Anyway, exploring v8 HIPS, I found an option in "Target files" in which you can select "Potential ransomware behavior", never used in the original configuration. Why is that not used somehow and is left blank????

I do not understand the constant push for version 10, push never seen before on ESET products.

Version 8 has full potential, and with a little help from you (the developers) can add some HIPS rules to get full ransomware protection, in my opinion.

Thanks!

ESET v8.jpg

Edited by novice

  • Administrators

I can't find such an operation in my v8 HIPS rule editor. "Potential ransomware behavior" is not supposed to be there and I can't imagine how you made it appear in the list.

It's a matter of fact that v8 cannot provide as good protection as v10 does. It lacks a lot of new features, such as the AMSI and script scanner, network (botnet) protection, ransomware protection, etc.


Hi Marcos,

Thank you for your answer!

I installed (and reinstalled) NOD32 v8.0.304 at least 5 times so far and yes, "Potential ransomware behavior" is there, unused and not added by me!!!!

For the time being I AM NOT INTERESTED IN V10, which is at least 3 times slower than v8.

Version 8 has 2 more years of support, so why don't you convince your team to release an update which will automatically add the HIPS rules recommended for your business product, in order to add ransomware protection, and to use the option "Potential ransomware behavior", which is there and I DID NOT MAKE IT APPEAR ON THE LIST.


Thanks!!!

Edited by novice

8 hours ago, Marcos said:

I can't find such operation in my v8 HIPS rule editor. "Potential ransomware behavior" is not supposed to be there and I can't imagine how you made it appear in the list.

Actually, this was posted a while back and I commented on it as to functionality. No reply ever received on that query.


  • Administrators
9 hours ago, novice said:

I installed (and reinstalled) NOD32 v8.0.304 at least 5 times so far and yes, "Potential ransomware behavior" is there, unused and not added by me!

This was confirmed by developers as a bug. We plan to look into it tomorrow. Anyway, I was unable to reproduce it with v8 and that option did not appear in the HIPS rule editor no matter what I tried.


Quote

For the time being I AM NOT INTERESTED IN V10, which is at least 3 times slower than v8.

V10 contains various enhancements and optimizations to make scanning faster and to use less memory. Better performance was also proved by testing organizations. We will be happy to assist you with resolving the issue. To start off, we'd need to know if temporarily disabling real-time protection or HIPS (requires a computer restart) makes a difference, in order to narrow it down.


Quote

why don't you convince your team to release an update which will automatically add the HIPS rules recommended for your business product, in order to add ransomware protection

Endpoint does not have any special HIPS rules included. It was our Dutch partner who prepared a set of rules for administrators to improve protection against ransomware. However, since the rules may also prevent running legitimate scripts and applications, they should be applied only in environments where administrators are aware of possible issues and know how to react to them by editing the appropriate rule.


On 2/14/2017 at 2:02 PM, Marcos said:

This was confirmed by developers as a bug. We plan to look into it tomorrow. Anyway, I was unable to reproduce it with v8 and that option did not appear in the HIPS rule editor no matter what I tried.

Hi,

I do not understand how you were "unable to reproduce it with v8" when "this was confirmed by developers as a bug".

If this is a bug in version 8, you should be able to reproduce it with version 8.

Moreover, according to itman: "Actually, this was posted a while back and I commented on it as to functionality. No reply ever received on that query."

Something doesn't sound right in this exchange of answers... I can clearly see the option there and I believe it was supposed to be functional at a certain point, but the idea was abandoned once version 9-10 was released on the market and now there is a constant push to embrace version 10.

Edited by novice

  • Administrators

The reason why I was unable to reproduce it with v8 was that I didn't reboot the computer after the update. It will be fixed as of HIPS module 1268.
