novice, posted February 12, 2017 (edited February 12, 2017 by novice)

Hi,

I want to insert several rules in HIPS v.8 to get ransomware protection, as per this article: "Configure HIPS rules for ESET business products to protect against ransomware" hxxp://support.eset.com/kb6119/

All the rules are "Block". Where do I insert these rules, before the existing "Allow" rules or after? Or doesn't it matter?

One more thing: shall I switch HIPS to "Smart mode"? (Order of evaluation: rules, ask on suspicion action, allow on failure.) What exactly is "failure"?

Thanks!

Marcos (Administrators), posted February 12, 2017 (edited February 27, 2017 by Marcos; reason: Correction)

It depends on rules that you have created. E.g. if you have created a more specific rule for wscript.exe with a specific path to files and then you create a general rule with no path specified, the former rule must be placed above the latter as the rule with the first matched condition is applied.

The order of HIPS rules cannot be changed; more specific rules take precedence over generic rules; if there are very same allowing and blocking rules, the blocking rule will take precedence.

I'd suggest upgrading to v10 to gain true ransomware protection and using Smart HIPS mode. With Smart HIPS mode you can enable the option to be notified about changes that occur in autostart locations in the advanced HIPS setup. If an application with bad reputation attempted to make changes to the run key for instance, you would be notified about that then.

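A small model of the precedence described in the post above (the most specific matching rule wins regardless of list position, and a block beats an identical allow), as an added example that is not ESET's code and not part of the original posts. The `Rule` fields, the specificity metric and the sample paths are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

ANY = "*"  # a condition left unspecified in a rule


@dataclass(frozen=True)
class Rule:
    name: str
    action: str        # "block" or "allow"
    application: str   # full path of the source application, or ANY
    target: str = ANY  # target folder/file path, or ANY when no path is given

    def matches(self, application: str, target: str) -> bool:
        app_ok = self.application == ANY or self.application.lower() == application.lower()
        if self.target == ANY:
            return app_ok
        t, p = target.lower(), self.target.lower()
        # Match the path itself or anything beneath it, not a sibling like "...Scripts2".
        return app_ok and (t == p or t.startswith(p + "\\"))

    def specificity(self) -> tuple:
        # Assumed metric: a named application outranks ANY, then longer target paths.
        return (self.application != ANY, 0 if self.target == ANY else len(self.target))


def decide(rules: Sequence[Rule], application: str, target: str) -> Optional[Rule]:
    """Return the winning rule, independent of list order, or None if nothing matches."""
    hits = [r for r in rules if r.matches(application, target)]
    if not hits:
        return None  # no rule applies; the configured filtering mode decides
    # Most specific match wins; on equal specificity a block outranks an allow.
    return max(hits, key=lambda r: (r.specificity(), r.action == "block"))


# Constructed sample rules: a general block for wscript.exe plus a narrower allow.
WSCRIPT = r"C:\Windows\System32\wscript.exe"
RULES = [
    Rule("block-wscript-any-target", "block", WSCRIPT),
    Rule("allow-wscript-admin-scripts", "allow", WSCRIPT, r"C:\AdminScripts"),
]

if __name__ == "__main__":
    for path in (r"C:\AdminScripts\map_drives.vbs", r"C:\Users\alice\Downloads\invoice.js"):
        winner = decide(RULES, WSCRIPT, path)
        print(f"{path}: {winner.action} ({winner.name})")
```

The practical consequence for anyone adding broad "Block" rules is that, under this model, an existing narrower "Allow" rule for the same application still wins, so existing allow rules need reviewing as well.
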
novice (Author), posted February 12, 2017 (edited February 12, 2017 by novice)

Hi Marcos,

Thank you for your answer!

The article mentioned (hxxp://support.eset.com/kb6119/) is a KB from ESET, about how to "Configure HIPS rules for ESET business products to protect against ransomware". It doesn't say to "almost protect", so my understanding is that by creating these rules we can get full ransomware protection on version 8.

Anyway, exploring v8 HIPS, I found an option on "Target files" where you can select "Potential ransomware behavior", never used in the original configuration. Why is that not used somehow and is left blank????

I do not understand the constant push for version 10, a push never seen before on ESET products. Version 8 has full potential, and with a little help from you (the developers) can add some HIPS rules to get full ransomware protection, in my opinion.

Thanks!

Marcos (Administrators), posted February 14, 2017

I can't find such operation in my v8 HIPS rule editor. "Potential ransomware behavior" is not supposed to be there and I can't imagine how you made it appear in the list.

It's a matter of fact that v8 cannot provide as good protection as v10 does. It misses a lot of new features, such as the AMSI and script scanner, network (botnet) protection, ransomware protection, etc.

novice (Author), posted February 14, 2017 (edited February 14, 2017 by novice)

Hi Marcos,

Thank you for your answer!

I installed (and reinstalled) NOD32 v8 .0.304 at least 5 times so far and yes, "Potential ransomware behavior" is there, unused and not added by me!!!!

For the time being I AM NOT INTERESTED IN V10, which is at least 3 times slower than v8.

Version 8 has 2 more years of support, so why don't you convince your team to release an update which will automatically add HIPS rules recommended for your business product, in order to add ransomware protection, and to use the option "Potential ransomware behavior", which is there and I DID NOT MAKE IT APPEAR ON THE LIST.

Thanks!!!

itman, posted February 14, 2017

8 hours ago, Marcos said:
> I can't find such operation in my v8 HIPS rule editor. "Potential ransomware behavior" is not supposed to be there and I can't imagine how you made it appear in the list.

Actually, this was posted a while back and I commented on it as to functionality. No reply was ever received on that query.

Marcos (Administrators), posted February 14, 2017

9 hours ago, novice said:
> I installed (and reinstalled) NOD32 v8 .0.304 at least 5 times so far and yes, "Potential ransomware behavior" is there, unused and not added by me!

This was confirmed by developers as a bug. We plan to look into it tomorrow. Anyways, I was unable to reproduce it with v8 and that option did not appear in the HIPS rule editor no matter what I tried.

Quote:
> For the time being I AM NOT INTERESTED IN V10, which is at least 3 times slower than v8.

V10 contains various enhancements and optimizations to make scanning faster and to use less memory. Better performance was also proved by testing organizations. We will be happy to assist you with resolving the issue. To start off, we'd need to know if temporarily disabling real-time protection or HIPS (requires a computer restart) makes a difference in order to narrow it down.

Quote:
> why don't you convince your team to release an update which will automatically add HIPS rules recommended for your business product, in order to add ransomware protection

Endpoint does not have any special HIPS rules included. It was our Dutch partner who prepared a set of rules for administrators to improve protection against ransomware. However, since the rules may also prevent running legitimate scripts and applications, they should be applied only in environments where administrators are aware of possible issues and know how to react to them by editing the appropriate rule.

novice (Author), posted February 15, 2017 (edited February 16, 2017 by novice)

On 2/14/2017 at 2:02 PM, Marcos said:
> This was confirmed by developers as a bug. We plan to look into it tomorrow. Anyways, I was unable to reproduce it with v8 and that option did not appear in the HIPS rule editor no matter what I tried.

Hi,

I do not understand how you were "unable to reproduce it with v8" as long as "this was confirmed by developers as a bug". If this is a bug in version 8, you should be able to reproduce it with version 8.

Moreover, according to itman: "Actually, this was posted a while back and I comment on it as to functionality. No reply every received on that query"

Something doesn't sound right in this exchange of answers... I can clearly see the option there and I believe it was supposed to be functional at a certain point, but the idea was abandoned once version 9-10 was released on the market and now there is a constant push to embrace version 10.

Marcos (Administrators), posted February 16, 2017

The reason why I was unable to reproduce it with v8 was that I didn't reboot the computer after update. It will be fixed as of the HIPS module 1268.