Jump to content

Archived

This topic is now archived and is closed to further replies.

persian-boy

HIPS and some problems.

Recommended Posts

Hello,
I just installed the Eset internet security to see how is  HIPS in Eset.
So I set it to learning mode but hips working in the wrong hand!
As you can see the same rules multiple time created for the same application(Ad-guard)
Any idea?can I suggest smth? don't let a file add itself to hips rules multiple times! this is total BS.
 


 

bug hips.JPG

Share this post


Link to post
Share on other sites

I'm pretty sure the rules are not identical. If you edit these two, you should spot a difference.

Share this post


Link to post
Share on other sites

Ok I dig to the rules and I see the rules are bit different, but this is annoying. why just don't force the hips to edit the rules for 1 service or process multiple time instances of spamming the hips rules list.

Share this post


Link to post
Share on other sites

Users may want to create different rules for an application. E.g. one may want to allow rundll32.exe to load legitimate applications and create allow rules for them and ask about everything else the executable would attempt to load.

Share this post


Link to post
Share on other sites

Hello again,
I just played with hips (learning mode)a bit more And I found a small issue.
The story goes like this:
Allowed all operation for one process(even in HIPS rule settings chosen all files all registry entries,...)
But still, hips creating the rules for the same process.HIPS don't understand I already allow everything for that process and should stop spamming my list:D
I  have to delete clones handy:P 

59861dcf22539_rehips1.thumb.JPG.6d1acd09ea2ee2cea778495402d19d3b.JPG

Share this post


Link to post
Share on other sites

Can we have a digitally sign list for hips?and force the hips to work with our trusted list?it's easier to use.
BTW Eset way is more paranoid(i like it )and much better but not everyone can use it.
With digitally sign list everything goes well without clone and  pain also every one can use it 

Share this post


Link to post
Share on other sites
1 hour ago, persian-boy said:

But still, hips creating the rules for the same process.HIPS don't understand I already allow everything for that process and should stop spamming my list:D

In training mode, the HIPS will ignore any existing user rules and create rules for processes as they are executed. There were also past issues with training mode actually duplicating previous rules it had created in that mode. Don't know if this was ever resolved.

Most people do not use training mode.

Share this post


Link to post
Share on other sites

Hello, 
that issue exists if you read my post you will see but after that, i saw the rules are bit different.it doesn't matter if you know what to do you don't face any problem but if a noob touches the settings the system go worse.
Thnx for the answer.
Nice forum, nice admins and no fanboys:D good company hahaha

Share this post


Link to post
Share on other sites

Hey,
If smth wants to make a change to the registry via CMD or write some command in cmd the Eset only alert about the cmd access and won't show me what is that command.
Can we have this option to see what commands wants to run in cmd? because the user needs to know what is happening and decides to allow or block it.
If we want to have a reliable Hips this option is necessary.


 

Share this post


Link to post
Share on other sites

I already cover this weakness with another tool but Eset need to fix this issue!
I say issue because it's very important and I think you know that.

Share this post


Link to post
Share on other sites

Hey,
I found this self-defense module is blocking the legitime process to access other processes!esetttt1.thumb.PNG.ecfaff3ff8a80c630832cecd79bf46d9.PNG
I just told hips to create logs for blocked operations and as you can see Hips blocking access for windows process, it even blocked kerish doctor to access windows processes.kerish doctor working but what is it?I guess it will hurt and I have to disable it! 
Any idea? I guess no one care about this HIPS.

333.PNG

Share this post


Link to post
Share on other sites

From what I read in Eset help self-defense must cover and guard the ESET process, not others.
ESET Internet Security uses built-in Self-Defense technology to prevent malicious software from corrupting or disabling your antivirus and antispyware protection, so you can be sure your system is protected at all times. It is necessary to restart Windows to disable HIPS or Self-Defense(from the help file)

Am I wrong? Why is HIPS trying to block kerish doctor access?

Share this post


Link to post
Share on other sites

Do not allow modification of system processes!
But in the help file, you didn't mention it Pls, update the help file thanks.
If ppl enable this module it will hurt them because some programs need to modification windows processes(like what? like anti malware solutions which sometimes you want to run them alongside with Eset ......)
So I'm waiting for the answer :P

Share this post


Link to post
Share on other sites

I have like Eset GUI HIPS process modification rule on Win 10. The only process I have created an exception for is ekrn.exe. Csrss.exe access is suspect.

I would also be concerned about KerishDoctor attempting any process modification against lsass.exe. Tip - there is a registry hack that can be done to start lsass.exe as a Windows protected process.

Share this post


Link to post
Share on other sites

First of all, you have enabled logging of blocked operations in the advanced HIPS setup. This is intended only for diagnostic purposes when troubleshooting issues with HIPS, otherwise the setting should be kept disabled. Enabling it will not only have adverse effect on performance due to extensive logging but it may also generate unnecessarily huge HIPS logs.

Share this post


Link to post
Share on other sites
Hi,
Pls lets the user sort the HIPS rules list based on the name or path because if the list goes long you can't manage it and if you do one mistake...
its pain full : -(
Can Eset consider a patch for this?:)
I think it should be easy for Eset...

Share this post


Link to post
Share on other sites
On 9/11/2017 at 6:12 AM, Marcos said:

performance due to extensive logging but it may also generate unnecessarily huge HIPS logs.

Hi, i know that but I have little paranoia and I want to monitor everything.
 

Share this post


Link to post
Share on other sites

Every time I disable the HIPS module it remains ON and I cant disable it, Even when the settings show HIPS is off that indicator remains green and on.
just saying it's not about repair or other security software in my machine because I know you will say that lmao.
I removed everything I had and the problem didn't solve also reinstalled Eset but the same issue.

 

Share this post


Link to post
Share on other sites

Hi thanks for the reply but why is that?
if I want to disable it without the restart I have to set it in smart mode and it will work like its disabled but I guess Eset need to fix it.

Share this post


Link to post
Share on other sites

A note about HIPS Smart mode. If you had previously run in training mode with many rules created, running in Smart mode will not negate those rules. They still remain in effect.

Smart mode was designed to be a bit more aggressive in its application of Eset's default HIPS rules.

I did make a suggestion a while back that the "profile" concept used for the firewall also be used for the HIPS. This way one could switch to a different profile when diagnosing stuff.

 

Share this post


Link to post
Share on other sites
On 9/15/2017 at 4:21 PM, itman said:

They still remain in effect.

Hi Itman
I didn't know that thank you for the tips.

Share this post


Link to post
Share on other sites

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...