persian-boy 22 Posted August 5, 2017 (edited)
Hello, I just installed the Eset internet security to see how is HIPS in Eset. So I set it to learning mode but hips working in the wrong hand! As you can see the same rules multiple times created for the same application (Ad-guard). Any idea? Can I suggest smth? Don't let a file add itself to hips rules multiple times! This is total BS.
Edited August 5, 2017 by persian-boy
Administrators Marcos 5,452 Posted August 5, 2017
I'm pretty sure the rules are not identical. If you edit these two, you should spot a difference.
persian-boy 22 Posted August 5, 2017 Author (edited)
Ok I dig to the rules and I see the rules are a bit different, but this is annoying. Why just don't force the hips to edit the rules for 1 service or process multiple times instead of spamming the hips rules list.
Edited August 5, 2017 by persian-boy
Administrators Marcos 5,452 Posted August 5, 2017
Users may want to create different rules for an application. E.g. one may want to allow rundll32.exe to load legitimate applications and create allow rules for them and ask about everything else the executable would attempt to load.
persian-boy 22 Posted August 5, 2017 Author (edited)
Hello again, I just played with hips (learning mode) a bit more and I found a small issue. The story goes like this: Allowed all operation for one process (even in HIPS rule settings chosen all files, all registry entries, ...). But still, hips creating the rules for the same process. HIPS don't understand I already allow everything for that process and should stop spamming my list :D I have to delete clones handy :P
Edited August 5, 2017 by persian-boy
persian-boy 22 Posted August 5, 2017 Author (edited)
Can we have a digitally signed list for hips? And force the hips to work with our trusted list? It's easier to use. BTW Eset way is more paranoid (I like it) and much better but not everyone can use it. With digitally signed list everything goes well without clone and pain, also everyone can use it.
Edited August 5, 2017 by persian-boy
itman 1,801 Posted August 5, 2017
1 hour ago, persian-boy said: "But still, hips creating the rules for the same process. HIPS don't understand I already allow everything for that process and should stop spamming my list :D"
In training mode, the HIPS will ignore any existing user rules and create rules for processes as they are executed. There were also past issues with training mode actually duplicating previous rules it had created in that mode. Don't know if this was ever resolved. Most people do not use training mode.
persian-boy 22 Posted August 5, 2017 Author (edited)
Hello, that issue exists if you read my post you will see but after that, I saw the rules are a bit different. It doesn't matter if you know what to do you don't face any problem but if a noob touches the settings the system goes worse. Thnx for the answer. Nice forum, nice admins and no fanboys :D good company hahaha
Edited August 5, 2017 by persian-boy
persian-boy 22 Posted September 7, 2017 Author
Hey, if smth wants to make a change to the registry via CMD or write some command in cmd the Eset only alerts about the cmd access and won't show me what is that command. Can we have this option to see what commands want to run in cmd? Because the user needs to know what is happening and decide to allow or block it. If we want to have a reliable Hips this option is necessary.
persian-boy 22 Posted September 7, 2017 Author (edited)
I already cover this weakness with another tool but Eset needs to fix this issue! I say issue because it's very important and I think you know that.
Edited September 7, 2017 by persian-boy
TomFace 539 Posted September 7, 2017
Be sure to post future improvements here: https://forum.eset.com/topic/51-future-changes-to-eset-smart-security/?page=26
persian-boy 22 Posted September 10, 2017 Author
Hey, I found this self-defense module is blocking the legitimate process to access other processes! I just told hips to create logs for blocked operations and as you can see Hips blocking access for Windows process, it even blocked Kerish Doctor to access Windows processes. Kerish Doctor working but what is it? I guess it will hurt and I have to disable it! Any idea? I guess no one cares about this HIPS.
persian-boy 22 Posted September 10, 2017 Author
From what I read in Eset help, self-defense must cover and guard the ESET process, not others. ESET Internet Security uses built-in Self-Defense technology to prevent malicious software from corrupting or disabling your antivirus and antispyware protection, so you can be sure your system is protected at all times. It is necessary to restart Windows to disable HIPS or Self-Defense (from the help file). Am I wrong? Why is HIPS trying to block Kerish Doctor access?
persian-boy 22 Posted September 10, 2017 Author
Do not allow modification of system processes! But in the help file, you didn't mention it. Pls, update the help file, thanks. If ppl enable this module it will hurt them because some programs need to modify Windows processes (like what? like anti malware solutions which sometimes you want to run them alongside with Eset ...). So I'm waiting for the answer.
persian-boy 22 Posted September 10, 2017 Author
WTF I can't log in with open VPN saying you are banned! lol
itman 1,801 Posted September 10, 2017
I have like Eset GUI HIPS process modification rule on Win 10. The only process I have created an exception for is ekrn.exe. Csrss.exe access is suspect. I would also be concerned about KerishDoctor attempting any process modification against lsass.exe. Tip - there is a registry hack that can be done to start lsass.exe as a Windows protected process.
Administrators Marcos 5,452 Posted September 11, 2017
First of all, you have enabled logging of blocked operations in the advanced HIPS setup. This is intended only for diagnostic purposes when troubleshooting issues with HIPS, otherwise the setting should be kept disabled. Enabling it will not only have an adverse effect on performance due to extensive logging but it may also generate unnecessarily huge HIPS logs.
persian-boy 22 Posted September 15, 2017 Author (edited)
Hi, pls let the user sort the HIPS rules list based on the name or path because if the list goes long you can't manage it and if you do one mistake... it's painful :-( Can Eset consider a patch for this? I think it should be easy for Eset...
Edited September 15, 2017 by persian-boy
persian-boy 22 Posted September 15, 2017 Author
On 9/11/2017 at 6:12 AM, Marcos said: "performance due to extensive logging but it may also generate unnecessarily huge HIPS logs."
Hi, I know that but I have little paranoia and I want to monitor everything.
persian-boy 22 Posted September 15, 2017 Author
Every time I disable the HIPS module it remains ON and I can't disable it. Even when the settings show HIPS is off that indicator remains green and on. Just saying it's not about repair or other security software in my machine because I know you will say that lmao. I removed everything I had and the problem didn't solve, also reinstalled Eset but the same issue.
Administrators Marcos 5,452 Posted September 15, 2017
HIPS remains active until a computer restart on purpose.
persian-boy 22 Posted September 15, 2017 Author (edited)
Hi, thanks for the reply but why is that? If I want to disable it without the restart I have to set it in smart mode and it will work like it's disabled but I guess Eset needs to fix it.
Edited September 15, 2017 by persian-boy
itman 1,801 Posted September 15, 2017
A note about HIPS Smart mode. If you had previously run in training mode with many rules created, running in Smart mode will not negate those rules. They still remain in effect. Smart mode was designed to be a bit more aggressive in its application of Eset's default HIPS rules. I did make a suggestion a while back that the "profile" concept used for the firewall also be used for the HIPS. This way one could switch to a different profile when diagnosing stuff.
persian-boy 22 Posted September 16, 2017 Author
On 9/15/2017 at 4:21 PM, itman said: "They still remain in effect."
Hi Itman, I didn't know that, thank you for the tips.