HIPS and some problems.

[persian-boy 22]

Hello,
I just installed the Eset internet security to see how is  HIPS in Eset.
So I set it to learning mode but hips working in the wrong hand!
As you can see the same rules multiple time created for the same application(Ad-guard)
Any idea?can I suggest smth? don't let a file add itself to hips rules multiple times! this is total BS.
 

 

Edited August 5, 2017 by persian-boy

[Marcos 5,069]

I'm pretty sure the rules are not identical. If you edit these two, you should spot a difference.

[persian-boy 22]

Ok I dig to the rules and I see the rules are bit different, but this is annoying. why just don't force the hips to edit the rules for 1 service or process multiple time instances of spamming the hips rules list.

Edited August 5, 2017 by persian-boy

[Marcos 5,069]

Users may want to create different rules for an application. E.g. one may want to allow rundll32.exe to load legitimate applications and create allow rules for them and ask about everything else the executable would attempt to load.

[persian-boy 22]

I see thnx for the answer.

[persian-boy 22]

Hello again,
I just played with hips (learning mode)a bit more And I found a small issue.
The story goes like this:
Allowed all operation for one process(even in HIPS rule settings chosen all files all registry entries,...)
But still, hips creating the rules for the same process.HIPS don't understand I already allow everything for that process and should stop spamming my list:D
I  have to delete clones handy:P 

Edited August 5, 2017 by persian-boy

[persian-boy 22]

Can we have a digitally sign list for hips?and force the hips to work with our trusted list?it's easier to use.
BTW Eset way is more paranoid(i like it )and much better but not everyone can use it.
With digitally sign list everything goes well without clone and  pain also every one can use it 

Edited August 5, 2017 by persian-boy

[itman 1,659]

1 hour ago, persian-boy said:

But still, hips creating the rules for the same process.HIPS don't understand I already allow everything for that process and should stop spamming my list:D

In training mode, the HIPS will ignore any existing user rules and create rules for processes as they are executed. There were also past issues with training mode actually duplicating previous rules it had created in that mode. Don't know if this was ever resolved.

Most people do not use training mode.

[persian-boy 22]

Hello, 
that issue exists if you read my post you will see but after that, i saw the rules are bit different.it doesn't matter if you know what to do you don't face any problem but if a noob touches the settings the system go worse.
Thnx for the answer.
Nice forum, nice admins and no fanboys:D good company hahaha

Edited August 5, 2017 by persian-boy

[persian-boy 22]

Hey,
If smth wants to make a change to the registry via CMD or write some command in cmd the Eset only alert about the cmd access and won't show me what is that command.
Can we have this option to see what commands wants to run in cmd? because the user needs to know what is happening and decides to allow or block it.
If we want to have a reliable Hips this option is necessary.

 

[persian-boy 22]

I already cover this weakness with another tool but Eset need to fix this issue!
I say issue because it's very important and I think you know that.

Edited September 7, 2017 by persian-boy

[TomFace 539]

Be sure to post future improvements here: https://forum.eset.com/topic/51-future-changes-to-eset-smart-security/?page=26

 

[persian-boy 22]

Hey,
I found this self-defense module is blocking the legitime process to access other processes!
I just told hips to create logs for blocked operations and as you can see Hips blocking access for windows process, it even blocked kerish doctor to access windows processes.kerish doctor working but what is it?I guess it will hurt and I have to disable it! 
Any idea? I guess no one care about this HIPS.

[persian-boy 22]

From what I read in Eset help self-defense must cover and guard the ESET process, not others.
ESET Internet Security uses built-in Self-Defense technology to prevent malicious software from corrupting or disabling your antivirus and antispyware protection, so you can be sure your system is protected at all times. It is necessary to restart Windows to disable HIPS or Self-Defense(from the help file)

Am I wrong? Why is HIPS trying to block kerish doctor access?

[persian-boy 22]

Do not allow modification of system processes!
But in the help file, you didn't mention it Pls, update the help file thanks.
If ppl enable this module it will hurt them because some programs need to modification windows processes(like what? like anti malware solutions which sometimes you want to run them alongside with Eset ......)
So I'm waiting for the answer

[persian-boy 22]

WTF I can't log in with open VPN saying you are banned! lol

[itman 1,659]

I have like Eset GUI HIPS process modification rule on Win 10. The only process I have created an exception for is ekrn.exe. Csrss.exe access is suspect.

I would also be concerned about KerishDoctor attempting any process modification against lsass.exe. Tip - there is a registry hack that can be done to start lsass.exe as a Windows protected process.

[Marcos 5,069]

First of all, you have enabled logging of blocked operations in the advanced HIPS setup. This is intended only for diagnostic purposes when troubleshooting issues with HIPS, otherwise the setting should be kept disabled. Enabling it will not only have adverse effect on performance due to extensive logging but it may also generate unnecessarily huge HIPS logs.

[persian-boy 22]

Hi,

Pls lets the user sort the HIPS rules list based on the name or path because if the list goes long you can't manage it and if you do one mistake...

its pain full : -(

Can Eset consider a patch for this?
I think it should be easy for Eset...

Edited September 15, 2017 by persian-boy

[persian-boy 22]

On 9/11/2017 at 6:12 AM, Marcos said:

performance due to extensive logging but it may also generate unnecessarily huge HIPS logs.

Hi, i know that but I have little paranoia and I want to monitor everything.
 

[persian-boy 22]

Every time I disable the HIPS module it remains ON and I cant disable it, Even when the settings show HIPS is off that indicator remains green and on.
just saying it's not about repair or other security software in my machine because I know you will say that lmao.
I removed everything I had and the problem didn't solve also reinstalled Eset but the same issue.
 

[Marcos 5,069]

HIPS remains active until a computer restart on purpose.

[persian-boy 22]

Hi thanks for the reply but why is that?
if I want to disable it without the restart I have to set it in smart mode and it will work like its disabled but I guess Eset need to fix it.

Edited September 15, 2017 by persian-boy

[itman 1,659]

A note about HIPS Smart mode. If you had previously run in training mode with many rules created, running in Smart mode will not negate those rules. They still remain in effect.

Smart mode was designed to be a bit more aggressive in its application of Eset's default HIPS rules.

I did make a suggestion a while back that the "profile" concept used for the firewall also be used for the HIPS. This way one could switch to a different profile when diagnosing stuff.

 

[persian-boy 22]

On 9/15/2017 at 4:21 PM, itman said:

They still remain in effect.

Hi Itman
I didn't know that thank you for the tips.