Jump to content

Archived

This topic is now archived and is closed to further replies.

persian-boy

HIPS and some problems.

Recommended Posts

Believe me or not...this searching option in HIPS not working. 
I have browser.exe in my rules but when I search for it cant find anything.
pls, fix it because finding name is a pain...
 

Share this post


Link to post
Share on other sites
On ‎10‎/‎5‎/‎2017 at 10:09 PM, persian-boy said:

Believe me or not...this searching option in HIPS not working. 
I have browser.exe in my rules but when I search for it cant find anything.
pls, fix it because finding name is a pain...
 

It searchs the rule names only. So if browser.exe is not part of the rule name, it won't find it.

Share this post


Link to post
Share on other sites
2 hours ago, itman said:

It searchs the rule names only. So if browser.exe is not part of the rule name, it won't find it.

This sounds like a bug. I'll consult it with developers but in my opinion the search function should work for any of the rule parameters.

Share this post


Link to post
Share on other sites
Even in interactive mode, Hips won't alert for everything and I have to set the ask rules for my applications manually.
Example: I want to know what browser doing on my pc so if I use the Hips in interactive mode it will not alert me about registry access or some other places but if I set the ask rules for files, application and registry then Alerts come!and it works like what I saw in SpyShelter! can Eset do smth for that? whats the point with interactive mode when it's not going to alert about everything?
Now I'm using it in interactive plus I set ask rules for media players, browser and some others application manually.

Share this post


Link to post
Share on other sites

There is a bug:
Action:ask
Operation affecting: all of them(Reg/App/Files)

I have the above rules for kerishdoctor.exe so when I start it HIPS ask me about the access for registry by Kerishdoctor and I have 3 choices:
1-Ask everytime
2-let it access till I exit the program
3- Create a permanent rule for this operation(which is access the registry or I  can limit it more)

If I chose the number 1 it will allow the reg access and ask for the next operation which is ((terminate/suspend another application)) but if I chose the number 2 then Hips will allow every operation for kerishdoctor.exe.

I mean it will auto allow other operations as well(like terminate/suspend another application)! when it should only allow the access for registry and don't auto allow other operations...!

Eset what is the meaning of the remember until application quit? shouldn't it only allow for current operation and ask about other operations?

Someone pls explain about it! in my opinion, this is wrong and broken.

Share this post


Link to post
Share on other sites

I'm waiting for the answer *-* and I guess you need to fix it because the way it works is dangerous --_--
P.s: the safe is to press ask every time or create a permanent rule for that operation.otherwise, it will allow everything.

Share this post


Link to post
Share on other sites


Sometimes I have an alert form the Hips for smth but I want to open another file or do smth with windows and for that application or work, I need to answer an alert from the Hips but Eset doesn't show me the next alert till I answer the first alert and this is breaking my work.
Why is that?pls fix it and you can also spam my desktop with alerts who care? 

Also pls look at this photo and tell me what is this?Hips is trolling on my pc because you didn't fix these problems when it was beta.

 

kitty.PNG

Share this post


Link to post
Share on other sites
9 hours ago, persian-boy said:

I need to answer an alert from the Hips but Eset doesn't show me the next alert till I answer the first alert and this is breaking my work.

No HIPS I am aware of has "look ahead capability" in regards to processing rules. It will suspend processing of the task being monitored until you respond or the wait period elapses. You can't execute other processes since you are running in Interactive mode. You might consider Policy mode instead. 

Share this post


Link to post
Share on other sites

Thanks for the answer :-)
Yes maybe because I'm running it in interactive that's why but I cant try policy mode for now maybe later.
Eset I'm still waiting for the answer?what is this alert? XD what does that means?the only one who cares is ITman

Share this post


Link to post
Share on other sites

I'm wondering why Eset don't care about this bug!this is happening for the Yandex browser as well! Itman what do you think? dear Marcos, I know you are reading my comments XD pls explain about it! 

Share this post


Link to post
Share on other sites
2 hours ago, persian-boy said:

I'm wondering why Eset don't care about this bug!this is happening for the Yandex browser as well! Itman what do you think?

What bug are you referring to? Just create an allow rule for AIMP and your problems are solved. If you trust the app, modify the allow rule to allow activity for all operations the HIPS monitors for and you will never see another alert from it.

Share this post


Link to post
Share on other sites

Don't you see that bug?look at the photo!HIPS saying Aimp player want to access() what is ()?Eset plssssssss a bit explain about this alert why no one answer? omfg.
Also, the target is not visible and When you want to set the permanent rule the filed is empty :D what is this?
ITAman I know I don't need to set the ask rules for a media player but I just like to have it.so it should works...
Eset pls tell me 2 things:
1-Why Hips in interactive mode will not alert for everything like the ask rule? can I know how this alert system works?
2- What is that alert?
 

Share this post


Link to post
Share on other sites
On 10/12/2017 at 4:44 PM, persian-boy said:

Eset what is the meaning of the remember until application quit?

 Does it mean the HIPS will allow every access till I exit the process?or it will only allow specific operation and will ask for the next operation(like start a new application or write to disk) Eset answer the questions :-)

Share this post


Link to post
Share on other sites
8 hours ago, persian-boy said:

Don't you see that bug?look at the photo!HIPS saying Aimp player want to access() what is ()?Eset plssssssss a bit explain about this alert why no one answer? omfg.
Also, the target is not visible and When you want to set the permanent rule the filed is empty :D what is this?

AIMP is a media player and they are known to do "weird things." My best guess is any access to the "target" file in question is denied; even to Eset. This is why you are seeing the "file ()" reference and the Target field is blank. Most likely, the file in question is one used internally by AIMP and it has totally locked down all access to it.

Again, using a HIPS in Interactive mode requires detailed knowledge of all processes and their internal process workings.

8 hours ago, persian-boy said:

 Does it mean the HIPS will allow every access till I exit the process?or it will only allow specific operation and will ask for the next operation(like start a new application or write to disk) Eset answer the questions :-)

It will allow access for the specific action noted to the process being alerted for until the process exits.

Share this post


Link to post
Share on other sites

Some advice about using the HIPS after training mode has been enabled long enough to learn all currently used apps and system processes. The best next step is to employ Policy mode. This way anything that has not been previously allowed is auto blocked. Policy mode works best in corp. environments to "lock down" app execution. It is a good choice since users are not allowed to install software or modify it in any other way including updating it; that is only done by system admins. Additionally once an acceptable HIPS configuration has been achieved, it is rolled out to all endpoints maximizing the payback for the original configuration effort.

For normal end users who install software often, perform regular updating of software, and make system configuration changes running the HIPS in Policy or Interactive mode can best be described as "an effort in futility." Worse, there is a high likelihood that they will make their system less secure than if the HIPS was run in the default Auto mode or alternatively, Smart mode.  A good compromise is to use Smart mode and selectively create user rules for known vulnerable processes.

Share this post


Link to post
Share on other sites

That alert isn't only about the music player it's happening for the browser as well and I guess there are some bugs in HIPS  but Eset needs to fix them as soon as possible.

On 10/17/2017 at 6:21 AM, itman said:

specific action

But from what is see sometimes this option allows everything (maybe a bug or smth like that)
Yes using hips in interactive mode need a lot of knowledge about the windows but I'm not idiot and can read alerts:D 
Mate, I'm not using learning more anymore I just removed my rules and start using interactive from the start because the learning mode is broken and it may allow smth that I don't want.
But your suggestion is also good(learning mode and policy mode after like 1 week)

Share this post


Link to post
Share on other sites

I know its hard to believe but sometimes The  Hips get bypass:/ I'm running it in interactive plus these rules:
Actions=ask
Operation affecting: Applications
Application operation: start new application
Aapplcaition=all applications
Example:2 weeks ago I ran Splash player pro and Hips allow it without asking! but after that, I clicked on it again and Hips show me an alert! I noticed sometimes it won't Show the alerts In the right way and allow without asking!this happened more than 10 times in 2 months!there are some hidden problems -.-

Share this post


Link to post
Share on other sites
14 hours ago, persian-boy said:

Actions=ask
Operation affecting: Applications
Application operation: start new application
Aapplcaition=all applications

Do you have coded for Source Applications "All Applications" ?

Share this post


Link to post
Share on other sites

Yes, i did and im sure there is a bug but NVM.
I noticed Eset updated the Hips module version but the question is what are these changes? Eset pls provide a change log or some information about these changes? the user needs to know what is happening.

 

Share this post


Link to post
Share on other sites

Sometimes when I start the ESET SysInspector from the GUI then Hips will alert for it and the access that SysInspector want! it's not that important but pls consider to learn  Hips don't catch your stuff:D 

Share this post


Link to post
Share on other sites

 

If I run smth as the Smart screen and already have allowed rules for the smart screen then my rules(like ask rule for start new application)will ignore and Eset let the file run without any alert!why is that? 
I have 2 rules:
Allow everything For smart screen(i meant all operations) and the ASk rule for all application(start the new app and MODIFY state of another... )

Shouldn't HIPS alert me about the start new application since I have the ask rule for it?

Share this post


Link to post
Share on other sites

Eset the ask rule for start new application is buggy and doesn't work in the right way! 
I have Aimp player in C:\Program Files (x86)\AIMP and when I double click Aimp.exe then Hips tell me explorer.exe want to access Aimp player ok? But if I start a music(MP3) from somewhere(consider Aipm player is default media player)then the Aimp.exe will run AND I can see it in process list but the hips won't alert me about it!
Marcos I'm waiting for the answers and you have to answer me:P 
I'm guessing that's because Hips won't work on audio and video formats??

Share this post


Link to post
Share on other sites

Bug after bug and this issue did not exist in version 10! I'm quite sure about it

Share this post


Link to post
Share on other sites

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...