Jump to content

Archived

This topic is now archived and is closed to further replies.

persian-boy

HIPS and some problems.

Recommended Posts

5 hours ago, persian-boy said:

But if I start a music(MP3) from somewhere(consider Aipm player is default media player)then the Aimp.exe will run AND I can see it in process list but the hips won't alert me about it!

First, what do you mean by "somewhere;" details please.

Again, I believe you have inadvertently created an allow HIPS rule for a process for all activity which would include AIMP.exe startup activity.

Also you were complaining about like behavior when using ver. 10. So I don't think this is a ver. 11 "bug."

Share this post


Link to post
Share on other sites

It doesn't matter where!tried from every drive.

1 hour ago, itman said:

created an allow HIPS rule for a process for all activity which would include AIMP.exe startup activity.

No no no there is a bug you can try yourself and I have only one rule in Hips!I didn't have this problem in version 10!
Pls Dw Aimp player install it(turnoff hips) then create these rules like me! and start an mp3 from your desktop then you will see the hips won't trigger an alert.but if you start aimp.exe from C( or wherever you installed it) it will alert you!

eset.PNG

Share this post


Link to post
Share on other sites

I rate HIPS 7.5/10  there are some minor bugs that need Attention but Overall, a good product
Keep up the good work Eset xD

Share this post


Link to post
Share on other sites
48 minutes ago, persian-boy said:

No no no there is a bug you can try yourself and I have only one rule in Hips!I didn't have this problem in version 10!
Pls Dw Aimp player install it(turnoff hips) then create these rules like me! and start an mp3 from your desktop then you will see the hips won't trigger an alert.but if you start aimp.exe from C( or wherever you installed it) it will alert you!

Appears by default the HIPS will only check program startup from the drive the OS is installed on.

Create a HIPS rule for each drive you want to monitor startup activity by specifying for Applications -> Specific applications -> D:\*.* etc.. I tested this and it does detect any program startup on the specified drive.

Share this post


Link to post
Share on other sites

Thnx for the rule, you gave me but still doesn't work :)
P.s: it works for other tools or applications but only for media players! maybe smth is wrong with video and audio formats.

Share this post


Link to post
Share on other sites
9 minutes ago, persian-boy said:

P.s: it works for other tools or applications but only for media players! maybe smth is wrong with video and audio formats

Then something you have allowed in the HIPS is allowing the startup of the video player. For example, does the video player install a service? Did you allow svchost.exe or services.exe to start the program associated with the service?

Share this post


Link to post
Share on other sites

I have only one rule(the one I posted) and there are no other rules! no, I didn't.

Share this post


Link to post
Share on other sites

OK, fixed! idk how but the issue has gone :)  sometimes if you change the hips rules in a row then it will not work properly till you restart the pc!
Right now gettings an alert when I start the Mp3 file.

Share this post


Link to post
Share on other sites

Enabled game mode(for first time) then played my game like 4 hours and again disabled it but  Hips won't alert anymore and thinking I'm still in game mode:)
 

Share this post


Link to post
Share on other sites

Eset fix this issue! or remove game mode because it's more dangerous than useful!

Share this post


Link to post
Share on other sites

Do you have automatic activation of gamer mode for applications running in fullscreen mode enabled or disabled?

Share this post


Link to post
Share on other sites

No, I don't have it(its disabled)!I just enabled it manually to see how it goes!when I was in the game Eset didn't alert for anything and this is good but when I disabled the gamer mode then Hips was not working till I restarted the pc! this issue exists for both firewall(interactive mode) and Hips(interactive mode)

Share this post


Link to post
Share on other sites
4 minutes ago, persian-boy said:

No, I didn't!I just enabled it manually to see how it goes!when I was in the game Eset didn't alert for anything and this is good but when I disabled the gamer mode then Hips was not working till I restarted the pc! this issue exists for both firewall(interactive mode) and Hips(interactive mode)

Sounds like one of the bugs mentioned on here 

 

https://forum.eset.com/topic/13480-eset-internet-security-11-interactive-firewall-pop-ups-missing-ssltsl-protocol-filtering-seems-to-not-work/

 

Share this post


Link to post
Share on other sites

I suggest Eset provide costume installation and let the user choose what he wants to install and what he doesn't want to install.
Some ppl don't need Anti-spam, gamer mode, Anti-theft, webcam protection and banking protection:P

Share this post


Link to post
Share on other sites
22 minutes ago, persian-boy said:

I suggest Eset provide costume installation and let the user choose what he wants to install and what he doesn't want to install.
Some ppl don't need Anti-spam, gamer mode, Anti-theft, webcam protection and banking protection:P

Yeah I have suggested this in the past - One of the things I have noticed is a lot of Security Suites have became bloatware because like phones they just try and put everything into it - most security suites do this, and add a lot of unwanted stuff e.g. toolbars. The problem is that lots of people don't want this but some sadly do. I've always wondered if the idea of a truly customisable security program could work - kind of like a modular security suite where the user could choose exactly what they wanted. Probably a lot of work needed however and many would instal everything by default then wonder why it became slow. 

I do find Eset is very lightweight so I'm not bothered about extra stuff as it doesn't effect the computer.

Share this post


Link to post
Share on other sites

I don't use HIPS manually having it set to automatic but occasionally get the error "User rules file contains invalid data" which appears to be HIPS related as its in the HIPS log. What would this mean. It's random and might not happen for ages.

Share this post


Link to post
Share on other sites
59 minutes ago, peteyt said:

I don't use HIPS manually having it set to automatic but occasionally get the error "User rules file contains invalid data" which appears to be HIPS related as its in the HIPS log. What would this mean. It's random and might not happen for ages.

Odd. I have only see that error appear when creating HIPS rules when the HIPS doesn't like the user created rule. It appears in ver. 9, 10,  and 11 after normal exit of HIPS rule editing when the HIPS attempts to save the new/edited rule. This is a major "irritant" to me since a number of rule changes may have been made which will all be lost if only one rule is invalid. In ver. 8, you would received the error message immediately after creating a rule.

Share this post


Link to post
Share on other sites

 

Sometimes It happens if you don't have a right path for your file, application or registry entry. like you want to have C driver on your list but you type C not C:\
 

Share this post


Link to post
Share on other sites

This is the story:
Hips showed me Explorer want to access X application!I didn't allow it and just waited to see what will happen.
After 2 mins  Hips allowed it without my permission!I thought smth is wrong with my rules but I removed all of them!
It can happen for everything not only this rule! pls, try yourself! set some rules that you can see the changes!like set a rule for Explorer.exe and tell Hips if explorer wants to access an application then alert me ok?
Don't answer the question just wait also don't touch the mouse and don't do anything!you will see the operation will allow without your permission.
 

Share this post


Link to post
Share on other sites

ITman pls test what I said! if you got an alert from the hips just don't allow it an wait 2 min!idk if it's only my problem?! tried it in interactive mode an also smart mod but the same story...

Share this post


Link to post
Share on other sites

Tried it again,
Set my rules and ran Sophos clean which is my on-demand scanner! Hips asked me to allow or deny I didn't answer! waited 2 min and Hips auto allow the access?!
Just do the same thing for yourself and watch the results!

HIPS AUTO ALLOW BUG.PNG
Eset if I prove that there is such bug in Hips then you must give me a free lifetime license for Eset IS:D

Share this post


Link to post
Share on other sites
39 minutes ago, persian-boy said:

Hips showed me Explorer want to access X application!I didn't allow it and just waited to see what will happen.
After 2 mins  Hips allowed it without my permission!I

Explorer is a bugger since it can allow shell execution of itself. That shell can also be run in "temporary" mode such that it will startup, run, and terminate itself w/o you ever noticing it ever run. CCleaner is any example of a process that does this; at least it did in earlier vers.. I haven't used it in some time.

What you can do is create a HIPS ask rule for explorer.exe that will alert on any startup of itself. I believe that is what I used to detect this situation.

I believe what is going on here is that the HIPS detects explorer.exe attempted startup of SophosClean. However, explorer.exe has already spawned a shell startup of itself that is actually used to run SophosClean. When you do the deny action, it is applied to the initial explorer.exe instance but not the shell instance of explorer.exe. 

Share this post


Link to post
Share on other sites

This is not only about the Explorer and its true for other alerts as well!if you get an alert and don't answer it then it will auto allow it!
Also, the Hips alert shouldn't disappear!because I didn't allow or deny it! !but as you see the alert will disappear!why? because Eset allowed it!

Share this post


Link to post
Share on other sites
30 minutes ago, persian-boy said:

This is not only about the Explorer and its true for other alerts as well!if you get an alert and don't answer it then it will auto allow it!

OMG - did I not comment on this previously? Eset HIPS does auto allow if a response is not received within a specified interval. As far as I am aware of, there is no way to control how long the alerts remain on the desktop. Nor is there any way to change the behavior to auto deny. This is one reason why I stated that you should be running in Policy mode which will auto block anything for which an allow rule doesn't exist.

Remember my PM comment? Eset HIPS is not an anti-exec and frankly speaking there is no way to make it so. 

Share this post


Link to post
Share on other sites

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...