
persian-boy

HIPS and some problems.


Hi, I have the same problem. I recently installed Eset Internet Security 11 and HIPS is blocking me from a Steam game, Arma 3, and its anti-cheat BattlEye; it also disconnects me from the internet. In the record generated by HIPS, 801, the configuration is the default as when one installs Eset. They could fix the problem.
I also tried putting in an exception but it does not work; it blocks me and disconnects me from the internet for a period of time.


1 hour ago, itman said:

does auto allow

This must change :-)
What if a file (let's say it's malware and not detected by Eset) ran and wanted a permission but the user was not on the PC?
Then what? Then it will auto-allow the operation! From what I know, every HIPS is based on auto-deny if the user doesn't provide the answer...

1 hour ago, itman said:

there is no way to control how long the alerts remain on the desktop

This is the problem with Eset HIPS! They need to rework it! Also, not everyone likes the policy mode!
It's not only about the anti-exe! This auto-allow exists for registry access and other operations such as writing to files, loading drivers and more... I mean everything.
I'm waiting for the answer from Eset developers and my lifetime license. 
See you later Eset.
3 hours ago, dere said:

Hi, I have the same problem. I recently installed Eset Internet Security 11 and HIPS is blocking me from a Steam game, Arma 3, and its anti-cheat BattlEye; it also disconnects me from the internet. In the record generated by HIPS, 801, the configuration is the default as when one installs Eset. They could fix the problem.
I also tried putting in an exception but it does not work; it blocks me and disconnects me from the internet for a period of time.

Does temporarily disabling self-defense make a difference?


No, but it's not supposed to be all turned on; it's supposed to be protecting me, Eset. I am going to deactivate it; maybe later on there is some update on this and the problem is solved.
12 minutes ago, dere said:

No, but it's not supposed to be all turned on; it's supposed to be protecting me, Eset. I am going to deactivate it; maybe later on there is some update on this and the problem is solved.

All the above HIPS records about blocked operations were generated by Self defense. Try rebooting the computer after disabling SD.

HIPS is a crucial protection feature and should always stay enabled. If disabled, neither Self defense nor Advanced Memory Scanner, Exploit Blocker nor Antiransomware protection will work.

13 hours ago, dere said:

HIPS is blocking me from a Steam game, Arma 3, and its anti-cheat BattlEye; it also disconnects me from the internet.

Looking at the HIPS log you posted, your games are trying to modify critical Win System32 resident processes along with Eset's egui and krnl processes. No app process should be allowed to modify these critical processes.

I would find different games to play and uninstall the ones attempting the modification activities.


hi,

I don't agree with you, Itman. It's not an old game like Arma 3 (a well-known game, nothing harmful inside for our computers) that has to be adapted to security programs; it's on the security solutions' side that changes have to be made!!

There's a real long-time problem with Eset HIPS. It needs too much time to be set correctly; someone who doesn't understand OS parameters doesn't want to, and surely doesn't understand how to, correctly manage HIPS rules...

The first years they made this module I disabled it because I didn't want to spend too much time setting it up... even after learning mode there are so many problems with those rules.

PLEASE ESET, THE HIPS MODULE NEEDS TO BE MORE USER FRIENDLY; your customers aren't all computer professionals...


It is a matter of fact that no 3rd party application should attempt to touch ESET's processes. According to the HIPS log, it was attempting to terminate ekrn.exe, which is the crucial process responsible for protecting your system from malware.

Please contact your local customer care so that they can try to reproduce it and work with engineers to find out if there's something on ESET's part that could be done or if the maker of Arma 3 will need to be contacted and asked to change the behavior of their software.

I'd also ask you to do the following:
- temporarily disable Self-defense and reboot the computer
- enable logging of blocked operations in the advanced HIPS setup
- clear the HIPS log
- run Arma 3 and reproduce the issue
- disable logging
- re-enable Self-defense
- post here the records from the HIPS logs.
7 hours ago, el_sauvageon said:

hi,

I don't agree with you, Itman. It's not an old game like Arma 3 (a well-known game, nothing harmful inside for our computers) that has to be adapted to security programs; it's on the security solutions' side that changes have to be made!!

There's a real long-time problem with Eset HIPS. It needs too much time to be set correctly; someone who doesn't understand OS parameters doesn't want to, and surely doesn't understand how to, correctly manage HIPS rules...

The first years they made this module I disabled it because I didn't want to spend too much time setting it up... even after learning mode there are so many problems with those rules.

PLEASE ESET, THE HIPS MODULE NEEDS TO BE MORE USER FRIENDLY; your customers aren't all computer professionals...

Wondered if BattlEye could be part of the issue. Also, there is a way to have HIPS user friendly. I presume it is set to manual? I was always under the impression it was best to leave it on automatic unless you really know what you're doing.

7 hours ago, el_sauvageon said:

MORE USER FRIENDLY,

More than this?
Find the files that want access to the Eset processes, then create some custom allow rules (for all operations) for them (if you are 100% sure about their safety).
Also, disable the safe protection and Eset will not block your game anymore! But why would a game want to block an AV process? Think for yourself :-)
I'm thinking maybe your Steam processes got hijacked and someone is trying to hack your PC :D Take care!

5 minutes ago, peteyt said:

Wondered if BattlEye could be part of the issue. Also, there is a way to have HIPS user friendly. I presume it is set to manual? I was always under the impression it was best to leave it on automatic unless you really know what you're doing.

Regardless of the HIPS mode used, Eset HIPS has internal rules to prevent ekrn.exe from being tampered with or terminated. Disabling the HIPS is the equivalent of "intentional self-inflicted injury."


There are times that HIPS asks about something when I already allowed it, and I have to restart the PC to stop the alerts. This only happens for new files and just in interactive mode. Please consider a fix for this issue!
30 minutes ago, persian-boy said:

There are times that HIPS asks about something when I already allowed it

Maybe this will help.

When you run in interactive mode, the HIPS will only create an allow rule for the specific activity from the process detected. For example, process X starts another process. It will create a rule only for that activity. Later, process X wants to modify another process. You will receive an alert for that and a specific rule will be created for that activity. Note that some time might elapse, depending on process logic, before a new activity is detected. All the above will give the appearance that your existing allow rules are not working. This can be avoided by allowing all activity for the process when the initial rule is created. However, this might not be secure except for a trusted process.

Also note that for a process startup rule, the HIPS is only allowing startup of another specific process. If the source process wants to start another process, you will receive an alert for that. Etc., etc.


Hm, I found another interesting problem.
There is an Example.exe in C:\Program Files, and I already allowed everything for this file. So I just tried something and created another Example.exe, then removed that Example.exe and replaced it with this one!
Ran it, and HIPS allowed everything for it! Why? Because HIPS only cares about the name and not the hash!!! Eset, why is that? So broken? What if my file got changed? Or the file was modified by malware? Then you will allow everything for it?! I'm not sure, maybe I made a mistake? What is this, lol.

1 hour ago, itman said:

Maybe this will help.

Thanks for the explanations! Maybe it helps; I can't try it now! Nvm, it doesn't matter anyway.
There are bigger problems :-(

1 hour ago, itman said:

depending on process logic

Hm, that's true! But HIPS shows the same descriptions and can't recognize the difference...


HIPS should work in this way:
Whitelist the files by location and also hash! Otherwise it's broken!
If the hash changed then the file got changed, and an alert must ask the user:
1. Allow or block?
2. Do you want to replace the hash or not?
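As an added illustration (not ESET's code and not posted by anyone in the thread) of two points made above: itman's explanation that an interactive-mode rule covers one activity of one process, and persian-boy's proposal that rules be keyed on location plus hash so that a replaced executable is prompted for again. The rule fields, the toy matcher and the sample executable bytes are all constructed for this example.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass
class AllowRule:
    path: str              # where the executable lives (hypothetical rule field)
    operation: str         # one activity, e.g. "start_process" or "modify_process"
    target: str            # the process acted on, or "*" for any
    sha256: Optional[str]  # None = name-only rule (the behaviour the thread describes)

class Hips:
    def __init__(self, check_hash: bool):
        self.check_hash = check_hash
        self.rules: list = []

    def allow(self, path: str, operation: str, target: str, image: bytes) -> None:
        # A rule covers exactly one (path, operation, target) triple, as itman describes.
        digest = sha256_of(image) if self.check_hash else None
        self.rules.append(AllowRule(path, operation, target, digest))

    def decide(self, path: str, operation: str, target: str, image: bytes) -> str:
        """'allow', 'ask' (no matching rule) or 'ask-changed' (same path, different hash)."""
        for rule in self.rules:
            if rule.path != path or rule.operation != operation:
                continue
            if rule.target not in ("*", target):
                continue
            if self.check_hash and rule.sha256 != sha256_of(image):
                return "ask-changed"  # file replaced in place: re-prompt, offer to update the hash
            return "allow"
        return "ask"

def demo() -> dict:
    # Constructed stand-ins for the executable bytes before and after replacement.
    original = b"constructed original Example.exe"
    replaced = b"constructed replacement dropped at the same path"
    path = r"C:\Program Files\Example\Example.exe"
    results = {}
    for name, hips in (("name_only", Hips(False)), ("path_and_hash", Hips(True))):
        hips.allow(path, "start_process", "helper.exe", original)
        results[name] = {
            "same_activity": hips.decide(path, "start_process", "helper.exe", original),
            "other_activity": hips.decide(path, "modify_process", "other.exe", original),
            "after_replace": hips.decide(path, "start_process", "helper.exe", replaced),
        }
    return results
```

With name-only rules the replaced file is still allowed; with path-plus-hash rules it is prompted for again, while an unrelated activity is prompted for in both modes.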
11 hours ago, persian-boy said:

Ran it, and HIPS allowed everything for it! Why? Because HIPS only cares about the name and not the hash!!!

That is correct. It has always been that way. If it was not that way, think of the alerts you would receive every time Microsoft does a major revision to Windows via Win Update. Ditto for app updates. Most HIPS's detect by name and not by any hash change. Rep scanners, on the other hand, factor in file hashes.

1 hour ago, itman said:

the alerts you would receive every time Microsoft does a major revision

That's why Eset needs to create a dig sign list for me. Eset, please don't do this to me :-(

1 hour ago, itman said:

Most HIPS's detect by name and not by any hash change

My ReHIPS works by hash and also location; nothing can bypass it :D Also it works great alongside Eset! So I have dig sign list + hash + cmd watcher. I just want Eset to improve, but it seems they don't want to improve in this way (HIPS stuff).


If someone reads this topic then he will find many ways to bypass this HIPS :-) I'm just saying fix the weakness.

50 minutes ago, persian-boy said:

D also it works great alongside with Eset! so I have dig sign list+Hash+Cmd watcher

By "D" I assume you are referring to Comodo's Defense+? If so, then first set Eset HIPS to auto mode. Then set Defense+ to paranoid mode. You will get "tons" of alerts from Defense+ from it that you can respond to and we won't have to discuss the issues you are having with Eset's HIPS.:rolleyes:

2 hours ago, persian-boy said:

Nah, I said ReHIPS! Not Comodo: https://rehips.com/en/

ReHIPS is a competitor to AppGuard. Both are approved by U.S. Homeland Security for advanced security mitigation. As such, neither is needed or recommended for the average home user employing a retail based AV solution. Of the two, I would recommend AppGuard since, to my knowledge, it has never been bypassed by malware.

These solutions are Windows group and software restriction policy based. Both have some "tweaks" to overcome deficiencies in the aforementioned. ReHIPS for example, employs a full feature sandbox. Their main advantage is they have a user friendly GUI that simplifies the detailed tech knowledge required to properly configure Windows using GP/SRP. Also both have to be "tweaked" to achieve maximum security against advanced persistent threats. Their main disadvantage is they like GP/SRP are not interactive via employing desktop alerts and require detailed review of Windows event logs, etc. for blocked activity. Again, these solutions are targeted at corp. endpoint environments.

As I have often commented upon in the security forums I frequent, you can achieve equivalent functionality using a conventional HIPS solution by first training it. Then switch to "Policy" mode whereby any activity not allowed during the training period is automatically blocked.

Bottom line - why spend $50 - $70 USD(BTW - ReHIPS just raised their annual license to $50) per year for something Eset already includes as part of its annual subscription fee? Worse, why throw away your cash on something you don't need and shouldn't be using in the first place.

3 hours ago, itman said:

Both are approved by U.S. Homeland Security

Well, AppGuard is an expensive product and I can't try it (also don't need it)! I will stick with Andy's tool, which has SRP plus a lot of tweaks (a lot, for real) :-) Worth it for free.
From what I know, ReHIPS wasn't approved by Homeland?!! Consider it's still in development but has a great future.

3 hours ago, itman said:

properly configure Windows using GP/SRP

ReHIPS is not using SRP and GP policy (it uses built-in methods)! Also it's good for average users! Very easy to learn!

3 hours ago, itman said:

why spend $50

I'm using the free version of ReHIPS and you don't need to pay for it! The free version has all features!! But the sandbox has a limit (10 processes can run at the same time in the sandbox, so you can't run Chrome sandboxed), and I don't want a sandbox anymore. If you don't need a sandbox then you can use the free version freely.
Also, before, you could buy ReHIPS for a low price... something like $15?

3 hours ago, itman said:

Eset already includes

There is no dig sign list and hash in Eset! -.- Also Eset has no sandbox! You can simply use the free version of ReHIPS + Eset.
