itman, posted December 28, 2017 (edited): Win 10 1709, Eset IS 11.0.159. I just noticed that none of my existing HIPS rules for registry modification are triggering. Tested against a few protected keys that previously triggered an alert and none are now being triggered. HIPS is set to SMART mode.
itman (author), posted December 29, 2017 (edited): It appears that the bug occurs when a space is present in the registry key name. For example, a HIPS rule for one of the run keys, i.e. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\*, works fine in regards to modification detection. However, a rule for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\* does not. Note the space in "Session Manager."
Marcos (Administrators), posted December 29, 2017: Hi itman, thanks for the heads-up. I've informed the developer of HIPS and will update you as soon as I hear back from him.
itman (author), posted December 29, 2017: My suggestion is to use "|" (i.e. Shift key + "\" key) to indicate a space in a HIPS rule reg. key.
Marcos (Administrators), posted January 17, 2018: Instead of HKEY_CURRENT_USER, use HKEY_USERS\%SID% with the SID of the current user. Does that make a difference?
itman (author), posted January 17, 2018: 20 minutes ago, Marcos said: "Instead of HKEY_CURRENT_USER, use HKEY_USERS\%SID% with the SID of the current user. Does that make a difference?" The keys I am trying to protect are stored under HKEY_LOCAL_MACHINE?
itman (author), posted January 17, 2018: I should have used the following key, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*, as an example of a HIPS rule that works. Bottom line: the issue is as I stated it; any space in a registry key name is terminating the HIPS key name parsing processing.
itman (author), posted January 17, 2018: I will also add that this is not just an issue on my part. If the Eset HIPS has default rules for monitoring modification activities, for example for any reg. keys subordinate to .......\Windows NT\...., none of those rules are functional.
novice, posted January 17, 2018: 1 hour ago, itman said: "I will also add that this is not just an issue on my part. If the Eset HIPS has default rules for monitoring modification activities, for example for any reg. keys subordinate to .......\Windows NT\...., none of those rules are functional." I am somewhat interested in HIPS, and it seems like you are not the only one complaining about a bug in HIPS. Just out of curiosity, has any of you ever got an alert from HIPS in Smart mode? In more than 3 years I never got a HIPS alert in Smart mode, so frankly I do not know if it is doing anything...
stackz (ESET Insiders), posted January 17, 2018: 1 hour ago, John Alex said: "Just out of curiosity, has any of you ever got an alert from HIPS in Smart mode?" Modifying the hosts file used to trigger an alert, but I just tested this again and the HIPS didn't alert.
novice, posted January 18, 2018: 53 minutes ago, stackz said: "Modifying the hosts file used to trigger an alert, but I just tested this again and the HIPS didn't alert." For a while I looked for a HIPS for 64-bit (like Malware Defender), but the general idea is that in 64-bit you cannot have a proper HIPS because of "PatchGuard aka Kernel Patch Protection". So, how is it done in NOD32, 64-bit?
Marcos (Administrators), posted January 18, 2018: 5 hours ago, stackz said: "Modifying the hosts file used to trigger an alert, but I just tested this again and the HIPS didn't alert." No problem with this here:
stackz (ESET Insiders), posted January 18, 2018: Win 7 x64, HIPS support module 1309 (20171229). Smart mode isn't triggering any alert for hosts file tampering. I made a temporary rule for the hosts file and this was successfully triggered. How can I go about troubleshooting why Smart mode isn't triggering any alert?
Marcos (Administrators), posted January 18, 2018: On 12/29/2017 at 6:43 PM, itman said: "However, a rule for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\* does not. Note the space in 'Session Manager.'" You'll need to create a rule for HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Environment\* or HKEY_LOCAL_MACHINE\SYSTEM\*\Control\Session Manager\Environment\*.
stackz (ESET Insiders), posted January 18, 2018: HIPS support module 1309, Smart mode. Direct access to disk rules are not triggered. All access attempts are allowed.
persian-boy, posted January 18, 2018: Smart mode is broken! You have to use it in interactive mode if you want some protection.
Marcos (Administrators), posted January 18, 2018: 3 hours ago, stackz said: "Direct access to disk rules are not triggered. All access attempts are allowed." What tool did you use to test direct disk access?
Marcos (Administrators), posted January 18, 2018: 4 minutes ago, persian-boy said: "Smart mode is broken! You have to use it in interactive mode if you want some protection." What issues are you having with Smart mode? It's in fact interactive mode which prompts only if a suspicious operation is being performed. It's the purpose of this mode not to ask the user a lot.
stackz (ESET Insiders), posted January 18, 2018 (edited): 13 minutes ago, Marcos said: "What tool did you use to test direct disk access?" HDHacker. Marcos, what product and HIPS module were you using when you tested writing to the hosts file?
persian-boy, posted January 18, 2018: Honestly, I only worked with the Smart mode for 1 day! It didn't give me even one alert. Interactive mode alerts for everything! Even if you open the Control Panel or Group Policy you have an alert for that! I like it!
itman (author), posted January 18, 2018: 6 hours ago, Marcos said: "You'll need to create a rule for HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Environment\* or HKEY_LOCAL_MACHINE\SYSTEM\*\Control\Session Manager\Environment\*." It works! And a big thanks! I used this option: HKEY_LOCAL_MACHINE\SYSTEM\*\Control\Session Manager\Environment\*, since I believe ControlSet001 entries are still only copied to CurrentControlSet at boot time. Whereas I can see the HIPS author's reasoning for only allowing ControlSet001 in a HIPS rule, Win 10 allows for select reg. key values to be dynamically changed and applied w/o a required reboot. One such example is the setting of PowerShell Language Mode; details I don't want to get into for obvious reasons.
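A small rule-coverage checker, added here as an example and not part of the thread or of ESET's HIPS: it tests whether a list of rule patterns covers the registry paths you expect them to protect. It assumes the rule syntax the posts above use (backslash-separated key paths with `*` as a wildcard) and treats CurrentControlSet as an alias of ControlSet001, and it models the reported space-truncation defect so the resulting coverage gap is visible in the output.

```python
# Added example (not ESET's code): check whether ESET-style HIPS registry
# rules cover the keys you expect them to protect. Rule syntax is assumed
# from the thread: backslash-separated key paths with '*' as a wildcard.
import fnmatch

# Windows resolves CurrentControlSet to the control set chosen in
# HKLM\SYSTEM\Select; ControlSet001 is assumed here for the example.
CONTROL_SET_ALIAS = {"currentcontrolset": "controlset001"}

def _segments(path):
    """Lower-cased key segments of a registry path, aliases resolved."""
    return [CONTROL_SET_ALIAS.get(s.lower(), s.lower())
            for s in path.split("\\") if s]

def rule_covers(rule, path):
    """True if the rule matches the full path. Segments are compared
    case-insensitively with glob semantics (a '*' segment matches
    CurrentControlSet and ControlSet001 alike); a trailing '*' matches
    any depth of subkeys or values beneath the prefix."""
    r, p = _segments(rule), _segments(path)
    for i, seg in enumerate(r):
        if seg == "*" and i == len(r) - 1:
            return len(p) >= i
        if i >= len(p) or not fnmatch.fnmatchcase(p[i], seg):
            return False
    return len(p) == len(r)

def naive_rule_covers(rule, path):
    """Model of the reported defect: the rule is cut at its first space,
    so 'Session Manager' is read as 'Session' and matches nothing there."""
    return rule_covers(rule.split(" ")[0], path)

def uncovered(rules, paths, matcher=rule_covers):
    """Paths that no rule matches under the given matcher."""
    return [p for p in paths if not any(matcher(r, p) for r in rules)]

# Constructed sample: the rules from the thread plus paths to be covered.
SAMPLE_RULES = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*",
    r"HKEY_LOCAL_MACHINE\SYSTEM\*\Control\Session Manager\Environment\*",
]
SAMPLE_PATHS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\Path",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
]

if __name__ == "__main__":
    print(uncovered(SAMPLE_RULES, SAMPLE_PATHS))                     # correct parser
    print(uncovered(SAMPLE_RULES, SAMPLE_PATHS, naive_rule_covers))  # defect modelled
```

With the correct matcher only the HKEY_CURRENT_USER path is reported as uncovered; with the space-truncating matcher the Session Manager path drops out as well, which is the gap the thread describes.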
Marcos (Administrators), posted January 18, 2018: 1 hour ago, stackz said: "Marcos, what product and HIPS module were you using when you tested writing to the hosts file?" EIS v11.0.159 x64, Windows 10 RS3, HIPS module 1309. Couldn't it be that you have a custom rule for hosts created that would override asking you about an action?
itman (author), posted January 18, 2018 (edited January 19, 2018): On 1/18/2018 at 5:10 AM, stackz said: "HIPS support module 1309, Smart mode. Direct access to disk rules are not triggered. All access attempts are allowed." What about Shadow Volume Copy service activity? That one was always triggering when I monitored direct disk access. -EDIT- Also, when monitoring for direct disk activity the HIPS rule target needs to be the entire drive, i.e. C\*.*
peteyt (Most Valued Members), posted January 18, 2018: 4 hours ago, Marcos said: "What issues are you having with Smart mode? It's in fact interactive mode which prompts only if a suspicious operation is being performed. It's the purpose of this mode not to ask the user a lot." I have HIPS set to interactive mode and no plan at the moment to change that. Just curious what Smart mode does then: if interactive prompts about suspicious activity and automatic does everything for you, what is the purpose of Smart mode?
cvvorous, posted January 18, 2018: 13 hours ago, Marcos said: "No problem with this here:" It worked fine for me as well, using an app that reads hosts and inserts an entry on startup. It didn't notify when I inserted a value into hosts via CLI using echo, though, but I'd imagine that's not a common manipulation method.