Jump to content

Major HIPS Issue


Recommended Posts

Win 10 1709, Eset IS 11.0.159

I just noticed that none of my existing HIPS rules for registry modification are triggering. Tested against a few protected keys that previously triggered an alert and none are now being triggered. HIPS is set to SMART mode.

Edited by itman
Link to comment
Share on other sites

It appears that the bug is due to when a space is present in the registry key name.

For example a HIPS rule for one of the run keys i.e. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\* works fine in regards to modification detection. However, a rule for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\* does not. Note the space in "Session Manager."

Edited by itman
Link to comment
Share on other sites

  • 3 weeks later...
20 minutes ago, Marcos said:

Instead of HKEY_CURRENT_USER, use HKEY_USERS\%SID% with the SID of the current user. Does that make a difference?

The keys I am trying to protect are stored under HKEY_LOCAL_MACHINE?

Link to comment
Share on other sites

I should have used the following key, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*, as an example of a HIPS rule that works.

Bottom line - the issue is as I stated it; any space in a registry key name is terminating the HIPS key name parsing processing. 

Link to comment
Share on other sites

I will also add that this is not just an issue on my part. If the Eset HIPS has default rules for monitoring modification activities for example for any reg. keys subordinate to .......\Windows NT\...., none of those rules are functional.

Link to comment
Share on other sites

1 hour ago, itman said:

I will also add that this is not just an issue on my part. If the Eset HIPS has default rules for monitoring modification activities for example for any reg. keys subordinate to .......\Windows NT\...., none of those rules are functional.

I am somehow interested in HIPS, and it seems like you are not the only one complaining about a bug in HIPS.

Just out of curiosity , any of you ever got an alert from HIPS in Smart mode?

In more than 3 years I never got a HIPS alert in Smart mode, so frankly I do not know if is doing anything....

Link to comment
Share on other sites

  • ESET Insiders
1 hour ago, John Alex said:

Just out of curiosity , any of you ever got an alert from HIPS in Smart mode?

Modifying the hosts file used to trigger an alert, but I just tested this again and the HIPS didn't alert.

Link to comment
Share on other sites

53 minutes ago, stackz said:

Modifying the hosts file used to trigger an alert, but I just tested this again and the HIPS didn't alert.

For a while I looked for a HIPS for 64 bit (like Malware Defender) but the general idea is that in 64 bit you cannot have a proper HIPS  because of "Patchguard aka Kernel Patch Protection "

So, how is done in NOD32, 64 bit?????

Link to comment
Share on other sites

  • Administrators
5 hours ago, stackz said:

Modifying the hosts file used to trigger an alert, but I just tested this again and the HIPS didn't alert.

No problem with this here:

image.png

Link to comment
Share on other sites

  • ESET Insiders

Win 7x64

HIPS support module: 1309 (20171229)

Smart mode isn't triggering any alert for hosts file tampering. I made a temporary rule for the hosts file and this was successfully triggered.

How can I go about troubleshooting why smart mode isn't triggering any alert?

Link to comment
Share on other sites

  • Administrators
On 12/29/2017 at 6:43 PM, itman said:

However, a rule for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\* does not. Note the space in "Session Manager."

You'll need to create a rule for HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Environment\*  or HKEY_LOCAL_MACHINE\SYSTEM\*\Control\Session Manager\Environment\*.

Link to comment
Share on other sites

  • ESET Insiders

HIPS support module: 1309
Smart mode

Direct access to disk rules are not triggered. All access attempts are allowed.

Link to comment
Share on other sites

  • Administrators
3 hours ago, stackz said:

Direct access to disk rules are not triggered. All access attempts are allowed.

What tool did you use to test direct disk access?

Link to comment
Share on other sites

  • Administrators
4 minutes ago, persian-boy said:

Smar mode is broken!You have to use it in interactive mode if you want some protection.

What issues are you having with Smart mode? It's in fact interactive mode which prompts only if a suspicious operation is being performed. It's a purpose of this mode to not ask the user a lot.

Link to comment
Share on other sites

  • ESET Insiders
13 minutes ago, Marcos said:

What tool did you use to test direct disk access?

HDHacker

Marcos, what product and HIPS module were you using when you tested writing to the hosts file?

Edited by stackz
Link to comment
Share on other sites

Honestly, i only worked with the smart mode for 1 day! it didn't give me even one alert.interactive mode alert for everything! even if you open the control panel or group policy you have an alert for that! like it!

Link to comment
Share on other sites

6 hours ago, Marcos said:

You'll need to create a rule for HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Environment\*  or HKEY_LOCAL_MACHINE\SYSTEM\*\Control\Session Manager\Environment\*.

It works! And a big thanks!

I used this option:  HKEY_LOCAL_MACHINE\SYSTEM\*\Control\Session Manager\Environment\* since I believe ControlSet001 entries are still only copied to CurrentControlSet at boot time. Whereas I can see the HIPS author's reasoning for only allowing ControlSet001 in a HIPS rule, Win 10 allows for select reg. key values to be dynamically changed and applied w/o a required reboot. One such example is the setting of PowerShell Language Mode; details I don't want to get into for obvious reasons. 

Link to comment
Share on other sites

  • Administrators
1 hour ago, stackz said:

Marcos, what product and HIPS module were you using when you tested writing to the hosts file?

EIS v11.0.159 x64, Windows 10 RS3, HIPS module 1309. Couldn't it be that you have a custom rule for hosts created that would override asking you about an action?

Link to comment
Share on other sites

On ‎1‎/‎18‎/‎2018 at 5:10 AM, stackz said:

HIPS support module: 1309
Smart mode

Direct access to disk rules are not triggered. All access attempts are allowed.

What about Shadow Volume Copy service activity? That one was always triggering when I monitored direct disk access.

-EDIT- also when monitoring for direct disk activity the HIPS rule target needs to be the entire drive i.e. C\*.*

Edited by itman
Link to comment
Share on other sites

  • Most Valued Members
4 hours ago, Marcos said:

What issues are you having with Smart mode? It's in fact interactive mode which prompts only if a suspicious operation is being performed. It's a purpose of this mode to not ask the user a lot.

I have hips set into interactive mode and no plan at the moment to change that. Just curious what smart mode does then as if interactive prompts about suspicious activity and automatic does everything for you, what is the purpose of smart mode?

Link to comment
Share on other sites

13 hours ago, Marcos said:

No problem with this here:

image.png

it worked fine for me as well, using an app that reads hosts and inserts an entry on startup. it didn't notify when i inserted a value to hosts via cli using echo, though, but i'd imagine that's not a common manipulation method

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...