thor3, Posted November 26, 2013

I'm having some issues with the HIPS component of NOD32 (both v6 & v7): when enabled, it keeps a disk cloning application I use for backup from completing successfully and causes MS Office 2013 applications (in particular Outlook, OneNote, Word) to repeatedly crash, numerous times a day. I know these problems are caused by HIPS, as when it is disabled the cloning application completes successfully and the MS Office apps don't crash.

I did create a HIPS rule to allow the cloning app to conduct all operations, and it does complete successfully with this rule, but the HIPS logs show "some access allowed" for many of the operations when I expected all access to be allowed. I also see in the HIPS logs that many operations for other programs and OS components are blocked or partially blocked, which concerns me as there isn't malware on my machine and I'm assuming these operations should be allowed (as they would be if it weren't for HIPS). My ultimate concern is that HIPS is interfering with applications silently, i.e. they're failing and I'm not aware of it.

A few questions:
- Is it really that unwise to use NOD32 with HIPS disabled?
- I've read mixed thoughts on using Learning Mode: could doing so allay my fears? As it is now, I'm unsure it would, as even with an explicit rule for my cloning app, not all access is allowed.

Any thoughts or advice would be greatly appreciated!
Arakasi, Posted November 27, 2013

Good day thor...

> Is it really that unwise to use NOD32 with HIPS disabled?

HIPS is an integral part of protecting the antivirus engine as well as preventing absolute takeover and root access being given to malicious software.

> I've read mixed thoughts on using Learning Mode: could doing so allay my fears? As it is now, I'm unsure it would, as even with an explicit rule for my cloning app, not all access is allowed.

Learning mode is not secure, and should only be used until all rules for required communications have been created. After that, Automatic mode should be used. This is the best way for creating your rules and getting the firewall established with your normal internet activities, including program usage. Creating explicitly defined rules for an app works just as well, if not better.

> Any thoughts or advice would be greatly appreciated!

I would have to guess that if you have your rules defined and you are still unable to run your program, there is a different module involved or HIPS was not properly set up against the app or apps. We would need to discuss the actual HIPS setting to apply as well as what part of HIPS may be causing this. What is your disk clone app?
thor3 (Author), Posted November 27, 2013

Thanks for the reply. I'll give Learning Mode a try and see what happens. At the very least it could keep me from having to manually create rules for multiple programs, and might address my concerns of HIPS interfering with applications without my knowledge.

The disk cloning app I use is called Casper, by Future Systems Solutions (works great, BTW). With the HIPS allow rule I created, Casper reports it completes a clone successfully, but it concerns me that the HIPS logs show that for some operations only some access was allowed when I expected all access to be allowed.
Arakasi, Posted November 27, 2013

You can really dig down into the HIPS and find out what is flagging it. Just have to know what you're looking for. ESET has stated before it's normal on some of those logs. This is a good KB on it: hxxp://kb.eset.com/esetkb/index?page=content&id=SOLN2908
Marcos (Administrators), Posted November 27, 2013

I'd suggest enabling logging of blocked operations in the advanced HIPS setup, reproducing the problem and then checking the HIPS log for detailed information about the rules that caused some blocking. This should show which rules need to be adjusted to allow the blocked operations. We'd appreciate it if you could tell us what rule is causing the issue.