novice, posted June 28, 2018:
Is it possible to see the HIPS default rules somehow? Thanks!
Marcos (Administrator), posted June 28, 2018:
There are no default rules. Self-defense uses its own internal rules.
itman, posted June 28, 2018:
The question of being able to list the internal rules has come up previously. The lack of response from Eset in this regard indicates they have chosen to keep the rules private for security and proprietary reasons, I assume. Eset is pretty "tight lipped" in regards to publicly posting details on their internal security mechanisms. Additionally, save yourself the effort of trying to read the associated .bin file. It is undecipherable to anyone other than the Eset software developers.
galaxy, posted June 28, 2018:
It's a pity that Eset makes a secret of it. How it can then protect the policy is very difficult to understand, at least at ESET.
novice (author), posted June 28, 2018:
Marcos said: "There are no default rules."
So, are you saying that HIPS is just an empty box, waiting to be filled with customized rules? I have been using ESET for almost 5 years now on 3 PCs, with HIPS set to "Smart mode", yet I never got a HIPS-related alert unless I created a custom rule. The consensus here on this forum is that HIPS is another layer of defense, and if a malware is not detected by this and that, for sure it is going to be blocked by HIPS. Really disappointed to hear that in fact HIPS doesn't do too much in fighting malware.
Marcos (Administrator), posted June 28, 2018:
HIPS is a fundamental component that provides information about system operations to other HIPS-based protection modules, such as Self-defense, Advanced Memory Scanner, Exploit Blocker and Ransomware shield. Therefore disabling HIPS would subsequently reduce the detection and protection capabilities of the product. Simple HIPS rules cannot work without producing false positives.
novice (author), posted June 28, 2018:
Marcos said: "Simple HIPS rules cannot work without producing false positives."
So, if HIPS is strictly used internally, why make it visible and accessible to users? Why offer the option to disable it? This creates a false sense of security (ESET has HIPS but XXXX antivirus doesn't).
itman, posted June 28, 2018:
Eset never designed its HIPS for extensive user configuration. That becomes rather obvious when noting the features missing in it compared to stand-alone HIPS software like Outpost, Online Armor, etc., all of which are no longer supported. I believe the only user-configurable HIPS still in use is Comodo's Defense+, and its expanded features have been abandoned by most of its users in favor of sandboxing, etc. There have been a few new "upstarts" in the HIPS arena like reHIPS, but those are geared to the commercial market. The bottom line is that no one these days wants to go through the effort to properly configure and maintain an extensive custom HIPS rule set, and that includes most IT system pros. Mainstream AV vendors abandoned the user HIPS market because it became unprofitable for them due to lack of user knowledge in, again, how to configure and maintain them. A case in point is user postings on the Eset forum about the HIPS not performing properly when in effect it was a lack of knowledge of how to properly configure its rules. It's not the vendor's responsibility to instruct one on how to do so.
itman, posted June 28, 2018:
I will state this in regards to the Eset HIPS. I have a number of HIPS rules, since I tend to be a bit paranoid when it comes to security. Other than those rules being triggered by legit user and software activity, they have never been activated by any malware activity. Eset's primary protection function is to prevent malware from executing in the first place. In that regard, it has done an excellent job in the years I have used it. Sadly, I can't say the same for other security solutions I have used in the past.
novice (author), posted June 28, 2018:
itman said: "user postings on the Eset forum about the HIPS not performing properly when"
I am not posting about HIPS not performing properly, I am posting about HIPS not performing AT ALL. As I said, in almost 5 years and on 3 PCs I never had a HIPS-related alert, so what's the point in advertising HIPS as long as its only purpose is to assure ESET functionality, not to add another layer of protection?
itman said: "In that regard, it has done an excellent job in the years I have used it"
This was supposed to be posted in "ESET and AV Comparatives"; here the discussion is purely technical...
Marcos (Administrator), posted June 29, 2018:
ESET's approach is not to bother users with prompts and pop-ups; instead all actions are performed automatically. The fact that you haven't ever seen any notification from HIPS/Advanced Memory Scanner/Exploit Blocker and Ransomware shield is good; otherwise it'd mean you were hit by malware which ESET detected and blocked.
itman, posted June 29, 2018:
Marcos said: "ESET's approach is not to bother users with prompts and pop-ups; instead all actions are performed automatically. The fact that you haven't ever seen any notification from HIPS/Advanced Memory Scanner/Exploit Blocker and Ransomware shield is good; otherwise it'd mean you were hit by malware which ESET detected and blocked."
A case in point is when "log all blocked activity" is enabled in the Eset HIPS Advanced settings. Below is a screenshot showing attempted system process modification activity being silently blocked. Note: the bug showing an invalid Operation in the log file is still not fixed.
[screenshot not included in this copy]
Marcos (Administrator), posted June 29, 2018:
No problem here with the HIPS module 1322:
[screenshot not included in this copy]
itman, posted June 29, 2018:
Marcos said: "No problem here with the HIPS module 1322:"
Is that a pre-release update? I am still stuck at 1320 on ver. 11.1.54.
novice (author), posted June 29, 2018:
Marcos said: "HIPS is a fundamental component"
Yet I do not understand why HIPS, a "fundamental component", can be disabled by any regular user in the ESET settings.
itman, posted June 29, 2018:
claudiu said: "Yet I do not understand why HIPS, a "fundamental component", can be disabled by any regular user in the ESET settings."
Oh my, we are really now "stretching" to find fault, aren't we? If that issue concerns you, simply password-protect your Eset GUI settings.
EDIT: Also, as far as I am aware, SUAs cannot modify Eset settings. And in case they can, the following setting (see screenshot) will prevent it, since they can't elevate to full admin status:
Quote: "Require full administrator rights for limited administrator accounts – Select this to prompt the current user (if he or she does not have administrator rights) to enter an administrator username and password when modifying certain system parameters (similar to the User Account Control (UAC) in Windows Vista and Windows 7). Such modifications include disabling protection modules or turning off the firewall. On Windows XP systems where UAC is not running, users will have the Require administrator rights (system without UAC support) option available."
https://help.eset.com/eis/11.1/en-US/idh_config_environment.html?idh_config_password.html
itman, posted June 29, 2018:
I will also say this about Eset's HIPS. If one is willing to put forth the effort and has the system knowledge to do so, you can make your system pretty much "bullet proof" with it. For example, I have done extensive testing with the HIPS in regards to process .dll injection: direct, reflective, APC, and process hollowing. In every case, the HIPS detected the activity. The ease with which it did so is unparalleled in any previous HIPS solution I have used. One rule, ask/block process modification, did so. This contrasts sharply with other security solutions that are still struggling with blocking process hollowing activities.
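The two technical points in this thread are Marcos's remark that simple HIPS rules cannot work without producing false positives and itman's report that a single "ask/block process modification" rule caught direct, reflective, APC and process-hollowing injection. The following added example (not ESET code, not part of the original thread, and not ESET's rule or log format) is a toy HIPS-style rule evaluator written for this page. It replays constructed event sequences through two rules: a broad "block any process modification" rule as itman describes, and a narrower variant scoped to targets that the author of the rule cares about. The event field names, operation names and the sample sequences are assumptions made for illustration; the Windows API names are real primitives that the four injection techniques rely on.

```python
"""Toy HIPS rule evaluator (added example, not ESET's engine or rule format).

An event is one low-level operation a source process performs on a target
process.  A rule matches a set of operations, optionally restricted to a set
of target image names, and yields an action.  'Smart' default behaviour here
is 'allow', i.e. with no rule nothing is blocked, which mirrors the thread's
description of an empty rule set.
"""
from dataclasses import dataclass, field

# Windows primitives that the four injection techniques in the thread use.
# Grouping them under one category is what lets a single rule cover all four.
PROCESS_MODIFICATION = {
    "WriteProcessMemory",      # direct and reflective DLL injection
    "CreateRemoteThread",      # direct injection: run LoadLibrary in target
    "QueueUserAPC",            # APC injection
    "NtUnmapViewOfSection",    # process hollowing: carve out the original image
    "SetThreadContext",        # process hollowing: redirect entry point
}


@dataclass(frozen=True)
class Event:
    source: str      # image name of the acting process (assumed field)
    target: str      # image name of the process being touched (assumed field)
    operation: str   # API-level operation (assumed field)


@dataclass
class Rule:
    name: str
    operations: set
    action: str                         # "allow", "ask" or "block"
    targets: set = field(default_factory=set)   # empty set == any target

    def matches(self, ev: Event) -> bool:
        if ev.operation not in self.operations:
            return False
        return not self.targets or ev.target in self.targets


def evaluate(rules, events):
    """Return a list of (event, action, rule_name) decisions.

    First matching rule wins; with no match the default action is 'allow'.
    """
    decisions = []
    for ev in events:
        for rule in rules:
            if rule.matches(ev):
                decisions.append((ev, rule.action, rule.name))
                break
        else:
            decisions.append((ev, "allow", None))
    return decisions


def blocked_operations(rules, events):
    """Set of operations that the rule set stops for the given sequence."""
    return {ev.operation for ev, action, _ in evaluate(rules, events)
            if action in ("ask", "block")}


# --- constructed sample sequences (not captured from any real system) --------
DIRECT_INJECTION = [
    Event("dropper.exe", "explorer.exe", "OpenProcess"),
    Event("dropper.exe", "explorer.exe", "WriteProcessMemory"),
    Event("dropper.exe", "explorer.exe", "CreateRemoteThread"),
]
PROCESS_HOLLOWING = [
    Event("dropper.exe", "svchost.exe", "CreateProcess"),       # suspended
    Event("dropper.exe", "svchost.exe", "NtUnmapViewOfSection"),
    Event("dropper.exe", "svchost.exe", "WriteProcessMemory"),
    Event("dropper.exe", "svchost.exe", "SetThreadContext"),
    Event("dropper.exe", "svchost.exe", "ResumeThread"),
]
# A debugger attaching to a developer's own program uses the same primitives,
# which is the false-positive case Marcos warns about.
DEBUGGER_ATTACH = [
    Event("devenv.exe", "myapp.exe", "OpenProcess"),
    Event("devenv.exe", "myapp.exe", "WriteProcessMemory"),   # breakpoints
    Event("devenv.exe", "myapp.exe", "SetThreadContext"),
]

# The broad rule from itman's post: every process-modification op is blocked.
BROAD_RULE = [Rule("block process modification", PROCESS_MODIFICATION, "block")]
# A scoped rule: only protect the system processes the rule author names.
SCOPED_RULE = [Rule("block modification of system processes", PROCESS_MODIFICATION,
                    "block", targets={"explorer.exe", "svchost.exe", "lsass.exe"})]

if __name__ == "__main__":
    for label, seq in [("direct", DIRECT_INJECTION), ("hollowing", PROCESS_HOLLOWING),
                       ("debugger", DEBUGGER_ATTACH)]:
        print(label, "broad:", sorted(blocked_operations(BROAD_RULE, seq)),
              "scoped:", sorted(blocked_operations(SCOPED_RULE, seq)))
```

The broad rule stops both injection sequences at their first write into the target, but it also fires on the debugger, which is exactly the false-positive cost of a rule that covers every process. Scoping the rule to named system processes keeps the detection for the injection cases in these samples while letting the developer's debugger through; the trade-off is that a target outside the list is no longer covered, so the scoping decision is where the configuration effort the thread talks about actually goes.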
novice (author), posted June 29, 2018:
itman said: "In every case, the HIPS detected the activity."
I have no doubt that, with proper rules, HIPS works. What I am saying is, in default mode HIPS is an empty box, with the only purpose of making some other modules functional. In default mode HIPS doesn't add another layer of protection. I asked ESET, in the past, to provide the rules (rather than a KB on how to create certain rules), all disabled, and give the user the possibility to enable them as necessary.
itman, posted June 30, 2018:
claudiu said: "I asked ESET, in the past, to provide the rules (rather than a KB on how to create certain rules)"
I also believe you have a problem fully comprehending the English language. This was explained in prior postings in this thread. When Eset feels the situation warrants it, it will post a KB article in regards to recommended HIPS rules. This is almost always in regards to the Endpoint product, which is installed in corporate environments and maintained by IT system professionals. Eset will never provide HIPS rules for the retail versions because most end users are not properly trained to create and maintain such rules. Nor are they trained to respond properly to the possible negative effects those rules could create on system and app process execution. If you want to "play around" with creating HIPS rules, there are a number of third-party security solutions that allow you to do so. I already mentioned one, reHIPS. There are others. Most of these solutions have sections on security forums like wilderssecurity.com and malwaretips.com where there are a number of members who will assist with configuration and operational issues.
Marcos (Administrator), posted June 30, 2018:
Since everything has been said, we'll draw this topic to a close. To sum it up: HIPS is a fundamental protection module whose processing outcome is leveraged by Self-defense, Exploit Blocker, Advanced Memory Scanner and Ransomware Shield. Those who want to set up additional HIPS rules and accept a certain level of false positives that custom rules may produce can create their own rules.