HIPS default rules

The question of being able to list the internal rules has come up previously. Lack of response from Eset in this regard indicates they have chosen to keep the rules private for security and proprietary reasons I assume. Eset is pretty "tight lipped" in regards to publicly posting details on their internal security mechanisms. 

Additionally, save yourself the effort of trying to read the associated .bin file. It is undecipherable to other than the Eset software developers. 

Edited by itman

It's a pity that Eset makes a secret of it. How it can then protect the policy is very difficult to understand at ESET.

10 hours ago, Marcos said:

There are no default rules

So, are you saying that HIPS is just an empty box, waiting to be filled with customized rules?????

I have been using ESET for almost 5 years now on 3 PCs, with HIPS set on "Smart mode", yet I never got a HIPS related alert unless I created a custom rule.

The consensus here on this forum is that HIPS is another layer of defense, and if malware is not detected by this or that, for sure it is going to be blocked by HIPS.

Really disappointed to hear that in fact HIPS doesn't do too much in fighting malware.

  • Administrators

HIPS is a fundamental component that provides information about system operations to other HIPS-based protection modules, such as Self-defense, Advanced Memory Scanner, Exploit Blocker and Ransomware shield. Therefore disabling HIPS would subsequently reduce detection and protection capabilities of the product. Simple HIPS rules cannot work without producing false positives.


28 minutes ago, Marcos said:

Simple HIPS rules cannot work without producing false positives.

So, if HIPS is strictly used internally, why make it visible and accessible to users???

Why offer the option to disable it???? 

This creates a false sense of security (ESET has HIPS but XXXX antivirus doesn't)

Edited by claudiu

Eset never designed its HIPS for extensive user configuration. That becomes rather obvious when noting features missing in it compared to stand-alone HIPS software like Outpost, Online Armor, etc.; all of which are no longer supported. I believe the only user configurable HIPS in use is Comodo's Defense+. And its expanded features have been abandoned by most of its users in favor of sandboxing, etc.. There has been a few new "upstarts" to the HIPS arena like reHIPS but those are geared to the commercial market.

Bottom line is that no one these days wants to go through the effort to properly configure and maintain an extensive custom HIPS rule set and that includes most IT system pros. Mainstream AV vendors abandoned the user HIPS market because it became unprofitable for them due to lack of user knowledge in again, how to configure and maintain them. Case in point are user postings on the Eset forum about the HIPS not performing properly when in effect it was a lack of knowledge in how to properly configure its rules. It's not the vendors responsibility to instruct one on how to do so.

Edited by itman

I will state this in regards to the Eset HIPS.

I have a number of HIPS rules since I tend to be a bit paranoid when it comes to security. Other than those rules being triggered by legit user and software activity, they have never been activated by any malware activity. Eset's primary protection function is to prevent malware from executing in the first place. In that regard, it has done an excellent job in the years I have used it. Sadly, I can't say the same from other security solutions I have used in the past.


1 hour ago, itman said:

user postings on the Eset forum about the HIPS not performing properly when

I am not posting about HIPS not performing properly, I am posting about HIPS not performing AT ALL. As I said, in almost 5 years and on 3 PCs I never had a HIPS related alert, so what's the point in advertising HIPS as long as its only purpose is to assure ESET functionality, not to add another layer of protection.

13 minutes ago, itman said:

In that regard, it has done an excellent job in the years I have used it

This was supposed to be posted in "ESET and AV Comparatives"; here the discussion is purely technical...

  • Administrators

ESET's approach is not to bother users with prompts and pop-ups; instead all actions are performed automatically. The fact that you haven't ever seen any notification from HIPS/Advanced Memory Scanner/Exploit Blocker and Ransomware shield is good; otherwise it'd mean you were hit by malware which ESET detected and blocked.


6 hours ago, Marcos said:

ESET's approach is not to bother users with prompts and pop-ups; instead all actions are performed automatically. The fact that you haven't ever seen any notification from HIPS/Advanced Memory Scanner/Exploit Blocker and Ransomware shield is good; otherwise it'd mean you were hit by malware which ESET detected and blocked.

Case in point is when "log all blocked activity" is enabled in Eset HIPS Advanced settings. Below is a screen shot showing attempted system process modification activity being silently blocked. Note: the bug showing an invalid Operation in the log file is still not fixed.

[Screenshot attachment: Eset_HIPS.png]

1 hour ago, Marcos said:

No problem here with the HIPS module 1322:

Is that a pre-release update? I am still stuck at 1320 on ver. 11.1.54.


On 6/28/2018 at 4:54 PM, Marcos said:

HIPS is a fundamental component

Yet I do not understand why HIPS, a "fundamental component", can be disabled by any regular user in ESET settings.

1 hour ago, claudiu said:

Yet I do not understand why HIPS, a "fundamental component", can be disabled by any regular user in ESET settings.

Oh my, we are really now "stretching" to find fault, aren't we?

If that issue concerns you, simply password protect your Eset GUI settings.

-EDIT- Also, as far as I am aware, SUAs cannot modify Eset settings. And in the case they can, the setting in the following screen shot will prevent it, since they can't elevate to full admin status:

[Screenshot attachment: Eset_Admin.png]

Quote

Require full administrator rights for limited administrator accounts – Select this to prompt the current user (if he or she does not have administrator rights) to enter an administrator username and password when modifying certain system parameters (similar to the User Account Control (UAC) in Windows Vista and Windows 7). Such modifications include disabling protection modules or turning off the firewall. On Windows XP systems where UAC is not running, users will have the Require administrator rights (system without UAC support) option available.

https://help.eset.com/eis/11.1/en-US/idh_config_environment.html?idh_config_password.html

Edited by itman

I will also say this about Eset's HIPS. If one is willing to put forth the effort and has the system knowledge to do so, you can make your system pretty much "bullet proof" with it.

For example, I have done extensive testing with the HIPS in regards to process .dll injection: direct, reflective, APC, and process hollowing. In every case, the HIPS detected the activity. The ease with which it did so is unparalleled in any previous like HIPS solution I have used. One rule, ask/block process modification, did so. This contrasts sharply with other security solutions that are still struggling with blocking process hollowing activities.

Edited by itman

57 minutes ago, itman said:

In every case, the HIPS detected the activity.

I have no doubt that, with proper rules, HIPS works. What I am saying is, in default mode HIPS is an empty box, with the only purpose to make some other modules functional.

In default mode HIPS doesn't add another layer of protection.

I asked ESET, in the past, to provide the rules (rather than KB articles on how to create certain rules), all disabled, and give the user the possibility to enable them as necessary.

13 hours ago, claudiu said:

I asked ESET, in the past, to provide the rules (rather than KB how to create certain rules)

I also believe you have a problem fully comprehending the English language.

This was explained in prior postings in this thread. When Eset feels the situation warrants it, they will post a KB article in regards to recommended HIPS rules. This is almost always in regards to the Endpoint product, which is installed in corp. environments and maintained by IT system professionals. Eset will never provide HIPS rules for the retail versions because most end users are not properly trained to create and maintain such rules. Nor are they trained to respond properly to the possible negative effects those rules could create on system and app process execution.

If you want to "play around" with creating HIPS rules, there are a number of third party security solutions that allow you to do so. I already mentioned one, reHIPS. There are others. Most of these solutions have sections on security forums like wilderssecurity.com and malwaretips.com where there are a number of members that will assist in configuration and operational issues.


  • Administrators

Since everything has been said, we'll draw this topic to a close. To sum it up: HIPS is a fundamental protection module whose outcome of processing is leveraged by Self-defense, Exploit Blocker, Advanced Memory Scanner and Ransomware Shield. Those who want to set up additional HIPS rules and accept a certain level of false positives that custom rules may produce can create their own rules.

  • Marcos locked this topic
This topic is now closed to further replies.