Robert Andrews, posted August 20, 2018:

Hi,

I'm looking for some assistance please.

Earlier this year one of our customers had a security breach and when we spoke to ESET support they recommended we take a look at the following article and follow its steps to configure HIPS rules to protect against ransomware:

https://support.eset.com/kb6119/?locale=en_US&viewlocale=en_US

My issue is that now within ESET Remote Administrator, we sometimes get 20-100 alerts on lots of devices, usually:

'HIPS - Start new application - 'Computer Name' - Deny child processes for powershell.exe - blocked - C:\WINDOWS\System32\Conhost.exe'

Is there a way to stop these alerts being generated? It can take quite a while to clear them all every day.

Thanks,
Rob

Marcos (Administrators), posted August 20, 2018:

Normally HIPS should be used without custom rules. If one applies the extra rules for improved protection against ransomware, he or she should know how to remedy possible issues stemming from the rules.

Please disable the HIPS rule(s) that are causing issues with PowerShell.

Robert Andrews, posted August 20, 2018:

5 minutes ago, Marcos said:

> Normally HIPS should be used without custom rules. If one applies the extra rules for improved protection against ransomware, he or she should know how to remedy possible issues stemming from the rules.
>
> Please disable the HIPS rule(s) that are causing issues with PowerShell.

Hi Marcos,

If I disable the HIPS rule (Deny child processes for powershell.exe), won't that leave the computers more vulnerable to ransomware attack?

Thanks,
Rob

Marcos (Administrators), posted August 20, 2018:

33 minutes ago, Robert Andrews said:

> If I disable the HIPS rule (Deny child processes for powershell.exe), won't that leave the computers more vulnerable to ransomware attack?

You could try creating another rule like "Deny child processes for powershell.exe" but change the action to Allow and enter "C:\WINDOWS\System32\Conhost.exe" as the target application.

If there is a specific application that runs powershell, a better and probably also safer solution would be to create a permissive rule for that application and "powershell.exe" as the target application. Also create a blocking rule for powershell.exe with no application listed in the target application list. That way only the desired application will be able to run powershell.
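
An added example, not part of the thread and not ESET code: before creating the Allow exception discussed above, it helps to see which target applications the "Deny child processes for powershell.exe" rule is actually blocking and on how many machines. The script assumes the alerts have been copied out of the console as text lines in the layout quoted in the first post; the sample lines, computer names and the `example.exe` path are constructed.

```python
import re
from collections import Counter

# Layout taken from the alert quoted in the first post (assumed to be stable):
# HIPS - <operation> - '<computer>' - <rule name> - <action> - <target path>
ALERT_RE = re.compile(
    r"^HIPS - (?P<operation>.+?) - '(?P<computer>[^']*)' - (?P<rule>.+?)"
    r" - (?P<action>\w+) - (?P<target>.+)$"
)

def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line does not match."""
    m = ALERT_RE.match(line.strip().strip("'\""))
    return m.groupdict() if m else None

def summarize(lines):
    """Group alerts by (rule, target) and count alerts and distinct computers."""
    counts, hosts = Counter(), {}
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue  # not a HIPS alert line in the expected layout
        # Windows paths are case-insensitive, so normalise the target.
        key = (alert["rule"], alert["target"].lower())
        counts[key] += 1
        hosts.setdefault(key, set()).add(alert["computer"])
    return [
        {"rule": rule, "target": target, "alerts": n,
         "computers": len(hosts[(rule, target)])}
        for (rule, target), n in counts.most_common()
    ]

# Constructed sample input (not real alert data).
RULE = "Deny child processes for powershell.exe"
SAMPLE = [
    rf"HIPS - Start new application - 'PC-01' - {RULE} - blocked - C:\WINDOWS\System32\Conhost.exe",
    rf"HIPS - Start new application - 'PC-02' - {RULE} - blocked - C:\Windows\System32\conhost.exe",
    rf"HIPS - Start new application - 'PC-01' - {RULE} - blocked - C:\WINDOWS\System32\Conhost.exe",
    rf"HIPS - Start new application - 'PC-03' - {RULE} - blocked - C:\Users\Public\example.exe",
    "unrelated line",
]

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(f'{row["alerts"]:>4} alerts on {row["computers"]} computer(s): '
              f'{row["rule"]} -> {row["target"]}')
```

A target that dominates the summary and is expected, such as Conhost.exe here, is a candidate for the narrow Allow rule; any other blocked target is worth investigating rather than allowing.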