
Updated HIPS rules causing lots of alerts in ERA



Hi,


I'm looking for some assistance please. Earlier this year one of our customers had a security breach and when we spoke to ESET support they recommended we take a look at the following article and follow its steps to configure HIPS rules to protect against ransomware:


https://support.eset.com/kb6119/?locale=en_US&viewlocale=en_US


My issue is that now within ESET Remote Administrator, we sometimes get 20-100 alerts on lots of devices, usually:

' HIPS - Start new application - 'Computer Name' - Deny child processes for powershell.exe - blocked - C:\WINDOWS\System32\Conhost.exe'


Is there a way to stop these alerts being generated? It can take quite a while to clear them all every day.


Thanks,
Rob


  • Administrators

Normally HIPS should be used without custom rules. If one applies the extra rules for improved protection against ransomware, he or she should know how to remedy possible issues stemming from the rules. Please disable the HIPS rule(s) that are causing issues with PowerShell.


5 minutes ago, Marcos said:

Normally HIPS should be used without custom rules. If one applies the extra rules for improved protection against ransomware, he or she should know how to remedy possible issues stemming from the rules. Please disable the HIPS rule(s) that are causing issues with PowerShell.

Hi Marcos,


If I disable the HIPS rule (Deny child processes for powershell.exe), won't that leave the computers more vulnerable to ransomware attack?


Thanks,

Rob


  • Administrators
33 minutes ago, Robert Andrews said:

If I disable the HIPS rule (Deny child processes for powershell.exe), won't that leave the computers more vulnerable to ransomware attack?

You could try creating another rule like "Deny child processes for powershell.exe" but change the action to Allow and enter "C:\WINDOWS\System32\Conhost.exe" as the target application.

If there is a specific application that runs powershell, a better and probably also safer solution would be to create a permissive rule for that application and "powershell.exe" as the target application. Also create a blocking rule for powershell.exe with no application listed in the target application list. That way only the desired application will be able to run powershell.

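An added triage script, not part of the thread and not ESET's own tooling, that parses ERA alert lines in the format of the one quoted above (the field layout is assumed from that single line) and groups blocked targets by rule and host. A target blocked on many machines, like Conhost.exe here, is the kind of fleet-wide noise that the narrow allow rule described above would handle, while a one-off target seen on a single host is the one to investigate before any exemption is made.

```python
import re
from collections import defaultdict

# Alert layout assumed from the one line quoted in the thread:
# HIPS - <operation> - '<computer>' - <rule name> - blocked - <target path>
# The quoted line also carries a stray leading and trailing quote, so both are optional.
ALERT_RE = re.compile(
    r"^\s*'?\s*HIPS - (?P<operation>.+?) - '(?P<computer>[^']+)' - "
    r"(?P<rule>.+?) - (?P<action>blocked|allowed) - (?P<target>.+?)'?\s*$"
)

# Constructed sample alerts (not real ERA output), modelled on the quoted one.
SAMPLE_ALERTS = [
    "' HIPS - Start new application - 'WS-001' - Deny child processes for powershell.exe - blocked - C:\\WINDOWS\\System32\\Conhost.exe'",
    "HIPS - Start new application - 'WS-002' - Deny child processes for powershell.exe - blocked - C:\\WINDOWS\\System32\\Conhost.exe",
    "HIPS - Start new application - 'WS-002' - Deny child processes for powershell.exe - blocked - C:\\Windows\\System32\\conhost.exe",
    "HIPS - Start new application - 'WS-003' - Deny child processes for powershell.exe - blocked - C:\\WINDOWS\\System32\\Conhost.exe",
    "HIPS - Start new application - 'WS-003' - Deny child processes for powershell.exe - blocked - C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe",
    "not an alert line",
]


def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not a HIPS alert."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["target"] = fields["target"].lower()  # Windows paths are case-insensitive
    return fields


def summarize(lines):
    """Group alerts by (rule, target) and record the count and the set of hosts affected."""
    stats = defaultdict(lambda: {"count": 0, "hosts": set()})
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        key = (alert["rule"], alert["target"])
        stats[key]["count"] += 1
        stats[key]["hosts"].add(alert["computer"])
    return stats


def triage(lines, min_hosts=2):
    """Split targets into fleet-wide noise (seen on min_hosts or more machines) and outliers to investigate."""
    noise, investigate = [], []
    for (rule, target), s in summarize(lines).items():
        row = (rule, target, s["count"], sorted(s["hosts"]))
        (noise if len(s["hosts"]) >= min_hosts else investigate).append(row)
    return noise, investigate
```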
