Posted

Hi,

I'm looking for some assistance please. Earlier this year one of our customers had a security breach, and when we spoke to ESET support they recommended we take a look at the following article and follow its steps to configure HIPS rules to protect against ransomware:

https://support.eset.com/kb6119/?locale=en_US&viewlocale=en_US

My issue is that now within ESET Remote Administrator, we sometimes get 20-100 alerts on lots of devices, usually:

' HIPS - Start new application - 'Computer Name' - Deny child processes for powershell.exe - blocked - C:\WINDOWS\System32\Conhost.exe'

Is there a way to stop these alerts being generated? It can take quite a while to clear them all every day.

Thanks,
Rob

  • Administrators
Posted

Normally HIPS should be used without custom rules. If one applies the extra rules for improved protection against ransomware, he or she should know how to remedy possible issues stemming from the rules. Please disable the HIPS rule(s) that are causing issues with PowerShell.

Posted
5 minutes ago, Marcos said:

Normally HIPS should be used without custom rules. If one applies the extra rules for improved protection against ransomware, he or she should know how to remedy possible issues stemming from the rules. Please disable the HIPS rule(s) that are causing issues with PowerShell.

Hi Marcos,

If I disable the HIPS rule (Deny child processes for powershell.exe), won't that leave the computers more vulnerable to ransomware attack?

Thanks,

Rob

  • Administrators
Posted
33 minutes ago, Robert Andrews said:

If I disable the HIPS rule (Deny child processes for powershell.exe), won't that leave the computers more vulnerable to ransomware attack?

You could try creating another rule like "Deny child processes for powershell.exe" but change the action to Allow and enter "C:\WINDOWS\System32\Conhost.exe" as the target application.

If there is a specific application that runs powershell, a better and probably also safer solution would be to create a permissive rule for that application and "powershell.exe" as the target application. Also create a blocking rule for powershell.exe with no application listed in the target application list. That way only the desired application will be able to run powershell.
