Robert Andrews (0) - Posted August 20, 2018

Hi, I'm looking for some assistance please. Earlier this year one of our customers had a security breach and when we spoke to ESET support they recommended we take a look at the following article and follow its steps to configure HIPS rules to protect against ransomware: https://support.eset.com/kb6119/?locale=en_US&viewlocale=en_US

My issue is that now within ESET Remote Administrator, we sometimes get 20-100 alerts on lots of devices, usually:

    HIPS - Start new application - 'Computer Name' - Deny child processes for powershell.exe - blocked - C:\WINDOWS\System32\Conhost.exe

Is there a way to stop these alerts being generated? It can take quite a while to clear them all every day.

Thanks,
Rob
Marcos (Administrators, 5,468) - Posted August 20, 2018

Normally HIPS should be used without custom rules. If one applies the extra rules for improved protection against ransomware, he or she should know how to remedy possible issues stemming from the rules. Please disable the HIPS rule(s) that are causing issues with PowerShell.
Robert Andrews (0, Author) - Posted August 20, 2018

5 minutes ago, Marcos said:
> Normally HIPS should be used without custom rules. If one applies the extra rules for improved protection against ransomware, he or she should know how to remedy possible issues stemming from the rules. Please disable the HIPS rule(s) that are causing issues with PowerShell.

Hi Marcos,

If I disable the HIPS rule (Deny child processes for powershell.exe), won't that leave the computers more vulnerable to ransomware attack?

Thanks,
Rob
Marcos (Administrators, 5,468) - Posted August 20, 2018

33 minutes ago, Robert Andrews said:
> If I disable the HIPS rule (Deny child processes for powershell.exe), won't that leave the computers more vulnerable to ransomware attack?

You could try creating another rule like "Deny child processes for powershell.exe" but change the action to Allow and enter "C:\WINDOWS\System32\Conhost.exe" as the target application.

If there is a specific application that runs powershell, a better and probably also safer solution would be to create a permissive rule for that application and "powershell.exe" as the target application. Also create a blocking rule for powershell.exe with no application listed in the target application list. That way only the desired application will be able to run powershell.
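Before loosening the rule as Marcos suggests, it helps to know which of the 20-100 daily hits are the expected conhost.exe launches and which are something else. The following is an added example, not code from the thread or from ESET: it parses alert lines in the shape quoted in the first post (the field layout is assumed from that single sample), separates hits on the known-benign target from everything else, and lists the Allow-rule targets Marcos's first suggestion would need. The sample alert lines, host names and the update.exe path are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample in the layout of the ERA alert quoted in the thread.
# Assumed format: fields separated by " - ", host name in single quotes.
SAMPLE_ALERTS = """\
HIPS - Start new application - 'WS-001' - Deny child processes for powershell.exe - blocked - C:\\WINDOWS\\System32\\Conhost.exe
HIPS - Start new application - 'WS-002' - Deny child processes for powershell.exe - blocked - C:\\WINDOWS\\System32\\Conhost.exe
HIPS - Start new application - 'WS-003' - Deny child processes for powershell.exe - blocked - C:\\Users\\Public\\update.exe
HIPS - Start new application - 'WS-001' - Deny child processes for powershell.exe - blocked - C:\\WINDOWS\\System32\\Conhost.exe
"""

ALERT_RE = re.compile(
    r"^HIPS - (?P<operation>[^-]+?) - '(?P<host>[^']+)' - "
    r"(?P<rule>.+?) - (?P<action>blocked|allowed) - (?P<target>.+)$"
)

# Child processes of powershell.exe that the thread identifies as expected noise.
# Comparison is case-insensitive because Windows paths are.
EXPECTED_BENIGN = {r"c:\windows\system32\conhost.exe"}


def parse_alert(line):
    """Return the alert fields as a dict, or None if the line does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["target"] = fields["target"].strip()
    return fields


def triage(text):
    """Split blocked HIPS hits into (benign, review) counters keyed by (rule, target)."""
    benign, review = Counter(), Counter()
    for line in text.splitlines():
        alert = parse_alert(line)
        if alert is None or alert["action"] != "blocked":
            continue
        key = (alert["rule"], alert["target"])
        if alert["target"].lower() in EXPECTED_BENIGN:
            benign[key] += 1        # expected conhost.exe launch, candidate for an Allow rule
        else:
            review[key] += 1        # unexpected child of powershell.exe, look at this host
    return benign, review


def allow_rule_targets(benign):
    """Targets an Allow rule (per blocked rule name) would need to silence the benign hits."""
    return sorted({(rule, target) for rule, target in benign})


if __name__ == "__main__":
    benign, review = triage(SAMPLE_ALERTS)
    print("benign:", dict(benign))
    print("review:", dict(review))
    print("allow-rule targets:", allow_rule_targets(benign))
```

Anything that lands in `review` is a child of powershell.exe that the thread's rule set does not explain, so it deserves a look on that host rather than a blanket Allow rule.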