
urgent: Last update seems to have messed with HIPS



Hello.

Background:

I updated ESET Internet Security to the latest version yesterday and all went fine till early today.

My HIPS has predefined rules from the "learning mode", after which I set it to "interactive mode". I did this months ago.

 

Problem:

Today, all of a sudden, HIPS started prompting me for every application I would run, even though they are already in the predefined rules. HIPS seems to have ignored the predefined rules, as every app I run, be it Chrome, Firefox or VLC, prompts for action.

Coincidence or not, I realized this 6 minutes after ESET updated its detection engine to 18268.

 

What has gone wrong??

 

Edited by mateusb

  • Administrators

If the problem persists after a computer restart, generate a complete application dump via the advanced setup -> tools -> diagnostics -> generate (dump) when the issue occurs.

Then gather logs and dump with ELC, create a support ticket with your local customer care and provide them with the generated archive and with the file "C:\ProgramData\ESET\ESET Security\HipsRules.bin".






 

@mateusb:

12 hours ago, mateusb said:

Coincidence or not, I realized this 6 minutes after ESET updated its detection engine to 18268.

No, the culprit is a HIPS module update, read on for the full details!...

@Marcos:

12 hours ago, Marcos said:

If the problem persists after a computer restart (...)

This new HIPS bug definitely persists across every computer restart and it was for sure introduced with the newest HIPS module update, HIPS V1332-20181008, subdirectory '..\1541\', installed on my PC on 20181024! It's a horrible pain to have to live with this HIPS module version!!! (I'm using EIS V11.2.63.) And it's ridiculously easy to reproduce the bug with this program (XYplorer, an Explorer alternative), https://www.xyplorer.com/.

The reproduction procedure:

0. Look very closely at picture #1 (since HIPS V1332-20181008 such HIPS popups (i.e. "get access to another application") are popping up endlessly and you can save them forever, with no apparent success: they are ignored completely!!! As you can see in picture #2).

1. install a trial version of XYplorer, https://www.xyplorer.com/. With this program the bug can be shown in its full extent ridiculously easily. (That's the way I fully tested this. Optionally, to spare some time, you could possibly try it with Opera V12.x, Firefox V62(+), Vivaldi V1.x(+) - all of these now generate a HIPS popup with "get access to another application", since HIPS V1332-20181008 only, though all of these programs have had existing HIPS rules for years. Or try it with Opera V50+ / Vivaldi V2.x (totally untested).)

2. switch HIPS into interactive mode

3. start XYplorer, a HIPS popup similar to the one in picture #1 appears, save the rule as ALLOW (look closely at #1, radio button and check boxes)

4. there might appear other HIPS popups, answer them with "remember until application quits" plus ALLOW, concentrate on the XYplorer ones only!

5. the next HIPS popup from XYplorer appears, over and over again, with the 100% identical rule that you have stored already! Store at least three of them. XYplorer never opens until you answer this specific HIPS popup with "remember until application quits" plus ALLOW button! After that XYplorer works until you close the program and restart it.

6. restart XYplorer and the very same HIPS popup madness starts over again! Store another one of these rules. Answer the next HIPS popup with "remember until application quits" plus ALLOW button, close XYplorer.

7. edit your HIPS rules and check that every one of your just-saved rules was saved indeed!... (See picture #2!)

ESET: no offence, but I really don't know how this blatantly obvious bug could slip through your quality control unseen. Of course, nobody will notice this bug ever if not using HIPS in interactive mode (hint, hint!)...





 

How much more proof does ESET need this time until it acknowledges this bug?!?

(edit: ouch, wrong HIPS version in the enclosed picture file names, it should be HIPS V1332-20181008, subdirectory '..\1541\', not HIPS V1541.)




 

#1-EIS-V11-2-63-(totally-bugged-HIPS-V1541-20181008,a-whole-bunch-of-the-SAME-HIPS-popups-forever!!!).jpg

#2-EIS-V11-2-63-(totally-bugged-HIPS-V1541-20181008,'get-access-to-another-application',saved-rule-is-EMPTY,there-is-no-'get-access-to-another-application'!).jpg

Edited by mma64
corrected a bunch of typos... Later: extended reproduction procedure with a bunch of browsers showing the very same bug.

I had a similar issue with the module updates today - Windows logon was horribly slow.

To resolve this, I worked with Technical Support to perform the following:

1. Changed CLIENT update policy to use "Pre-Release Update"

2. Updated all client modules

3. Changed HIPS to "Automatic mode" (we were set to an expired "Learning Mode")

4. Reverted the CLIENT update policy to "Regular Update"

I hope this helps!

Take care,

Mat


  • ESET Moderators

Hello guys,

we identified an issue with the released HIPS support module 1332, we are right now preparing a module revert to the previous HIPS version, which will resolve the issue.

We apologize for the inconvenience caused.

Regards, P.R.


  • Most Valued Members
21 minutes ago, Peter Randziak said:

Hello guys,

we identified an issue with the released HIPS support module 1332, we are right now preparing a module revert to the previous HIPS version, which will resolve the issue.

We apologize for the inconvenience caused.

Regards, P.R.

It seems that it has been reverted to 1331 over here, using ESET Internet Security 12.0.27.0


@MathewCXT:

6 hours ago, MathewCXT said:

Windows logon was horribly slow

If you were in learning mode then check your HIPS rules please: it might be chock-full of (empty, see picture #2) learning mode rules regarding "get access to another application" ones... (As explained above: you will never get out of the "get access to another application" HIPS popups loop if you "dare" to save the seemingly new HIPS rule(s)! And the corresponding program will never proceed with opening (XYplorer, Firefox) - unless you answer the popup with "remember until application quits" plus ALLOW button. Closing the program and restarting it leads to the same HIPS popup madness again...)

6 hours ago, MathewCXT said:

Changed HIPS to "Automatic mode"

The only HIPS mode in which you will notice this bug is the interactive one.

@Rami:

35 minutes ago, Rami said:

It seems that it has been reverted to 1331 over here, using ESET Internet Security 12.0.27.0

Not the case with EIS V11.2.63 to this very moment, i.e. 10:53 CET. Hopefully the mentioned HIPS module reversion is far more speedy than the usual HIPS module rollout (HIPS V1332-20181008 was installed on my PC on 20181024 (!)...)
 


37 minutes ago, mma64 said:

Hopefully the mentioned HIPS module reversion is far more speedy than the usual HIPS module rollout

"wow", this time a fast HIPS module update, automatic AV update has just fetched HIPS V1331.1-20181025, subdirectory '..\1543\'  - and guess what: no more the totally same "get access to another application" HIPS popups appearing over and over again, if in HIPS interactive mode and "daring" to save them! (And subdirectory '..\1541\', HIPS V1332-20181008, was deleted automatically.)
 
