Jump to content

HIPS filtering modes


Recommended Posts

I want a really good protection against sophisticated hackers who might want to target me and infect me with some keyloggers and other spywares they created in order to steal information from my PC like bank/credit card details and sensitive passwords I have for cryptocurrency exchanges. I realized that there are keyloggers that can evade detection by many kinds of anti-viruses so I want the best chance to notice something suspicious happening on my PC in a case where I am being targeted by a sophisticated hacker and I don't care if its unlikely so I switched on the "interactive mode" in the hips setting and i get so much of notification windows telling me to allow or disable actions of applications and I have some questions about those different filtering modes.

Is the "regular protection" still on?, like if the anti-virus will detect a key-logger or other malware it will detect and block it automatically without being dependent on my decision?.

How do I know what exactly a specific potential threat is doing like if its recording keystrokes or clipboard? it will appear in the notification or all the information I can get is if the potential threat is starting a new application or modify another?.

The "learning mode" is basically allowing any application I have on my PC in a short period of time and then ask me about anything new in the PC after that time period is passed?

 

Link to comment
Share on other sites

5 hours ago, red pill said:

I want a really good protection against sophisticated hackers who might want to target me and infect me with some keyloggers and other spywares they created in order to steal information from my PC like bank/credit card details and sensitive passwords I have for cryptocurrency exchanges.

Your best protection against financial malware is to perform all like activity in Eset Banking and Payment Protection feature. As far as keyloggers go, you're covered since BP&P scrambles all your keystrokes. The HIPS per se has no dedicated keylogger protection. The HIPS option of global hook detection, i.e. global keylogging,  only works in XP as discussed in a past forum posting. Don't know if that has been changed in regards to latter OS versions but doubt it.

As far as the HIPS learning mode, you leave it enabled as long as it takes to create rules for your normal system activities. Then you switch the HIPS to interactive or policy mode. In policy mode, the HIPS blocks anything that does have an allow rule associated with it.

You will also have to manually switch back to learning mode whenever you install anything or perform Win updates. Also Win 10 store apps could be problematic since they are constantly being updated with new program names being generated for most of them.

Link to comment
Share on other sites

56 minutes ago, itman said:

Your best protection against financial malware is to perform all like activity in Eset Banking and Payment Protection feature. As far as keyloggers go, you're covered since BP&P scrambles all your keystrokes. The HIPS per se has no dedicated keylogger protection. The HIPS option of global hook detection, i.e. global keylogging,  only works in XP as discussed in a past forum posting. Don't know if that has been changed in regards to latter OS versions but doubt it.

As far as the HIPS learning mode, you leave it enabled as long as it takes to create rules for your normal system activities. Then you switch the HIPS to interactive or policy mode. In policy mode, the HIPS blocks anything that does have an allow rule associated with it.

You will also have to manually switch back to learning mode whenever you install anything or perform Win updates. Also Win 10 store apps could be problematic since they are constantly being updated with new program names being generated for most of them.

I can't rely solely on BPP cause I need serious protection for my email password as well and it will cost me a lot of money if somebody will get my email password or even other kind of information I type or past with the clip board.

Is switching the firewall feature on ESET to "learning mode" and then to "interactive mode" can help me at least stop potential spyware from sending information to the hacker?.

 

Edited by red pill
Link to comment
Share on other sites

12 hours ago, red pill said:

Is switching the firewall feature on ESET to "learning mode" and then to "interactive mode" can help me at least stop potential spyware from sending information to the hacker?.

Questionable. The attacker could inject the browser with a keylogger for example. @TomFace suggestion of using a password manager is a good one and should definitely be considered.

You could also explore using a standalone e-mail client since these are less targeted by keyloggers.

The main issue is if an attacker can install a global keylogger on your device. With this he can capture keystrokes from any app. Eset has improved its detection against these. It recently detected a .Net based one I created some time ago for testing purposes. It appears it is monitor for select API usage common to global keylogging and if detected, the process is uploaded via LiveGrid for inspection and eventual signature creation.

So yes, interactive firewall monitoring of outbound traffic could  detect a data upload. However, this is easier said than done. Also, the same issue with Win 10 store apps manifests in firewall rules since again, their process names are constantly changing. An "eye opener" is a review of the Win firewall log. What Win 10 does is dynamically delete old store app Win firewall rules and create new ones every time a Win 10 app is updated to a new name(version). Adobe Reader updater is also another app that performs like activity.

Link to comment
Share on other sites

24 minutes ago, itman said:

Questionable. The attacker could inject the browser with a keylogger for example. @TomFace suggestion of using a password manager is a good one and should definitely be considered.

You could also explore using a standalone e-mail client since these are less targeted by keyloggers.

The main issue is if an attacker can install a global keylogger on your device. With this he can capture keystrokes from any app. Eset has improved its detection against these. It recently detected a .Net based one I created some time ago for testing purposes. It appears it is monitor for select API usage common to global keylogging and if detected, the process is uploaded via LiveGrid for inspection and eventual signature creation.

So yes, interactive firewall monitoring of outbound traffic could  detect a data upload. However, this is easier said than done. Also, the same issue with Win 10 store apps manifests in firewall rules since again, their process names are constantly changing. An "eye opener" is a review of the Win firewall log. What Win 10 does is dynamically delete old store app Win firewall rules and create new ones every time a Win 10 app is updated to a new name(version). Adobe Reader updater is also another app that performs like activity.

It will help if I simply disable windows 10 app store and adobe reader updater?, I have no use for those things. ESET can protect me from attacker that try to inject keylogger in my browsers? there is something I can do in the ESET configurations to increase my protection against it?.

9 hours ago, Marcos said:

You can also consider applying extra anti-ransomware HIPS rules as per https://support.eset.com/kb6119/, however, these might produce false positives at times if you use scripts.

It will work on my ESET smart security premium?, it seems like the article is about different version of ESET anti virus. It will give me better protection against global keylogger and keylogger injection?.

i don't have much problem with some false positives once in a while.

Link to comment
Share on other sites

50 minutes ago, red pill said:

It will help if I simply disable windows 10 app store and adobe reader updater?

It will help in regards to outbound firewall rules but won't cover all instances. Win 10 has system level apps that are like updated on a frequent basis.

50 minutes ago, red pill said:

ESET can protect me from attacker that try to inject keylogger in my browsers? there is something I can do in the ESET configurations to increase my protection against it?.

Eset has advanced memory scanning protection which is effective as long as the code signature is known. You can create HIPS rules for browser processes to prevent any process modification activities. Of course, you will need to create corresponding allow rules for legit processes that do like activities; e.g. explorer.exe, runtimebroker.exe, etc.. -EDIT- Also the previous method is not "bullet proof." Malware could inject the parent process and hook a thread into the child process. So now we need to protect the parent process, and its parent process, ad infinitum …… So view process protection as best guess effort.

50 minutes ago, red pill said:

It will work on my ESET smart security premium?

Yes. 

Edited by itman
Link to comment
Share on other sites

I got a bit "carried away" in my previous posting. Windows is such a "piece of garbage" security-wise, I can't control myself when thinking about the issue.

The odds of a stand-alone keylogger being dropped on a device these days is about nill. Keyloggers these days are packaged in financial based malware along with a whole bunch of other nasty such credential stealing stuff and the like. Eset has always performed exceptionally well in AV lab tests against financial malware; in almost all tests over time scoring 100% detection.

Emotet is a nasty bugger that Eset has one of the best detection rates against:

Quote

WebBrowserPassView is a password recovery tool that captures passwords stored by Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera and passes them to the credential enumerator module.

Mail PassView is a password recovery tool that reveals passwords and account details for various email clients such as Microsoft Outlook, Windows Mail, Mozilla Thunderbird, Hotmail, Yahoo! Mail, and Gmail and passes them to the credential enumerator module.

https://www.us-cert.gov/ncas/alerts/TA18-201A

Note above how passwords are stolen by Emotet. Not by a keylogger, but by misuse of legit password recovery tools.

Also Emotet's primary deployment method is via phishing e-mail. Likewise, much less sophisticated phishing e-mails attacks are also very successful. Like the one from supposedly your e-mail provider that looks for all intent and purpose as legit. It usually states your password has been compromised and you need to change it with a link provided to supposedly your e-mail provider logon-on page. You click on it and arrive at a web page that appears to be your e-mail provider logon page. Well, it isn't and  you enter your old password and new password. Attacker subsequently logs on to your e-mail account and does change the password to the value you previously entered. You've just been pwned and are completely clueless to how it happened. Oh, about that confirmation e-mail you should receive about the password change. Attacker will make sure its deleted upon arrival.

Tip - almost all browsers have a setting that allows for storing of user names and passwords. Make sure that setting is disabled. Likewise, make sure your e-mail client is not configured to save your e-mail server connection password.

Edited by itman
Link to comment
Share on other sites

Here's another clever phishing e-mail password attack currently circulating:

Quote

EdgeWave has confirmed BleepingComputer's suspicion that this is being done to double-verify the password and that it is not currently a common practice. Phishing expert NullCookies also told BleepingComputer that only a "subset of kits do that". 

NullCookies also stated that continuously "showing an incorrect password alert can also be used to avoid redirecting to the impersonated company’s website." This gives the phishing scam additional concealment.

https://www.bleepingcomputer.com/news/security/voicemail-phishing-campaign-tricks-you-into-verifying-password/

Edited by itman
Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...