Jump to content

NOD v7 HIPS and Process Explorer


Carbonyl
 Share

Recommended Posts

Hello.

 

I recently switched to NOD v7, and overall have been very happy since the transition. The only thing that has me somewhat worried is that I tend to have Process Explorer running at all times on my computer. Checking the verbose logs on NOD show that the HIPS is constantly blocking Process Explorer:

 

2/7/2014 8:51:01 PM C:\Users\[REDACTED]\AppData\Local\Temp\procexp64.exe Get access to another application C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe some access blocked Self-Defense: Protect ekrn and egui processes Terminate/suspend another application,Modify state of another application

2/7/2014 8:51:01 PM C:\Users\[REDACTED]\AppData\Local\Temp\procexp64.exe Get access to another application C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe some access blocked Self-Defense: Protect ekrn and egui processes Terminate/suspend another application,Modify state of another application,Get access to another application

2/7/2014 8:51:01 PM C:\Users\[REDACTED]\AppData\Local\Temp\procexp64.exe Get access to another application C:\Windows\System32\lsass.exe some access blocked Self-Defense: Do not allow modification of system processes Terminate/suspend another application,Modify state of another application

 

etc, etc. It keeps doing this.

 

I've turned off logging (because that would be absurd, at 10-20 messages a second), but I'm concerned that this is still happening in the background while I run process explorer. HIPS is a new thing to me, though, so I'm unsure of how to add Process Explorer to any exceptions, or what exceptions to add. As it is, I fear that my computer is constantly having this conflict happening in the background. If anyone could advise me as to what I ought to do, I'd be most appreciative.

Link to comment
Share on other sites

Hello Carbonyl,

 

HIPS is intrusion detection, therefore it is very delicate when it comes to intrusive applications similar to process explorer that really requests and interacts with crucial windows system processes.

My main concern would be if you were having issues with process explorer running correctly, or giving back misinformation, or any memory errors or application errors received from procexp.

 

If you are not, i would not worry to much about it ; however, if you wish to allow procexp access to the other system files you need only switch the HIPS mode temporarily enough to create a rule.

Or you can create a rule manually.

 

- Open ESET

- Hit F5 or select Setup, then Advanced Setup

- Drill down to HIPS

- Select Configure Rules under Rules Editor

- Click New

- Give the rule a name, and choose Action Allow, you can even have user notification should the rule initiate or get used.

- At the bottom you have to set what kind of access you would like to give it. Be diligent at this point, as the feature and design is very thorough in terms of what you want.

Applications (ie. procexp) Files, & Registry - use the logging to determine what you want to give it full access to etc.

 

Thanks for posting, and report back on your success, including change logs, or additional questions. :)

Link to comment
Share on other sites

Thanks much for the advice, Arakasi! I went ahead and tried to add a rule as you directed, allowing Process Explorer (and it's 64 bit version) to access programs and files. Sadly the logs persist in piling up.

 

If it's safe to let this keep going as it does, I'm fine with that. I just have an unsettling feeling that the constant barrage of activity, blocking, activity, blocking, activity, blocking, on and on and on, is causing unnecessary wear on my SSD and CPU. SSDs only have so many write cycles in a lifetime, so if it's persistently writing over and over and over again because of this I risk shortening it's lifetime.

Link to comment
Share on other sites

  • Administrators

I'd strongly recommend keeping logging of all blocked operations disabled or you may end up with huge HIPS logs soon, not to mention the impact on performance when debug logging is enabled.

Link to comment
Share on other sites

Follow Marcos advise, the logging option is there to be used/enabled when troubleshooting an issue you may have with ESET i.e if you believe the HIPS is blocking operations of another software so it doesn't work correctly. Not to be enabled all the time. As the log can grow rapidly to hundreds of MB or even GB size wich I am sure you don't want or need.

Edited by SweX
Link to comment
Share on other sites

Duly noted, and thank you. It's now disabled. But in the meantime, what should I do to prevent this issue in the future, regarding the fact that ESET and Process Explorer are in a near-constant state of conflict? And even an exception rule doesn't seem to change that?

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...