Pierrot, posted April 15, 2019

Hi,

I’m new to Eset and I’ve got a few questions regarding the configuration of HIPS. I searched in the help, in this forum and on the web, but I couldn't find the answer.

I’m actually running HIPS in learning mode, and the first thing I’m wondering about is how I shall choose to allow or not the behaviors listed in the rules created by Eset. Would it be safe to allow any behavior listed, as long as it comes from a program that I know or from a program that is part of Windows?

I’m also wondering what kind of filtering mode I should use afterwards, i.e. when the learning is completed. If I understood well, the safest mode would be the policy-based mode, because it would block everything other than what is described by the rules. Correct? But what if something is blocked? Is there any risk of damage to my computer? Will I get a notification? Will I have a chance to create a new rule to allow the behavior or not?

If I choose the smart or the interactive mode, will these modes refer to the custom rules created by the learning mode or not? When I get a notification, will I have a chance to create a new rule to allow the behavior or not?

Thanks in advance for your answer and kind regards.

Marcos (Administrators), posted April 15, 2019

Choose smart mode, which is a kind of interactive mode with minimum interactions.

Pierrot (Author), posted April 15, 2019

Fine, but do you mean choosing the smart mode after the learning mode has completed, or is it useless to run the learning mode before activating the smart mode?

itman, posted April 15, 2019 (edited)

1 hour ago, Pierrot said:
> If I understood well, the safest mode would be the policy-based mode, because it would block everything other than what is described by the rules. Correct? But what if something is blocked? Is there any risk of damage to my computer? Will I get a notification? Will I have a chance to create a new rule to allow the behavior or not?

In Policy mode, process activity will be blocked for which no existing allow rule exists. You will not receive a notification of the blocked activity. This mode is only suitable for installations where no type of system or app update activity occurs.

1 hour ago, Pierrot said:
> If I choose the smart or the interactive mode, will these modes refer to the custom rules created by the learning mode or not? When I get a notification, will I have a chance to create a new rule to allow the behavior or not?

In Interactive mode, process activity will alert for which no existing allow rule exists. You will receive a notification of the attempted activity, at which time you will be able to create a permanent HIPS rule for the activity.

As explained, Smart mode is just an enhancement of the default HIPS Auto mode. In either of these two modes, all existing and prior created HIPS rules are in effect.

Note: Eset's HIPS is not a "user friendly" HIPS. By that, I mean it doesn't have features like some older HIPS software had, such as an "Installer mode" one could switch to when installing new app software, for example. Such a mode would auto create all the new rules for the app and prevent existing HIPS rules from interfering with the installation. The only alternative with Eset's HIPS is to either switch to Learning mode again prior to installation, or manually respond to each alert generated by the installation when Interactive mode is in effect.

Edited April 15, 2019 by itman

Pierrot (Author), posted April 16, 2019

Hi itman,

Thank you for these explanations; now I understand.

itman, posted April 16, 2019

20 hours ago, itman said:
> Such a mode would auto create all the new rules for the app and prevent existing HIPS rules from interfering with the installation. The only alternative with Eset's HIPS is to either switch to Learning mode again prior to installation, or manually respond to each alert generated by the installation when Interactive mode is in effect.

Also, I was in a rush yesterday and didn't state the above correctly. What was the case in HIPS's "of old" was that Installer mode temporarily disabled the HIPS. And it was used under the category of "Trusted Installers." In other words, those that were properly signed by trusted publishers. BTW - I believe Comodo's HIPS, Defense+, has this feature.

Obviously, disabling Eset's HIPS is strongly not recommended, since "a bunch" of other Eset protections are dependent upon it, including self-protection of Eset. Additionally, a system restart is required to disable Eset's HIPS.

Finally, you really don't want to run Eset's HIPS in Learning mode when performing installs, since it will just allow any malware present to be auto allowed. This leaves Interactive mode as the only viable alternative. And one must have detailed security and system operation knowledge to be able to identify any malicious actions being performed by the installer.

Pierrot (Author), posted April 17, 2019

Thanks again for your explanations, itman; it makes perfect sense. In between, as I haven't got the required knowledge, I'm using HIPS in smart mode. So far, everything is fine. I didn't get any notification.