
HIPS: how to choose rules and filtering mode?



Hi,

I’m new to Eset and I’ve got a few questions regarding the configuration of HIPS. I searched in the help, in this forum and on the web, but I couldn't find the answer.

I’m actually running HIPS in learning mode and the first thing I’m wondering about is how I should choose whether or not to allow the behaviours listed in the rules created by Eset. Would it be safe to allow any listed behaviour, as long as it comes from a program that I know or from a program that is part of Windows?

I’m also wondering what kind of filtering mode I should use afterwards, i.e. when the learning will be completed.

If I understood correctly, the safest mode would be the policy-based mode because it would block everything other than what is described by the rules. Correct? But what if something is blocked? Is there any risk of damage to my computer? Will I get a notification? Will I have a chance to create a new rule to allow the behaviour or not?

If I choose the smart or the interactive mode, will these modes refer to the custom rules created by the learning mode or not? When I get a notification, will I have a chance to create a new rule to allow the behaviour or not?

Thanks in advance for your answer and kind regards.


Fine, but do you mean choosing the smart mode after the learning mode has completed, or is it useless to run the learning mode before activating the smart mode?


1 hour ago, Pierrot said:

If I understood correctly, the safest mode would be the policy-based mode because it would block everything other than what is described by the rules. Correct? But what if something is blocked? Is there any risk of damage to my computer? Will I get a notification? Will I have a chance to create a new rule to allow the behaviour or not?

In Policy mode, process activity for which no existing allow rule exists will be blocked. You will not receive a notification of the blocked activity. This mode is only suitable for installations where no type of system or app update activity occurs.

1 hour ago, Pierrot said:

If I choose the smart or the interactive mode, will these modes refer to the custom rules created by the learning mode or not? When I get a notification, will I have a chance to create a new rule to allow the behaviour or not?

In Interactive mode, process activity for which no existing allow rule exists will alert. You will receive a notification of the attempted activity, at which time you will be able to create a permanent HIPS rule for the activity.

As explained, Smart mode is just an enhancement of the default HIPS Auto mode. In either of these two modes, all existing and prior created HIPS rules are in effect.

Note: Eset's HIPS is not a "user friendly" HIPS. By that, I mean it doesn't have features like some older HIPS software had, such as an "Installer mode" one could switch to when installing new app software, for example. Such a mode would auto-create all the new rules for the app and prevent existing HIPS rules from interfering with the installation. The only alternative with Eset's HIPS is to either switch to Learning mode again prior to installation, or manually respond to each alert generated by the installation when Interactive mode is in effect.

Edited by itman

20 hours ago, itman said:

Such a mode would auto-create all the new rules for the app and prevent existing HIPS rules from interfering with the installation. The only alternative with Eset's HIPS is to either switch to Learning mode again prior to installation, or manually respond to each alert generated by the installation when Interactive mode is in effect.

Also I was in a rush yesterday and didn't state the above correctly.

What was the case in the HIPSs "of old" was that Installer mode temporarily disabled the HIPS. And it was used under the category of "Trusted Installers", in other words, those that were properly signed by trusted publishers. BTW, I believe Comodo's HIPS, Defense+, has this feature.

Obviously, disabling Eset's HIPS is strongly discouraged, since "a bunch" of other Eset protections are dependent upon it, including Eset's self-protection. Additionally, a system restart is required to disable Eset's HIPS.

Finally, you really don't want to run Eset's HIPS in Learning mode when performing installs, since it will just cause any malware present to be auto-allowed. This leaves Interactive mode as the only viable alternative. And one must have detailed security and system operation knowledge to be able to identify any malicious actions being performed by the installer.

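To make the differences between the filtering modes described in the two replies above concrete, here is a small Python model of HIPS rule evaluation. It is an added example written for this page, not ESET code, and it does not reproduce ESET's actual rule engine. The rule format, the event fields, the list of "sensitive" registry keys and the Smart-mode heuristic (prompt only when an unsigned process touches a sensitive location) are assumptions; the signed installer and the unsigned "update.exe" events are constructed. It shows the three points made above: Policy mode blocks unknown activity without any prompt, Learning mode writes an allow rule for everything it sees (including the unsigned process), and Interactive mode prompts and turns the user's answer into a permanent rule.

```python
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    AUTOMATIC = "automatic"
    SMART = "smart"
    LEARNING = "learning"
    INTERACTIVE = "interactive"
    POLICY = "policy-based"


@dataclass(frozen=True)
class Rule:
    process: str     # source application path (exact match) - assumed rule shape
    operation: str   # e.g. "write_file", "write_registry"
    target: str      # target path or registry key; prefix match
    action: str      # "allow" or "block"


@dataclass
class Event:
    process: str
    operation: str
    target: str
    signed: bool = True   # assumed trust signal used only by the Smart-mode heuristic


# Assumption: locations that the modelled Smart mode treats as "very suspicious".
SENSITIVE_PREFIXES = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"C:\Windows\System32\drivers",
)


@dataclass
class Hips:
    mode: Mode
    rules: list = field(default_factory=list)
    log: list = field(default_factory=list)

    def find_rule(self, ev):
        for r in self.rules:
            if (r.process == ev.process and r.operation == ev.operation
                    and ev.target.startswith(r.target)):
                return r
        return None

    @staticmethod
    def _suspicious(ev):
        return (not ev.signed) and ev.target.startswith(SENSITIVE_PREFIXES)

    def evaluate(self, ev, answer=None):
        """Return 'allow', 'block' or 'ask'. `answer` is the user's reply to a
        prompt ('allow'/'block'); when given it becomes a permanent rule."""
        rule = self.find_rule(ev)
        if rule is not None:                       # existing rules apply in every mode
            self.log.append((ev, rule.action, "rule"))
            return rule.action
        if self.mode is Mode.POLICY:               # no allow rule: silently blocked
            self.log.append((ev, "block", "no rule, policy mode"))
            return "block"
        if self.mode is Mode.LEARNING:             # everything allowed and recorded,
            self.rules.append(Rule(ev.process, ev.operation, ev.target, "allow"))
            self.log.append((ev, "allow", "learned"))   # whatever the process is
            return "allow"
        if self.mode is Mode.INTERACTIVE or (self.mode is Mode.SMART and self._suspicious(ev)):
            if answer is None:                     # prompt the user
                self.log.append((ev, "ask", "prompt"))
                return "ask"
            self.rules.append(Rule(ev.process, ev.operation, ev.target, answer))
            self.log.append((ev, answer, "user decision, rule created"))
            return answer
        self.log.append((ev, "allow", "no rule, default allow"))   # Automatic / Smart
        return "allow"


# Constructed scenario: a signed installer, plus an unsigned binary that runs during
# the install and adds itself to the Run key (stands in for "malware present").
INSTALLER = r"C:\Users\me\Downloads\setup.exe"
UNSIGNED = r"C:\Users\me\AppData\Local\Temp\update.exe"
SCENARIO = [
    Event(INSTALLER, "write_file", r"C:\Program Files\App\app.exe"),
    Event(INSTALLER, "write_registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\App"),
    Event(UNSIGNED, "write_registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Upd",
          signed=False),
]


def run_install(mode, baseline=()):
    """Run the scenario under one mode; return the decisions and the resulting rule set."""
    hips = Hips(mode, list(baseline))
    decisions = [hips.evaluate(ev) for ev in SCENARIO]
    return decisions, hips.rules


if __name__ == "__main__":
    base = [Rule(INSTALLER, "write_file", r"C:\Program Files\App", "allow")]
    for mode in Mode:
        decisions, rules = run_install(mode, base if mode is Mode.POLICY else ())
        print(f"{mode.value:12} {decisions}  rules after: {len(rules)}")
```

Running the script prints one line per mode; the Learning line ends with three rules, one of which allows the unsigned binary's Run-key write, while the Policy line blocks both registry writes without ever returning "ask".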

Thanks again for your explanations itman; it makes perfect sense.

In the meantime, as I haven't got the required knowledge, I'm using HIPS in smart mode. So far, everything is fine. I haven't got any notification.
