Pierrot

HIPS : how to choose rules and filtering mode ?


Hi,

I’m new to Eset and I’ve got a few questions regarding the configuration of HIPS. I searched in the help, in this forum and on the web, but I couldn't find the answer.

I’m currently running HIPS in learning mode, and the first thing I’m wondering about is how I should choose whether or not to allow the behaviors listed in the rules created by Eset. Would it be safe to allow any behavior listed, as long as it comes from a program that I know or from a program that is part of Windows?

I’m also wondering what kind of filtering mode I should use afterwards, i.e. when the learning will be completed.

If I understood correctly, the safest mode would be the policy-based mode, because it would block everything other than what is described by the rules. Correct? But what if something is blocked? Is there any risk of damage to my computer? Will I get a notification? Will I have a chance to create a new rule to allow the behavior or not?

If I choose the smart or the interactive mode, will these modes refer to the custom rules created by the learning mode or not? When I get a notification, will I have a chance to create a new rule to allow the behavior or not?

Thanks in advance for your answer and kind regards.

Fine, but do you mean choosing the smart mode after the learning mode has completed, or is it useless to run the learning mode before activating the smart mode?

1 hour ago, Pierrot said:

If I understood correctly, the safest mode would be the policy-based mode, because it would block everything other than what is described by the rules. Correct? But what if something is blocked? Is there any risk of damage to my computer? Will I get a notification? Will I have a chance to create a new rule to allow the behavior or not?

In Policy mode, any process activity for which no existing allow rule exists will be blocked. You will not receive a notification of the blocked activity. This mode is only suitable for installations where no type of system or app update activity occurs.

1 hour ago, Pierrot said:

If I choose the smart or the interactive mode, will these modes refer to the custom rules created by the learning mode or not? When I get a notification, will I have a chance to create a new rule to allow the behavior or not?

In Interactive mode, any process activity for which no existing allow rule exists will generate an alert. You will receive a notification of the attempted activity, at which time you will be able to create a permanent HIPS rule for the activity.

As explained, Smart mode is just an enhancement of the default HIPS Auto mode. In either of these two modes, all existing and previously created HIPS rules are in effect.

Note: Eset's HIPS is not a "user friendly" HIPS. By that, I mean it doesn't have features that some older HIPS software had, such as an "Installer mode" one could switch to when installing new app software, for example. Such a mode would auto-create all the new rules for the app and prevent existing HIPS rules from interfering with the installation. The only alternative with Eset's HIPS is to either switch to Learning mode again prior to installation, or manually respond to each alert generated by the installation when Interactive mode is in effect.

Edited by itman

20 hours ago, itman said:

Such a mode would auto-create all the new rules for the app and prevent existing HIPS rules from interfering with the installation. The only alternative with Eset's HIPS is to either switch to Learning mode again prior to installation, or manually respond to each alert generated by the installation when Interactive mode is in effect.

Also I was in a rush yesterday and didn't state the above correctly.

What was the case in the HIPS "of old" was that Installer mode temporarily disabled the HIPS. And it was used under the category of "Trusted Installers"; in other words, those that were properly signed by trusted publishers. BTW, I believe Comodo's HIPS, Defense+, has this feature.

Obviously, disabling Eset's HIPS is strongly not recommended, since "a bunch" of other Eset protections are dependent upon it, including Eset's self-protection. Additionally, a system restart is required to disable Eset's HIPS.

Finally, you really don't want to run Eset's HIPS in Learning mode when performing installs, since any malware present will just be auto-allowed. This leaves Interactive mode as the only viable alternative. And one must have detailed security and system operation knowledge to be able to identify any malicious actions being performed by the installer.


Thanks again for your explanations, itman; it makes perfect sense.

In the meantime, as I haven't got the required knowledge, I'm using HIPS in smart mode. So far, everything is fine. I haven't received any notification.
