EFS HIPS Question

[Nightowl 202]

Hello ,

I have a question regarding the settings of HIPS , I can't decide whether the HIPS should be set as Automatic Mode or Smart Mode (And no Learning Mode didn't run before)

I am just trying to know the best practices for the settings.

[itman 1,659]

Smart mode is a more aggressive setting. To be honest, I have always run the HIPS in that mode and have never received an Eset HIPS alert with that setting enabled.

[Nightowl 202]

2 hours ago, itman said:

Smart mode is a more aggressive setting. To be honest, I have always run the HIPS in that mode and have never received an Eset HIPS alert with that setting enabled.

Thank you itman :), I will give a try and see if there is any difference.

[Nightowl 202]

I could see by testing installing of CCleaner , that HIPS does prompt for action to allow or block.

[itman 1,659]

29 minutes ago, Rami said:

I could see by testing installing of CCleaner , that HIPS does prompt for action to allow or block.

You sure those were from the HIPS and not PUA detections from Realtime scanning? See if there are any HIPS log entries. Believe only blocked activity would be logged. If there are HIPS log entries, post a couple of them. Would like to see what Eset HIPS detected.

[Nightowl 202]

On 5/17/2019 at 12:19 AM, itman said:

You sure those were from the HIPS and not PUA detections from Realtime scanning? See if there are any HIPS log entries. Believe only blocked activity would be logged. If there are HIPS log entries, post a couple of them. Would like to see what Eset HIPS detected.

It blocked the install because CCleaner installer was doing some 'suspicious' activity to the Registry

[itman 1,659]

32 minutes ago, Rami said:

It blocked the install because CCleaner installer was doing some 'suspicious' activity to the Registry

It probably detected this:

Quote

Considering that CCleaner is configured to run as a startup application by default, this means CCleaner could be communicating with CCleaner servers without you even realizing it.

https://helpdeskgeek.com/free-tools-review/why-you-shouldnt-download-ccleaner-for-windows-anymore/

As this article and others like it state, you shouldn't be using it in the first place.

[Nightowl 202]

42 minutes ago, itman said:

It probably detected this:

https://helpdeskgeek.com/free-tools-review/why-you-shouldnt-download-ccleaner-for-windows-anymore/

As this article and others like it state, you shouldn't be using it in the first place.

I've stopped using it since the accident that happened to them when they moved to Avast.

[Nightowl 202]

I notice when I set the HIPS to log everything blocked , I see that HIPS is blocking lot of processes related to Windows , is that fine? like these two

svchost
WmiPrvSE

I did run the Learning Mode for few hours and switched back Smart Mode , and it did create few rules as Allowed , and both of these blocked are among the allowed rules

They get blocked as "Self Defense - Do not allow modifications to system processes"

While svchost and WmiPrvSE are system processes , I do wonder why they are getting blocked and does that do anything bad to the servers?

Even though that Wmiprvse tries to get access to ekrn , ESET blocks it and drops it as it is trying to protect itself.

 

Edited May 27, 2019 by Rami

[Marcos 5,070]

If you are having an issue with Self-defense, please elaborate more on it. Otherwise disable logging of blocked operations in the advanced HIPS setup which should only be enabled while troubleshooting HIPS-related issues.

[itman 1,659]

23 minutes ago, Rami said:

They get blocked as "Self Defense - Do not allow modifications to system processes" 

These relate to Eset's own processes. And it is normal to see like entries in the HIPS log when you enabled the "Log all blocked processes" option. This is the reason that HIPS log option is disabled by default.

[Nightowl 202]

Yes I know it's normal because I have set it to log all blocked attempts

But shouldn't ESET allow these processes because they are related to Windows?

[Marcos 5,070]

No, it shouldn't. We protect our services and no other process should be allowed to tamper with them in any way.

Please disable logging of all blocked operations since besides bigger logs debug logging has also adverse effect on performance.

[Nightowl 202]

12 minutes ago, Marcos said:

No, it shouldn't. We protect our services and no other process should be allowed to tamper with them in any way.

Please disable logging of all blocked operations since besides bigger logs debug logging has also adverse effect on performance.

Ok thank you for the explanation Marcos ,

But if I may I have another question to shoot , EFS is blocking svchost from accessing winlogon.exe/lsass.exe/wininit.exe

wmiprvse from accessing winlogon.exe/lsass.exe/wininit.exe

That is normal behavior from HIPS?

 

Edited May 28, 2019 by Rami

[Marcos 5,070]

It is. If it is causing an issue to your system, we'd like you to elaborate more on it so that we can further investigate it.

[Nightowl 202]

3 minutes ago, Marcos said:

It is. If it is causing an issue to your system, we'd like you to elaborate more on it so that we can further investigate it.

Honestly no I don't notice any kind of problem but these blocked attempts make me wonder if it's stopping the Server from doing it's normal job or not, but I found it a little bit weird that the Learning Mode did set rules for these processes to be allowed and yet HIPS is still blocking it , no matter which mode Learning,Smart,Automatic , they get blocked.

Edited May 28, 2019 by Rami

[itman 1,659]

3 hours ago, Rami said:

Honestly no I don't notice any kind of problem but these blocked attempts make me wonder if it's stopping the Server from doing it's normal job or not, but I found it a little bit weird that the Learning Mode did set rules for these processes to be allowed and yet HIPS is still blocking it , no matter which mode Learning,Smart,Automatic , they get blocked.

Look closely at the HIPS log entries. I beleive the wording given is along the lines of "partially blocked" or "partially allowed." This wording is applicable to default internal HIPS rules. When you enable the "Log all blocked activity" option is when these entries show in the HIPS log.

When HIPS user rules are created, Eset's HIPS won't treat them as "absolute." That is, Eset won't allow the user to block system activity that it has predetermined to be legit and necessary activity.

Edited May 28, 2019 by itman

[Nightowl 202]

22 minutes ago, itman said:

Look closely at the HIPS log entries. I beleive the wording given is along the lines of "partially blocked" or "partially allowed." This wording is applicable to default internal HIPS rules. When you enable the "Log all blocked activity" option is when these entries show in the HIPS log.

When HIPS user rules are created, Eset's HIPS won't treat them as "absolute." That is, Eset won't allow the user to block system activity that it has predetermined to be legit and necessary activity.

C:\Windows\System32\svchost.exe;Get access to another application;C:\Windows\System32\lsass.exe;blocked;Self-Defense: Do not allow modification of system processes;Terminate/suspend another application

They are all look like this one but different executable , and just few from wmi trying to access ekrn but gets denied because of self defense.

[itman 1,659]

19 minutes ago, Rami said:

C:\Windows\System32\svchost.exe;Get access to another application;C:\Windows\System32\lsass.exe;blocked;Self-Defense: Do not allow modification of system processes;Terminate/suspend another application

Appears you are not running latest vers. of Win 10 since lsass.exe runs a PPL process on those.

Assuming your not running Win Server 2016 or later that also runs lsass.exe as a PPL process, the Eset detections might be related to unsigned add-ons:

Quote

Recommended practices

Use the following list to thoroughly test that LSA protection is enabled before you broadly deploy the feature:

• Identify all of the LSA plug-ins and drivers that are in use within your organization. This includes non-Microsoft drivers or plug-ins such as smart card drivers and cryptographic plug-ins, and any internally developed software that is used to enforce password filters or password change notifications.

• Ensure that all of the LSA plug-ins are digitally signed with a Microsoft certificate so that the plug-in will not fail to load.

• Ensure that all of the correctly signed plug-ins can successfully load into LSA and that they perform as expected.

• Use the audit logs to identify LSA plug-ins and drivers that fail to run as a protected process.

 

https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection

Edited May 28, 2019 by itman

[Nightowl 202]

It's Server 2012 R2 and ESET File Security

[itman 1,659]

As far as I am aware of, svchost.exe should not be modifying lsass.exe. I have my own like Eset HIPS rules for lsass.exe and those have never been triggered by attempted svchost.exe modification attempt. However, I am running Win 10 on an endpoint. Things might be different for Win Server OSes predating 2016 ver..

[Nightowl 202]

43 minutes ago, itman said:

As far as I am aware of, svchost.exe should not be modifying lsass.exe. I have my own like Eset HIPS rules for lsass.exe and those have never been triggered by attempted svchost.exe modification attempt. However, I am running Win 10 on an endpoint. Things might be different for Win Server OSes predating 2016 ver..

I guess we need to wait for some ESET staff to have his opinion on that about the 2012 R2

[itman 1,659]

Out of curiousity, I enabled HIPS Log all blocked event activity option. I then rebooted. All "Self-Defense" blocked entries relate to Eset processes.

It is possible Eset would use the "Self-Defense" notation for other than its own processes in EFS, but I still believe that is unlikely.

-EDIT- Here's an interesting log entry. What I would like to know is what is "unknown operation" detection?

Time;Application;Operation;Target;Action;Rule;Additional information
5/28/2019 11:22:09 AM;C:\Windows\System32\SecurityHealthService.exe;Unknown operation;C:\Program Files\ESET\ESET Security\SecurityProductInformation.ini;blocked;Self-Defense: Protect ESET files;

Edited May 28, 2019 by itman

[itman 1,659]

Ok. This clarifies that "Self-Defense" applies to more than just Eset's own processes:

Quote

Enable Self-Defense—The built-in Self-defense technology part of HIPS prevents malicious software from corrupting or disabling your antivirus and antispyware protection. Self-defense protects crucial system processes and ESET processes, registry keys and files from being tampered with.

https://support.eset.com/kb3755/?locale=en_US&viewlocale=en_US

So at this point, you will need to determine what in your Win Server OS installation is attempting to modify lsass.exe and like critical OS processes Eset is recording Self-defense HIPS log activity for.

[Marcos 5,070]

It's nothing unusual, I have several similar records as well:

Time;Application;Operation;Target;Action;Rule;Additional information
5/28/2019 4:38:13 PM;C:\Windows\System32\svchost.exe;Get access to another application;C:\Windows\System32\winlogon.exe;blocked;Self-Defense: Do not allow modification of system processes;Modify state of another application

So unless you are experiencing issues caused by SD, consider it normal.