Nightowl, posted May 14, 2019:

Hello, I have a question regarding the settings of HIPS. I can't decide whether the HIPS should be set to Automatic Mode or Smart Mode (and no, Learning Mode didn't run before). I am just trying to know the best practices for the settings.
itman, posted May 14, 2019:

Smart mode is a more aggressive setting. To be honest, I have always run the HIPS in that mode and have never received an Eset HIPS alert with that setting enabled.
Nightowl, posted May 14, 2019:

> itman said: Smart mode is a more aggressive setting. To be honest, I have always run the HIPS in that mode and have never received an Eset HIPS alert with that setting enabled.

Thank you itman :), I will give it a try and see if there is any difference.
Nightowl, posted May 16, 2019:

I could see, by testing installing CCleaner, that HIPS does prompt for action to allow or block.
itman, posted May 16, 2019:

> Rami said: I could see, by testing installing CCleaner, that HIPS does prompt for action to allow or block.

You sure those were from the HIPS and not PUA detections from Realtime scanning? See if there are any HIPS log entries. Believe only blocked activity would be logged. If there are HIPS log entries, post a couple of them. Would like to see what Eset HIPS detected.
Nightowl, posted May 18, 2019:

> itman said: You sure those were from the HIPS and not PUA detections from Realtime scanning? See if there are any HIPS log entries. Believe only blocked activity would be logged. If there are HIPS log entries, post a couple of them. Would like to see what Eset HIPS detected.

It blocked the install because the CCleaner installer was doing some 'suspicious' activity to the Registry.
itman, posted May 18, 2019:

> Rami said: It blocked the install because the CCleaner installer was doing some 'suspicious' activity to the Registry.

It probably detected this:

> Considering that CCleaner is configured to run as a startup application by default, this means CCleaner could be communicating with CCleaner servers without you even realizing it.
> https://helpdeskgeek.com/free-tools-review/why-you-shouldnt-download-ccleaner-for-windows-anymore/

As this article and others like it state, you shouldn't be using it in the first place.
Nightowl, posted May 18, 2019:

> itman said: It probably detected this: https://helpdeskgeek.com/free-tools-review/why-you-shouldnt-download-ccleaner-for-windows-anymore/ As this article and others like it state, you shouldn't be using it in the first place.

I've stopped using it since the accident that happened to them when they moved to Avast.
Nightowl, posted May 27, 2019 (edited):

I notice when I set the HIPS to log everything blocked, I see that HIPS is blocking a lot of processes related to Windows. Is that fine? Like these two:

svchost
WmiPrvSE

I did run the Learning Mode for a few hours and switched back to Smart Mode, and it did create a few rules as Allowed, and both of these blocked ones are among the allowed rules.

They get blocked as "Self Defense - Do not allow modifications to system processes".

While svchost and WmiPrvSE are system processes, I do wonder why they are getting blocked, and does that do anything bad to the servers?

Even though Wmiprvse tries to get access to ekrn, ESET blocks it and drops it as it is trying to protect itself.

Edited May 27, 2019 by Rami
Marcos (Administrator), posted May 27, 2019:

If you are having an issue with Self-defense, please elaborate more on it. Otherwise disable logging of blocked operations in the advanced HIPS setup, which should only be enabled while troubleshooting HIPS-related issues.
itman, posted May 27, 2019:

> Rami said: They get blocked as "Self Defense - Do not allow modifications to system processes".

These relate to Eset's own processes. And it is normal to see like entries in the HIPS log when you enable the "Log all blocked processes" option. This is the reason that HIPS log option is disabled by default.
Nightowl, posted May 28, 2019:

Yes, I know it's normal because I have set it to log all blocked attempts. But shouldn't ESET allow these processes because they are related to Windows?
Marcos (Administrator), posted May 28, 2019:

No, it shouldn't. We protect our services and no other process should be allowed to tamper with them in any way. Please disable logging of all blocked operations since, besides bigger logs, debug logging also has an adverse effect on performance.
Nightowl, posted May 28, 2019 (edited):

> Marcos said: No, it shouldn't. We protect our services and no other process should be allowed to tamper with them in any way. Please disable logging of all blocked operations since, besides bigger logs, debug logging also has an adverse effect on performance.

Ok, thank you for the explanation Marcos. But if I may, I have another question to shoot. EFS is blocking:

svchost from accessing winlogon.exe/lsass.exe/wininit.exe
wmiprvse from accessing winlogon.exe/lsass.exe/wininit.exe

Is that normal behavior from HIPS?

Edited May 28, 2019 by Rami
Marcos (Administrator), posted May 28, 2019:

It is. If it is causing an issue to your system, we'd like you to elaborate more on it so that we can further investigate it.
Nightowl, posted May 28, 2019 (edited):

> Marcos said: It is. If it is causing an issue to your system, we'd like you to elaborate more on it so that we can further investigate it.

Honestly, no, I don't notice any kind of problem, but these blocked attempts make me wonder if it's stopping the Server from doing its normal job or not. But I found it a little bit weird that the Learning Mode did set rules for these processes to be allowed and yet HIPS is still blocking them; no matter which mode, Learning, Smart or Automatic, they get blocked.

Edited May 28, 2019 by Rami
itman, posted May 28, 2019 (edited):

> Rami said: Honestly, no, I don't notice any kind of problem, but these blocked attempts make me wonder if it's stopping the Server from doing its normal job or not. But I found it a little bit weird that the Learning Mode did set rules for these processes to be allowed and yet HIPS is still blocking them; no matter which mode, Learning, Smart or Automatic, they get blocked.

Look closely at the HIPS log entries. I believe the wording given is along the lines of "partially blocked" or "partially allowed." This wording is applicable to default internal HIPS rules. It is when you enable the "Log all blocked activity" option that these entries show in the HIPS log.

When HIPS user rules are created, Eset's HIPS won't treat them as "absolute." That is, Eset won't allow the user to block system activity that it has predetermined to be legit and necessary activity.

Edited May 28, 2019 by itman
Nightowl, posted May 28, 2019:

> itman said: Look closely at the HIPS log entries. I believe the wording given is along the lines of "partially blocked" or "partially allowed." This wording is applicable to default internal HIPS rules. It is when you enable the "Log all blocked activity" option that these entries show in the HIPS log. When HIPS user rules are created, Eset's HIPS won't treat them as "absolute." That is, Eset won't allow the user to block system activity that it has predetermined to be legit and necessary activity.

    C:\Windows\System32\svchost.exe;Get access to another application;C:\Windows\System32\lsass.exe;blocked;Self-Defense: Do not allow modification of system processes;Terminate/suspend another application

They all look like this one but with a different executable, and just a few from wmi trying to access ekrn but getting denied because of self defense.
itman, posted May 28, 2019 (edited):

> Rami said: C:\Windows\System32\svchost.exe;Get access to another application;C:\Windows\System32\lsass.exe;blocked;Self-Defense: Do not allow modification of system processes;Terminate/suspend another application

Appears you are not running the latest vers. of Win 10, since lsass.exe runs as a PPL process on those. Assuming you're not running Win Server 2016 or later, which also runs lsass.exe as a PPL process, the Eset detections might be related to unsigned add-ons:

> Recommended practices
> Use the following list to thoroughly test that LSA protection is enabled before you broadly deploy the feature:
> - Identify all of the LSA plug-ins and drivers that are in use within your organization. This includes non-Microsoft drivers or plug-ins such as smart card drivers and cryptographic plug-ins, and any internally developed software that is used to enforce password filters or password change notifications.
> - Ensure that all of the LSA plug-ins are digitally signed with a Microsoft certificate so that the plug-in will not fail to load.
> - Ensure that all of the correctly signed plug-ins can successfully load into LSA and that they perform as expected.
> - Use the audit logs to identify LSA plug-ins and drivers that fail to run as a protected process.
> https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection

Edited May 28, 2019 by itman
Nightowl, posted May 28, 2019:

It's Server 2012 R2 and ESET File Security.
itman, posted May 28, 2019:

As far as I am aware, svchost.exe should not be modifying lsass.exe. I have my own like Eset HIPS rules for lsass.exe and those have never been triggered by an attempted svchost.exe modification. However, I am running Win 10 on an endpoint. Things might be different for Win Server OSes predating the 2016 ver.
Nightowl, posted May 28, 2019:

> itman said: As far as I am aware, svchost.exe should not be modifying lsass.exe. I have my own like Eset HIPS rules for lsass.exe and those have never been triggered by an attempted svchost.exe modification. However, I am running Win 10 on an endpoint. Things might be different for Win Server OSes predating the 2016 ver.

I guess we need to wait for some ESET staff to give his opinion on that about the 2012 R2.
itman, posted May 28, 2019 (edited):

Out of curiosity, I enabled the HIPS "Log all blocked event activity" option. I then rebooted. All "Self-Defense" blocked entries relate to Eset processes. It is possible Eset would use the "Self-Defense" notation for other than its own processes in EFS, but I still believe that is unlikely.

-EDIT- Here's an interesting log entry. What I would like to know is what an "unknown operation" detection is.

    Time;Application;Operation;Target;Action;Rule;Additional information
    5/28/2019 11:22:09 AM;C:\Windows\System32\SecurityHealthService.exe;Unknown operation;C:\Program Files\ESET\ESET Security\SecurityProductInformation.ini;blocked;Self-Defense: Protect ESET files;

Edited May 28, 2019 by itman
itman, posted May 28, 2019:

Ok. This clarifies that "Self-Defense" applies to more than just Eset's own processes:

> Enable Self-Defense—The built-in Self-defense technology, part of HIPS, prevents malicious software from corrupting or disabling your antivirus and antispyware protection. Self-defense protects crucial system processes and ESET processes, registry keys and files from being tampered with.
> https://support.eset.com/kb3755/?locale=en_US&viewlocale=en_US

So at this point, you will need to determine what in your Win Server OS installation is attempting to modify lsass.exe and like critical OS processes that Eset is recording Self-defense HIPS log activity for.
Marcos (Administrator), posted May 28, 2019:

It's nothing unusual, I have several similar records as well:

    Time;Application;Operation;Target;Action;Rule;Additional information
    5/28/2019 4:38:13 PM;C:\Windows\System32\svchost.exe;Get access to another application;C:\Windows\System32\winlogon.exe;blocked;Self-Defense: Do not allow modification of system processes;Modify state of another application

So unless you are experiencing issues caused by SD, consider it normal.
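As an added example (not from the thread, ESET, or any poster), a small triage script for the semicolon-separated HIPS log export shown above: it counts blocked records per rule and separates the expected Self-Defense hits from Windows system binaries, which ESET staff describe as normal, from records that deserve a look. The sample records are constructed; three mirror entries from the thread, and the updater.exe and ccsetup.exe records plus the "Block autorun changes (user rule)" name are made up for illustration.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample in the semicolon-separated layout of the ESET HIPS log export
# shown in the thread (header line, then one record per line). The first three
# records echo the thread; the last two (updater.exe, ccsetup.exe) are made up.
SAMPLE_LOG = """Time;Application;Operation;Target;Action;Rule;Additional information
5/28/2019 11:22:09 AM;C:\\Windows\\System32\\SecurityHealthService.exe;Unknown operation;C:\\Program Files\\ESET\\ESET Security\\SecurityProductInformation.ini;blocked;Self-Defense: Protect ESET files;
5/28/2019 4:38:13 PM;C:\\Windows\\System32\\svchost.exe;Get access to another application;C:\\Windows\\System32\\winlogon.exe;blocked;Self-Defense: Do not allow modification of system processes;Modify state of another application
5/28/2019 4:38:14 PM;C:\\Windows\\System32\\svchost.exe;Get access to another application;C:\\Windows\\System32\\lsass.exe;blocked;Self-Defense: Do not allow modification of system processes;Terminate/suspend another application
5/28/2019 4:40:02 PM;C:\\Users\\admin\\AppData\\Local\\Temp\\updater.exe;Get access to another application;C:\\Windows\\System32\\lsass.exe;blocked;Self-Defense: Do not allow modification of system processes;Terminate/suspend another application
5/28/2019 4:41:30 PM;C:\\Users\\admin\\Downloads\\ccsetup.exe;Modify registry;HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run;blocked;Block autorun changes (user rule);
"""

def parse_hips_log(text):
    """Split the export into dicts keyed by the header names."""
    return list(csv.DictReader(StringIO(text), delimiter=";"))

def is_self_defense(record):
    """Built-in Self-Defense rules carry this prefix in the Rule column."""
    return record["Rule"].startswith("Self-Defense:")

def summarize_by_rule(records):
    """Count blocked (or partially blocked) records per rule. With 'log all
    blocked operations' on, the Self-Defense rules dominate, as the thread saw."""
    return Counter(r["Rule"] for r in records if "blocked" in r["Action"])

def triage(records):
    """Return records worth a closer look: any non-Self-Defense block, plus
    Self-Defense blocks whose source binary is outside C:\\Windows. A Windows
    service touching lsass.exe/winlogon.exe is expected noise per ESET staff;
    a temp-folder binary doing the same is not."""
    flagged = []
    for r in records:
        if "blocked" not in r["Action"]:
            continue
        app = r["Application"].lower()
        if not is_self_defense(r) or not app.startswith("c:\\windows\\"):
            flagged.append(r)
    return flagged

if __name__ == "__main__":
    records = parse_hips_log(SAMPLE_LOG)
    for rule, count in summarize_by_rule(records).most_common():
        print(f"{count:3d}  {rule}")
    for r in triage(records):
        print("REVIEW:", r["Application"], "->", r["Target"], "|", r["Rule"])
```

Run it against a real export (HIPS log, exported with the "Log all blocked operations" option on only for the duration of the check) to see which entries remain after the routine Self-Defense noise is set aside.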