SRT 1 Posted September 17, 2019 Share Posted September 17, 2019 Search, no definitive answer. What is most secure? •Automatic mode – Operations are enabled with the exception of those blocked by pre-defined rules that protect your system. •Smart mode – The user will only be notified about very suspicious events. Second, are rules I create, saved and used in both these modes? Link to comment Share on other sites More sharing options...
Administrators Marcos 5,074 Posted September 17, 2019 Administrators Share Posted September 17, 2019 Use smart mode. And yes, you can create custom rules in any mode; in learning mode rules will be created automatically. If you want to improve protection against ransomware, you can also create HIPS rules as per https://support.eset.com/kb6119/. Link to comment Share on other sites More sharing options...
Most Valued Members peteyt 393 Posted September 17, 2019 Most Valued Members Share Posted September 17, 2019 4 hours ago, Marcos said: Use smart mode. And yes, you can create custom rules in any mode; in learning mode rules will be created automatically. If you want to improve protection against ransomware, you can also create HIPS rules as per https://support.eset.com/kb6119/. Is smart mode okay for an average user? Same for the hips rules in the link? Link to comment Share on other sites More sharing options...
itman 1,659 Posted September 17, 2019 Share Posted September 17, 2019 12 minutes ago, peteyt said: Is smart mode okay for an average user? Same for the hips rules in the link? Personally, I believe Smart mode is nothing more than a HIPS "placebo" setting. I and many others have never seen a HIPS alert in either Auto or Safe mode assuming no user rules have been created. Link to comment Share on other sites More sharing options...
SRT 1 Posted September 17, 2019 Author Share Posted September 17, 2019 (edited) I got one alert in smart-mode: User rule: allow PrivateVpn.exe, the only one. So what's the verdict are they the same, useless, or what? No definitive answer. This question was not answered, "Second, are rules I create, saved and used in all of the modes??? Thanks Edited September 17, 2019 by SRT Link to comment Share on other sites More sharing options...
itman 1,659 Posted September 17, 2019 Share Posted September 17, 2019 1 hour ago, SRT said: This question was not answered, "Second, are rules I create, saved and used in all of the modes??? @Marcos already answered this. The answer is yes! Link to comment Share on other sites More sharing options...
SRT 1 Posted September 18, 2019 Author Share Posted September 18, 2019 Thanks, missed that. If I have rules written by me and changed to learning mode would they be over written? Still confused about difference between auto and smart modes. I take from Marcos, that smart might be a little bit more secure? Link to comment Share on other sites More sharing options...
Administrators Marcos 5,074 Posted September 18, 2019 Administrators Share Posted September 18, 2019 In learning mode permissive rules are created for operations for which no rule exists yet. Rules are not overwritten. The difference between various HIPS modes is that: - in automatic mode the user is never prompted for an action and basically all but self-defense internal rules are applied - in smart mode, HIPS works like in automatic mode but may ask you if very suspicious operations are attempted - in interactive mode, the user is prompted for an action whenever an operation is attempted for which no rule exists - in learning mode permissive rules are created automatically for every operation. Link to comment Share on other sites More sharing options...
itman 1,659 Posted September 18, 2019 Share Posted September 18, 2019 (edited) 13 hours ago, SRT said: If I have rules written by me and changed to learning mode would they be over written? They won't be overridden but could conflict with or negate the user rules you created manually. The most important thing to remember is allow rules always take precedence over ask or block rules. For example, you created a rule manually to block some process activity. However a rule was created in learning mode to allow the same activity. The learning mode rule will always take precedence over your manually created block rule and your block rule will never be executed. My own opinion is if the HIPS was set to learning mode initially, it should be switched to interactive mode thereafter with all new rules created from that mode. If you need to run a program installer thereafter, you have two choices: 1. Switch to learning mode again and run the program installer. This is really not secure since the installer may do whatever it wants in regards to system modification activities. 2. Stay in interactive mode and answer HIPS alerts as they appear. Again, you would need advanced system knowledge to be able to determine what is or is not acceptable system modification activity. My own opinion is the best HIPS option is when Eset is installed is to switch to Smart mode. Then manually create your HIPS rules from that point on. The most important point to remember is the Eset HIPS is not a "full featured" HIPS along the lines of Comodo's Defense+, the now defunct Outpost HIPS, etc.. These HIPS's provided features such as "Installer" mode one could easily switch to when performing program installations. This installer mode could be conditioned for example by specifying "Trusted Publishers" to prevent installations from untrusted sources. Edited September 18, 2019 by itman Link to comment Share on other sites More sharing options...
Recommended Posts