itman 1,508 Posted November 11, 2019

I also advise you to thoroughly read Eset online help in regards to how HIPS rules are coded and what is and is not allowed.
BALTAGY 32 (ESET Insiders, Author) Posted November 11, 2019

Just now, itman said:
Join the club. I and many others have been asking for file wildcard capability for years.

Also, why does ESET not use a rule like this with a trusted exe file list, to be used as protection like WD?
itman 1,508 Posted November 11, 2019

2 minutes ago, BALTAGY said:
Also, why does ESET not use a rule like this with a trusted exe file list, to be used as protection like WD?

I believe you are referring to WD ASR rules. Eset has nothing equal to that. HIPS rules are it. For background reference, Eset created the HIPS for its own self-protection use. It really is not designed for end user use.
BALTAGY 32 (ESET Insiders, Author) Posted November 11, 2019

Just now, itman said:
I believe you are referring to WD ASR rules. Eset has nothing equal to that. HIPS rules are it. For background reference, Eset created the HIPS for its own self-protection use. It really is not designed for end user use.

I think HIPS can be used for more protection vs ransomware; also, giving users a choice to create the rules they want, like what I want to do, is better.
Marcos 4,601 (Administrators) Posted November 11, 2019

You can create extra HIPS rules to improve protection against ransomware and other malware as per the KB https://support.eset.com/kb6119/. However, in case you encounter issues with blocking legitimate operations, you should edit or disable the appropriate rule, or create a new permissive one to allow a particular script to run.
BALTAGY 32 (ESET Insiders, Author) Posted November 11, 2019

1 minute ago, Marcos said:
You can create extra HIPS rules to improve protection against ransomware and other malware as per the KB https://support.eset.com/kb6119/. However, in case you encounter issues with blocking legitimate operations, you should edit or disable the appropriate rule, or create a new permissive one to allow a particular script to run.

I know this KB, but for example "STOP (DJVU)" ransomware runs from the user appdata or user temp folder with a file name like xxx.tmp.exe. So if I can create a HIPS rule to protect all files from being edited by any exe in the temp folder, that will help to protect the files. I know I can get a few warnings from legitimate files in user appdata, but I can keep the files safe.
itman 1,508 Posted November 11, 2019

6 hours ago, BALTAGY said:
I know this KB, but for example "STOP (DJVU)" ransomware runs from the user appdata or user temp folder with a file name like xxx.tmp.exe. So if I can create a HIPS rule to protect all files from being edited by any exe in the temp folder, that will help to protect the files.

You can create the equivalent to WD's Controlled Folders protection by creating a HIPS ask rule to prevent any application from file modification activities in C:\Users\xxxxx\filename\*.* where filename equals each of the following directory names:

3D Objects
Desktop
Documents
Music
Pictures
Videos
Contacts
Favorites
Links
OneDrive
Saved Games
Searches

This way when anything tries to modify files in the above directories, you will receive an alert and can allow the activity. Obviously if you get an alert from notepad.exe and you haven't manually started it, you would deny that activity. But only after you fired up Process Explorer and determined what had started notepad.exe, which would point you to the malware .exe.

I also would not create any HIPS rules to allow any process access to those files except for trusted system processes like defrag or the like. And again, I would verify those have been legitimately started by the appropriate Win parent process.
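As an added example (not code from this thread, from itman, or from ESET), a PowerShell helper for the two manual steps in the post above: deriving the per-user folder patterns such an "ask" rule would cover, and walking a process's parent chain to see what launched it before deciding on a HIPS alert. The function names and the PID-reuse check are my own assumptions; both functions only read CIM process and file-system data and change nothing.

```powershell
# Added example: helpers for the two manual steps described in the post.
# Nothing here creates or edits HIPS rules; it only reports information.

# Directory names listed in the post (Controlled Folders equivalent).
$ProtectedDirNames = @('3D Objects','Desktop','Documents','Music','Pictures','Videos',
                       'Contacts','Favorites','Links','OneDrive','Saved Games','Searches')

function Get-ProtectedFolderPatterns {
    # Returns "C:\Users\<user>\<dir>\*.*" patterns for the current user, only for
    # directories that exist, so no rule is written for a folder that is not there.
    param([string]$UserProfile = $env:USERPROFILE)
    foreach ($name in $ProtectedDirNames) {
        $dir = Join-Path $UserProfile $name
        if (Test-Path -LiteralPath $dir -PathType Container) {
            Join-Path $dir '*.*'
        }
    }
}

function Get-ProcessAncestry {
    # Walks PID -> parent PID through Win32_Process and returns each ancestor's name,
    # PID and command line. Windows reuses PIDs, so a "parent" created AFTER the child
    # is a stale match (the real parent already exited) and is flagged instead of followed.
    param([Parameter(Mandatory)][int]$ProcessId, [int]$MaxDepth = 10)
    $chain = @()
    $current = Get-CimInstance Win32_Process -Filter "ProcessId = $ProcessId"
    while ($current -and $chain.Count -lt $MaxDepth) {
        $chain += [pscustomobject]@{
            Name        = $current.Name
            PID         = $current.ProcessId
            ParentPID   = $current.ParentProcessId
            Created     = $current.CreationDate
            CommandLine = $current.CommandLine
        }
        if ($current.ParentProcessId -eq 0) { break }
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($current.ParentProcessId)"
        if (-not $parent) { break }                              # parent has already exited
        if ($parent.CreationDate -gt $current.CreationDate) {   # PID reused: not the real parent
            $chain += [pscustomobject]@{ Name = '<parent PID reused; real parent exited>'; PID = $parent.ProcessId }
            break
        }
        $current = $parent
    }
    $chain
}

# Usage: list the rule patterns, then show what started every running notepad.exe.
Get-ProtectedFolderPatterns
Get-Process notepad -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ProcessAncestry -ProcessId $_.Id } | Format-Table -AutoSize
```

Reading the chain bottom-up answers the post's question of which parent launched the process; a chain ending in a flagged "PID reused" entry means the launcher is already gone and the ESET HIPS log or a Sysmon process-creation event is the next place to look.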