HIPS Bug - Serious

Win 10 x(64) 1909, EIS 13.1.16

Both real-time and advanced machine learning set to aggressive mode.

Believe this issue is related to ver. 13.1.16 which installed yesterday.

I have HIPS rules that monitor PowerShell and other script .exe startup. When I start PowerShell from desktop in non-admin mode, HIPS alert displays as expected.

However if I start PowerShell in admin mode:

[Screenshot: Eset_PowerShell.png]

UAC prompt appears as expected. Selecting "Allow" on the UAC prompt does not display a HIPS alert. Rather, a second UAC alert is displayed. No HIPS alert ever displays. Repeated same procedure multiple times with same behavior occurring.

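The launch sequence described above, scripted so it can be repeated consistently. This is an added example and not code from the thread or from ESET: the function name Test-ScriptHostLaunch and the marker-file mechanism are assumptions made here. It starts powershell.exe once normally and once through the UAC prompt (Start-Process -Verb RunAs, the same path as "Run as administrator"), and the child reports its PID, whether it actually holds an elevated token, and when it started, so a launch that never happens (blocked) or one that is delayed behind a prompt is visible in the result. It reads nothing from ESET itself. Assumes Windows 10 with Windows PowerShell 5.1, run from a non-elevated session so that -Elevated really triggers UAC.

```powershell
# Added example, not from the forum post or from ESET. Reproduces the
# "start PowerShell normally, then as admin" test and records what the
# child process saw. Assumes Windows 10 / PowerShell 5.1, run non-elevated.

function Test-ScriptHostLaunch {
    [CmdletBinding()]
    param(
        [switch]$Elevated,          # go through UAC (ShellExecute "runas")
        [int]$TimeoutSeconds = 60   # how long to wait for the child's report
    )

    # One marker file per run; the child is told its path inside the script body.
    # Elevated and non-elevated sessions of the same user share %TEMP%.
    $marker = Join-Path $env:TEMP ('hipstest_{0}.txt' -f [guid]::NewGuid())

    # Child script: the Administrators role is only present on the full token
    # handed out after UAC consent, so IsInRole doubles as an elevation check.
    $childScript = @'
$id   = [Security.Principal.WindowsIdentity]::GetCurrent()
$pr   = New-Object Security.Principal.WindowsPrincipal($id)
$elev = $pr.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"$PID|$elev|$((Get-Date).ToString('o'))" | Set-Content -LiteralPath '__MARKER__'
'@.Replace('__MARKER__', $marker)

    # -EncodedCommand sidesteps command-line quoting entirely.
    $encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($childScript))
    $psArgs  = @('-NoProfile', '-EncodedCommand', $encoded)

    $result = [ordered]@{
        RequestedElevated = [bool]$Elevated
        ChildStarted      = $false
        ChildPid          = $null
        ChildElevated     = $null
        ChildStartedAt    = $null
        ElapsedSeconds    = $null
        Note              = ''
    }

    $sw = [Diagnostics.Stopwatch]::StartNew()
    try {
        if ($Elevated) {
            # This is what shows the UAC consent prompt.
            Start-Process -FilePath 'powershell.exe' -ArgumentList $psArgs -Verb RunAs
        } else {
            Start-Process -FilePath 'powershell.exe' -ArgumentList $psArgs
        }
    } catch {
        # Cancelling the UAC prompt (or a launch refused outright) lands here.
        $result.Note = "Start-Process failed: $($_.Exception.Message)"
        $result.ElapsedSeconds = [math]::Round($sw.Elapsed.TotalSeconds, 2)
        return [pscustomobject]$result
    }

    # A rule that blocks the launch leaves the marker absent; a prompt that is
    # answered late shows up as a long ElapsedSeconds before ChildStartedAt.
    while (-not (Test-Path -LiteralPath $marker) -and $sw.Elapsed.TotalSeconds -lt $TimeoutSeconds) {
        Start-Sleep -Milliseconds 250
    }
    $result.ElapsedSeconds = [math]::Round($sw.Elapsed.TotalSeconds, 2)

    if (Test-Path -LiteralPath $marker) {
        $fields = (Get-Content -LiteralPath $marker -Raw).Trim() -split '\|'
        $result.ChildStarted   = $true
        $result.ChildPid       = [int]$fields[0]
        $result.ChildElevated  = [bool]::Parse($fields[1])
        $result.ChildStartedAt = [datetime]::Parse($fields[2])
        Remove-Item -LiteralPath $marker -Force
        if ($Elevated -and -not $result.ChildElevated) {
            $result.Note = 'UAC was requested but the child is not elevated'
        }
    } else {
        $result.Note = "No child report within $TimeoutSeconds s (blocked, or prompt unanswered)"
    }
    return [pscustomobject]$result
}

# Same order as the post: normal launch first, then the elevated one.
Test-ScriptHostLaunch
Test-ScriptHostLaunch -Elevated
```

One caveat: here the parent of the new powershell.exe is the PowerShell session running the script, not explorer.exe as with a desktop shortcut. If the HIPS rule keys on the parent process rather than only on the target executable, run the same function from a cmd.exe window or note the parent in the rule so the comparison with the desktop launch is fair.
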
Found the problem. It's with the aggressive setting for malware and/or suspicious processes. When I set those back to normal setting, PowerShell run in admin mode displays Eset HIPS alert as expected.

So no aggressive mode settings for me until this release is tested more thoroughly.

Found the Eset "culprit." The HIPS needs to be set to "Auto" mode versus "Smart" mode if suspicious application detection mode is set to aggressive.

After an initial "hiccup" test where Eset displayed the HIPS alert after PowerShell had already started 😕, the HIPS alert displayed properly in multiple subsequent tests. I guess Augur needs time to learn its own HIPS behavior? 🤪

I guess my initial hunch that HIPS Smart mode could be an issue when Augur is applied aggressively was correct.

I have restricted PS via registry changes, HIPS and OSArmor custom rules (common PS command lines), so I couldn't test that.

I tried the same procedure on cmd.exe a few times, without admin rights and then with admin rights.

HIPS: Smart mode

Detection Engine (malware): Aggressive

Detection Engine (suspicious apps): Aggressive

and I could not reproduce it. The HIPS alerts followed the UAC prompt, and only after allowing the sequence did the cmd window open.

I cannot say whether the behavior is random or tied to a less likely scenario.

1 hour ago, Parsh said:

I could not reproduce it. The HIPS alerts followed the UAC prompt, and only after allowing the sequence did the cmd window open.

Yes, it appears the issue has been fixed. I tested a couple of days ago in Smart mode and HIPS alerts were being properly displayed.

6 hours ago, itman said:

Yes, it appears the issue has been fixed. I tested a couple of days ago in Smart mode and HIPS alerts were being properly displayed.

Must be that. I'd updated to the new version just yesterday.

However, the build date of the HIPS support module is from February (no recent changes). Some other related module, that got fixed, might have been the culprit.

1 minute ago, Parsh said:

However, the build date of the HIPS support module is from February (no recent changes). Some other related module, that got fixed, might have been the culprit.

Suspect the issue was in Augur; i.e. advanced machine learning.
