
Win 10 x64 1909, EIS 13.1.16

Both real-time and advanced machine learning set to aggressive mode.

Believe this issue is related to ver. 13.1.16 which installed yesterday.

I have HIPS rules that monitor PowerShell and other script .exe startup. When I start PowerShell from desktop in non-admin mode, HIPS alert displays as expected.

However if I start PowerShell in admin mode:

[Screenshot: Eset_PowerShell.png]

UAC prompt appears as expected. Selecting "Allow" on the UAC prompt does not display a HIPS alert. Rather, a second UAC alert is displayed. No HIPS alert ever displays. Repeated same procedure multiple times with same behavior occurring.


Found the problem. It's with the aggressive setting for malware and/or suspicious processes. When I set those back to normal setting, PowerShell run in admin mode displays Eset HIPS alert as expected.

So no aggressive mode settings for me until this release is tested more thoroughly.


Confirmed the issue is with the aggressive setting for suspicious applications.


Found the Eset "culprit." The HIPS needs to be set to "Auto" mode versus "Smart" mode if suspicious application detection mode is set to aggressive.

After an initial "hiccup" test where Eset displayed the HIPS alert after PowerShell had already started 😕, the HIPS alert displayed properly in multiple subsequent tests. I guess Augur needs time to learn its own HIPS behavior? 🤪

I guess my initial hunch that HIPS Smart mode could be an issue when Augur is applied aggressively was correct.


I have restricted PS via registry changes, HIPS, OSArmor custom rules >> common PS commandlines, so couldn't test that.

I tried the same procedure on cmd.exe a few times, without admin rights and then with admin rights.

HIPS: Smart mode

Detection Engine (malware): Aggressive

Detection Engine (suspicious apps): Aggressive

and I could not simulate. The HIPS alerts followed the UAC prompt and only after allowing the sequence did the cmd window open.

Cannot say if the behavior is random or has a less likely scenario.

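The test both posters describe (launch a script host first without and then with elevation, and watch whether the HIPS alert appears before or after the window opens) can be made repeatable with a small harness. The script below is an added example and is not code from this thread or from ESET. It assumes it is run from a non-elevated PowerShell session on a machine with UAC enabled; it only records when each launch was requested and when the process actually existed (for an elevated launch, that is after the UAC prompt was answered), so the tester can compare those timestamps against the time the HIPS alert was shown. The HIPS product's own alert log is not parsed here.

```powershell
# Added example (not from the thread or from ESET): reproduce the "non-admin,
# then admin" script-host launch test in a repeatable way and record timing.
# Assumptions: run from a NON-elevated PowerShell session, UAC enabled.

param(
    # Script hosts to exercise; the thread tests powershell.exe and cmd.exe.
    [string[]]$ScriptHosts = @('powershell.exe', 'cmd.exe')
)

# Arguments that make each host exit on its own after a few seconds, so the
# harness can wait for it instead of the tester having to close the window.
$HostArgs = @{
    'powershell.exe' = '-NoProfile -Command "Start-Sleep -Seconds 5"'
    'cmd.exe'        = '/c timeout /t 5 /nobreak'
}

function Test-IsElevated {
    # True when the current session already runs with the Administrators token.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Start-TrackedHost {
    param(
        [Parameter(Mandatory)][string]$Exe,
        [switch]$Elevated
    )
    $launch = @{ FilePath = $Exe; PassThru = $true }
    if ($HostArgs.ContainsKey($Exe)) { $launch['ArgumentList'] = $HostArgs[$Exe] }
    if ($Elevated) { $launch['Verb'] = 'RunAs' }   # this is what raises the UAC prompt

    $requestedAt = Get-Date
    $childPid    = $null
    try {
        $proc = Start-Process @launch
        # For an elevated launch, Start-Process returns only after UAC was answered.
        $returnedAt = Get-Date
        $childPid   = $proc.Id
        $proc | Wait-Process -Timeout 30 -ErrorAction SilentlyContinue
        $status = 'started'
    } catch {
        # Typical case: the tester chose "No" on the UAC prompt.
        $returnedAt = Get-Date
        $status     = "not started: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        ScriptHost  = $Exe
        Elevated    = [bool]$Elevated
        RequestedAt = $requestedAt.ToString('HH:mm:ss.fff')
        ReturnedAt  = $returnedAt.ToString('HH:mm:ss.fff')
        ProcessId   = $childPid
        Status      = $status
    }
}

if (Test-IsElevated) {
    Write-Warning 'This session is already elevated; the "Elevated" launches below will not show a UAC prompt.'
}

# Same order as the posters used: non-admin first, then admin, per host.
$results = foreach ($exe in $ScriptHosts) {
    Start-TrackedHost -Exe $exe
    Start-TrackedHost -Exe $exe -Elevated
}

$results | Format-Table -AutoSize
```

Note the time of any HIPS alert as it appears and compare it with the RequestedAt/ReturnedAt pair for that row: with the behaviour the later posts call fixed, the alert should fall between the two for an elevated launch (after UAC, before the window opens); an alert that arrives after ReturnedAt matches the "displayed after PowerShell had already started" hiccup described above.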
1 hour ago, Parsh said:

I could not simulate. The HIPS alerts followed the UAC prompt and only after allowing the sequence did the cmd window open.

Yes, it appears the issue has been fixed. I tested a couple of days ago in Smart mode and HIPS alerts were being properly displayed.

6 hours ago, itman said:

Yes, it appears the issue has been fixed. I tested a couple of days ago in Smart mode and HIPS alerts were being properly displayed.

Must be that. I'd updated to the new version just yesterday.

However, the build date of the HIPS support module is from February (no recent changes). Some other related module that got fixed might have been the culprit.

1 minute ago, Parsh said:

However, the build date of the HIPS support module is from February (no recent changes). Some other related module that got fixed might have been the culprit.

Suspect the issue was in Augur; i.e. advanced machine learning.
