itman, Posted March 12, 2020 (edited)
Win 10 x64 1909, EIS 13.1.16. Both real-time and advanced machine learning set to aggressive mode.
Believe this issue is related to ver. 13.1.16, which installed yesterday.
I have HIPS rules that monitor PowerShell and other script .exe startup. When I start PowerShell from the desktop in non-admin mode, the HIPS alert displays as expected. However, if I start PowerShell in admin mode:
- The UAC prompt appears as expected.
- Selecting "Allow" on the UAC prompt does not display a HIPS alert. Rather, a second UAC alert is displayed.
- No HIPS alert ever displays.
Repeated the same procedure multiple times with the same behavior occurring.
Edited March 12, 2020 by itman
itman (Author), Posted March 12, 2020 (edited)
Found the problem. It's with the aggressive setting for malware and/or suspicious processes. When I set those back to the normal setting, PowerShell run in admin mode displays the Eset HIPS alert as expected. So no aggressive mode settings for me until this release is tested more thoroughly.
Edited March 12, 2020 by itman
itman (Author), Posted March 12, 2020
Confirmed the issue is with the aggressive setting for suspicious applications.
itman (Author), Posted March 12, 2020 (edited)
Found the Eset "culprit." The HIPS needs to be set to "Auto" mode versus "Smart" mode if suspicious application detection mode is set to aggressive. After an initial "hiccup" test where Eset displayed the HIPS alert after PowerShell had already started 😕, the HIPS alert displayed properly in multiple subsequent tests. I guess Augur needs time to learn its own HIPS behavior? 🤪
I guess my initial hunch that HIPS Smart mode could be an issue when Augur is applied aggressively was correct.
Edited March 12, 2020 by itman
Parsh, Posted March 18, 2020
I have restricted PS via registry changes, HIPS, OSArmor custom rules >> common PS command lines, so couldn't test that. I tried the same procedure on cmd.exe a few times, without admin rights and then with admin rights.
HIPS: Smart mode
Detection Engine (malware): Aggressive
Detection Engine (suspicious apps): Aggressive
and I could not simulate. The HIPS alerts followed the UAC prompt and only after allowing the sequence did the cmd window open. Cannot say if the behavior is random or has a less likely scenario.
itman (Author), Posted March 18, 2020
1 hour ago, Parsh said: "I could not simulate. The HIPS alerts followed the UAC prompt and only after allowing the sequence did the cmd window open."
Yes, it appears the issue has been fixed. I tested a couple of days ago in Smart mode and HIPS alerts were being properly displayed.
Parsh, Posted March 18, 2020
6 hours ago, itman said: "Yes, it appears the issue has been fixed. I tested a couple of days ago in Smart mode and HIPS alerts were being properly displayed."
Must be that. I'd updated to the new version just yesterday. However, the build date of the HIPS support module is from February (no recent changes). Some other related module, that got fixed, might have been the culprit.
itman (Author), Posted March 18, 2020
1 minute ago, Parsh said: "However, the build date of the HIPS support module is from February (no recent changes). Some other related module, that got fixed, might have been the culprit."
Suspect the issue was in Augur; i.e. advanced machine learning.