hqsec 12 Posted May 5, 2014

A few months ago, when I was last using HIPS in interactive mode, I usually got a prompt when an application was run for the first time. If I used Learning mode, an appropriate rule was created automatically. Now things have changed. If Explorer.exe runs an application I get no prompt. No rule is created in Learning mode either. If I run a new application from, let's say, Total Commander, I get a prompt and a rule is also created if in Learning mode.

So my question is this: is this the normal way HIPS works now? Why is explorer.exe exempt from being monitored when executing other applications? If a non-detected virus executable was run by Explorer.exe, HIPS wouldn't ask for my permission and would let the virus run. Might there be something wrong with my rules that would enable explorer.exe to launch new apps without a prompt?

My specs:
Windows Pro 8.1.u.1 x64
ESET Smart Security 7.0.302.26
HIPS module: 1124 (20140331)

Arakasi 549 Posted May 5, 2014

Hello, I would delete all the rules you have applied for explorer or any other apps in question, then switch to learning and let the software re-create your rules again. I have seen this occur with application modification detection of the firewall rules; I am unsure whether HIPS has the same. If so, it would be a good idea to set exclusions for application modification detection on the apps in question where the rules may get corrupt or not work appropriately.

hqsec 12 Posted May 5, 2014 Author

I already deleted all rules but it's still the same. I also checked HipsRules.xml and there is no explorer.exe entry in it. So I guess this is a built-in rule that can't be changed.

Arakasi 549 Posted May 5, 2014

If you are still having issues with the dialogue prompts or feel the rules are messed up, I would suggest a reinstall; it will clear it all out and allow you to jump back on track correctly. I'm not at home so I can't attest to the HIPS for home in regards to application modification and rules etc. I only have Endpoint at the office right now. Will check at home and play around with it to see if I can reproduce.

hqsec 12 Posted May 5, 2014 Author

I don't think that my rules are messed up. The "problem" started right after a fresh install, when I enabled HIPS learning mode. I think that there is an integrated (hidden) rule that allows explorer.exe to launch other applications without a prompt. But that is just a guess and somebody from ESET has to confirm or deny it.