Understanding HIPS settings


Outcast

I'm running product version 14.1.19.0, trying to understand the real difference between "Automatic mode" and "Smart mode".

The documentation page says:

Quote

Automatic mode: Operations are enabled with the exception of those blocked by pre-defined rules that protect your system.

Smart mode: The user will only be notified about very suspicious events.

Are the "pre-defined rules" hard-coded, internal rules? I hope so, because my rule list in the UI is empty. If they're internal (i.e. hidden from the UI), what are these rules, exactly? It would be nice to know what they are, since knowing might help me decide if this mode is adequate for my purposes.

When "Smart mode" is used, do the pre-defined rules used in "Automatic mode" still apply? The documentation makes it sound like "Smart mode" is very relaxed and not very protective.

8 minutes ago, Outcast said:

When "Smart mode" is used, do the pre-defined rules used in "Automatic mode" still apply? The documentation makes it sound like "Smart mode" is very relaxed and not very protective.

Technically speaking, "SMART" mode employs more restrictive rules than "Automatic" mode.

The demonstrated fact is it would be a rare occurrence that one would see a HIPS detection in "SMART" mode that would not have triggered in "Automatic" mode. In reality, the HIPS default rules are conditioned by other Eset protection settings such as ransomware protection. 

59 minutes ago, Outcast said:

If they're internal (i.e. hidden from the UI), what are these rules, exactly? It would be nice to know what they are, since knowing might help me decide if this mode is adequate for my purposes.

I and others have asked this previously to no avail.

OK, so I guess I'll never really know the full difference between "Automatic mode" and "Smart mode".

I've been using "Smart mode", and just got the first alert that I've been around to witness. I'd never seen the alert before and was scrutinizing it, making sure to configure the new rule as needed.

But after a short period of time, the alert simply disappeared. There was nothing in the log, no new rule created--nothing.

Is it possible to configure how long these alerts remain on screen? It's really frustrating for them to disappear while actively reviewing them.

...Or could the alert have disappeared for some other reason? Maybe while the alert was on-screen, NOD32 checked the source application's reputation online, and decided that it was trusted, so the alert no longer applied?

Moreover, how is it possible for a HIPS alert to appear, but for NOTHING to appear in the HIPS event log afterward?

1 hour ago, Outcast said:

But after a short period of time, the alert simply disappeared.

If the alert is not responded to prior to it timing out, the action will be allowed. This is the only HIPS I have used that has a default allow action.

1 hour ago, Outcast said:

Moreover, how is it possible for a HIPS alert to appear, but for NOTHING to appear in the HIPS event log afterward?

By default, allow HIPS activity is not logged. If you create user HIPS allow rules, you need to set the Logging severity to "Warning." I personally use this level for all my user-created rules.

1 hour ago, Outcast said:

Is it possible to configure how long these alerts remain on screen? It's really frustrating for them to disappear while actively reviewing them.

You have no control over how long an Eset alert appears. However, you can control how long Eset message boxes appear. See the screenshot below.

[Screenshot: Eset_Messages.png]

I have my message box set to never automatically delete the message, i.e. manual deletion is required. This was done so that if one of my HIPS ask rules triggers and is allowed due to no response prior to the HIPS timeout period, I can review the displayed message boxes for HIPS activity.

Note: Use of Eset HIPS requires "trial and error" testing to fully understand how it operates.

Edited by itman
One other point about Eset HIPS you should be aware of.

There are default HIPS rules that can override user-created HIPS rules. It appears Eset did so to prevent a user from borking critical Windows system operations.

Edited by itman
Under "Advanced setup" > "Log files", my "Minimum verbosity" setting was and is set to "Informative".

I had and still have "Close message boxes automatically" disabled. I have no clue how I can review the message that was displayed.

My goodness, I was present when the alert appeared, and I simply did not have time to review the alert and formulate a response to it.

This is a completely unacceptable design. I am saying this as a person who works with monitoring and alerting for a living. My users would be continually aggravated if I alerted them and then deleted the alerts before they could respond.

I understand the need to balance convenience with alerting functionality, but this alert only appeared because I configured the product to alert me. I didn't configure the product to alert me but give me only 60 seconds to evaluate the alert, understand its configuration, and respond to it.

Thank you very much for the replies.

8 minutes ago, Outcast said:

My goodness, I was present when the alert appeared, and I simply did not have time to review the alert and formulate a response to it.

Correction: you have (limited) control over how long Eset desktop alerts appear, per the setting below:

[Screenshot: Eset_Desktop.png]

Edited by itman
1 minute ago, Outcast said:

This wasn't a desktop notification though, so I don't see why those settings would apply.

Eset HIPS user rule alerts are always desktop notifications. So is any default rule alert that would require user action.

Default rules that are auto blocked in Smart mode I believe show as message alerts.

Alerts are not notifications. Alert means "action may be required", and notification means "just letting you know". I have no clue why they would be lumped together. But whatever.

The maximum value allowed for the "Duration" of desktop notifications is 30 seconds. That's how much time a user has to review and configure HIPS alerts? Ridiculous.

As time goes by, you're going to find a lot more about the HIPS you don't like.

Bottom line - Eset created its HIPS for self-protection purposes. This is fairly obvious from the lack of features and ease of use associated with third party HIPS software in the past. As far as Eset changing anything in the HIPS on this regard, forget it. I have been using Eset for 7 years and the HIPS feature-wise is essentially the same. BTW - the HIPS doesn't even support wildcards in file name paths. To sum things up, you take the HIPS as is.

I found a way to reproduce the HIPS alert. The alert remains for 60 seconds. I have the aforementioned notification duration for desktop notifications set to 30 seconds. It seems that that setting doesn't directly impact how long the alert remains on screen.

I ran out of time to edit that post. ESET loves its timeouts! Act fast!

As far as support for the HIPS feature in general, I imagine that ESET knows most users don't want to continually babysit such a thing. Many years ago I wasted hours and hours of my time configuring HIPS software, and it's a losing battle and IMO largely a waste of time.

Thanks again.

Edited by Outcast
18 minutes ago, Outcast said:

The alert remains for 60 seconds. I have the aforementioned notification duration for desktop notifications set to 30 seconds. It seems that that setting doesn't directly impact how long the alert remains on screen.

That sounds about right. As I recall, the alert shows for more than 30 secs. I also believe this is the time to initially respond to the alert. Once responded to, you will have as much time as required to configure a HIPS rule from the available rule options shown.

Edited by itman