
Archived

This topic is now archived and is closed to further replies.

orangenbaumblatt

Hips Smart Mode Suspicious Actions


Hello,

 

I am very excited to see that the HIPS got a new mode called "Smart Mode". I also heard that it's placed between automatic and inactive mode, and that it asks on suspicious actions. But what exactly are these suspicious actions ESET will notify about?

 

Thank you very much for your help!


Trying out smart mode now. Did not notice that addition. Wow, I'm slow. :P


Smart mode should be interactive mode with the user's interactions reduced to the bare minimum. Currently it works more or less the same way as automatic mode, but this will be continually improved by module updates.


Thank you, Arakasi and Marcos, for your answers!

It's nice to hear that it will be continually updated. But is there a kind of "list" of what actions are considered suspicious (e.g. loading a driver from AppData, ...)?


OK, good to know this.

 

But another question: Will this Smart Mode be the default mode in ESET v8 products or not?

 

And what about something like this "rule"?
"If a program is registered to autorun (in registry, autorun folder or the autorun.inf of removable devices etc.) and it is completely unknown (= 0 users used it) in ESET LiveGrid (so that it can't be confirmed that this file is secure) then ask the user whether he wants to allow this action."

 

Maybe you should also add an ESET LiveGrid option (used by X users in ESET LiveGrid or risk is low/medium/ok in ESET LiveGrid) as a factor for HIPS rules, so that a user can create rules with adherence to ESET LiveGrid.


 

And what about something like this "rule"?

"If a program is registered to autorun (in registry, autorun folder or the autorun.inf of removable devices etc.) and it is completely unknown (= 0 users used it) in ESET LiveGrid (so that it can't be confirmed that this file is secure) then ask the user whether he wants to allow this action."

 

Maybe you should also add an ESET LiveGrid option (used by X users in ESET LiveGrid or risk is low/medium/ok in ESET LiveGrid) as a factor for HIPS rules, so that a user can create rules with adherence to ESET LiveGrid.

FYI I gave a similar suggestion here but only for on-execution: https://forum.eset.com/topic/51-future-changes-to-eset-smart-security/?p=17761

 

Though my idea is NOT meant as a reputation function / x amount of users, as they can "flag" perfectly safe files based on how many have that particular file. Which causes unnecessary notifications for the user. Even if only 1 user has a file it can be perfectly safe, so there would be no need to flag it only because of that.

 

ESET have said several times in the past that they do not want to go down the file reputation route because of the FPs it can cause.


@SweX

Yes, your suggestion is similar. But my idea is "connected" to a suspicious activity (autorun). And this is why I said it should be using LiveGrid to find out if the file is known.

 

And I agree that you shouldn't flag a file only because it has too few users. I want to know if a file is known, and it is known if 1 user uses it...

So I want the same, but in this suggestion it's not only executing an unknown file that is potentially dangerous; I "connect" it to a suspicious activity to reduce even more the number of messages/questions the user will see.

 

But the second part is more general:

 

Maybe you should also add an ESET LiveGrid option (used by X users in ESET LiveGrid or risk is low/medium/ok in ESET LiveGrid) as a factor for HIPS rules, so that a user can create rules with adherence to ESET LiveGrid.

I would like it if the user also had the ability to "work" with the data from ESET LiveGrid in self-defined rules. So if a user would like to be asked for an action of every process with less than 50 users, then he would be able to add this rule. But if he is such an advanced user who can add this rule (and if he knows what he does), then he surely can also deal with these FPs.

 

But maybe I have to change this suggestion a bit and generalize it much more, because there are of course more parts with rules than just HIPS:

Maybe you should also add an ESET LiveGrid option (

  • used by X users in ESET LiveGrid or
  • risk is low/medium/ok in ESET LiveGrid
  • or file is known (1 or more user(s) is/are using it) / file is unknown (0 users are using it)

) as a factor for HIPS/firewall/... rules, so that a user can create rules with adherence to ESET LiveGrid.

 

If this could be implemented, ESET LiveGrid would get much more powerful for advanced users that want to create rules with ESET LiveGrid statistics.


Hello,

thanks for your answers!

I also think that rugk's idea could be very useful for advanced users. I really hope it'll be implemented.


I also think that rugk's idea could be very useful for advanced users. I really hope it'll be implemented.

Thanks. I hope the same. :)
