HIPS learning mode question

[cutting_edgetech 25]

If I run my computer for a while in learning mode for the HIPS then which mode should I switch to after I'm done using learning mode? I think it should have learned my computer pretty well during the time I used learning mode. I made sure to run all my software, and perform all the task I normally do on my computer. I tried interactive mode, but it prompted me so much I could not even use my computer. Should I switch to policy based mode instead? What I want to do is allow all the actions that were learned during the period I used learning mode, and prompt me for the rest.

Edited March 8, 2015 by cutting_edgetech

[cutting_edgetech 25]

Is there a mode that will prompt me for an action for anything not learned during learning mode without automatically blocking it?

Edited March 9, 2015 by Marcos
Apologize for deleting a part of your post accidentally, it was not intentional

[Marcos 5,259]

Interactive mode. However, as you mentioned you will get many prompts for an action. I, for one, use Smart mode and create just one rule for applications that asks me before a new application is run. When I get prompted for an action, I see cloud data that helps me decide whether to permit the action and create a rule for it so that I'm not asked again or simply block it if it is unknown to me or seems to be dodgy.

[cutting_edgetech 25]

I'm not sure I know how to create a rule for Smart Mode. I will have to take a look at it. Yes, policy mode needs cloud white listing used with it like some other HIPS do to make it usable. Eset should really considering giving the option to use whitelisting with interactive mode. They could also give the option to allow by signed certificate to further cut down on prompts. I tried policy based mode, but for some reason ESS kept blocking my other security applications during boot time. I ran ESS in learning mode when booting, but it continued to block AppGuard, and Malwarebytes-AntiExploit from loading at boot. I checked the logs, and the HIPS was blocking all kinds of different processes at boot. Also some applications like Tor Browser bundle would be blocked no matter how many times I ran them while in learning mode. I was really hoping I could use policy mode, but it did not work for me for two reasons. First it automatically blocked everything without giving me an option to allow anything; second learning mode was unable to learn some applications so they would fail no matter how many times I ran them while in learning mode. Learning mode was just unable to whitelist what was needed to allow the applications to run.

 

I ran ESS HIPS against Comodo leak test, and it did pretty good. I tested in interactive mode, and policy based mode. I got the same results each time. It scored 300 out of 340 points. It failed the following test:ChangeDrvPath, SetWinEventHook, SetWindowsHookEx, and KnownDlls. Maybe Eset will want to further developer their HIPS. I think the most important thing is to make it more usable first though by incorporating cloud whitelisting with the HIPS. 
 

[surfer1000 6]

I've just tried the comodo leak test and scored 200/340!..why the difference ? Everything is switched on in my ESS

[itman 1,746]

I've just tried the comodo leak test and scored 200/340!..why the difference ? Everything is switched on in my ESS

Perhaps because you have Eset's firewall setting set to default; allow all outbound traffic? Switch it to interactive mode and rerun Comodo's leak tests.

 

Also, Comodo's leak tests are test for the firewall primarily with a few HIPS thrown in for good measure.

[surfer1000 6]

Hi, well I changed those settings and It only improved my score to 230!.....At one setting it froze my usb ports out so had to uninstall in safe mode. The firewall or Hips was asking permission to run services at the time!

[Marcos 5,259]

Let's test it with actual malware, not with some artificial test tool for testing behavior blocking as such. ESET doesn't use approach that might trigger false positives, however, ESET is indeed excellent when it comes to detection of actual malware.