
HIPS Feature Needs A Diagnostic Checker



For some time I have felt that the HIPS module was not working properly.

Examples were that I would only once in a blue moon see eplghooks.dll injected into explorer.exe, iexplore.exe, etc. Also, no injection was ever occurring after a cold boot. A while back, I enabled startup checking in the advanced HIPS settings and never received any alerts or log event entries from it. There was no indication from Eset that any issues existed with the HIPS.

Yesterday, I reset the HIPS setting to "Smart" mode and rebooted. I had done this previously without issue. However, this time it caused my PC to go into WIN 7 startup recovery mode. It turns out something had corrupted the WIN 7 spldr.sys driver file, the security loader driver. It is fair to assume it was Eset. Also, mysteriously, Eset HIPS was reset to "Automatic" mode. Additionally, I finally started seeing alerts and log entries from startup entries initiating. Finally, the best part was that I did see eplghooks.dll being injected after today's cold boot.

Bottom line: the system crash appears to have reset Eset HIPS, and everything appears to be working properly. I am presently very leery of resetting the HIPS to "Smart" mode again.

What is sorely needed is some diagnostics to ensure the HIPS is working properly, and also a way to reset it to the initial install default mode. The current reset-to-default-settings option does not do this.

-EDIT- Also, as far as I am concerned and through testing, Eset's behavior blocker is not protecting the standalone (non-plug-in) versions of Adobe Reader, all MS Office 2010 apps (Word, Excel, etc.), or Thunderbird e-mail. None of these were injected by eplghooks.dll upon start-up. So Eset's claims of protection must only cover the browser plug-in versions of the same. Interestingly, it did inject notepad.exe on start-up.

Edited by itman

It would be helpful if Eset posted that the exploit blocker and advanced memory protection are not effective until the first cold boot the day after installation, i.e. when the registry is fully available and updated.

Also, there is a major conflict when running EMET together with Eset's exploit blocker. The problem is not readily apparent, in that both run fine. However, my testing shows that EMET will override all activity by Eset's exploit blocker. My testing shows that Eset's exploit blocker is far superior in coverage to that of EMET in the apps that Eset's behavior blocker covers. Eset's BB passes all the SurfRight HMPA exploit tests on WIN 7 x64 SP1. :) It would be helpful, however, if at least a HIPS log entry were generated when an exploit is blocked.

Finally, it would also be nice to know what loads eplghooks.dll, since it appears this has nothing to do with the exploit-blocking protection. Is it the advanced heuristics feature of real-time scanning? I currently have that turned off and see that eplghooks.dll is not injected into any processes.

Edited by itman
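Both posts above judge whether the HIPS is hooking an application by spot-checking for eplghooks.dll in its module list. As an added example (not from the original posts and not ESET's own tooling), the following PowerShell snippet performs that check across a set of processes in one pass and reports per process whether the module is loaded, so the result can be recorded after a cold boot and compared with a later run. The process-name list and the function name are assumptions based on the applications the posts mention; run it from an elevated 64-bit PowerShell, because the module lists of 64-bit processes and of processes in other sessions cannot be read otherwise.

```powershell
# Added example (not ESET code): report which running processes have a
# given DLL loaded. Run from an elevated 64-bit PowerShell so the module
# lists of 64-bit and other-session processes can be read.

function Get-HookedProcessReport {
    param(
        # Module to look for; eplghooks.dll is the DLL named in the posts above.
        [string]$ModuleName = 'eplghooks.dll',

        # Assumed list of process names, based on the apps the posts mention.
        [string[]]$ProcessNames = @('explorer', 'iexplore', 'AcroRd32', 'WINWORD',
                                     'EXCEL', 'thunderbird', 'notepad')
    )

    foreach ($name in $ProcessNames) {
        $procs = Get-Process -Name $name -ErrorAction SilentlyContinue
        if (-not $procs) {
            # Nothing to inspect; say so explicitly rather than silently skipping.
            [pscustomobject]@{ Process = $name; PID = $null; Hooked = 'not running'; ModulePath = $null }
            continue
        }
        foreach ($p in $procs) {
            try {
                # .Modules throws when the process cannot be opened (protected process,
                # different bitness, insufficient rights), so treat that as "unknown",
                # not as "no hook".
                $loaded = $p.Modules | Where-Object { $_.ModuleName -ieq $ModuleName }
                if ($loaded) {
                    $state = 'yes'
                    $path  = ($loaded | Select-Object -First 1).FileName
                } else {
                    $state = 'no'
                    $path  = $null
                }
            } catch {
                $state = "unknown ($($_.Exception.Message))"
                $path  = $null
            }
            [pscustomobject]@{ Process = $name; PID = $p.Id; Hooked = $state; ModulePath = $path }
        }
    }
}

Get-HookedProcessReport | Format-Table -AutoSize
```

A row reading "unknown" means the shell could not open that process, not that the hook is absent; re-run elevated before drawing a conclusion. Capturing the output once right after a cold boot and again after the next day's reboot gives a simple before/after record for the behaviour the second post describes.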
