
Ver. 9 HIPS Bugs



Under ver. 8 .319, I set HIPS to Smart mode and created my own rules.

 

Since I installed ver. 9, I am getting HIPS alerts for actions that already have existing rules. I suspect it may be related to when multiple program source application entries exist for a single target program.  Or Smart mode no longer works like it did under ver. 8 with user rules added?


  • ESET Staff

Hi @itman,

 

Perhaps the HIPS is a new system and (guessing here) if you install v9 over v8 the rules taken work differently...

So, I suggest you make a clean uninstall and install again the version 9.

 

I'm not in favor of making HIPS rules, but it's your call there.


No way I am doing a clean install and have to recreate all my firewall and HIPS rules from scratch. I would go back to ver. 8 first.

So far, no more HIPS alerts so I am hoping these initial ones were a fluke.


Ok. :)

 

But the "Export" configuration isn't saving all the rules?

I don't think a reinstall would help. Later yesterday, the HIPS was creating duplicate/multiple rules for the same process and activity. If it doesn't settle down today, I am going back to ver. 8. I really hate the ver. 9 interface anyway. Like others have said, modification of rules and the like in this version appears to have been made intentionally hidden and difficult. I really don't need that kind of grief and aggravation in a security product.

I found the problem and it's pretty ugly. Also proves to me Eset hasn't thoroughly tested this version.

 

Under ver. 8, allow rules executed before blocked rules. I don't know if that was because the rules were arranged in alphabetical order and executed top to bottom, etc. In version 9, blocked rules appear interspersed with allow rules in what appears to be some random order?

 

This issue coupled with SSL protocol scanning not working properly is the last straw for me. I will be restoring the image I took prior to ver. 9 install and plan on staying on that ver. until Eset gets their act together with the ver. 9 release. I also don't appreciate wasting my time on an untested product!

 


Update - I have decided to "play" with ver. 9 since I had already installed it. Exported my old settings for reference. Uninstalled the ver. 9 over ver. 8 install and reinstalled ver. 9 fresh.

 

Presently running HIPS in learning mode and will switch to interactive mode in a few days. Then I will see if I can try to incorporate some of my old custom rules. Doubt that will be possible since it appears that all rules are added at the bottom of existing rules ignoring their allow or block status. A real bummer for me since I had some real tight rules in ver. 9.

 

Also this "fresh" install did nothing to correct the SSL protocol scanning issues I mentioned in another post.


I have been running ver. 9 HIPS in learning mode for two days. Thought I would do that and then switch to interactive mode after a while since I can no longer create meaningful custom rules with this version.

 

Guess what? In learning mode, the HIPS has started creating duplicate rules! And yes, I did verify that they were indeed duplicates. So eventually switching to interactive mode after the learning period is worthless since I will be getting constant alerts for processes that were already defined.

 

So it is obvious no one at Eset has ever tested all the features of the HIPS prior to this release.


If you edit 2 rules that appear identical and click Next -> Next, are the settings actually same on all screens?

Yes, I stated that previously. Can't give you screen shots since I no longer have ver. 9 installed.

 

Someone on Wilder's stated the same behavior also exists on ver. 8 where dup. rules were created in learning mode. I never ran learning mode on ver. 8 so can't vouch for that.

 

Of much greater concern to me is the rules behavior change where all allow rules no longer precede all block rules.  


Actually there is a simple solution to the rule ordering issue in ver. 9.

 

Modify the HIPS GUI to allow rules to be positioned manually by the user. Most HIPS's past and present have this feature. Also add the same feature to the firewall.
