Jump to content

HIPS - should I be worried?


Mark Snell
 Share

Recommended Posts

We have deployed EEA 5.0.2214 across our estate of about 500 XP SP3 clients - default settings for HIPS (enabled, automatic mode with rules) but no rules defined.

I have just switched on "Log all blocked operations" in client policy and I am seeing quite a lot of activity in the HIPS logs - 4000 so far today, mainly Self Defense blocking registry deletes by Services.exe...

Is this normal?

We use SCCM to deploy software and updates to clients, could HIPS / Self defense be interfering with the normal registry cleanup process?

Any advice appreciated, thanks

Mark

Link to comment
Share on other sites

  • Administrators

Without knowing details about the block it's impossible to tell if it was malicious or legit operations that were blocked. Posting a couple of records from the HIPS log might shed more light. Also note that logging of blocked operations should only be enabled for the time of debugging certain issue, otherwise the HIPS log may continue to grow up quickly until the disk space is exhausted.

Link to comment
Share on other sites

  • ESET Moderators

Hello Mark,

 

"Log all blocked operations" should be enabled only during troubleshooting issues.

I highly recommend to disable it in order to prevent HIPS from rapid growth.

 

Self-defense is used to protect crucial parts of the AV so I don't think that any process should be trying to delete anything protected by it.

 

Could you please paste here appropriate lines from the log?

Link to comment
Share on other sites

Guest Mark Snell

Thanks for responses guys. Here's a sample from the HIPS logs - we're getting loads of these:

 

Column Name Value
HIPS Id HIPS 4499
Client Name Pc9999

Computer Name Pc9999

MAC Address xxxxxxxxxxxx

Primary Server Eddc-eset
Date Received 2013-08-16 13:20:30
Date Occurred 2013-08-16 13:18:33
Level Normal
Application C:\WINDOWS\system32\services.exe
Operation Delete from registry
Target HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_EPFWTDIR\0000\LogConf\OverrideConfig
Action blocked
Rule SelfDefense: Registry with full protection
 

Link to comment
Share on other sites

  • Administrators

It's probably a legit action of the operating system, however, to date we have not heard of any issues caused by the block.

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...