Mark Snell 0 Posted August 16, 2013

We have deployed EEA 5.0.2214 across our estate of about 500 XP SP3 clients - default settings for HIPS (enabled, automatic mode with rules) but no rules defined. I have just switched on "Log all blocked operations" in client policy and I am seeing quite a lot of activity in the HIPS logs - 4000 so far today, mainly Self Defense blocking registry deletes by Services.exe... Is this normal? We use SCCM to deploy software and updates to clients; could HIPS / Self Defense be interfering with the normal registry cleanup process?

Any advice appreciated, thanks.

Mark
Administrators Marcos 4,714 Posted August 16, 2013

Without knowing details about the block it's impossible to tell if it was malicious or legit operations that were blocked. Posting a couple of records from the HIPS log might shed more light. Also note that logging of blocked operations should only be enabled for the time of debugging a certain issue; otherwise the HIPS log may continue to grow quickly until the disk space is exhausted.
ESET Moderators Peter Randziak 948 Posted August 16, 2013

Hello Mark,

"Log all blocked operations" should be enabled only during troubleshooting of issues. I highly recommend disabling it in order to prevent the HIPS log from growing rapidly.

Self-defense is used to protect crucial parts of the AV, so I don't think that any process should be trying to delete anything protected by it. Could you please paste here the appropriate lines from the log?
Guest Mark Snell Posted August 16, 2013

Thanks for the responses, guys. Here's a sample from the HIPS logs - we're getting loads of these:

Column Name: Value
HIPS Id: HIPS 4499
Client Name: Pc9999
Computer Name: Pc9999
MAC Address: xxxxxxxxxxxx
Primary Server: Eddc-eset
Date Received: 2013-08-16 13:20:30
Date Occurred: 2013-08-16 13:18:33
Level: Normal
Application: C:\WINDOWS\system32\services.exe
Operation: Delete from registry
Target: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_EPFWTDIR\0000\LogConf\OverrideConfig
Action: blocked
Rule: SelfDefense: Registry with full protection
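With thousands of blocked-operation records a day, the useful first step is to group them by application, operation, rule and a normalized target, so that the one pattern discussed in this thread (services.exe deleting under the LEGACY_* driver enumeration keys, which varies only by ControlSet number and device instance id across machines) collapses into a single line and anything that does not fit it rises to the top. The script below is an added example written for this thread, not ESET code and not part of the original post: it parses records in the "Name: Value" layout shown above (the sample records are constructed; the second and third are invented to give the grouping something to separate), counts the distinct patterns, and puts records that do not match the thread's services.exe pattern into a review queue. The system32 path check is only a triage ordering hint, not proof that an operation is legitimate.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample export: the first record mirrors the one posted above,
# the other two are invented (a second machine with a different ControlSet
# and instance id, and an unknown temp-folder binary touching ekrn.exe).
SAMPLE_EXPORT = r"""
HIPS Id: HIPS 4499
Client Name: Pc9999
Date Occurred: 2013-08-16 13:18:33
Application: C:\WINDOWS\system32\services.exe
Operation: Delete from registry
Target: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_EPFWTDIR\0000\LogConf\OverrideConfig
Action: blocked
Rule: SelfDefense: Registry with full protection

HIPS Id: HIPS 4500
Client Name: Pc0001
Date Occurred: 2013-08-16 13:19:02
Application: C:\Windows\system32\services.exe
Operation: Delete from registry
Target: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_EPFWTDIR\0001\LogConf\OverrideConfig
Action: blocked
Rule: SelfDefense: Registry with full protection

HIPS Id: HIPS 4501
Client Name: Pc0002
Date Occurred: 2013-08-16 13:21:10
Application: C:\Users\someone\AppData\Local\Temp\setup_tmp.exe
Operation: Modify file
Target: C:\Program Files\ESET\ESET Endpoint Antivirus\ekrn.exe
Action: blocked
Rule: SelfDefense: Files with full protection
"""

Record = Dict[str, str]
GroupKey = Tuple[str, str, str, str]


def parse_records(text: str) -> List[Record]:
    """Parse blank-line separated blocks of 'Name: Value' lines into dicts.
    The value may itself contain ': ' (e.g. 'SelfDefense: Registry ...'),
    so only the first separator is used."""
    records: List[Record] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec: Record = {}
        for line in block.splitlines():
            if ": " not in line:
                continue
            key, value = line.split(": ", 1)
            rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records


_CONTROLSET = re.compile(r"\\ControlSet\d{3}\\", re.IGNORECASE)
_INSTANCE = re.compile(r"\\\d{4}\\")


def normalize_target(target: str) -> str:
    """Collapse per-machine variation so identical operations group together:
    ControlSet001/002 -> ControlSet*, device instance ids \\0000\\ -> \\NNNN\\."""
    target = _CONTROLSET.sub(r"\\ControlSet*\\", target)
    return _INSTANCE.sub(r"\\NNNN\\", target)


def summarize(records: List[Record]) -> Counter:
    """Count records by (application, operation, rule, normalized target)."""
    counts: Counter = Counter()
    for r in records:
        key: GroupKey = (r.get("Application", "").lower(), r.get("Operation", ""),
                         r.get("Rule", ""), normalize_target(r.get("Target", "")))
        counts[key] += 1
    return counts


def matches_thread_pattern(record: Record) -> bool:
    """True for the pattern discussed in the thread: a system32 binary blocked by
    the registry self-defense rule under Enum\\Root\\LEGACY_*. A path under
    system32 is a triage ordering hint only, not proof of legitimacy."""
    app = record.get("Application", "").lower()
    rule = record.get("Rule", "")
    target = record.get("Target", "").upper()
    return (app.startswith("c:\\windows\\system32\\")
            and rule.startswith("SelfDefense: Registry")
            and "\\ENUM\\ROOT\\LEGACY_" in target)


def review_queue(records: List[Record]) -> List[Record]:
    """Records that do not fit the known pattern and deserve a human look."""
    return [r for r in records if not matches_thread_pattern(r)]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_EXPORT)
    for key, n in summarize(recs).most_common():
        print(f"{n:5d}  {key[0]} | {key[1]} | {key[2]} | {key[3]}")
    for r in review_queue(recs):
        print("REVIEW:", r.get("HIPS Id"), r.get("Client Name"), r.get("Application"))
```

Run it against a "Name: Value" export of the HIPS log (one blank line between records) and the most_common() listing shows how much of the volume is a single repeated pattern versus distinct events; only the review queue needs to be read record by record.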
Administrators Marcos 4,714 Posted August 16, 2013

It's probably a legit action of the operating system; however, to date we have not heard of any issues caused by the block.