Can ESET 10 block ransomware and recent variants (MBR) with the HIPS?



Hi,

Can ESET 10 block ransomware and recent MBR variants with the HIPS?

In short, is there a better HIPS in v10 that can prevent MBR infection?

And is there another program to use alongside ESET to block ransomware and recent variants?



There is no AV product from any vendor that can detect 100% of any type of virus/malware/ransomware.

Using ESET and common sense is a good combination :)



I would say that ESET's HIPS can protect you, but for sure not on default settings. You can set a rule to protect the MBR, and after all, the best way is to enable learning mode for 1-2 weeks and then switch to interactive mode or even policy-based mode. This will provide a high level of protection.


There is no AV product from any vendor that can detect 100% of any type of virus/malware/ransomware.

Using ESET and common sense is a good combination :)

So, the short answer is NO.


 


 

Hi,

I cannot find how to protect the MBR; where is the option?

Thanks


You can create an "ask" HIPS rule to monitor low-level disk access on the drive where your OS is installed.

Warning: this will cause issues with some OS processes such as shadow volume copy, defrag, etc., and the rule will have to be monitored closely. One possible workaround is to also create an identical "allow" HIPS rule to allow low-level disk access for all .exe files in C:\Windows\System32\*.*. I would also disable the "ask" rule when doing any Win 10 release upgrades.


 


 

Hi,

Do you mean direct access to the disk?

Thanks


I reckon there's no such option, as monitoring write attempts would cause unacceptable resource overhead.
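If the HIPS cannot cheaply intercept writes to sector 0, the practical fallback is to detect an overwrite after the fact: snapshot the MBR once on a known-clean system and compare on every boot or on a schedule. The script below is an added example for this thread, not ESET code and not something any poster supplied. It reads the first 512 bytes of a disk, checks the 0x55AA boot signature, parses the four partition entries, and hashes the 446-byte boot-code region (the part an MBR locker replaces) against a stored baseline. Assumptions: the Windows raw device path \\.\PhysicalDrive0 (which needs an elevated prompt), /dev/sda on Linux, and a constructed sample MBR for the demonstration; the baseline file name mbr_baseline.json is arbitrary.

```python
# Added example (not from the thread, not ESET code): baseline-and-compare
# check of the MBR. Assumes the Windows raw device \\.\PhysicalDrive0 (run
# from an elevated prompt) or /dev/sda on Linux; the sample MBR built by
# make_sample_mbr() is constructed for the demonstration only.
import hashlib
import json
import struct
import sys
from dataclasses import dataclass

MBR_SIZE = 512
BOOT_CODE_LEN = 446        # bytes 0..445: bootstrap code, the region bootkits overwrite
PART_TABLE_OFF = 446       # four 16-byte partition entries follow the boot code
SIGNATURE = b"\x55\xAA"    # bytes 510..511


@dataclass
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def parse_mbr(mbr: bytes) -> list:
    """Validate the boot signature and return the non-empty partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature (wiped, or not an MBR disk)")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, type_id = mbr[off], mbr[off + 4]
        lba_start, sectors = struct.unpack_from("<II", mbr, off + 8)
        if type_id != 0:
            parts.append(Partition(status == 0x80, type_id, lba_start, sectors))
    return parts


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the boot-code region only; partition-table edits do not change it."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_against_baseline(mbr: bytes, baseline_hash: str) -> dict:
    parts = parse_mbr(mbr)          # raises if the signature is gone
    digest = boot_code_hash(mbr)
    return {"boot_code_sha256": digest,
            "tampered": digest != baseline_hash,
            "partitions": parts}


def read_mbr(device_path: str) -> bytes:
    """Read sector 0 of a raw device (unbuffered so exactly 512 bytes are requested)."""
    with open(device_path, "rb", buffering=0) as f:
        return f.read(MBR_SIZE)


def make_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: one bootable NTFS (0x07) partition at LBA 2048, 1 GiB."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 2097152)
    return code + entry + b"\x00" * 48 + SIGNATURE


if __name__ == "__main__":
    # usage: python mbr_check.py [device] [baseline.json]
    # first run writes the baseline; later runs compare against it
    device = sys.argv[1] if len(sys.argv) > 1 else r"\\.\PhysicalDrive0"
    baseline_file = sys.argv[2] if len(sys.argv) > 2 else "mbr_baseline.json"
    mbr = read_mbr(device)
    try:
        with open(baseline_file) as f:
            baseline = json.load(f)["boot_code_sha256"]
    except FileNotFoundError:
        with open(baseline_file, "w") as f:
            json.dump({"boot_code_sha256": boot_code_hash(mbr)}, f)
        print("baseline written to", baseline_file)
        sys.exit(0)
    verdict = check_against_baseline(mbr, baseline)
    print("TAMPERED" if verdict["tampered"] else "unchanged", verdict["boot_code_sha256"])
```

Take the baseline right after a clean install, store it off the machine, and treat a missing signature as seriously as a changed hash: a locker that wipes sector 0 rather than replacing it fails the signature check before the hash is even compared. This only detects; it does not prevent the overwrite, so it complements backups rather than replacing them.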

 

 

 


I've found HIPS settings posted by a user; it includes MBR protection (that's what his post says): https://malwaretips.com/threads/petrovic-config.20748/#post-150572

Are these settings good?


Yes. Those settings were copied from a security configuration guide for an earlier version of ESET, version 6 I believe, that is also posted on the malwaretips.com web site. Many of the rules in the guide now exist as default HIPS rules, such as the monitoring of the registry "run" keys.

As I warned previously, any monitoring of direct drive access by the HIPS will cause issues with some existing Windows processes. The one most affected is shadow volume copying, since it runs in the background. As such, you may not be present to respond to any alert, with the result being a borked system backup. So use of this type of HIPS monitoring is at the user's risk.

I also have yet to try such monitoring in Win 10. I also use Emsisoft Anti-Malware, and its behavior blocker does monitor for direct/low-level disk access.

Edited by itman

 


 

Is it possible to add custom rules in the HIPS settings to improve ransomware protection? Or maybe Smart mode is enough? I'm asking because I've seen a YouTube video where a user was testing ESET 10 Beta on default settings and it didn't protect the OS from a zero-day ransomware sample.


 

 


 

That YouTube video won't be unique to just ESET products...

NO security product from any vendor can give 100% protection against zero-day ransomware or other types of virus/malware.

Like I said before, common sense is your best defence. Stay clear of sites offering pirated software, music and the like, and always be skeptical of any attachments received in an email from anyone (including family).

You can always add custom rules to the HIPS, but you could also render your system unusable by causing problems with Windows system files being denied access to the files they need in the process.


Is it possible to add custom rules in the HIPS settings to improve ransomware protection? Or maybe Smart mode is enough? I'm asking because I've seen a YouTube video where a user was testing ESET 10 Beta on default settings and it didn't protect the OS from a zero-day ransomware sample.

Below is a .pdf link to an ESET tech paper produced by their Romanian distributor, I believe.

hxxp://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=6&ved=0ahUKEwjy4Of4t9DPAhUFWD4KHeQlBM8QFghdMAU&url=hxxp://www.nod32.com.hr/Portals/66/PDF/anti-ransomware-techbrief_en.pdf&usg=AFQjCNHN_-B-UcNEaldEAOXbtRNbA78xNg

The article was written for ESET Endpoint, but you can "glean enough" details to create corresponding rules for the Smart Security HIPS and firewall. Basically, the rules are to block script and PowerShell execution or dialing out. I would also make the HIPS rules "ask" versus "block" so that you don't auto-block some necessary app or system process that uses cscript, wscript, or PowerShell. I personally have never received alerts from any of these processes.

Note that there is a separate rule for explorer.exe in the monitored processes. That is due to the way explorer.exe can be launched as a hidden process, e.g. by RegCleaner, SpywareBlaster, etc.

It is also possible that default HIPS rules like these have been created in ver. 10, since ESET states it now has script protection. Comment on this, Marcos?

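Two rule sets have now been described in this thread: the "allow" rule for System32 executables doing low-level disk access placed alongside an "ask" rule for everything else touching the OS disk, and the "ask" rules for script hosts (wscript, cscript, PowerShell) starting or dialing out. Neither post shows how the rules interact, so here is an added example, written for this page and not taken from ESET, the linked tech paper, or any poster. It is a toy first-match evaluator over constructed events: it shows why the "allow" rule must sit above the "ask" rule (otherwise vssvc.exe gets prompted exactly as warned), why the image path should be normalized before a glob like C:\Windows\System32\*.exe is applied (System32\..\Temp\evil.exe would otherwise match), and how the script-host rules fire on both process start and outbound connection. First-match ordering, path normalization, and the allow-by-default fall-through are assumptions of this model; the thread does not establish how ESET's engine orders or normalizes anything, and the event format and the paths in the sample are constructed.

```python
# Added example (not from the thread, not ESET's rule format or engine): a toy
# first-match evaluator for the allow/ask disk-access pair and the script-host
# "ask" rules discussed above. Ordering, normalization and the allow-by-default
# fall-through are assumptions of this model only.
import fnmatch
import ntpath
from dataclasses import dataclass


@dataclass
class Event:
    op: str             # "disk_access" | "process_start" | "net_connect"
    image: str          # acting process (for process_start: the parent)
    target: str = ""    # device path, child image, or remote host:port


@dataclass
class Rule:
    name: str
    ops: frozenset
    image_glob: str
    target_glob: str = "*"
    action: str = "ask"     # "allow" | "ask" | "block"

    def matches(self, ev: Event) -> bool:
        # normalize so "System32\..\Temp\x.exe" is judged as "Temp\x.exe";
        # a purely textual glob would let it pass as a System32 binary
        image = ntpath.normpath(ev.image).lower()
        target = ev.target.lower()
        if ev.op == "process_start":
            target = ntpath.normpath(ev.target).lower()
        return (ev.op in self.ops
                and fnmatch.fnmatchcase(image, self.image_glob.lower())
                and fnmatch.fnmatchcase(target, self.target_glob.lower()))


def evaluate(rules, ev: Event, default: str = "allow"):
    """First matching rule wins; anything unmatched falls through to `default`."""
    for r in rules:
        if r.matches(ev):
            return r.action, r.name
    return default, "(no rule)"


OS_DISK = r"\\.\PhysicalDrive0"

# the allow rule must sit above the ask rule, or shadow copy / defrag get prompted
DISK_RULES = [
    Rule("allow System32 direct disk access", frozenset({"disk_access"}),
         r"C:\Windows\System32\*.exe", OS_DISK, "allow"),
    Rule("ask on any other direct disk access", frozenset({"disk_access"}),
         "*", OS_DISK, "ask"),
]

SCRIPT_RULES = []
for host in ("wscript.exe", "cscript.exe", "powershell.exe"):
    SCRIPT_RULES.append(Rule(f"ask before {host} starts", frozenset({"process_start"}),
                             "*", f"*\\{host}", "ask"))
    SCRIPT_RULES.append(Rule(f"ask before {host} dials out", frozenset({"net_connect"}),
                             f"*\\{host}", "*", "ask"))

RULES = DISK_RULES + SCRIPT_RULES


def demo():
    # constructed events, not captured from a real system
    events = [
        Event("disk_access", r"C:\Windows\System32\vssvc.exe", OS_DISK),
        Event("disk_access", r"C:\Users\bob\AppData\Local\Temp\dropper.exe", OS_DISK),
        Event("disk_access", r"C:\Windows\System32\..\Temp\evil.exe", OS_DISK),
        Event("process_start", r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe"),
        Event("net_connect", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "203.0.113.5:443"),
        Event("process_start", r"C:\Windows\explorer.exe", r"C:\Program Files\Notepad++\notepad++.exe"),
    ]
    return [(ev.op, ev.image, *evaluate(RULES, ev)) for ev in events]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Swapping the two disk rules turns the vssvc.exe verdict from "allow" into "ask", which is the background-prompt problem described earlier in the thread; that is the check worth repeating whenever a rule set is imported from a forum post rather than built by hand.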

I have not gotten anything since the famous XP install virus, but I got a ransomware a few months ago. I opened an email file that was similar to an email receipt I was waiting for. SS9 did not catch it when I opened the file. No security program is perfect.

Glad I image my drive once a month.


 


 

Thank you very much, it seems to be very helpful! 



You're right, backup is the best protection. Also, you need to be strictly careful when opening email attachments.

However, ESET can be tweaked to better protect from ransomware. This .pdf posted by @itman looks pretty nice. When English ESET 10 is released, I will definitely set these rules.

Also, a second good way is to enable learning mode for 2 weeks, use your PC as much as you can, and then set the HIPS to interactive mode. Then every prompt by the HIPS should be considered a potential danger.

Edited by adnage19

Also, a second good way is to enable learning mode for 2 weeks, use your PC as much as you can, and then set the HIPS to interactive mode. Then every prompt by the HIPS should be considered a potential danger.

 

The best way to use HIPS interactive mode is right after an OS installation. In that state, you are assured that your PC is free of any malware.

Remember that when running a HIPS in interactive mode, any activities by 0-day malware, for example, will be allowed. So it is essential that any potentially risky activities, including Internet ones, be restricted during the training period.

Finally, there were initial duplicate rule creation issues with interactive mode when ver. 9 was released. I don't know if those were ever fully resolved.
