adnage19 (posted October 18, 2016): Hi, I would like to ask how exactly the new HIPS's anti-ransomware module works?
Marcos [Administrators] (posted October 19, 2016): It monitors the behavior of running processes and asks you for an action if suspicious operations have been detected.
novice (posted October 19, 2016; edited October 19, 2016 by John Alex): Quoting Marcos: "It monitors the behavior of running processes and asks you for an action if suspicious operations have been detected." The OP did not ask for the definition of HIPS ("monitors the behavior of running processes and asks you for an action if suspicious operations have been detected"). He asked how the new HIPS's anti-ransomware module exactly works??? By the way, since I enabled HIPS in my NOD32 (2-3 years ago) I have never got any alert about "a suspicious operation being detected", and I did a lot of things....
Peter Randziak [ESET Moderators] (posted October 19, 2016): Hello, I would start my response with a joke: a woman asks a programmer how exactly programming works; he thinks for a while and says it's magic :-) The new Anti-ransomware protection is indeed based on HIPS and monitors the activity of processes and their reputation. In case it resembles behavior usual for filecoders, it takes an action and informs the user. Regards, P.R.
novice (posted October 19, 2016; edited October 19, 2016 by John Alex): Quoting Peter Randziak: "The new Anti-ransomware protection is indeed based on HIPS and monitors the activity of processes and their reputation. In case it resembles behavior usual for filecoders, it takes an action and informs the user. Regards, P.R." In theory it sounds nice! As I said, in 2-3 years on 3 different PCs I never had ANY alert generated by HIPS, and I did whatever is possible to get one: edit/delete registry keys, alter Windows files, etc. In "Smart Mode" I did not get any reaction. In "Interactive Mode" I got 100% alerts. My best guess: HIPS is not able to detect harmful behavior; either it will not detect anything (in Smart Mode) or it will detect everything (in Interactive Mode). If you know a way to trigger a HIPS alert in "Smart Mode", please share it with us.
Marcos [Administrators] (posted October 19, 2016): HIPS does not generate any alerts nor asks for an action in default automatic mode. However, users may switch to Smart mode, which is a kinda interactive mode where the user is prompted for an action only if a malware-typical operation is being attempted. Of course, that does not mean that one would be prompted before running any malicious files, as it's impossible to distinguish between innocuous and malicious files without running them and monitoring their activity. However, for some typical malicious operations where the chance of false positives is minimal you should be prompted for an action.
novice (posted October 19, 2016): Quoting Marcos: "HIPS does not generate any alerts nor asks for an action in default automatic mode. However, users may switch to Smart mode, which is a kinda interactive mode where the user is prompted for an action only if a malware-typical operation is being attempted. Of course, that does not mean that one would be prompted before running any malicious files, as it's impossible to distinguish between innocuous and malicious files without running them and monitoring their activity. However, for some typical malicious operations where the chance of false positives is minimal you should be prompted for an action." OK, I have my HIPS in Smart Mode; how can I trigger an alert? (I want to see, at least once, an alert triggered by HIPS in NOD32.)
itman (posted October 20, 2016): I turned on "log all blocked activity" in the HIPS Advanced Settings section. Below is a HIPS log screenshot for blocked Process Monitor activity when the HIPS is set to Smart mode. What hasn't been mentioned is that most of the HIPS blocking in Smart mode is done silently. Only when an unknown and untrusted process is doing modification activity will the user receive a popup alert.
Marcos [Administrators] (posted October 20, 2016): The blocks shown above actually come from Self-defense and are not caused by Smart mode. In Smart mode, you should be asked about certain suspicious actions like this: [image: ess8_hips_smart_mode.png]
itman (posted October 20, 2016): Quoting Marcos: "The blocks shown above actually come from Self-defense and are not caused by Smart mode. In Smart mode, you should be asked about certain suspicious actions like this: [image: ess8_hips_smart_mode.png]" Agreed. But if you look closely at the screenshot, the HIPS is partially blocking access to non-Eset processes, namely Winlogon and Lsass. Those might be self-defense related, but I don't see how.
Marcos [Administrators] (posted October 21, 2016): Quoting itman: "Agreed. But if you look closely at the screenshot, the HIPS is partially blocking access to non-Eset processes, namely Winlogon and Lsass. Those might be self-defense related, but I don't see how." If you look at the records in the Rule column, each starts with "Self-defense", so they all seem to be Self-defense blocks.
itman (posted October 21, 2016): Quoting itman: "Agreed. But if you look closely at the screenshot, the HIPS is partially blocking access to non-Eset processes, namely Winlogon and Lsass. Those might be self-defense related, but I don't see how." Quoting Marcos: "If you look at the records in the Rule column, each starts with "Self-defense", so they all seem to be Self-defense blocks." Marcos, I saw the same self-defense HIPS-generated block log entries for lsass and winlogon at boot time. The source was EMET's GUI .exe, for which I had specifically allowed all actions via a user HIPS rule. So again my question is: why is the HIPS monitoring lsass and winlogon for self-defense activity? These are system processes, not Eset processes. I would think this type of monitoring could cause issues with valid system/application activity.
Marcos [Administrators] (posted October 21, 2016): Quoting itman: "So again my question is: why is the HIPS monitoring lsass and winlogon for self-defense activity? These are system processes, not Eset processes. I would think this type of monitoring could cause issues with valid system/application activity." Self-defense does not protect only ESET's processes and files but also crucial system processes. It's been so since Self-defense was first introduced.
toxinon12345 [ESET Insiders] (posted October 23, 2016): I would believe Filecoder behavior blocking is a sort of dynamic process profiler/tracer, in contrast to AMS, which uses process scanning.
itman (posted October 23, 2016): Quoting toxinon12345: "I would believe Filecoder behavior blocking is a sort of dynamic process profiler/tracer, in contrast to AMS, which uses process scanning." That is how Emsisoft protects; it's looking for processes that are attempting to encrypt files. AMS is used to detect process code injection. Filecoders don't have to do this to encrypt files. The issue with ransomware is that it encrypts files in directories that are not normally monitored by a HIPS, such as the Documents folder.
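A toy version of the behaviour-plus-reputation logic that Peter Randziak and itman describe above (watch what processes do in user document folders, act when the pattern resembles a filecoder, and let reputation decide between alerting and merely logging), as an added example that is not ESET's code: the watched folders, the entropy and file-count thresholds, and the event tuple format are assumptions for illustration.

```python
from collections import Counter, defaultdict
from math import log2

# Assumed watched folders and thresholds (illustrative, not ESET's values).
USER_DOCS = ("\\users\\alice\\documents\\", "\\users\\alice\\desktop\\")
ENTROPY_MIN = 7.0   # bits per byte; ciphertext and compressed data sit near 8.0
FILES_MIN = 3       # distinct documents overwritten before the pattern counts

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of a written buffer (0.0 for an empty one)."""
    n = len(data)
    return -sum(c / n * log2(c / n) for c in Counter(data).values()) if n else 0.0

def assess(events):
    """Map each process to 'alert', 'log' or 'ok' from (proc, reputation, op,
    path, data) events: FILES_MIN watched documents overwritten with high-entropy
    data plus a rename of one of them is filecoder-like; 'alert' if the process
    is not trusted, 'log' if it is (an archiver can look similar), else 'ok'."""
    state = defaultdict(lambda: {"rep": "unknown", "enc": set(), "ren": set()})
    for proc, rep, op, path, data in events:
        s = state[proc]
        s["rep"] = rep
        path = path.lower()
        if not any(folder in path for folder in USER_DOCS):
            continue                        # outside the watched folders: ignore
        if op == "write" and shannon_entropy(data) >= ENTROPY_MIN:
            s["enc"].add(path)
        elif op == "rename":
            s["ren"].add(path)
    verdicts = {}
    for proc, s in state.items():
        if len(s["enc"]) < FILES_MIN or not (s["enc"] & s["ren"]):
            verdicts[proc] = "ok"
        else:
            verdicts[proc] = "log" if s["rep"] == "trusted" else "alert"
    return verdicts

# Constructed sample events (not a real capture).
CIPHER = bytes(range(256))   # every byte value once: entropy exactly 8.0
DOC = "C:\\Users\\alice\\Documents\\"
VICTIMS = ("a.docx", "b.xlsx", "c.pdf")
EVENTS = [
    ("winword.exe", "trusted", "write", DOC + "notes.txt", b"Quarterly notes."),
    ("7z.exe", "trusted", "write", DOC + "backup.7z", CIPHER),
    ("evil.exe", "unknown", "write", "C:\\Windows\\Temp\\k.bin", CIPHER),
] + [("evil.exe", "unknown", "write", DOC + f, CIPHER) for f in VICTIMS] \
  + [("evil.exe", "unknown", "rename", DOC + f, b"") for f in VICTIMS]

if __name__ == "__main__":
    print(assess(EVENTS))   # {'winword.exe': 'ok', '7z.exe': 'ok', 'evil.exe': 'alert'}
```

The single high-entropy archive written by 7z.exe stays "ok" because one file is below FILES_MIN, and a write outside the watched folders is ignored entirely, which is the gap itman points at: folders a HIPS does not watch produce no events at all.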
Marcos [Administrators] (posted October 23, 2016): Quoting toxinon12345: "I would believe Filecoder behavior blocking is a sort of dynamic process profiler/tracer, in contrast to AMS, which uses process scanning." Quoting itman: "AMS is used to detect process code injection. Filecoders don't have to do this to encrypt files." Not only. AMS can react on various events and trigger a memory scan.