
Details about Ransomware protection in Eset 10



It monitors the behavior of running processes and asks you for an action if suspicious operations have been detected.

The OP did not ask for the definition of HIPS; "monitors the behavior of running processes and asks you for an action if suspicious operations have been detected".

 

He asked how exactly the new HIPS anti-ransomware module works???

 

By the way, since I enabled HIPS in my NOD32 (2-3 years ago), I have never got any alert about "a suspicious operation being detected", and I did a lot of things....

Edited by John Alex
  • ESET Moderators

Hello,

 

I would start my response with a joke: a woman asks a programmer how exactly programming works; he thinks for a while and says it's magic :-)

The new Anti-ransomware protection is indeed based on HIPS and monitors the activity of processes and their reputation. In case it resembles behavior typical of filecoders, it takes an action and informs the user.

 

Regards, P.R.


 

The new Anti-ransomware protection is indeed based on HIPS and monitors the activity of processes and their reputation. In case it resembles behavior typical of filecoders, it takes an action and informs the user.

 

Regards, P.R.

In theory it sounds nice!

As I said, in 2-3 years on 3 different PCs I never had ANY alert generated by HIPS, and I did whatever is possible to get one: editing/deleting registry keys, altering Windows files, etc.

 

In "Smart Mode" I did not get any reaction. In "Interactive Mode" I got 100% alerts.

 

My best guess: HIPS is not able to detect harmful behavior; it either will not detect anything (in Smart Mode) or will detect everything (in Interactive Mode).

 

If you know a way to trigger a HIPS alert in "Smart Mode", please share it with us.

Edited by John Alex
  • Administrators

HIPS does not generate any alerts nor ask for an action in the default automatic mode. However, users may switch to Smart mode, which is a kind of interactive mode where the user is prompted for an action only if a malware-typical operation is being attempted. Of course, that does not mean that one would be prompted before running any malicious file, as it's impossible to distinguish between innocuous and malicious files without running them and monitoring their activity. However, for some typical malicious operations where the chance of false positives is minimal, you should be prompted for an action.


HIPS does not generate any alerts nor ask for an action in the default automatic mode. However, users may switch to Smart mode, which is a kind of interactive mode where the user is prompted for an action only if a malware-typical operation is being attempted. Of course, that does not mean that one would be prompted before running any malicious file, as it's impossible to distinguish between innocuous and malicious files without running them and monitoring their activity. However, for some typical malicious operations where the chance of false positives is minimal, you should be prompted for an action.

OK, I have my HIPS in Smart Mode; how can I trigger an alert? (I want to see, at least once, an alert triggered by HIPS in NOD32.)


I turned on "log all blocked activity" in the HIPS Advanced Settings section. Below is a HIPS log screen shot for blocked Process Monitor activity when the HIPS is set to Smart mode.

 

What hasn't been mentioned is most of the HIPS blocking in Smart mode is done silently. Only when an unknown and untrusted process is doing modification activity will the user receive a popup alert.

 

[attached screenshot of the HIPS log: post-6784-0-31939700-1476980013_thumb.png]

  • Administrators

The blocks shown above actually come from Self-defense and are not caused by smart mode. In smart mode, you should be asked about certain suspicious actions like this:

 

[attached screenshot of a Smart mode prompt: post-10-0-89819100-1476992420_thumb.png]


The blocks shown above actually come from Self-defense and are not caused by smart mode. In smart mode, you should be asked about certain suspicious actions like this:

 

[attached screenshot of a Smart mode prompt: ess8_hips_smart_mode.png]

Agreed. But if you look closely at the screen shot, the HIPS is partially blocking access to non-Eset processes, namely Winlogon and Lsass. Although those might be self-defense related, I don't see how.

  • Administrators

Agreed. But if you look closely at the screen shot, the HIPS is partially blocking access to non-Eset processes, namely Winlogon and Lsass. Although those might be self-defense related, I don't see how.

If you look at the records in the Rule column, each starts with "Self-defense", so they all seem to be Self-defense blocks.


 

Agreed. But if you look closely at the screen shot, the HIPS is partially blocking access to non-Eset processes, namely Winlogon and Lsass. Although those might be self-defense related, I don't see how.

If you look at the records in the Rule column, each starts with "Self-defense", so they all seem to be Self-defense blocks.

 

Marcos, I saw the same Self-defense HIPS-generated block log entries for lsass and winlogon at boot time. The source was EMET's GUI .exe, for which I had specifically allowed all actions via a user HIPS rule.

 

So again my question is: why is the HIPS monitoring lsass and winlogon for self-defense activity? These are system processes, not Eset processes. I would think this type of monitoring could cause issues with valid system/application activity.

  • Administrators

So again my question is: why is the HIPS monitoring lsass and winlogon for self-defense activity? These are system processes, not Eset processes. I would think this type of monitoring could cause issues with valid system/application activity.

Self-defense does not protect only ESET's processes and files but also crucial system processes. It's been so since Self-defense was first introduced.


I would believe Filecoder behavior blocking is a sort of dynamic process profiler/tracer, in contrast to AMS, which uses process scanning.

That is how Emsisoft protects; it's looking for processes that are attempting to encrypt files.

 

AMS is used to detect process code injection. Filecoders don't have to do this to encrypt files.

 

The issue with ransomware is that it encrypts files in directories that are not normally monitored by a HIPS, such as the Documents folder.

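The posts above describe the mechanism only in outline: P.R. says the protection watches process activity plus reputation and acts when the activity resembles a filecoder; Marcos says automatic mode acts silently while Smart mode prompts only for malware-typical operations by code it cannot vouch for, and Interactive mode prompts for everything; the post directly above notes that the watched locations must include user document folders. The following is an added toy illustration of that kind of behaviour-based heuristic, written for this thread. It is not ESET's code and says nothing about how ESET's implementation actually works: the event format, the reputation table, the directory list, the entropy threshold and the five-document threshold are all hypothetical.

```python
# Toy behaviour-based filecoder heuristic, added as an illustration of the
# mechanism discussed in the thread. It is NOT ESET's code; the event format,
# the reputation table, the directory list and every threshold are hypothetical.
import math
import os
from collections import defaultdict
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    AUTOMATIC = "automatic"      # act silently, never prompt the user
    SMART = "smart"              # prompt only for malware-typical activity by untrusted code
    INTERACTIVE = "interactive"  # prompt for every monitored operation by untrusted code


@dataclass
class FileEvent:
    pid: int
    image: str            # process image name, used for the reputation lookup
    path: str             # file being touched
    op: str               # "write" or "rename"
    data: bytes = b""     # payload of a write, used for the entropy estimate
    new_path: str = ""    # destination of a rename


# Hypothetical: user document locations a filecoder heuristic must watch,
# since ordinary HIPS rules tend to cover system areas instead.
USER_DOC_DIRS = ("/home/user/Documents/", "/home/user/Pictures/")
HIGH_ENTROPY = 7.0      # bits per byte; ciphertext-like writes sit near 8.0
FILE_THRESHOLD = 5      # distinct documents affected before the process counts as filecoder-like


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the empirical byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def in_user_docs(path: str) -> bool:
    return any(path.startswith(d) for d in USER_DOC_DIRS)


class FilecoderMonitor:
    """Tracks per-process activity against user documents and returns
    allow / block / prompt according to the configured mode and reputation."""

    def __init__(self, mode: Mode, reputation: dict):
        self.mode = mode
        self.reputation = reputation          # image name -> "trusted" | "unknown"
        self.affected = defaultdict(set)      # pid -> documents overwritten or renamed suspiciously

    def observe(self, ev: FileEvent) -> str:
        if not in_user_docs(ev.path):
            return "allow"                    # outside the watched tree: not profiled here
        untrusted = self.reputation.get(ev.image, "unknown") != "trusted"

        # Interactive mode asks about every monitored modification by untrusted code,
        # which is why it produces prompts even for harmless activity.
        if self.mode is Mode.INTERACTIVE and untrusted:
            return "prompt"

        # Accumulate the two signals that characterise a filecoder:
        # ciphertext-like overwrites and extension changes of documents.
        if ev.op == "write" and shannon_entropy(ev.data) >= HIGH_ENTROPY:
            self.affected[ev.pid].add(ev.path)
        elif ev.op == "rename" and os.path.splitext(ev.path)[1] != os.path.splitext(ev.new_path)[1]:
            self.affected[ev.pid].add(ev.path)

        filecoder_like = len(self.affected[ev.pid]) >= FILE_THRESHOLD
        if not filecoder_like or not untrusted:
            return "allow"                    # reputation gates the verdict: trusted code is not prompted
        # Malware-typical pattern by unknown code: automatic mode acts silently,
        # Smart mode involves the user.
        return "prompt" if self.mode is Mode.SMART else "block"


def simulate(mode: Mode) -> list:
    """Run a constructed event stream through the monitor and return the verdicts."""
    reputation = {"backup_tool.exe": "trusted"}   # constructed table; anything else is unknown
    ciphertext_like = bytes(range(256)) * 2        # entropy exactly 8.0 bits/byte
    plain_text = b"quarterly report draft " * 30   # low entropy
    # an unknown process overwriting six documents with ciphertext-like data ...
    events = [FileEvent(42, "unknown_tool.exe", f"/home/user/Documents/doc{i}.docx", "write", ciphertext_like)
              for i in range(6)]
    # ... and then changing a seventh document's extension
    events.append(FileEvent(42, "unknown_tool.exe", "/home/user/Documents/doc7.docx", "rename",
                            new_path="/home/user/Documents/doc7.docx.enc"))
    # a trusted backup tool writing compressed (high-entropy) data is never prompted
    events += [FileEvent(7, "backup_tool.exe", f"/home/user/Documents/bak{i}.zip", "write", ciphertext_like)
               for i in range(6)]
    # an unknown editor writing ordinary text accumulates nothing
    events.append(FileEvent(99, "unknown_editor.exe", "/home/user/Documents/notes.txt", "write", plain_text))
    monitor = FilecoderMonitor(mode, reputation)
    return [monitor.observe(ev) for ev in events]


if __name__ == "__main__":
    for mode in Mode:
        print(mode.value, simulate(mode))
```

Running it shows the three behaviours the thread argues about: in Smart mode the unknown process is allowed until it has touched the fifth document and is then prompted for; in automatic mode the same point produces silent blocks; in Interactive mode every document write by any non-trusted process is prompted for, including the harmless text edit. The trusted backup tool writing high-entropy archives is left alone in all three modes, which is the reputation gate P.R. mentions.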
  • Administrators

 

I would believe Filecoder behavior blocking is a sort of dynamic process profiler/tracer, in contrast to AMS, which uses process scanning.

 

AMS is used to detect process code injection. Filecoders don't have to do this to encrypt files.

 

Not only. AMS can react on various events and trigger a memory scan.

