How to configure HIPS?
jmorlan
October 17th, 2011, 10:42 PM
Using latest version, I'm not clear on how to properly configure HIPS. Right now I have no rules so I'm not sure that HIPS is doing anything to protect me. It's currently set for Automatic which (as near as I can tell) if there's no rule against an action, then allow anything. If so then it's useless, because you have to create rules to deny behaviors for each program.
Just wondering how you all use HIPS.
Thanks.
piranha
October 17th, 2011, 11:48 PM
Presently, it seems that "automatic with rules" is not the best choice, but the other choices are not easy for newbies.
http://www.wilderssecurity.com/showthread.php?t=309273
jmorlan
October 18th, 2011, 12:13 AM
Thanks. For a while I had HIPS set in "Learning Mode" because I think that was the default. After that it switched to "Automatic." But it's not clear to me what if anything NOD32 learned while it was in learning mode. It never asked for permission for anything during the learning period. As a result I don't seem to have any rules.
So what exactly was supposed to happen during "Learning Mode" and what is the best setting now?
Thanks again.
gugarci
October 18th, 2011, 08:20 AM
I'd like to know myself. Since my wife is a regular user of my main desktop I have mine set to auto.
piranha
October 18th, 2011, 06:53 PM
-{ Quote: "Thanks. For a while I had HIPS set in "Learning Mode" because I think that was the default. After that it switched to "Automatic." But it's not clear to me what if anything NOD32 learned while it was in learning mode. It never asked for permission for anything during the learning period. As a result I don't seem to have any rules.
So what exactly was supposed to happen during "Learning Mode" and what is the best setting now?
Thanks again." }-
HIPS asks me what to do only in the admin account on first reboot and never in a limited-rights account (XP).
acr1965
October 19th, 2011, 07:10 PM
So should I just run the HIPS in learning mode for a couple weeks and then switch to interactive?
Sacles
October 20th, 2011, 03:29 AM
Hello,
-{ Quote: "So should I just run the HIPS in learning mode for a couple weeks and then switch to interactive?" }-
Correct.
acr1965
October 20th, 2011, 07:47 AM
-{ Quote: "Hello,
Correct." }-
OK thanks. I'm doing that now. What about under the HIPS settings of allow changes to "the application part of the registry" and allow changes to "data files" for which there is no rule defined? Once finished with learning mode is it recommended to have those enabled or disabled? I wish to have the more secure settings, so I am assuming they should be unchecked. But does that make a significant change in protection?
Sacles
October 20th, 2011, 08:49 AM
A HIPS allows or prohibits programs or processes to be launched.
The data and the registry can be changed only by authorized programs or processes.
Caution: It's the user who decides whether a program or process is permitted or prohibited.
Interactive mode should be used only by experienced users.
jmorlan
October 20th, 2011, 08:18 PM
I had learning mode on when I first installed this version. I think that was the default. But it never asked me for anything during that period and it did not generate any rules that I can see.
Should I turn it back on for another 14 days?
Thankful
October 20th, 2011, 09:27 PM
I am using interactive mode and it seems to be working well. However, you need to know what you're allowing.
piranha
October 20th, 2011, 09:46 PM
-{ Quote: "A HIPS allows or prohibits programs or processes to be launched.
The data and the registry can be changed only by authorized programs or processes.
Caution: It's the user who decides whether a program or process is permitted or prohibited.
Interactive mode should be used only by experienced users." }-
That is why automatic mode should be better!!!
Thankful
October 20th, 2011, 10:45 PM
-{ Quote: "That is why automatic mode should be better!!!" }-
I agree 100%.
The interactive mode, with five check boxes and two drop down boxes for each interaction, can quickly drive you crazy. An antivirus shouldn't be that difficult to use.
Sacles
October 21st, 2011, 01:51 AM
Hello,
-{ Quote: "That is why automatic mode should be better" }-
I think it's not possible, or the improvement will be small.
A HIPS works on the principle of a white list: everything is prohibited except what is authorized by the white list.
An Antivirus works on the principle of a black list: everything is permitted except what is blocked by black list (signatures).
The HIPS cannot know in advance what will come from outside (legitimate programs or pests).
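A toy model of the white-list versus black-list distinction drawn above, run through the learning-then-interactive sequence recommended earlier in the thread. This is an added illustration, not ESET's code; the rule format, the event shapes, the sample events and the assumption that learning mode silently records allow rules are all constructed for the example.

```python
from dataclasses import dataclass, field

ALLOW, DENY, ASK = "allow", "deny", "ask"

@dataclass
class Rule:
    app: str        # process image name the rule applies to
    operation: str  # e.g. "write_file", "modify_registry"
    target: str     # resource path prefix the rule covers
    action: str     # ALLOW or DENY

@dataclass
class Hips:
    """Toy model of the three HIPS modes discussed in the thread (not ESET's code)."""
    mode: str                   # "automatic", "learning" or "interactive"
    rules: list = field(default_factory=list)

    def match(self, app, operation, target):
        for r in self.rules:
            if r.app == app and r.operation == operation and target.startswith(r.target):
                return r
        return None

    def decide(self, app, operation, target):
        r = self.match(app, operation, target)
        if r is not None:
            return r.action
        if self.mode == "automatic":
            # Black-list behaviour: an empty rule set forbids nothing, so nothing is visibly blocked.
            return ALLOW
        if self.mode == "learning":
            # Observed operations become allow rules silently, hence no pop-ups during learning.
            self.rules.append(Rule(app, operation, target, ALLOW))
            return ALLOW
        return ASK  # interactive: white-list behaviour, unknown operations go to the user

def run_scenario():
    """Constructed events: a browser touching its own profile, then an unknown binary."""
    events = [
        ("firefox.exe", "write_file", r"C:\Users\me\AppData\Roaming\Mozilla\places.sqlite"),
        ("firefox.exe", "modify_registry", r"HKCU\Software\Mozilla\Firefox\Profiles"),
        ("unknown.exe", "write_file", r"C:\Windows\System32\example.dll"),
    ]
    auto, trained = Hips("automatic"), Hips("learning")
    for ev in events[:2]:       # only the browser is seen during the learning period
        trained.decide(*ev)
    trained.mode = "interactive"  # switch once learning is over, as advised above
    return {"automatic": [auto.decide(*ev) for ev in events],
            "after_learning": [trained.decide(*ev) for ev in events],
            "learned_rules": len(trained.rules)}
```

In automatic mode with no rules every event is allowed, which is why the absence of visible rules feels like the HIPS is doing nothing; after a learning period the interactive mode allows what was learned and refers the unknown binary to the user.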
gugarci
October 21st, 2011, 08:40 AM
-{ Quote: "I agree 100%.
The interactive mode, with five check boxes and two drop down boxes for each interaction, can quickly drive you crazy. An antivirus shouldn't be that difficult to use." }-
I also wish the interactive mode was a little easier to use. But since it's not and my wife also uses this desktop I'm going to stick with auto. I've been using ESET since 2.7 and it has not let me down once, knocking on wood. So since HIPS is new with v5 and ESET has never let me down in the past I'm not going to worry about HIPS any more and move on.
One thing that could help novice HIPS users like myself would be some kind of list with program names or types of programs with settings one can apply to their machine (browsers, email, AVs, spyware/malware scanners, iTunes, Adobe Reader, OS services/processes, and so forth).
Example: for a browser, or email client, always allow this and it's OK if it also does that.
Anyway I don't know if this is realistic to do, since more programs nowadays, compared to a couple of years ago, want more access to your PC than ever. But if we can get a HIPS list up as a sticky that advanced users can edit and add programs and OS services/processes with suggested settings to use for HIPS, novice HIPS users like myself could use that list and apply it to their PCs.
Thankful
October 21st, 2011, 09:06 AM
I would be in favor of getting rid of the 'advanced' selection for interactive HIPS. Either allow it or not. Save the rule, or not.
toxinon12345
October 21st, 2011, 01:03 PM
If I were a novice user, I would enable "Advanced Heuristics On File Execution".
HIPS settings should be changed by experienced users.
piranha
October 21st, 2011, 06:18 PM
-{ Quote: "I agree 100%.
The interactive mode, with five check boxes and two drop down boxes for each interaction, can quickly drive you crazy. An antivirus shouldn't be that difficult to use." }-
My Comodo free firewall has a white list for its HIPS; why couldn't NOD32/ESS HIPS have its own??
In fact, I think that choosing HIPS was a bad decision and a poor strategy. Sandboxing would have been a better and simpler solution for newbies. And no need for the editor to always update the white list with all new apps released each week, month, year.....
piranha
October 21st, 2011, 06:31 PM
-{ Quote: "If I were a novice user, I would enable "Advanced Heuristics On File Execution".
HIPS settings should be changed by experienced users." }-
Not a good idea.
By default, Adv heur is already used for newly created and modified files; no need to scan files already known to be clean with AH. It is useless and costs too much in power and memory.
Francis93
October 21st, 2011, 07:19 PM
I have set mine to Learning Mode for a few days then Interactive Mode yesterday. Now I'm getting lots of prompts. Should I tick "Create rule" for every safe prompt?
Thankful
October 21st, 2011, 09:08 PM
The HIPS is still buggy. With no HIPS rules added in interactive mode, trying to fire up Firefox, I get the message, "Windows cannot access specified device, path, or file."
I'm not a big fan of the HIPS. If you're not careful, you can end up with an unusable computer.
siljaline
October 22nd, 2011, 06:46 AM
If this is of any help, my original thread (http://www.wilderssecurity.com/showthread.php?t=307499) and findings on HIPS (http://kb.eset.com/esetkb/index?page=content&id=SOLN2811&ref=wsf)
-{ Quote: "Using latest version, I'm not clear on how to properly configure HIPS. Right now I have no rules so I'm not sure that HIPS is doing anything to protect me. It's currently set for Automatic which (as near as I can tell) if there's no rule against an action, then allow anything. If so then it's useless, because you have to create rules to deny behaviors for each program.
Just wondering how you all use HIPS.
Thanks." }-
jmorlan
October 23rd, 2011, 12:56 AM
-{ Quote: "If this is of any help, my original thread (http://www.wilderssecurity.com/showthread.php?t=307499) and findings on HIPS (http://kb.eset.com/esetkb/index?page=content&id=SOLN2811&ref=wsf)" }-
Thanks. From the end of that thread it appears there are hidden and invisible rules that we cannot access and which nobody seems to know much about. So, if I understand correctly, the complete absence of any visible rules does not mean that HIPS is not working in automatic mode.
I tried learning mode and expected to be faced with a bunch of pop-ups allowing me to set some additional rules, but I managed to go for 14 days with not a single pop-up. However during this time Zemana popped up quite a few times and I set a number of rules within Zemana.
Is it possible that Zemana is catching everything first and voiding any HIPS activity in NOD32 AV? It was my understanding that Zemana anti-logger is compatible with ESET. Is that correct?
siljaline
October 23rd, 2011, 01:32 AM
I have requested expansion on the HIPS (http://kb.eset.com/esetkb/index?page=content&id=SOLN2811&ref=wsf) solution number article.
Since all others, including the cited article, do not cite rules and configuration protocols.
Since I am not currently running the v5 home user engine, I cannot completely address your query at this time.
Wait for someone from ESET to make a better assessment of your situation.
Thank you.
Thankful
October 23rd, 2011, 09:56 AM
-{ Quote: "Is it possible that Zemana is catching everything first and voiding any HIPS activity in NOD32 AV? It was my understanding that Zemana anti-logger is compatible with ESET. Is that correct?" }-
I am currently using NOD32 version 5.0.94.0 with Zemana. I have NOD32 HIPS set to "Automatic" since the other settings do not work properly. Zemana seems to be working fine when NOD32 HIPS is set to "Automatic". You can test Zemana using the "AntiTest" program from SpyShelter.com.
Sacles
October 23rd, 2011, 10:07 AM
Hello,
-{ Quote: "Zemana seems to be working fine when NOD32 HIPS is set to "Automatic". You can test Zemana using the "AntiTest" program from SpyShelter.com." }-
To my knowledge Zemana offers no protection; it is only a scanner.
Thankful
October 23rd, 2011, 10:22 AM
-{ Quote: "Hello,
To my knowledge Zemana offers no protection; it is only a scanner." }-
That is incorrect. It offers keylogger protection as well as protection from code injection, registry access, driver loading, physical memory access. Zemana provides very good protection from zero day threats where AVs may fail:
http://malwareresearchgroup.com/malware-tests/flash-test-results/
Perhaps you are thinking of Zemana Anti-Malware, not Zemana AntiLogger.
Sacles
October 23rd, 2011, 10:39 AM
Zemana detects any suspicious activity and conducts a behavioral analysis to identify the different types of threats.
But, question: is this software able to block installation or uploading of malware?
-{ Quote: "Perhaps you are thinking of Zemana Anti-Malware, not Zemana AntiLogger." }-
Yes, perhaps, it's possible.
Thankful
October 23rd, 2011, 10:47 AM
-{ Quote: "But, question: is this software able to block installation or uploading of malware?" }-
Yes. Sometimes it does this automatically, other times it displays a popup and requires user intervention.
acillatem
November 6th, 2011, 01:30 PM
O.k. I just downloaded 5.0.94.0, and I have no idea what HIPS even does, I use NOD32 "right out of the box," pretty much......so should I put mine in learning mode for 14 days, or just leave it set to automatic? Thanks in advance!
acillatem
November 6th, 2011, 10:16 PM
-{ Quote: "See these threads (http://www.wilderssecurity.com/search.php?searchid=4351343) on HIPS (http://kb.eset.com/esetkb/index?page=content&id=SOLN2811&ref=wsf)" }-
The first link doesn't show anything, and second link shows how to enable it. That isn't my concern, it was enabled by default. What I'm curious about is if leaving it in automatic mode is sufficient? It wasn't even part of NOD32 before, so I'm wondering how important it is, and what is the most user friendly configuration to use.
siljaline
November 7th, 2011, 01:19 AM
Searches for topics labelled HIPS on the ESET board and not sub-board yielded these findings:
http://www.wilderssecurity.com/search.php?searchid=4351474
Why the previous search link I posted broke, I do not know as it worked at the time of posting.
As I stated already, there are sufficient threads and ESET Solution Numbers quoted in these readily available and clearly marked threads to be of use to you, acillatem :ouch:
If you are not getting the support that meets your needs via Wilders, submit an Issue Ticket Request (http://go.eset.com/us/support/contact/s2?seg=home#) to ESET.
Please be reminded that most of us provide ESET Support since we are ESET users and have a passion for the software. None of us are available 24 x 7.
I wish all on the v5 engine luck with HIPS issues as I will no longer be attempting to assist in resolving such issues from here forward unless ESET provides better support information.
Thankful
November 7th, 2011, 08:57 AM
To see what the HIPS set to "Automatic" is blocking, check "Log all blocked operations" in the setup tree under HIPS->Advanced setup. The results will be displayed under Tools->Log files->HIPS.
acillatem
November 7th, 2011, 12:23 PM
-{ Quote: "To see what the HIPS set to "Automatic" is blocking, check "Log all blocked operations" in the setup tree under HIPS->Advanced setup. The results will be displayed under Tools->Log files->HIPS." }-
Thanks!
acillatem
November 7th, 2011, 12:28 PM
-{ Quote: "Searches for topics labelled HIPS on the ESET board and not sub-board yielded these findings:
http://www.wilderssecurity.com/search.php?searchid=4351474
Why the previous search link I posted broke, I do not know as it worked at the time of posting.
As I stated already, there are sufficient threads and ESET Solution Numbers quoted in these readily available and clearly marked threads to be of use to you, acillatem :ouch:
" }-
That link is broken as well. I know how to use the search function......I was asking if it's a big deal just to leave it at the default settings. If you're going to get annoyed, don't reply, simple as that.
SweX
November 7th, 2011, 12:38 PM
Hello acillatem.
I use it in the default automatic-mode.
If you set it to interactive you will be asked loads of questions, which sounds as if it's not the best idea for you at the moment, if you are an inexperienced HIPS user.
acillatem
November 7th, 2011, 01:00 PM
-{ Quote: "Hello acillatem.
I use it in the default automatic-mode.
If you set it to interactive you will be asked loads of questions, which sounds as if it's not the best idea for you at the moment, if you are an inexperienced HIPS user." }-
Thanks!
Yes, probably not, as it is brand new to me.
I just plugged a USB drive in, and a window came up telling me it detected the drive, and it was ESET, and I simply ignored it. I'm assuming that is an example of what HIPS does, correct?
SweX
November 7th, 2011, 01:17 PM
No, that sounds like a pop-up saying that it scanned, or asked you if you wanted to scan, a removable device such as a portable HD or a USB as in your case.
Depending on your settings it will ask, or scan removable devices automatically. :)
acillatem
November 7th, 2011, 01:40 PM
-{ Quote: "No, that sounds like a pop-up saying that it scanned, or asked you if you wanted to scan, a removable device such as a portable HD or a USB as in your case.
Depending on your settings it will ask, or scan removable devices automatically. :)" }-
Oh o.k.....thanks! Never saw that before this version.
So, with HIPS set to automatic, will I ever really know it's even there? I didn't set up any rules or anything, it's just set the way it is when installed.