Wilders Security Forums  

  #1  
Old December 20th, 2011, 08:32 PM
HealingStargate HealingStargate is offline
Regular Poster
 
Join Date: Jan 2009
Location: USA
Posts: 160
Default HIPS Question

I keep getting many of these type notices when I open the HIPS window.......

12/20/2011 6:03:37 PM C:\WINDOWS\system32\services.exe Delete from registry HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_EPFW\0000\LogConf\ForcedConfigVector blocked SelfDefense: Registry with full protection

I am wondering if it is something to be concerned about.

Thank you for any information.

KOR-
__________________
ESET Smart Security 6.0.314.0 - Goggle DNS
XP32sp3
  #2  
Old December 21st, 2011, 06:05 PM
HealingStargate HealingStargate is offline
Regular Poster
 
Join Date: Jan 2009
Location: USA
Posts: 160
Default Re: HIPS Question

I guess by no response from anyone it would mean there is no problem on my system
KOR-
__________________
ESET Smart Security 6.0.314.0 - Goggle DNS
XP32sp3
  #3  
Old December 27th, 2011, 07:36 PM
tommy456 tommy456 is offline
Regular Poster
 
Join Date: Jun 2011
Posts: 136
Default Re: HIPS Question

Quote:
Originally Posted by HealingStargate
I keep getting many of these type notices when I open the HIPS window.......

12/20/2011 6:03:37 PM C:\WINDOWS\system32\services.exe Delete from registry HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_EPFW\0000\LogConf\ForcedConfigVector blocked SelfDefense: Registry with full protection

I am wondering if it is something to be concerned about.

Thank you for any information.

KOR-
Which build do you currently have installed? And was this a clean install or over a previous version? The logging you can see is, as far as I know, not something that you should be seeing if eset is correctly installed. Best to contact support, and they may wish to investigate further as to why this is happening.
  #4  
Old December 27th, 2011, 08:29 PM
HealingStargate HealingStargate is offline
Regular Poster
 
Join Date: Jan 2009
Location: USA
Posts: 160
Default Re: HIPS Question

I have 5.0.95.0 installed on XP32 sp3....

As far as I remember I tried to install over the last version BUT it would not let me and so I did an 'uninstall' and loaded up the current version.

Those notices I mentioned are not as prevalent as before but still happening.

I posted this question a few weeks ago but no one responded but you, thank you.

I don't know why no response from ESET moderators on this forum.

Anyone from ESET that would like to comment I would appreciate some info.

Thank you.
KOR-
__________________
ESET Smart Security 6.0.314.0 - Goggle DNS
XP32sp3
  #5  
Old December 27th, 2011, 10:48 PM
Escalader Escalader is offline
Massive Poster
 
Join Date: Dec 2005
Location: Land of the Mooses
Posts: 3,636
Default Re: HIPS Question

All I can give you as a user myself is:

1) I disabled ESET HIPS some time ago, Stem did some testing and it was found to be "buggy". That was enough for me not to rely on it "yet"

2) Try running a registry cleaner to rid yourself of this entry, that might work.


As to why Eset doesn't respond, I have no clue. Did you submit your question directly to the vendor?
__________________
Escalader
i7 8 GB RAM Notebook, 1TB External Drive
Sandboxie, Nod32, OP FW Pro, KeyScrambler, MVPS HOSTS File
IE 9 Hardened Active X,SmartScreen,Tracking Protection
Paragon Backup and Imaging
  #6  
Old December 28th, 2011, 02:40 AM
Marcos Marcos is online now
Eset Moderator
 
Join Date: Nov 2002
Posts: 14,185
Default Re: HIPS Question

Probably the action was attempted by the OS for some reason, it's impossible to tell for sure.
  #7  
Old December 28th, 2011, 02:41 AM
Marcos Marcos is online now
Eset Moderator
 
Join Date: Nov 2002
Posts: 14,185
Default Re: HIPS Question

Quote:
Originally Posted by Escalader
1) I disabled ESET HIPS some time ago, Stem did some testing and it was found to be "buggy". That was enough for me not to rely on it "yet"
What issue did you run into?
  #8  
Old December 28th, 2011, 02:19 PM
HealingStargate HealingStargate is offline
Regular Poster
 
Join Date: Jan 2009
Location: USA
Posts: 160
Default Re: HIPS Question

I just got a huge group of HIPS notices similar to what I sent here.
I put a ticket to ESET.
KOR-
__________________
ESET Smart Security 6.0.314.0 - Goggle DNS
XP32sp3
  #9  
Old December 28th, 2011, 03:17 PM
Marcos Marcos is online now
Eset Moderator
 
Join Date: Nov 2002
Posts: 14,185
Default Re: HIPS Question

Quote:
Originally Posted by HealingStargate
I put a ticket to ESET.
Personally I doubt they will be able to shed any light given that the devs had no clue about the cause.
  #10  
Old December 28th, 2011, 03:29 PM
HealingStargate HealingStargate is offline
Regular Poster
 
Join Date: Jan 2009
Location: USA
Posts: 160
Default Re: HIPS Question

Marcos-

Thank you for your reply.

I am wondering if it is a sign of a problem somewhere or if it is just a glitch.

Do you think another clean install is in order?

Just wondering if it is something serious.

Thank you.
KOR-
__________________
ESET Smart Security 6.0.314.0 - Goggle DNS
XP32sp3
  #11  
Old December 29th, 2011, 06:02 PM
Escalader Escalader is offline
Massive Poster
 
Join Date: Dec 2005
Location: Land of the Mooses
Posts: 3,636
Default Re: HIPS Question

Quote:
Originally Posted by Marcos
What issue did you run into?


Hi Marcos:

I'm trying to avoid any issues related to my use of OP FW Pro and as of today
Nod32 V5 5.0.95.0.


A full discussion with Stem and others on this combo is at:

http://www.wilderssecurity.com/showp...3&postcount=18


The question I put now is with the New Nod32 version do the issues regarding left over hooks still exist?
__________________
Escalader
i7 8 GB RAM Notebook, 1TB External Drive
Sandboxie, Nod32, OP FW Pro, KeyScrambler, MVPS HOSTS File
IE 9 Hardened Active X,SmartScreen,Tracking Protection
Paragon Backup and Imaging
  #12  
Old December 30th, 2011, 01:01 AM
tommy456 tommy456 is offline
Regular Poster
 
Join Date: Jun 2011
Posts: 136
Default Re: HIPS Question

Mine too has started to display the same thing again with Win XP SP3, also some other things that it is blocking or reporting to be blocking
C:\WINDOWS\system32\dwwin.exe Terminate/suspend another application
C:\Program Files\ESET\ESET Smart Security\egui.exe blocked SelfDefense: Protect ekrn and egui processes
C:\WINDOWS\system32\dwwin.exe Get access to file

C:\Program Files\ESET\ESET Smart Security\egui.exe some access blocked SelfDefense: Protect ESET files Write to file

And it doesn't even like TCPView from Sysinternals
C:\Program Files\TCPView\Tcpview.exe Get access to file C:\Program Files\ESET\ESET Smart Security\ekrn.exe some access blocked SelfDefense: Protect ESET files Write to file

And this is after a clean install using the eset uninstall tool several times, and also checking for rootkits etc. with gmer, catchme etc., nothing found

In the past week I have had my system become totally unresponsive, unable to prove that eset is the reason this time, but the last time this freezing of the system occurred it was down to eset/hips, the hips logging was not visible until a few days ago, so

Last edited by tommy456 : December 30th, 2011 at 01:14 AM.
  #13  
Old December 30th, 2011, 09:17 AM
Escalader Escalader is offline
Massive Poster
 
Join Date: Dec 2005
Location: Land of the Mooses
Posts: 3,636
Default Re: HIPS Question

Hi Tommy:

I'm thinking you are running into the conflicts between your installed security products.

In the past the only way I have been able to resolve these issues is a stepwise approach

1) have only 1 active real time (RT) HIPS. (is self defense a HIPS? an AV or a FW?)
2) have only 1 active RT AV

3) have only one active FW.

4) set all 3 of the above to mutually exclude each other.

5) If 1-4 fail, remove all security products using their uninstall utilities and clean up the computer registry and run a defrag

6) Reboot and given you are behind a router, see if your setup works "naked", if it does and it should update all o/s to latest and greatest

7) reboot and see again if your system works, it should

8) add the AV software back, update, reboot

9) add your FW back update set exclusions for AV and FW one to the other

10) turn off the AV HIPS and turn on the FW HIPS (if it has one) is it stable? No? turn off BOTH HIPS, is it stable? Yes? Turn off FW HIPS and turn on the AV hips. Is it stable? No turn all HIPS off. Rethink and Reboot and wait for the rescue squad
__________________
Escalader
i7 8 GB RAM Notebook, 1TB External Drive
Sandboxie, Nod32, OP FW Pro, KeyScrambler, MVPS HOSTS File
IE 9 Hardened Active X,SmartScreen,Tracking Protection
Paragon Backup and Imaging
  #14  
Old December 30th, 2011, 01:18 PM
tommy456 tommy456 is offline
Regular Poster
 
Join Date: Jun 2011
Posts: 136
Default Re: HIPS Question

Quote:
Originally Posted by Escalader
Hi Tommy:

I'm thinking you are running into the conflicts between your installed security products.

In the past the only way I have been able to resolve these issues is a stepwise approach

1) have only 1 active real time (RT) HIPS. (is self defense a HIPS? an AV or a FW?)
2) have only 1 active RT AV

3) have only one active FW.

4) set all 3 of the above to mutually exclude each other.

5) If 1-4 fail, remove all security products using their uninstall utilities and clean up the computer registry and run a defrag

6) Reboot and given you are behind a router, see if your setup works "naked", if it does and it should update all o/s to latest and greatest

7) reboot and see again if your system works, it should

8) add the AV software back, update, reboot

9) add your FW back update set exclusions for AV and FW one to the other

10) turn off the AV HIPS and turn on the FW HIPS (if it has one) is it stable? No? turn off BOTH HIPS, is it stable? Yes? Turn off FW HIPS and turn on the AV hips. Is it stable? No turn all HIPS off. Rethink and Reboot and wait for the rescue squad
Not quite sure what you are saying,
the logs suggest that the hips module belonging to eset smart security
is for some reason or other blocking legitimate windows processes, the
Quote:
C:\WINDOWS\system32\services.exe Delete from registry HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_EPFW\0000\LogConf\ForcedConfigVector blocked SelfDefense: Registry with full protection

I had with builds 5.0.93/4.0, I created a manual rule in the hips module to allow services.exe full access so it could delete etc. etc., which stopped the entries for that in the logs, eset just re-creates them, I think that it has something to do with the virus signature update process,

Why does it block or restrict some legit windows processes?
Which doesn't instill a lot of faith, as eset hips module being in overdrive could cause lots of unwanted effects such as slowdowns and crashes etc.

The other thing is that using process monitor the eset EKRN.exe is continually scanning/trying to access or find some of its own files that are not there on the system, in doing so causes a lot of CPU usage, even some spikes, which on a win7 machine causes things such as games to run very rough (choppy) movement with animation, as its spiking is hogging my CPU and preventing anything else accessing or being processed by the cpu

As for other realtime security products none that are run alongside eset
  #15  
Old January 1st, 2012, 02:19 PM
Escalader Escalader is offline
Massive Poster
 
Join Date: Dec 2005
Location: Land of the Mooses
Posts: 3,636
Default Re: HIPS Question

Quote:
Originally Posted by tommy456
Not quite sure what you are saying,
the logs suggest that the hips module belonging to eset smart security
is for some reason or other blocking legitimate windows processes, the
I had with builds 5.0.93/4.0, I created a manual rule in the hips module to allow services.exe full access so it could delete etc. etc., which stopped the entries for that in the logs, eset just re-creates them, I think that it has something to do with the virus signature update process,

Why does it block or restrict some legit windows processes?
Which doesn't instill a lot of faith, as eset hips module being in overdrive could cause lots of unwanted effects such as slowdowns and crashes etc.

The other thing is that using process monitor the eset EKRN.exe is continually scanning/trying to access or find some of its own files that are not there on the system, in doing so causes a lot of CPU usage, even some spikes, which on a win7 machine causes things such as games to run very rough (choppy) movement with animation, as its spiking is hogging my CPU and preventing anything else accessing or being processed by the cpu

As for other realtime security products none that are run alongside eset


Hi Again:


I'm not trying to sell or tell you anything at all.

I figured based on what has been posted so far that the HIPS in ESET is giving you trouble no doubt due to bugs or to clashes with other security software. But all that is assumption as far as your set up goes. You would KNOW.

I wanted to try to help by giving you a protocol that I have used in these types of situations in the past. If it doesn't apply so be it.

All I can tell you is the last time Stem, me and some others dived into the matter of the ESET HIPS it was in concert with it working alongside OP FW Pro. I'm doing that as this is posted. BUT the only way I could get it going calmly was to turn off the ESET HIPS feature.

Stem at last look (I think) found ESET HIPS buggy. That was a RC product so maybe it is fixed.

OP is coming out with an update/new release this month so my plan is leave it all alone til then.

Good luck, I tried so be it
__________________
Escalader
i7 8 GB RAM Notebook, 1TB External Drive
Sandboxie, Nod32, OP FW Pro, KeyScrambler, MVPS HOSTS File
IE 9 Hardened Active X,SmartScreen,Tracking Protection
Paragon Backup and Imaging
  #16  
Old April 7th, 2012, 03:52 PM
drgoodie drgoodie is offline
Infrequent Poster
 
Join Date: Apr 2012
Location: USA
Posts: 1
Default Re: HIPS Question

Every day I see many of these messages in my HIPS Log. Today there are 30 today as of 10:23 AM.

C:\WINDOWS\system32\services.exe Delete from registry HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_EPFWTDIR\0000\LogConf\BootConfigVector blocked SelfDefense:Registry with full protection

The "BootConfigVector" part of the message changes to "AllocConfigVector", "ForcedConfigVector", "BasicConfig", "Filtered Config", and "OverrideConfig".

Then the series of messages repeat again starting with "BootConfigVector".

These messages have appeared every day since I loaded Eset onto my computer (first load on THIS computer).

I read all the above posts. I do not understand the suggestions for stopping these messages. Did any of the previous posters find a resolution? How can we get Eset to respond to our posts? Thanks for any enlightenment!
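
A triage sketch for the log lines quoted in this thread, added here as an example and not part of any poster's message or of ESET's tooling: it splits the flattened HIPS entries into fields and groups them by application, operation and parent of the target, so the six rotating LogConf value names collapse into one recurring event. The field layout is inferred from the lines quoted above, the function names are hypothetical, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Operation phrases exactly as they appear in the log lines quoted in this thread.
OPERATIONS = ("Delete from registry", "Get access to file", "Terminate/suspend another application")
LINE_RE = re.compile(
    r"^(?:(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+)?"
    r"(?P<app>.+?)\s+(?P<op>" + "|".join(map(re.escape, OPERATIONS)) + r")\s+"
    r"(?P<target>.+?)\s+(?P<action>(?:some access )?blocked)\s+"
    r"SelfDefense:\s*(?P<rule>.+)$")

def parse(line):
    """Split one flattened log line into fields; None if it does not fit."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(lines):
    """Group events by (application, operation, parent of target)."""
    groups = defaultdict(lambda: {"count": 0, "leaves": set()})
    unparsed = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            unparsed.append(line)  # keep anything unexpected for manual review
            continue
        parent, _, leaf = ev["target"].rpartition("\\")
        g = groups[(ev["app"].lower(), ev["op"], parent.lower())]
        g["count"] += 1
        g["leaves"].add(leaf)
    return dict(groups), unparsed

# Constructed sample in the format quoted in the thread (timestamp is optional).
KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_EPFWTDIR\0000\LogConf"
VALUES = ("BootConfigVector", "AllocConfigVector", "ForcedConfigVector",
          "BasicConfig", "Filtered Config", "OverrideConfig")
SAMPLE = [r"C:\WINDOWS\system32\services.exe Delete from registry " + KEY + "\\" + v
          + " blocked SelfDefense:Registry with full protection" for v in VALUES]
SAMPLE += [
    r"12/20/2011 6:03:37 PM C:\WINDOWS\system32\services.exe Delete from registry "
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_EPFW\0000\LogConf"
    r"\ForcedConfigVector blocked SelfDefense: Registry with full protection",
    r"C:\Program Files\TCPView\Tcpview.exe Get access to file C:\Program Files\ESET"
    r"\ESET Smart Security\ekrn.exe some access blocked SelfDefense: Protect ESET files",
    "not a HIPS line",
]

if __name__ == "__main__":
    for key, g in sorted(summarize(SAMPLE)[0].items()):
        print(g["count"], *key, sorted(g["leaves"]))
```

A group whose application or parent key falls outside the handful seen here is the entry worth a closer look; lines that do not parse are returned separately rather than dropped.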
  #17  
Old April 8th, 2012, 03:09 AM
Marcos Marcos is online now
Eset Moderator
 
Join Date: Nov 2002
Posts: 14,185
Default Re: HIPS Question

Make sure you have logging of blocked operations disabled in the advanced HIPS setup. This option serves only for troubleshooting purposes.
 

All times are GMT -4.