Wilders Security Forums
Official ESET Support Forum > ESET Home Users Products Forum > ESET NOD32 Antivirus/Smart Security Beta
#1  August 25th, 2012, 11:19 AM  maaster (Regular Poster, Join Date: Aug 2011, Posts: 98)
HIPS?

Consider the following case, which I have experienced personally:
I ran a malware application (intentionally, for testing), but it was not in ESET's signatures, hence it was undetected. The malware was ransomware (WinLock). After running it I got a blank white screen that did not allow me to do any task, hence I had no option but to shut down my computer and start it again. Then I restored my computer, and the system worked fine.
I am not complaining that ESET failed me, as no antivirus can be 100%, but I have some suggestions.
A few weeks before, I tried Kaspersky Internet Security and again ran some malware for testing. I tried to run the undetected samples and was quite impressed with the performance of their HIPS (Application Control in KIS).
If I ran an application that was not in their signatures, a popup appeared with three options: allow, restrict, block. If I clicked on restrict, KIS would prevent the application from modifying important registry values.
So this sounds better than any learning mode of HIPS in ESET, which will generate so many prompts. Hence my suggestion is to identify important registry values that are necessary for the proper functioning of the system and restrict them from unknown applications (even clean ones), or allow the user to decide.
I think this can prevent zero-day malware from infecting any PC. Don't say that this is already there in some hidden HIPS rules; let us adopt this technique even though it is from a competing vendor.
#2  August 26th, 2012, 02:13 AM  SweX (Massive Poster, Join Date: Apr 2007, Location: Sweden, Posts: 3,656)
Re: HIPS?

Well, a feature that I could see as useful in ESET's products, like an "advanced setting", is that it would warn on unknown files: Allow/Quarantine.

It may cause some FPs, but as I said, it should be a feature that is disabled by default but can be enabled by the user if wanted.

And it should be clearly stated in the GUI next to the checkbox: "this is a setting that can cause some false positives; only use this if you know how to handle false positives", or similar.
__________________
OpenDNS ESET Smart Security
-A Heavy product is not the same as a Bloated product and vice versa-
#3  August 26th, 2012, 08:49 AM  Niels (Frequent Poster, Join Date: Jul 2005, Location: Belgium, Posts: 466)
Re: HIPS?

You need to put HIPS in interactive mode. If you do that, you will be able to block certain actions. Or you can also choose policy mode, which means that you first have to create rules; if there aren't any rules, everything is blocked. But I wouldn't recommend using the policy-based mode. I agree with you that if you are using the interactive mode you will receive lots of pop-ups; this is the case if you disable the setting of automatically allowing registry entries. Then you will get overwhelmed with pop-ups.

But even when I didn't disable the option to automatically allow registry changes, HIPS informed me when certain registry keys were changed.

Now there isn't any whitelisting in the HIPS.

Very good suggestion.
#4  August 26th, 2012, 11:19 AM  maaster (Regular Poster, Join Date: Aug 2011, Posts: 98)
Re: HIPS?

Quote:
Originally Posted by Niels
You need to put HIPS in interactive mode. If you do that, you will be able to block certain actions. Or you can also choose policy mode, which means that you first have to create rules; if there aren't any rules, everything is blocked. But I wouldn't recommend using the policy-based mode. I agree with you that if you are using the interactive mode you will receive lots of pop-ups; this is the case if you disable the setting of automatically allowing registry entries. Then you will get overwhelmed with pop-ups.

But even when I didn't disable the option to automatically allow registry changes, HIPS informed me when certain registry keys were changed.

Now there isn't any whitelisting in the HIPS.

Very good suggestion.

Hi, thanks for complimenting my suggestion. I hope some ESET moderators address this issue.
#5  August 26th, 2012, 11:26 AM  maaster (Regular Poster, Join Date: Aug 2011, Posts: 98)
Re: HIPS?

Quote:
Originally Posted by SweX
Well, a feature that I could see as useful in ESET's products, like an "advanced setting", is that it would warn on unknown files: Allow/Quarantine.

It may cause some FPs, but as I said, it should be a feature that is disabled by default but can be enabled by the user if wanted.

And it should be clearly stated in the GUI next to the checkbox: "this is a setting that can cause some false positives; only use this if you know how to handle false positives", or similar.

I think you are talking about advanced heuristics. I have my advanced heuristics enabled. Please understand my suggestion: I suggest that some important registry entries must be identified and protected, i.e. no modifications must be made to them by unknown applications (clean or malware).
#6  August 27th, 2012, 05:29 AM  SweX (Massive Poster, Join Date: Apr 2007, Location: Sweden, Posts: 3,656)
Re: HIPS?

Quote:
Originally Posted by maaster
I think you are talking about advanced heuristics. I have my advanced heuristics enabled. Please understand my suggestion: I suggest that some important registry entries must be identified and protected, i.e. no modifications must be made to them by unknown applications (clean or malware).

No, I mean files that haven't been seen before in the ESET user base, through ESET Live Grid.

Yes, I understand what you are suggesting.
#7  August 28th, 2012, 10:14 PM  agoretsky (ESET Moderator, Join Date: Apr 2006, Location: California, Posts: 3,897)
Re: HIPS?

Hello,

You may submit the undetected ransomware to ESET's virus lab by following the instructions in ESET Knowledgebase Article #141, "How do I submit a virus, website or potential false positive sample to ESET's lab?"

Regards,

Aryeh Goretsky
__________________
Resources: ESET · blog · documentation · FAQs · knowledge base · news · RSS · signature updates · support · Threat Center · @ESETNA (Twitter) · YouTube: ESETKnowledgebase · VirusRadar
Fun Stuff: Facebook (global) · Facebook (US) · @ESET (Twitter) · YouTube: esetusa
#8  August 29th, 2012, 03:41 AM  maaster (Regular Poster, Join Date: Aug 2011, Posts: 98)
Re: HIPS?

Quote:
Originally Posted by agoretsky
Hello,

You may submit the undetected ransomware to ESET's virus lab by following the instructions in ESET Knowledgebase Article #141, "How do I submit a virus, website or potential false positive sample to ESET's lab?"

Regards,

Aryeh Goretsky
It is now no use submitting the samples, as they would already have been added to ESET's signatures! I am just suggesting protecting the computer from zero-day threats.
#9  September 12th, 2012, 08:25 PM  agoretsky (ESET Moderator, Join Date: Apr 2006, Location: California, Posts: 3,897)
Re: HIPS?

Hello,

Submitting malware which is not detected or cleaned properly to ESET's malware researchers ensures the product is updated to properly detect and remove such threats.

That includes updating such technologies as HIPS and heuristics, in addition to traditional signature-based remediation technologies.

Regards,

Aryeh Goretsky
#10  September 14th, 2012, 01:04 AM  maaster (Regular Poster, Join Date: Aug 2011, Posts: 98)
Re: HIPS?

There is no use in saying this in this forum.
#11  October 22nd, 2012, 06:00 AM  MasterTB (Frequent Poster, Join Date: Jun 2007, Location: Paraná, Argentina, Posts: 547)
Re: HIPS?

The way I see it, HIPS in ESET doesn't do anything if the potentially malicious code is not picked up by any of the malware scanning engines (definition or heuristic). And that should NOT be the case.

HIPS should prevent, no matter what, any kind of tampering from code that is not definitively whitelisted (or cleared) by the malware scanning engines.

The fact that ESET didn't pick it up as a virus (or any other variant of malware) doesn't mean that the software is not malicious; hence, if the HIPS is not doing anything to block its working, it is USELESS.

Don't get me wrong, I'm not suggesting ESET start using some kind of sandbox or whatever, but until code is ruled completely clean, HIPS should be a line of defense and prevent certain modifications to the system, or at least inform the user so that he/she can prevent it.

I am not a programmer, so I cannot suggest how to do this, but maaster's case is a clear example of malware that could have been stopped but wasn't.

It's the same kind of debate we see with leak tests and firewalls with HIPS. The ones that pass them simply don't trust the leak tests and treat them as if they were really malicious. ESET's approach (which I'm not saying is wrong or anything, and it's shared by many other security companies) is that, if the program is not picked up as malicious, then it's left to do its business.

And while that may be valid for a simple leak test, malicious code (like the one mentioned in this thread) that is not picked up can prove the whole thing (HIPS) useless if it is not independent from the malware scanning engines in doing its work.

I hope it is clear enough to understand what I'm trying to say.
#12  October 22nd, 2012, 08:08 AM  maaster (Regular Poster, Join Date: Aug 2011, Posts: 98)
Re: HIPS?

Sorry for not posting anything in this thread for a long time. At last I figured out how to use HIPS, with help from the malwaretips forums.

First, set HIPS to "Learning mode", then allow all your frequently used applications to run. Rules will be created for each application. Beware to run only trusted applications. By default, Learning mode will be applied for 15 days. When you are sure that all your frequently used applications have been run, switch to "Interactive mode" or "Policy-based mode". In interactive mode, when an application that is not in the rules tries to make changes, it will alert the user; you can allow or disallow it. If you are running a new application and are sure that it is legitimate, click allow. Just use it like interactive mode in the firewall. In policy-based mode, if an application not in the rules tries to make changes, it will be blocked!

When I first posted the question in this thread, some ESET moderator should have explained how to use HIPS; instead, none of them replied or they asked me to report the samples. But still I feel HIPS can be improved by identifying important registry keys for startup, shutdown, booting etc. and keeping them protected. I reported the same to ESET customer care but got no reply from them!

Last edited by maaster : October 22nd, 2012 at 08:16 AM.
#13  October 22nd, 2012, 08:37 AM  Marcos (ESET Moderator, Join Date: Nov 2002, Posts: 14,194)
Re: HIPS?

I'd recommend using default settings, i.e. automatic mode with rules. You wrote "But still I feel HIPS can be improved by identifying important registry keys for startup, shutdown, booting etc. and keeping them protected", which is nice, and I already came up with this idea when HIPS was being developed, but it's not as easy as you say, because it's not only malware that writes into those registry keys but many more legit applications that read or write there. That said, performing any action automatically would cause issues for millions of users. Of course, HIPS is continually being developed and we have a lot of smart ideas that will be implemented over time.
#14  October 22nd, 2012, 08:50 AM  sweater (Very Frequent Poster, Join Date: Jun 2005, Location: The Philippines, the New Jerusalem, Posts: 1,592)
Re: HIPS?

I am sure many users only use the default HIPS mode settings.
__________________
Eset NOD32 Sandboxie Firefox

"The Internet? We are not interested in it" - Bill Gates, 1993
http://www.gatesfoundation.org/Pages/home.aspx
“We are coming to think of God as dwelling in man rather than as operating on men from without.” - Lyman Abbott
#15  October 22nd, 2012, 10:54 AM  maaster (Regular Poster, Join Date: Aug 2011, Posts: 98)
Re: HIPS?

Quote:
Originally Posted by Marcos
I'd recommend using default settings, i.e. automatic mode with rules. You wrote "But still I feel HIPS can be improved by identifying important registry keys for startup, shutdown, booting etc. and keeping them protected", which is nice, and I already came up with this idea when HIPS was being developed, but it's not as easy as you say, because it's not only malware that writes into those registry keys but many more legit applications that read or write there. That said, performing any action automatically would cause issues for millions of users. Of course, HIPS is continually being developed and we have a lot of smart ideas that will be implemented over time.

But "automatic mode with rules" has just one rule! I already posted somewhere in this forum about this, but got the reply that "rules are hidden". But my question is: why are the rules hidden, and what is the reason to hide them from the user? If they feel that rules should not be changed, then there must be an advanced user tab in HIPS as well! Coming to identifying important registry keys, I am saying to only allow registry changes for applications that are already in ESET's databases. If any unidentified application, which may be a legit application or malware, tries to make changes, show an alert window and let the user decide! It's as simple as that!
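Added example (not code from this thread or from ESET): a small Python model of the HIPS modes as the posters describe them in #12 (learning mode records rules, interactive mode prompts, policy-based mode blocks, automatic mode allows) plus the protected-startup-keys check maaster proposes in #1 and #15. The registry key names, application names and the `known_clean` set are constructed sample values, not ESET's actual rules.

```python
from dataclasses import dataclass, field

# Sample startup/boot-related keys such a policy could cover (chosen here for illustration).
PROTECTED_KEYS = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
}
SHELL_KEY = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"


@dataclass
class Hips:
    mode: str                                      # "learning" | "automatic" | "interactive" | "policy"
    rules: dict = field(default_factory=dict)      # app -> set of keys it may write (learned or user-made)
    known_clean: set = field(default_factory=set)  # apps the vendor already recognises as legitimate
    protect_startup_keys: bool = False             # the extra check proposed in posts #1 and #15

    def decide(self, app: str, key: str) -> str:
        """Return 'allow', 'block' or 'prompt' for one registry write attempt."""
        if key in self.rules.get(app, set()):
            return "allow"                         # an existing rule wins in every mode
        if self.mode == "learning":
            # Learning mode records a rule for whatever runs, trusted or not,
            # which is why the thread warns to run only trusted applications here.
            self.rules.setdefault(app, set()).add(key)
            return "allow"
        if self.protect_startup_keys and key in PROTECTED_KEYS and app not in self.known_clean:
            return "prompt"                        # unknown app touching a protected key: ask the user
        if self.mode == "automatic":
            return "allow"                         # default mode: nothing the engines missed is stopped
        if self.mode == "interactive":
            return "prompt"                        # no rule: ask the user
        if self.mode == "policy":
            return "block"                         # no rule: blocked outright
        raise ValueError(f"unknown HIPS mode {self.mode!r}")


def winlock_scenario(mode: str, protect: bool = False) -> str:
    """Replays the thread's case: an undetected sample rewriting a startup key (constructed names)."""
    hips = Hips(mode=mode, known_clean={"explorer.exe"}, protect_startup_keys=protect)
    return hips.decide("unknown_sample.exe", SHELL_KEY)


if __name__ == "__main__":
    for mode in ("automatic", "interactive", "policy", "learning"):
        print(f"{mode:12s} -> {winlock_scenario(mode)}")
    print(f"automatic + protected keys -> {winlock_scenario('automatic', protect=True)}")
```

The learning-mode result is the cautionary one: the sample is allowed and gets a rule, so switching to policy mode afterwards no longer stops it.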
#16  October 22nd, 2012, 10:57 AM  maaster (Regular Poster, Join Date: Aug 2011, Posts: 98)
Re: HIPS?

Quote:
Originally Posted by sweater
I am sure many users only use the default HIPS mode settings.

The current default mode will do nothing! Trust me! To make it efficient, use learning mode. Yeah, many users will only use the default mode since no explanation has been given on ESET's site about learning mode!
 
