#1
Using latest version, I'm not clear on how to properly configure HIPS. Right now I have no rules so I'm not sure that HIPS is doing anything to protect me. It's currently set for Automatic which (as near as I can tell) if there's no rule against an action, then allow anything. If so then it's useless, because you have to create rules to deny behaviors for each program.
Just wondering how you all use HIPS. Thanks.

#2
Presently, it seems that "automatic with rules" is not the best choice, but the other choices are not easy for newbies.
http://www.wilderssecurity.com/showthread.php?t=309273

#3
Thanks. For a while I had HIPS set in "Learning Mode" because I think that was the default. After that it switched to "Automatic." But it's not clear to me what if anything NOD32 learned while it was in learning mode. It never asked for permission for anything during the learning period. As a result I don't seem to have any rules.
So what exactly was supposed to happen during "Learning Mode" and what is the best setting now? Thanks again.

#4
I like to know myself. Since my wife is a regular user of my main desktop I have mine set to auto.
__________________
Security Software on my PC's: Desktop Win 7 Pro x64 Emsisoft Anti Malware v7. Laptop Win 7 Pro x64 & Desktop XP Pro Emsisoft Anti Malware v7 & Online Armor Premium v6 Netbook Win 7 Starter & Netbook XP Home Avast 7. MBAM & Hitman Pro used on demand only.
Last edited by gugarci : October 18th, 2011 at 12:00 PM.

#5
Quote:
HIPS asks me what to do only in the admin account on first reboot and never in a limited-rights account (XP).

#6
So should I just run the HIPS in learning mode for a couple weeks and then switch to interactive?
__________________
"Being safe on the internet is a lot like being safe in real life. Always have a back-up plan and be careful where you stick your pointer." -- anonymous (but probably not Anonymous)

#7
Hello,
Quote:
__________________
ESET SMART SECURITY v.6

#8
Quote:

#9
A HIPS allows or prohibits programs or processes to be launched.
The data and the register can be changed only by authorized programs or processes. Caution: It's the user who decides whether a program or process is permitted or prohibited. Interactive mode should be used only by experienced users.

#10
I had learning mode on when I first installed this version. I think that was the default. But it never asked me for anything during that period and it did not generate any rules that I can see.
Should I turn it back on for another 14 days?

#11
I am using interactive mode and it seems to be working well. However, you need to know what you're allowing.

#12
Quote:
That is why automatic mode should be better!!!

#13
Quote:
The interactive mode, with five check boxes and two drop down boxes for each interaction, can quickly drive you crazy. An antivirus shouldn't be that difficult to use.
Last edited by Thankful : October 20th, 2011 at 11:49 PM.

#14
Hello,
Quote:
I think it's not possible or the improvement will be small. A HIPS works on the principle of a white list: everything is prohibited except what is authorized by the white list. An antivirus works on the principle of a black list: everything is permitted except what is blocked by the black list (signatures). The HIPS cannot know in advance what will come from outside (legitimate programs or pests).

#15
Quote:
I also wish the interactive mode was a little easier to use. But since it's not and my wife also uses this desktop I'm going to stick with auto. I've been using ESET since 2.7 and it has not let me down once, knocking on wood. So since HIPS is new with v5 and ESET has never let me down in the past I'm not going to worry about HIPS any more and move on. One thing that could help novice HIPS users like myself would be some kind of list with program names or types of programs with settings one can apply to their machine (browsers, email, AV's, spyware/malware scanners, iTunes, Adobe Reader, OS services/processes, and so forth). Example: for a browser, or email client, always allow this and it's OK if it also does that. Anyway, I don't know if this is realistic to do since more programs nowadays, compared to a couple of years ago, want more access to your PC than ever. But if we can get a HIPS list up as a sticky that advanced users can edit and add programs and OS services/processes with suggested settings to use for HIPS, novice HIPS users like myself could use that list and apply it to their PC's.
Last edited by gugarci : October 21st, 2011 at 09:25 AM.

#16
I would be in favor of getting rid of the 'advanced' selection for interactive HIPS. Either allow it or not. Save the rule, or not.

#17
If I were a novice user, I would enable "Advanced Heuristics On File Execution".
HIPS settings should be changed by experienced users.
__________________
Pentium M| 512 RAM ESET NOD32 Antivirus 5 ESET Smart Security 6 RC

#18
Quote:
My Comodo free firewall has a white list for its HIPS; why couldn't NOD32/ESS HIPS have its own?? In fact, I think that choosing HIPS was a bad decision and a poor strategy. Sandboxing would have been a better and simpler solution for newbies. And no need for the editor to always update the white list with all the new apps released each week, month, year.....

#19
Quote:
Not a good idea. By default, Adv heur is already used for newly created and modified files; no need to scan files already known to be clean with AH. It is useless and costs too much in power and memory.
Last edited by piranha : October 22nd, 2011 at 12:02 AM.

#20
I have set mine to Learning Mode for a few days then Interactive Mode yesterday. Now I'm getting lots of prompts. Should I tick "Create rule" for every safe prompt?
__________________
AppGuard + Sandboxie + Malwarebytes' Antimalware PRO + Hitman Pro

#21
The HIPS is still buggy. With no HIPS rules added in interactive mode, trying to fire up Firefox, I get the message, "Windows cannot access specified device, path, or file."
I'm not a big fan of the HIPS. If you're not careful, you can end up with an unusable computer.
Last edited by Thankful : October 21st, 2011 at 09:15 PM.

#22
If this is of any help, my original thread and findings on HIPS
Quote:
__________________
siljaline MS MVP Alum . MVPS HOSTS . Rename Hosts . ESET for Business . 10 Immutable Laws of Security . System Lookup . ESET Threat Blog . MBAM

#23
Quote:
I tried learning mode and expected to be faced with a bunch of pop-ups allowing me to set some additional rules, but I managed to go for 14 days with not a single pop-up. However during this time Zemana popped up quite a few times and I set a number of rules within Zemana. Is it possible that Zemana is catching everything first and voiding any HIPS activity in NOD32 AV? It was my understanding that Zemana anti-logger is compatible with ESET. Is that correct?

#24
I have requested expansion on the HIPS solution number article.
Since all others including the cited article do not cite rules and configuration protocols. Since I am not currently running the v5 home user engine, I cannot completely address your query at this time. Wait for someone from ESET to make a better assessment of your situation. Thank you.

#25
Quote:
Last edited by Thankful : October 23rd, 2011 at 10:27 AM.