HIPS and Rules

Discussion in 'ESET NOD32 Antivirus/Smart Security Beta' started by trjam, Jun 15, 2011.

Thread Status:
Not open for further replies.
  1. NoobStick

    NoobStick Guest

    Joined:
    Jun 23, 2011
    Posts:
    0
    Hey toxinon12345
    I will take the policy-based mode for a spin and see how it goes :) Thank you for taking your time to answer.

    Take care

    NoobStick
     
  2. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    If you are not sure what you are doing with HIPS, it might be better to leave it in automatic mode. If you set it to policy mode, you risk blocking legitimate software updates, etc.
     
  3. toxinon12345

    toxinon12345 Registered Member

    Joined:
    Sep 8, 2010
    Posts:
    1,200
    Location:
    Managua, Nicaragua
    Exactly, that's the reason why I recommend the interactive mode.
     
  4. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    I agree. :thumb:

    As far as I can see, Automatic mode pretty much allows everything except for any blocking rules that have been explicitly created; and Policy mode is probably too restrictive to be convenient for most users. That leaves Interactive mode which fully exploits the power of the HIPS but is flexible enough for normal use.

    As you've previously said, for anyone who doesn't want to have to deal with a substantial number of alerts while the HIPS is learning the system, Learning mode can be used to suppress the alerts and create the initial policy before switching to Interactive mode at the end of the training period.
     
  5. NoobStick

    NoobStick Guest

    Joined:
    Jun 23, 2011
    Posts:
    0
    Hello pegr and toxinon12345
    At the present time I have installed VMware Player where ESET RC 5 is running, and I have installed some of my most daily used programs. I have decided that this is going to be my playground where I try out different HIPS solutions that RC 5 offers. HIPS is a great tool and I really want to understand its feedback better.

    Kind Regards

    NoobStick
     
  6. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Actually, for the most part you don't really have to understand exactly what the HIPS alerts mean in order to be able to use HIPS effectively in Interactive mode.

    The key thing to look at is the name of the source application file that is trying to perform the behaviour that the HIPS is monitoring and alerting on. If it is an executable that you recognise as belonging to the operating system or a known safe application, it should be okay to allow the behaviour, irrespective of whether it is a file, application, or registry type alert.

    On the other hand, if it is an executable that you don't recognise then block the behaviour and use a search engine to check out the file to see what it might be. If you are still unsure, submit the file to ESET for checking and maybe also upload it to an online malware checking service such as VirusTotal. You can always change your mind and use the rules editor to change a block rule to an allow rule if you find you've blocked something you shouldn't have done.

    By default each type of HIPS alert will only be displayed once for a source application because the rule created will apply globally to all target files, applications, or registry entries, depending on the type of alert. This is fine except for creating new processes when it is safest to allow access for each specific target application individually. As nearly all malware attacks start with creating a new process to execute the malware, this should be controlled. If it can't run, it can't harm.

    It would be nice if ESET would put a detailed explanation as to what each type of HIPS alert means in the help file, but from what I can see, it doesn't look as though they are going to.

    Hope that helps. :)
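    A small model of the behaviour pegr describes in posts 4 and 6, added here as an illustration and not ESET code: automatic mode allows everything except explicit block rules, policy mode blocks everything without an explicit allow rule, learning mode silently records rules, and interactive mode prompts once per source application for file and registry operations but per target for process starts. The mode names and the "recognised source executable" heuristic come from the thread; the rule structure, the `Hips` class, the executable names and the sample events are constructed assumptions for the example.

```python
"""Toy HIPS rule engine modelling the mode semantics described in the thread.
Constructed example; not ESET's implementation."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Operation kinds the HIPS alerts on (file / registry / starting a new process)
FILE, REGISTRY, START_PROCESS = "file", "registry", "start_process"


@dataclass(frozen=True)
class Event:
    source: str   # executable attempting the action
    op: str       # FILE, REGISTRY or START_PROCESS
    target: str   # path, registry key, or executable being started


@dataclass
class Rule:
    source: str
    op: str
    target: Optional[str]   # None = applies to every target (global rule)
    action: str             # "allow" or "block"

    def matches(self, ev: Event) -> bool:
        return (self.source == ev.source and self.op == ev.op
                and (self.target is None or self.target == ev.target))


class Hips:
    def __init__(self, mode: str, known_good: set, rules=()):
        self.mode = mode                 # automatic | policy | learning | interactive
        self.known_good = set(known_good)  # executables the operator recognises
        self.rules: list = list(rules)
        self.prompts: list = []          # events that would have shown an alert

    def decide(self, ev: Event) -> str:
        for r in self.rules:             # explicit rules win in every mode
            if r.matches(ev):
                return r.action
        if self.mode == "automatic":
            return "allow"
        if self.mode == "policy":
            return "block"
        if self.mode == "learning":      # record an allow rule, no alert shown
            self._remember(ev, "allow")
            return "allow"
        # interactive: alert, then apply pegr's heuristic as the operator's answer
        self.prompts.append(ev)
        action = "allow" if ev.source in self.known_good else "block"
        self._remember(ev, action)
        return action

    def _remember(self, ev: Event, action: str) -> None:
        # Global per-source rule for file/registry ops; per-target for process starts
        target = ev.target if ev.op == START_PROCESS else None
        self.rules.append(Rule(ev.source, ev.op, target, action))

    def change_rule(self, source: str, op: str, target: Optional[str], action: str) -> bool:
        # Equivalent of flipping a block rule to allow in the rules editor
        for r in self.rules:
            if (r.source, r.op, r.target) == (source, op, target):
                r.action = action
                return True
        return False


def sample_events() -> list:
    # Constructed sequence: two file writes by the same source, two process starts
    # with different targets, then a registry change by an unrecognised executable
    return [
        Event("explorer.exe", FILE, r"C:\Users\me\a.txt"),
        Event("explorer.exe", FILE, r"C:\Users\me\b.txt"),
        Event("explorer.exe", START_PROCESS, "notepad.exe"),
        Event("explorer.exe", START_PROCESS, "unknown.exe"),
        Event("unknown.exe", REGISTRY, r"HKCU\Software\Example"),
    ]


def run(mode: str, rules=(), known_good=("explorer.exe", "svchost.exe")):
    """Return (decisions, number of alerts shown, engine) for the sample events."""
    hips = Hips(mode, set(known_good), rules)
    decisions = [hips.decide(ev) for ev in sample_events()]
    return decisions, len(hips.prompts), hips


if __name__ == "__main__":
    for mode in ("automatic", "policy", "learning", "interactive"):
        decisions, alerts, _ = run(mode)
        print(f"{mode:12s} alerts={alerts} decisions={decisions}")
```

Running it shows why the thread settles on interactive mode: automatic and policy mode never alert but either allow or block everything that has no rule, learning mode builds the same rule set as interactive mode without showing a single alert, and interactive mode alerts four times for five events because the second file write is covered by the global rule while each new process start gets its own prompt.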
     
  7. NoobStick

    NoobStick Guest

    Joined:
    Jun 23, 2011
    Posts:
    0
    Hello pegr
    Thank you for your constructive feedback and good advice, and yes, your advice helps a lot :thumb:
    Yes, it would definitely help a lot if ESET would put a detailed explanation as to what each type of HIPS alert means in the help file, but that is probably only wishful thinking; until then I'll follow your advice.

    Take Care

    NoobStick
     
  8. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    You're welcome. :)

    Regards
     