How to configure HIPS?

Discussion in 'ESET NOD32 Antivirus' started by jmorlan, Oct 17, 2011.

Thread Status:
Not open for further replies.
  1. jmorlan

    Using the latest version, I'm not clear on how to properly configure HIPS. Right now I have no rules so I'm not sure that HIPS is doing anything to protect me. It's currently set to Automatic, which (as near as I can tell) means that if there's no rule against an action, anything is allowed. If so then it's useless, because you have to create rules to deny behaviors for each program.

    Just wondering how you all use HIPS.

    Thanks.
  2. piranha

  3. jmorlan

    Thanks. For a while I had HIPS set in "Learning Mode" because I think that was the default. After that it switched to "Automatic." But it's not clear to me what if anything NOD32 learned while it was in learning mode. It never asked for permission for anything during the learning period. As a result I don't seem to have any rules.

    So what exactly was supposed to happen during "Learning Mode" and what is the best setting now?

    Thanks again.
  4. gugarci

    I'd like to know myself. Since my wife is a regular user of my main desktop I have mine set to auto.
    Last edited: Oct 18, 2011
  5. piranha

    HIPS asks me what to do only in the admin account on first reboot and never in the limited-rights account (XP).
  6. acr1965

    So should I just run the HIPS in learning mode for a couple weeks and then switch to interactive?
  7. Sacles

    Hello,

    Correct.
  8. acr1965

    OK thanks. I'm doing that now. What about under the HIPS settings of allow changes to "the application part of the registry" and allow changes to "data files" for which there is no rule defined? Once finished with learning mode is it recommended to have those enabled or disabled? I wish to have the more secure settings, so I am assuming they should be unchecked. But does that make a significant change in protection?
  9. Sacles

    A HIPS allows or prohibits the launch of programs or processes.

    The data and the registry can be changed only by authorized programs or processes.

    Caution: It's the user who decides whether a program or process is permitted or prohibited.

    Interactive mode should be used only by experienced users.
  10. jmorlan

    I had learning mode on when I first installed this version. I think that was the default. But it never asked me for anything during that period and it did not generate any rules that I can see.

    Should I turn it back on for another 14 days?
  11. Thankful

    I am using interactive mode and it seems to be working well. However, you need to know what you're allowing.
  12. piranha



    That is why automatic mode should be better!!!
  13. Thankful

    I agree 100%.
    The interactive mode, with five check boxes and two drop down boxes for each interaction, can quickly drive you crazy. An antivirus shouldn't be that difficult to use.
    Last edited: Oct 20, 2011
  14. Sacles

    Hello,

    I think it's not possible or the improvement will be small.

    A HIPS works on the principle of a white list: everything is prohibited except what is authorized by the white list.
    An antivirus works on the principle of a black list: everything is permitted except what is blocked by the black list (signatures).

    The HIPS cannot know in advance what will come from outside (legitimate programs or pests).
  15. gugarci

    I also wish the interactive mode was a little easier to use. But since it's not and my wife also uses this desktop I'm going to stick with auto. I've been using ESET since 2.7 and it has not let me down once, knocking on wood. So since HIPS is new with v5 and ESET has never let me down in the past I'm not going to worry about HIPS any more and move on.

    One thing that could help novice HIPS users like myself would be some kind of list with program names or types of programs with settings one can apply to their machine (browsers, email, AVs, spyware/malware scanners, iTunes, Adobe Reader, OS services/processes, and so forth).

    Example: for a browser, or email client, always allow this and it's OK if it also does that.

    Anyway I don't know if this is realistic to do since more programs nowadays, compared to a couple of years ago, want more access to your PC than ever. But if we can get a HIPS list up as a sticky that advanced users can edit and add programs and OS services/processes with suggested settings to use for HIPS, novice HIPS users like myself could use that list and apply it to their PCs.
    Last edited: Oct 21, 2011
  16. Thankful

    I would be in favor of getting rid of the 'advanced' selection for interactive HIPS. Either allow it or not. Save the rule, or not.
  17. toxinon12345

    If I were a novice user, I would enable "Advanced Heuristics On File Execution".

    HIPS settings should be changed by experienced users.
  18. piranha

    My Comodo free firewall has a white list for its HIPS; why couldn't NOD32/ESS HIPS have its own?

    In fact, I think that choosing HIPS was a bad decision and a poor strategy. Sandboxing would have been a better and simpler solution for newbies. And no need for the editor to always update the white list with all the new apps released each week, month, year.....
  19. piranha


    Not a good idea.

    By default, Adv heur is already used for newly created and modified files; no need to scan files already known to be clean with AH. It is useless and costs too much in power and memory.
    Last edited: Oct 22, 2011
  20. Francis93

    I have set mine to Learning Mode for a few days then Interactive Mode yesterday. Now I'm getting lots of prompts. Should I tick "Create rule" for every safe prompt?
  21. Thankful

    The HIPS is still buggy. With no HIPS rules added in interactive mode, trying to fire up Firefox, I get the message, "Windows cannot access specified device, path, or file."
    I'm not a big fan of the HIPS. If you're not careful, you can end up with an unusable computer.
    Last edited: Oct 21, 2011
  22. siljaline

    If this is of any help, my original thread and findings on HIPS

  23. jmorlan

    Thanks. From the end of that thread it appears there are hidden and invisible rules that we cannot access and which nobody seems to know much about. So, if I understand correctly, the complete absence of any visible rules does not mean that HIPS is not working in automatic mode.

    I tried learning mode and expected to be faced with a bunch of pop-ups allowing me to set some additional rules, but I managed to go for 14 days with not a single pop-up. However during this time Zemana popped up quite a few times and I set a number of rules within Zemana.

    Is it possible that Zemana is catching everything first and voiding any HIPS activity in NOD32 AV? It was my understanding that Zemana anti-logger is compatible with ESET. Is that correct?
  24. siljaline

    I have requested expansion on the HIPS solution number article.
    Since all others including the cited article do not cite rules and configuration protocols.

    Since I am not currently running the v5 home user engine, I cannot completely address your query at this time.

    Wait for someone from ESET to make a better assessment of your situation.

    Thank you.
  25. Thankful

    I am currently using NOD32 version 5.0.94.0 with Zemana. I have NOD32 HIPS set to "Automatic" since the other settings do not work properly. Zemana seems to be working fine when NOD32 HIPS is set to "Automatic". You can test Zemana using the "AntiTest" program from SpyShelter.com.
    Last edited: Oct 23, 2011