HIPS and Rules

I honestly dont know squat about creating rules but here goes.

In Automatic mode for HIPS, Icreated a rule for Internet Explorer to Block and ticked all the boxes in the Target Registry. I did not tic any other boxes in Target Files or Target Applications. I am trying or thinking, that by doing this, when I use Internet Explorer and anything trys to change the registry it will be blocked.

Is this correct? Did I actually create a rule?

Just trying to learn so I can maybe help others. Thanks

 

Using that auto sandbox tool that Avast has, that didnt work, it loaded. But when I go back and edit the rule and tic the box in Target Files and write to file, it actually would not run the auto sandbox tool.

feel free to chime in and assist this idiot, but I think I am getting there.

 

There are No idiot questions here, my friend
and exactly like you said ticking all boxes or ticking the box use for all operations and selecting block as the action will deny all registry operations for the source applications in the list

 

i think you have to swich from automatic to interaktive or policy mode to get this rules working.

 

Defined Rules work in all filtering modes and you will get the same results
So if you block a registry writing for a particular application, that app will be blocked in any Filtering Mode

all others operations not defined in the list are allowed in automatic mode, blocked in Policy mode, Asked in the Interactive Mode, and Allowed by Auto-Creating a Rule in the Learning mode

 

Dont use Avast Sandbox, use SandboxIE Instead.

 

O.k. thanks for the clarification!

 

When your HIPS was in 'Automatic mode,' how did you create that rule.

 

Advanced setup -> Computer -> HIPS -> Rule Editor -> Configure Rules -> New

 

LOL, the manual way - no wonder ('cause I'm thinking to myself; the 'Automatic mode never throws up any popups for rule config.)

Thanks.

 

You can create your own rules for allowing your applications more easily by setting the learning mode,
after x days the learning will finnish, at this point i recommend you to set the interactive mode, in case a new application is found it will prompt to you the action to take such as allow or deny and create rule

this works perfectly to me

 

Setting an application, that be a firewall or in this case HIPS in learningmode, can be very risky if you are not able to interpretive the rules created. Most user I know of will not be able to do that. I personally see that option as an advanced feature.
ONE of the problems wiht Esets HIPS in automatic mode, is the outrageous numbers of popups.
Yesterday I updated Adobe Reader X,.... for that I received 26 HIPS notifications,
I can easily imaging a normal user panic, because they have always be used to Eset was a set and forget solution, there only gave you a popup when something was wrong. Eset HIPS notifications needs some sort of guidance for the user IMHO.

Best Regards

MR Grumpy

 

Yeah, indeed when the modification of startup settings notification appears, it told me about the future possibility of rules controlled by ESET

 

Instead of waiting for the 14 days to finish I had rushed NOD32 through the learning stage by using each & every every application, extensively - already running interactive mode for some while, now.

 

exactly, i have whitelisted my frequently used applications by running them one by one, and then setting the interactive mode
or policy based mode
make sure your system is clean before following such steps

 

This is what I did too. It took less than an hour in Interactive mode to go through all of my applications and create the rules. Now I only occasionally see an alert.

I found the easiest way to create the rules is to accept each alert to apply globally to all targets. This limits the maximum number of alerts per executable as each type of alert will only be displayed once. So far, I've got 126 rules spread across 39 executables, which is an average of just over 3 alerts per executable.

The one exception to this are alerts to start a new application where I create a custom rule and specify the target unless the source application is fully trusted. Allowing every executable global permission to start other applications would destroy the value of the HIPS as an anti-executable.

 

why you prefer the more difficult way?

Is more easily by setting the learning mode

if you set block as the action to take,
the global flag "valid for all files" will block operations in all files, which to my eyes is good

if you need more control uncheck the box and add the necessary paths

 

Learning mode gives global permission to the source applications it creates "Start new application" rules for to start ANY target application, which destroys the value of HIPS as an anti-executable. Even if you use Learning mode, you'd still need to go through all of the rules afterwards to see which ones to restrict and delete them, then use Interactive mode to set them up again for specific targets.

I could have done this but I wanted to see how much of a pain it would be to create the entire policy manually. As I said, it was easy to do and didn't take long.

 

Taking into account my system is clean, allowed applications are not representing a danger to me

 

There's a difference between clean and trusted. My system is clean but that doesn't mean that every executable present on the system should automatically be trusted and given unrestricted permission to do whatever it likes.

Whilst it's OK to allow trusted software full access to the system, Internet facing applications, plus any operating system components that can be used to execute malware if unmonitored, should never be trusted and therefore should be restricted.

 

Watch this ESET is allowing modification of is own files in automatic mode

 

Hello Eset Users
First of all, my knowledge about HIPS is extremely limited, and it can only get better. I have been trying out Eset RC 5 and besides the way to talkative HIPS in automatic mode and the small windows update problem , it have been a very stable beta (now RC).
Okay my question goes like this....If I set HIPS in a 10 day learning mode and then shift back to automatic mode, will automatic mode then use the rules there were created while it was in learning mode. As you can read, my knowledge about the strong HIPS tool is almost non existing and it would therefore be great if Eset could create a small HIPS school video, for novice users. like me.

Kind Regards

NoobStick

 

After the learning mode finnish, set the interactive mode

 

Hey toxinon12345
Thanks for answering my fodnote here in this thread. If I set HIPS interactive mode then I am afraid that I will find myself helpless when a notification appears not knowing the right answer. My Idea was that HIPS in automatic mode after the learning periode would automatic made the right block/allow decision for me, on the behalf of the rules there already were created.

Kind Regards

NoobStick

 

if you want to auto-block the non learned operations, then set the policy based mode