How to configure HIPS?

Discussion in 'ESET NOD32 Antivirus' started by jmorlan, Oct 17, 2011.

Thread Status:
Not open for further replies.
  1. jmorlan

    jmorlan Registered Member

    Joined:
    Jan 29, 2005
    Posts:
    69
    Using latest version, I'm not clear on how to properly configure HIPS. Right now I have no rules so I'm not sure that HIPS is doing anything to protect me. It's currently set for Automatic which (as near as I can tell) if there's no rule against an action, then allow anything. If so then it's useless, because you have to create rules to deny behaviors for each program.

    Just wondering how you all use HIPS.

    Thanks.
     
  2. piranha

    piranha Registered Member

    Joined:
    Mar 21, 2005
    Posts:
    623
    Location:
    Laval, Québec, Canada
  3. jmorlan

    jmorlan Registered Member

    Joined:
    Jan 29, 2005
    Posts:
    69
    Thanks. For a while I had HIPS set in "Learning Mode" because I think that was the default. After that it switched to "Automatic." But it's not clear to me what if anything NOD32 learned while it was in learning mode. It never asked for permission for anything during the learning period. As a result I don't seem to have any rules.

    So what exactly was supposed to happen during "Learning Mode" and what is the best setting now?

    Thanks again.
     
  4. gugarci

    gugarci Registered Member

    Joined:
    Mar 30, 2009
    Posts:
    288
    Location:
    Jersey
    I like to know myself. Since my wife is a regular user of my main desktop I have mine set to auto.
     
    Last edited: Oct 18, 2011
  5. piranha

    piranha Registered Member

    Joined:
    Mar 21, 2005
    Posts:
    623
    Location:
    Laval, Québec, Canada
    HIPS asks me what to do only in the admin account on first reboot and never in a limited-rights account (XP).
     
  6. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,995
    So should I just run the HIPS in learning mode for a couple weeks and then switch to interactive?
     
  7. Sacles

    Sacles Registered Member

    Joined:
    Dec 8, 2004
    Posts:
    372
    Location:
    Belgique
    Hello,

    Correct.
     
  8. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,995
    OK thanks. I'm doing that now. What about under the HIPS settings of allow changes to "the application part of the registry" and allow changes to "data files" for which there is no rule defined? Once finished with learning mode is it recommended to have those enabled or disabled? I wish to have the more secure settings, so I am assuming they should be unchecked. But does that make a significant change in protection?
     
  9. Sacles

    Sacles Registered Member

    Joined:
    Dec 8, 2004
    Posts:
    372
    Location:
    Belgique
    A HIPS allows or prohibits programs or processes to be launched.

    The data and the register can be changed only by authorized programs or processes.

    Caution: It's the user who decides whether a program or process is permitted or prohibited.

    Interactive mode should be used only by experienced users.
     
  10. jmorlan

    jmorlan Registered Member

    Joined:
    Jan 29, 2005
    Posts:
    69
    I had learning mode on when I first installed this version. I think that was the default. But it never asked me for anything during that period and it did not generate any rules that I can see.

    Should I turn it back on for another 14 days?
     
  11. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    6,555
    Location:
    New York City
    I am using interactive mode and it seems to be working well. However, you need to know what you're allowing.
     
  12. piranha

    piranha Registered Member

    Joined:
    Mar 21, 2005
    Posts:
    623
    Location:
    Laval, Québec, Canada

    That is why automatic mode should be better!!!
     
  13. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    6,555
    Location:
    New York City
    I agree 100%.
    The interactive mode, with five check boxes and two drop down boxes for each interaction, can quickly drive you crazy. An antivirus shouldn't be that difficult to use.
     
    Last edited: Oct 20, 2011
  14. Sacles

    Sacles Registered Member

    Joined:
    Dec 8, 2004
    Posts:
    372
    Location:
    Belgique
    Hello,

    I think it's not possible, or the improvement will be small.

    A HIPS works on the principle of a white list: everything is prohibited except what is authorized by the white list.
    An antivirus works on the principle of a black list: everything is permitted except what is blocked by the black list (signatures).

    The HIPS cannot know in advance what will come from outside (legitimate programs or pests).
     
  15. gugarci

    gugarci Registered Member

    Joined:
    Mar 30, 2009
    Posts:
    288
    Location:
    Jersey
    I also wish the interactive mode was a little easier to use. But since it's not and my wife also uses this desktop I'm going to stick with auto. I've been using ESET since 2.7 and it has not let me down once, knocking on wood. So since HIPS is new with v5 and ESET has never let me down in the past I'm not going to worry about HIPS any more and move on.

    One thing that could help novice HIPS users like myself would be some kind of list with program names or types of programs with settings one can apply to their machine (browsers, email, AVs, spyware/malware scanners, iTunes, Adobe Reader, OS services/processes, and so forth).

    Example: for a browser, or email client, always allow this and it's OK if it also does that.

    Anyway, I don't know if this is realistic to do, since more programs nowadays, compared to a couple of years ago, want more access to your PC than ever. But if we can get a HIPS list up as a sticky that advanced users can edit and add programs and OS services/processes with suggested settings to use for HIPS, novice HIPS users like myself could use that list and apply it to their PCs.
     
    Last edited: Oct 21, 2011
  16. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    6,555
    Location:
    New York City
    I would be in favor of getting rid of the 'advanced' selection for interactive HIPS. Either allow it or not. Save the rule, or not.
     
  17. toxinon12345

    toxinon12345 Registered Member

    Joined:
    Sep 8, 2010
    Posts:
    1,200
    Location:
    Managua, Nicaragua
    If I were a novice user, I would enable "Advanced Heuristics On File Execution".

    HIPS settings should be changed by experienced users.
     
  18. piranha

    piranha Registered Member

    Joined:
    Mar 21, 2005
    Posts:
    623
    Location:
    Laval, Québec, Canada
    My Comodo free firewall has a white list for its HIPS; why couldn't NOD32/ESS HIPS have its own??

    In fact, I think that choosing HIPS was a bad decision and a poor strategy. Sandboxing would have been a better and simpler solution for newbies. And no need for the editor to always update the white list with all the new app releases each week, month, year.....
     
  19. piranha

    piranha Registered Member

    Joined:
    Mar 21, 2005
    Posts:
    623
    Location:
    Laval, Québec, Canada

    Not a good idea.

    By default, Adv heur is already used for newly created and modified files; no need to scan files already known to be clean with AH. It is useless and costs too much in power and memory.
     
    Last edited: Oct 22, 2011
  20. Francis93

    Francis93 Registered Member

    Joined:
    Feb 1, 2011
    Posts:
    311
    I have set mine to Learning Mode for a few days then Interactive Mode yesterday. Now I'm getting lots of prompts. Should I tick "Create rule" for every safe prompt?
     
  21. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    6,555
    Location:
    New York City
    The HIPS is still buggy. With no HIPS rules added in interactive mode, trying to fire up Firefox, I get the message, "Windows cannot access specified device, path, or file."
    I'm not a big fan of the HIPS. If you're not careful, you can end up with an unusable computer.
     
    Last edited: Oct 21, 2011
  22. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,618
    If this is of any help, my original thread and findings on HIPS

     
  23. jmorlan

    jmorlan Registered Member

    Joined:
    Jan 29, 2005
    Posts:
    69
    Thanks. From the end of that thread it appears there are hidden and invisible rules that we cannot access and which nobody seems to know much about. So, if I understand correctly, the complete absence of any visible rules does not mean that HIPS is not working in automatic mode.

    I tried learning mode and expected to be faced with a bunch of pop-ups allowing me to set some additional rules, but I managed to go for 14 days with not a single pop-up. However during this time Zemana popped up quite a few times and I set a number of rules within Zemana.

    Is it possible that Zemana is catching everything first and voiding any HIPS activity in NOD32 AV? It was my understanding that Zemana anti-logger is compatible with ESET. Is that correct?
     
  24. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,618
    I have requested expansion on the HIPS solution number article,
    since all others, including the cited article, do not cite rules and configuration protocols.

    Since I am not currently running the v5 home user engine, I cannot completely address your query at this time.

    Wait for someone from ESET to make a better assessment of your situation.

    Thank you.
     
  25. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    6,555
    Location:
    New York City
    I am currently using NOD32 version 5.0.94.0 with Zemana. I have NOD32 HIPS set to "Automatic" since the other settings do not work properly. Zemana seems to be working fine when NOD32 HIPS is set to "Automatic". You can test Zemana using the "AntiTest" program from SpyShelter.com.
     
    Last edited: Oct 23, 2011