HIPS and Rules

Discussion in 'ESET NOD32 Antivirus/Smart Security Beta' started by trjam, Jun 15, 2011.

Thread Status:
Not open for further replies.
  1. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    I honestly don't know squat about creating rules, but here goes.

    In Automatic mode for HIPS, I created a rule for Internet Explorer to Block and ticked all the boxes in the Target Registry. I did not tick any other boxes in Target Files or Target Applications. I am trying, or thinking, that by doing this, when I use Internet Explorer and anything tries to change the registry, it will be blocked.

    Is this correct? Did I actually create a rule?

    Just trying to learn so I can maybe help others. Thanks
     
  2. trjam

    trjam Registered Member

    Using that auto sandbox tool that Avast has, that didn't work, it loaded. But when I go back and edit the rule and tick the box in Target Files and "write to file", it actually would not run the auto sandbox tool.

    Feel free to chime in and assist this idiot, but I think I am getting there. o_O
     
  3. toxinon12345

    toxinon12345 Registered Member

    Joined:
    Sep 8, 2010
    Posts:
    1,200
    Location:
    Managua, Nicaragua
    There are no idiot questions here, my friend,
    and exactly like you said, ticking all boxes or ticking the box "use for all operations" and selecting Block as the action will deny all registry operations for the source applications in the list.
     
  4. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    I think you have to switch from Automatic to Interactive or Policy mode to get these rules working.
     
  5. toxinon12345

    toxinon12345 Registered Member

    Defined rules work in all filtering modes and you will get the same results.
    So if you block registry writing for a particular application, that app will be blocked in any filtering mode.

    All other operations not defined in the list are allowed in Automatic mode, blocked in Policy mode, asked about in Interactive mode, and allowed by auto-creating a rule in Learning mode.
     
  6. toxinon12345

    toxinon12345 Registered Member

    Don't use Avast Sandbox, use Sandboxie instead.
     
  7. Habakuck

    Habakuck Registered Member

    OK, thanks for the clarification!
     
  8. NodboN

    NodboN Registered Member

    Joined:
    Nov 3, 2007
    Posts:
    139
    When your HIPS was in Automatic mode, how did you create that rule? ;)
     
  9. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    Advanced setup -> Computer -> HIPS -> Rule Editor -> Configure Rules -> New ;)
     
  10. NodboN

    NodboN Registered Member

    LOL, the manual way - no wonder ('cause I'm thinking to myself, Automatic mode never throws up any popups for rule config.)

    Thanks. :D
     
  11. toxinon12345

    toxinon12345 Registered Member

    You can create your own rules for allowing your applications more easily by setting Learning mode;
    after x days the learning will finish. At this point I recommend you set Interactive mode; in case a new application is found, it will prompt you for the action to take, such as allow or deny, and create a rule.

    This works perfectly for me.
     
  12. Mr_Grumpy

    Mr_Grumpy Guest

    Joined:
    Jun 14, 2011
    Posts:
    0
    Setting an application, be that a firewall or in this case HIPS, in learning mode can be very risky if you are not able to interpret the rules created. Most users I know of will not be able to do that. I personally see that option as an advanced feature.
    ONE of the problems with ESET's HIPS in automatic mode is the outrageous number of popups.
    Yesterday I updated Adobe Reader X... for that I received 26 HIPS notifications, o_O
    I can easily imagine a normal user panicking, because they have always been used to ESET being a set-and-forget solution that only gave you a popup when something was wrong. ESET HIPS notifications need some sort of guidance for the user IMHO.

    Best Regards

    MR Grumpy
     
    Last edited: Jun 17, 2011
  13. toxinon12345

    toxinon12345 Registered Member

    Yeah, indeed, when the "modification of startup settings" notification appears, it told me about the future possibility of rules controlled by ESET :blink:
     
  14. NodboN

    NodboN Registered Member

    Instead of waiting for the 14 days to finish, I rushed NOD32 through the learning stage by using each and every application extensively; I have already been running Interactive mode for some while now.
     
  15. toxinon12345

    toxinon12345 Registered Member

    Exactly, I have whitelisted my frequently used applications by running them one by one, and then setting Interactive mode
    or Policy-based mode.
    Make sure your system is clean before following such steps.
     
  16. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    This is what I did too. It took less than an hour in Interactive mode to go through all of my applications and create the rules. Now I only occasionally see an alert.

    I found the easiest way to create the rules is to accept each alert to apply globally to all targets. This limits the maximum number of alerts per executable as each type of alert will only be displayed once. So far, I've got 126 rules spread across 39 executables, which is an average of just over 3 alerts per executable.

    The one exception to this is alerts to start a new application, where I create a custom rule and specify the target unless the source application is fully trusted. Allowing every executable global permission to start other applications would destroy the value of the HIPS as an anti-executable.
     
  17. toxinon12345

    toxinon12345 Registered Member

    Why do you prefer the more difficult way?

    It is easier by setting Learning mode.

    If you set Block as the action to take,
    the global flag "valid for all files" will block operations on all files, which to my eyes is good.

    If you need more control, uncheck the box and add the necessary paths.
     
    Last edited: Jun 19, 2011
  18. pegr

    pegr Registered Member

    Learning mode gives global permission to the source applications it creates "Start new application" rules for to start ANY target application, which destroys the value of HIPS as an anti-executable. Even if you use Learning mode, you'd still need to go through all of the rules afterwards to see which ones to restrict and delete them, then use Interactive mode to set them up again for specific targets.

    I could have done this but I wanted to see how much of a pain it would be to create the entire policy manually. As I said, it was easy to do and didn't take long.
     
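    A toy model of the rule semantics described in toxinon12345's post on filtering modes and pegr's posts on "Start new application" rules above. This is an added illustration, not ESET's code: the Rule fields, operation names, sample paths and the assumption that Learning mode records an allow rule valid for any target are invented for the example.

```python
"""
Toy HIPS rule engine: a defined rule applies in every filtering mode, and
only operations with no matching rule fall through to the mode's default
(allow / ask / block / learn). Added illustration, not ESET's code; rule
fields, operation names and paths are invented.
"""
from dataclasses import dataclass, field
from enum import Enum
from fnmatch import fnmatchcase
from typing import List, Optional


class Mode(Enum):
    AUTOMATIC = "automatic"      # unmatched operations are allowed
    INTERACTIVE = "interactive"  # unmatched operations prompt the user
    POLICY = "policy"            # unmatched operations are blocked
    LEARNING = "learning"        # unmatched operations are allowed and recorded


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    ASK = "ask"


ANY_TARGET = "*"  # the "valid for all ..." flag: rule covers every target


@dataclass
class Rule:
    source: str        # source application path (glob); invented format
    operation: str     # e.g. "registry.write", "file.write", "app.start"
    target: str        # target path glob; ANY_TARGET means no restriction
    action: Verdict


def _glob(value: str, pattern: str) -> bool:
    # Windows paths are case-insensitive, so compare lower-cased.
    return fnmatchcase(value.lower(), pattern.lower())


@dataclass
class Hips:
    mode: Mode
    rules: List[Rule] = field(default_factory=list)

    def find_rule(self, source: str, operation: str, target: str) -> Optional[Rule]:
        """First rule whose source, operation and target all match, or None."""
        for rule in self.rules:
            if (rule.operation == operation
                    and _glob(source, rule.source)
                    and _glob(target, rule.target)):
                return rule
        return None

    def check(self, source: str, operation: str, target: str) -> Verdict:
        """Decide one operation. A defined rule wins regardless of mode."""
        rule = self.find_rule(source, operation, target)
        if rule is not None:
            return rule.action
        if self.mode is Mode.AUTOMATIC:
            return Verdict.ALLOW
        if self.mode is Mode.POLICY:
            return Verdict.BLOCK
        if self.mode is Mode.INTERACTIVE:
            return Verdict.ASK
        # Learning mode (assumption, as pegr describes it): allow, and record
        # an allow rule that is valid for ANY target of that operation.
        self.rules.append(Rule(source, operation, ANY_TARGET, Verdict.ALLOW))
        return Verdict.ALLOW


# Sample paths, constructed for the example
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
READER = r"C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe"
CMD = r"C:\Windows\System32\cmd.exe"
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater"


def ie_registry_block(mode: Mode) -> Verdict:
    """trjam's rule: IE blocked from every registry write, in any mode."""
    hips = Hips(mode, [Rule(IE, "registry.write", ANY_TARGET, Verdict.BLOCK)])
    return hips.check(IE, "registry.write", RUN_KEY)


def unmatched(mode: Mode) -> Verdict:
    """An operation no rule covers: the mode's default decides."""
    return Hips(mode).check(READER, "file.write", r"C:\Users\me\doc.pdf")


def after_learning(learned_target: str, later_target: str) -> Verdict:
    """Learn one 'start application' for IE, then switch to Policy mode."""
    hips = Hips(Mode.LEARNING)
    hips.check(IE, "app.start", learned_target)   # records a global allow
    hips.mode = Mode.POLICY
    return hips.check(IE, "app.start", later_target)


def after_specific_rule(allowed_target: str, later_target: str) -> Verdict:
    """Same, but with a hand-written rule naming the one allowed target."""
    hips = Hips(Mode.POLICY, [Rule(IE, "app.start", allowed_target, Verdict.ALLOW)])
    return hips.check(IE, "app.start", later_target)
```

    Under this model, `after_learning(READER, CMD)` returns ALLOW: the auto-created rule lets iexplore.exe start cmd.exe even after the switch to Policy mode, which is the gap pegr points out. `after_specific_rule(READER, CMD)` returns BLOCK because the hand-written rule names only AcroRd32.exe as a target.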
  19. toxinon12345

    toxinon12345 Registered Member

    Taking into account that my system is clean, allowed applications do not represent a danger to me.
     
  20. pegr

    pegr Registered Member

    There's a difference between clean and trusted. My system is clean but that doesn't mean that every executable present on the system should automatically be trusted and given unrestricted permission to do whatever it likes.

    Whilst it's OK to allow trusted software full access to the system, Internet facing applications, plus any operating system components that can be used to execute malware if unmonitored, should never be trusted and therefore should be restricted.
     
  21. ashishsingh1508

    ashishsingh1508 Registered Member

    Joined:
    May 27, 2011
    Posts:
    125
    Location:
    Pune
    Watch this: ESET is allowing modification of its own files in Automatic mode :thumbd:
     

    Attached Files:

  22. NoobStick

    NoobStick Guest

    Joined:
    Jun 23, 2011
    Posts:
    0
    Hello ESET users,
    First of all, my knowledge about HIPS is extremely limited, and it can only get better. I have been trying out ESET RC 5 and, besides the way too talkative HIPS in Automatic mode and the small Windows Update problem ;), it has been a very stable beta (now RC).
    Okay, my question goes like this... If I set HIPS in a 10-day learning mode and then shift back to Automatic mode, will Automatic mode then use the rules that were created while it was in learning mode? As you can read, my knowledge about the strong HIPS tool is almost non-existent, and it would therefore be great if ESET could create a small HIPS school video for novice users ;) like me.

    Kind Regards

    NoobStick
     
  23. toxinon12345

    toxinon12345 Registered Member

    After learning mode finishes, set Interactive mode.
     
  24. NoobStick

    NoobStick Guest

    Hey toxinon12345,
    Thanks for answering my footnote here in this thread. If I set HIPS to Interactive mode, then I am afraid I will find myself helpless when a notification appears, not knowing the right answer. My idea was that HIPS in Automatic mode, after the learning period, would automatically make the right block/allow decision for me on the basis of the rules that were already created.

    Kind Regards

    NoobStick
     
  25. toxinon12345

    toxinon12345 Registered Member

    If you want to auto-block the non-learned operations, then set Policy-based mode.
     