HIPS Question

Discussion in 'ESET Smart Security' started by HealingStargate, Dec 20, 2011.

Thread Status:
Not open for further replies.
  1. HealingStargate

    HealingStargate Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    160
    Location:
    USA
    I keep getting many of these types of notices when I open the HIPS window...

    12/20/2011 6:03:37 PM C:\WINDOWS\system32\services.exe Delete from registry HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_EPFW\0000\LogConf\ForcedConfigVector blocked SelfDefense: Registry with full protection

    I am wondering if it is something to be concerned about.

    Thank you for any information.

    KOR-
     
  2. HealingStargate

    I guess the lack of response from anyone means there is no problem on my system.
    KOR-
     
  3. tommy456

    tommy456 Registered Member

    Joined:
    Jun 11, 2011
    Posts:
    137
    Which build do you currently have installed? And was this a clean install or over a previous version? The logging you can see is, as far as I know, not something that you should be seeing if ESET is correctly installed. Best to contact support; they may wish to investigate further as to why this is happening.
     
  4. HealingStargate

    I have 5.0.95.0 installed on XP32 SP3.

    As far as I remember I tried to install over the last version BUT it would not let me and so I did an 'uninstall' and loaded up the current version.

    Those notices I mentioned are not as prevalent as before but still happening.

    I posted this question a few weeks ago but no one responded but you, thank you.

    I don't know why no response from ESET moderators on this forum.

    Anyone from ESET that would like to comment I would appreciate some info.

    Thank you.
    KOR-
     
  5. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    All I can give you as a user myself is:

    1) I disabled ESET HIPS some time ago; Stem did some testing and it was found to be "buggy". That was enough for me not to rely on it "yet".

    2) Try running a registry cleaner to rid yourself of this entry, that might work.


    As to why ESET doesn't respond, I have no clue. Did you submit your question directly to the vendor?
     
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Probably the action was attempted by the OS for some reason; it's impossible to tell for sure.
     
  7. Marcos

    What issue did you run into?
     
  8. HealingStargate

    I just got a huge group of HIPS notices similar to what I sent here.
    I put a ticket to ESET.
    KOR-
     
  9. Marcos

    Personally I doubt they will be able to shed any light given that the devs had no clue about the cause.
     
  10. HealingStargate

    Marcos-

    Thank you for your reply.

    I am wondering if it is a sign of a problem somewhere or if it is just a glitch.

    Do you think another clean install is in order?

    Just wondering if it is something serious.

    Thank you.
    KOR-
     
  11. Escalader


    Hi Marcos:

    I'm trying to avoid any issues related to my use of OP FW Pro and, as of today, Nod32 V5 5.0.95.0.


    A full discussion with Stem and others on this combo is at:

    https://www.wilderssecurity.com/showpost.php?p=1909683&postcount=18


    The question I put now is: with the new Nod32 version, do the issues regarding leftover hooks still exist?
     
  12. tommy456

    Mine too has started to display the same thing again with Win XP SP3, and also some other things that it is blocking or reporting to be blocking:
    C:\WINDOWS\system32\dwwin.exe Terminate/suspend another application
    C:\Program Files\ESET\ESET Smart Security\egui.exe blocked SelfDefense: Protect ekrn and egui processes
    C:\WINDOWS\system32\dwwin.exe Get access to file

    C:\Program Files\ESET\ESET Smart Security\egui.exe some access blocked SelfDefense: Protect ESET files Write to file

    And it doesn't even like TCPView from Sysinternals:
    C:\Program Files\TCPView\Tcpview.exe Get access to file C:\Program Files\ESET\ESET Smart Security\ekrn.exe some access blocked SelfDefense: Protect ESET files Write to file

    And this is after a clean install using the ESET uninstall tool several times, and also checking for rootkits etc. with GMER, catchme etc.; nothing found.

    In the past week I have had my system become totally unresponsive; I'm unable to prove that ESET is the reason this time, but the last time this freezing of the system occurred it was down to ESET/HIPS. The HIPS logging was not visible until a few days ago, so o_O
     
    Last edited: Dec 30, 2011
  13. Escalader

    Hi Tommy:

    I'm thinking you are running into conflicts between your installed security products.

    In the past the only way I have been able to resolve these issues is a stepwise approach:

    1) have only 1 active real time (RT) HIPS. (is self defense a HIPS? an AV or a FW?)
    2) have only 1 active RT AV

    3) have only one active FW.

    4) set all 3 of the above to mutually exclude each other.

    5) If 1-4 fail, remove all security products using their uninstall utilities and clean up the computer registry and run a defrag

    6) Reboot and, given you are behind a router, see if your setup works "naked"; if it does (and it should), update the O/S to the latest and greatest.

    7) Reboot and see again if your system works; it should.

    8) Add the AV software back, update, reboot.

    9) Add your FW back, update, and set exclusions for AV and FW, one to the other.

    10) Turn off the AV HIPS and turn on the FW HIPS (if it has one). Is it stable? No? Turn off BOTH HIPS. Is it stable? Yes? Turn off the FW HIPS and turn on the AV HIPS. Is it stable? No? Turn all HIPS off. Rethink, reboot, and wait for the rescue squad :D
     
  14. tommy456

    Not quite sure what you are saying. The logs suggest that the HIPS module belonging to ESET Smart Security is for some reason or other blocking legitimate Windows processes, which I also had with builds 5.0.93/4.0. I created a manual rule in the HIPS module to allow services.exe full access so it could delete etc. etc., which stopped the entries for that in the logs, but ESET just re-creates them; I think that it has something to do with the virus signature update process.

    Why does it block or restrict some legit Windows processes?
    This doesn't instill a lot of faith, as the ESET HIPS module being in overdrive could cause lots of unwanted effects such as slowdowns and crashes etc.

    The other thing is that, using Process Monitor, the ESET ekrn.exe is continually scanning/trying to access or find some of its own files that are not there on the system. In doing so it causes a lot of CPU usage, even some spikes, which on a Win7 machine causes things such as games to run very rough (choppy movement with animation), as its spiking is hogging my CPU and preventing anything else from being processed by the CPU.

    As for other real-time security products, none are run alongside ESET.
     
  15. Escalader


    Hi Again:


    I'm not trying to sell or tell you anything at all.

    I figured based on what has been posted so far that the HIPS in ESET is giving you trouble no doubt due to bugs or to clashes with other security software. But all that is assumption as far as your set up goes. You would KNOW.

    I wanted to try to help by giving you a protocol that I have used in these types of situations in the past. If it doesn't apply, so be it.

    All I can tell you is the last time Stem, me and some others dived into the matter of the ESET HIPS it was in concert with it working alongside OP FW Pro. I'm doing that as this is posted. BUT the only way I could get it going calmly was to turn off the ESET HIPS feature.

    Stem at last look (I think) found ESET HIPS buggy. That was a RC product so maybe it is fixed.

    OP is coming out with an update/new release this month so my plan is leave it all alone til then.

    Good luck, I tried so be it:D
     
  16. drgoodie

    drgoodie Registered Member

    Joined:
    Apr 7, 2012
    Posts:
    1
    Location:
    USA
    Every day I see many of these messages in my HIPS log. Today there are 30 as of 10:23 AM.

    C:\WINDOWS\system32\services.exe Delete from registry HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_EPFWTDIR\0000\LogConf\BootConfigVector blocked SelfDefense:Registry with full protection

    The "BootConfigVector" part of the message changes to "AllocConfigVector", "ForcedConfigVector", "BasicConfig", "Filtered Config", and "OverrideConfig".

    Then the series of messages repeat again starting with "BootConfigVector".

    These messages have appeared every day since I loaded ESET onto my computer (first load on THIS computer).

    I read all the above posts. I do not understand the suggestions for stopping these messages. Did any of the previous posters find a resolution? How can we get Eset to respond to our posts? Thanks for any enlightenment!
     
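As an added illustration (not code from any poster or from ESET), here is a small Python triage script that parses HIPS log lines in the one-line format quoted in this thread and separates the services.exe entries on LEGACY_*\0000\LogConf values that the posters are seeing from everything else, so the remainder of the log is easier to review. The regular expressions, the operation and result strings they recognise, and the sample lines are my own assumptions modeled on the lines quoted above.

```python
import re
from collections import Counter, defaultdict

# One-line HIPS log format as quoted in this thread (timestamp is absent when copied without it):
#   [m/d/yyyy h:mm:ss AM|PM] <process> <operation> <target> [some access ]blocked SelfDefense: <rule>
# Paths on both sides may contain spaces, so the operation and result keywords delimit the fields.
LINE_RE = re.compile(
    r"^(?:(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+)?(?P<proc>.+?)\s+"
    r"(?P<op>Delete from registry|Get access to file|Write to file|Terminate/suspend another application)\s+"
    r"(?P<target>.+?)\s+(?P<result>some access blocked|blocked)\s+SelfDefense:\s*(?P<rule>.+?)\s*$"
)
# The key pattern both posters quote: a LogConf value under a root-enumerated LEGACY_* driver key.
LEGACY_LOGCONF_RE = re.compile(
    r"\\Enum\\Root\\LEGACY_(?P<drv>[A-Z0-9_]+)\\\d{4}\\LogConf\\(?P<value>\w+)$", re.I
)

def parse_line(line):
    """Return the named fields of one log line, or None if it is not in the format above."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(entry):
    """'legacy-logconf' for services.exe deleting a LEGACY_* LogConf value, else 'other'."""
    if (entry["proc"].lower().endswith("\\services.exe") and entry["op"] == "Delete from registry"
            and LEGACY_LOGCONF_RE.search(entry["target"])):
        return "legacy-logconf"
    return "other"

def summarize(lines):
    """Count entries per class and list which LogConf values were hit under each LEGACY_* key."""
    counts, values, unparsed = Counter(), defaultdict(set), []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            if line.strip():
                unparsed.append(line)  # keep anything unrecognised for manual review
            continue
        cls = classify(entry)
        counts[cls] += 1
        if cls == "legacy-logconf":
            m = LEGACY_LOGCONF_RE.search(entry["target"])
            values[m.group("drv").upper()].add(m.group("value"))
    return {"counts": dict(counts), "values": {k: sorted(v) for k, v in values.items()}, "unparsed": unparsed}

# Constructed sample modeled on the lines quoted in the thread (not a real log export).
SAMPLE = r"""
12/20/2011 6:03:37 PM C:\WINDOWS\system32\services.exe Delete from registry HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_EPFW\0000\LogConf\ForcedConfigVector blocked SelfDefense: Registry with full protection
12/20/2011 6:03:38 PM C:\WINDOWS\system32\services.exe Delete from registry HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_EPFWTDIR\0000\LogConf\BootConfigVector blocked SelfDefense: Registry with full protection
C:\Program Files\TCPView\Tcpview.exe Get access to file C:\Program Files\ESET\ESET Smart Security\ekrn.exe some access blocked SelfDefense: Protect ESET files
"""
```

Run `summarize(SAMPLE.splitlines())` (or pass the lines of an exported log) to get the per-class counts, the LogConf value names seen under each LEGACY_* key, and any lines the parser did not recognise.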
  17. Marcos

    Make sure you have logging of blocked operations disabled in the advanced HIPS setup. This option serves only for troubleshooting purposes.
     