nod32 v8 custom hips rules

Discussion in 'other anti-virus software' started by chrcol, Jun 5, 2016.

  1. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    782
    Location:
    UK
    I have found this powerful, although lacking in some functionality, but sadly I seem to have come across a nasty problem. I have now got quite a lot of rules, and the earliest rules I added stopped working and had to be duplicated. So I seem to have come across some kind of internal rule limit.

    Anyone else come across this?

    This will likely fast-forward me installing ReHIPS now to migrate the HIPS workload to it.
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Presently have 80 user rules created w/o issues. Note I use ver. 8.
     
  3. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,071
    Location:
    Germany
    Good decision.
     
  4. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    782
    Location:
    UK
    Will count my rules; it is possible I have more than 80.

    Most are rules to authorise starting or modifying applications, as I have a default ask policy for binary start.
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    You might want to try exporting your existing rules, reset the HIPS to default, then import the rules and see if that fixes the problem.

    BTW - a hundred or so rules should not affect the HIPS. If you run in training mode, a rule is created for each distinct activity the HIPS encounters. So for one process alone, you could easily end up with 10 rules. One reason I never used training mode to create rules.
     
  6. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    782
    Location:
    UK
    Not using training mode.

    I have a default ask for starting applications, but this isn't the same as training mode.

    explorer.exe is allowed to run anything in the Program Files folder and a couple of other whitelisted locations, also to reduce the total rules.
     
  7. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    782
    Location:
    UK
    ReHIPS I will be testing in a VM soon, and if it looks good enough to use on my main rig, I will use it.
     
  8. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    782
    Location:
    UK
    The model seems ok to me, I am not going to be using it for its isolated process feature, but just for HIPS rules.
     