Host-based Intrusion Prevention System (HIPS)

Warning

Changes to HIPS settings should only be made by an experienced user. Incorrect configuration of HIPS settings can lead to system instability.

The Host-based Intrusion Prevention System (HIPS) protects your system from malware and unwanted activity attempting to negatively affect your computer. HIPS utilizes advanced behavioral analysis coupled with the detection capabilities of network filtering to monitor running processes, files and registry keys. HIPS is separate from Real-time file system protection and is not a firewall; it only monitors processes running within the operating system.

HIPS settings can be found under Advanced setup (F5) > Antivirus > HIPS > Basic. The HIPS state (enabled/disabled) is shown in the ESET Smart Security Premium main program window, under Setup > Computer protection.


ESET Smart Security Premium uses built-in Self-Defense technology to prevent malicious software from corrupting or disabling your antivirus and antispyware protection, so you can be sure your system is protected at all times. It is necessary to restart Windows to disable HIPS or Self-Defense.

Enable Protected Service – Enables kernel protection (Windows 8.1, 10).

Advanced memory scanner works in combination with Exploit Blocker to strengthen protection against malware that has been designed to evade detection by antimalware products through the use of obfuscation or encryption. Advanced memory scanner is enabled by default. Read more about this type of protection in the glossary.

Exploit Blocker is designed to fortify commonly exploited application types such as web browsers, PDF readers, email clients and MS Office components. Exploit blocker is enabled by default. Read more about this type of protection in the glossary.

Ransomware protection is another layer of protection that works as part of the HIPS feature. You must have the LiveGrid reputation system enabled for Ransomware protection to work. Read more about this type of protection here.

Filtering can be performed in one of four modes:

Automatic mode – Operations are enabled with the exception of those blocked by pre-defined rules that protect your system.

Smart mode – The user will only be notified about very suspicious events.

Interactive mode – The user will be prompted to confirm operations.

Policy-based mode – Operations are blocked.

Learning mode – Operations are enabled and a rule is created after each operation. Rules created in this mode can be viewed in the Rule editor, but their priority is lower than the priority of rules created manually or rules created in Automatic mode. When you select Learning mode from the HIPS Filtering mode drop-down menu, the "Learning mode will end at" setting becomes available. Select the time span for which you want learning mode to be engaged; the maximum duration is 14 days. When the specified duration has passed, you will be prompted to edit the rules created by HIPS while it was in learning mode. You can also choose a different filtering mode, or postpone the decision and continue using learning mode.

Mode set after learning mode expiration – Select the filtering mode after learning mode expires.

The HIPS system monitors events inside the operating system and reacts accordingly based on rules similar to those used by the personal firewall. Click Edit to open the HIPS rule management window. Here you can select, create, edit or delete rules. More details on rule creation and HIPS operations can be found in Edit a HIPS rule.

In the following example, we will demonstrate how to restrict unwanted behavior of applications:

1. Name the rule and select Block from the Action drop-down menu.

2. Enable the Notify user switch to display a notification any time that a rule is applied.

3. Select at least one operation for which the rule will be applied. In the Source applications window, select All applications from the drop-down menu to apply your new rule to all applications attempting to perform any of the selected application operations on the applications you specified.

4. Select Modify state of another application.

5. Select Specific applications from the drop-down menu and Add one or several applications you want to protect.

6. Click Finish to save your new rule.
