Host-based Intrusion Prevention System (HIPS)

WARNING

Changes to HIPS settings should only be made by an experienced user. Incorrect configuration of HIPS settings can lead to system instability.

The Host-based Intrusion Prevention System (HIPS) protects your system from malware and unwanted activity attempting to negatively affect your computer. HIPS utilizes advanced behavioral analysis coupled with the detection capabilities of network filtering to monitor running processes, files and registry keys. HIPS is separate from Real-time file system protection and is not a firewall; it only monitors processes running within the operating system.

HIPS settings can be found in Advanced setup (F5) > Antivirus > HIPS > Basic. The HIPS state (enabled/disabled) is shown in the ESET Endpoint Antivirus main program window, in the Setup > Computer.


ESET Endpoint Antivirus uses built-in Self-defense technology to prevent malicious software from corrupting or disabling your antivirus and antispyware protection, so that protection stays in place even while the system is under attack. Disabling HIPS or Self-defense takes effect only after Windows is restarted.

Advanced memory scanner works in combination with Exploit Blocker to strengthen protection against malware that has been designed to evade detection by antimalware products through the use of obfuscation or encryption. Advanced memory scanner is enabled by default. Read more about this type of protection in the glossary.

Exploit Blocker is designed to fortify commonly exploited application types such as web browsers, PDF readers, email clients and MS Office components. Exploit blocker is enabled by default. Read more about this type of protection in the glossary.

Filtering can be performed in one of five modes:

Automatic mode – Operations are enabled with the exception of those blocked by pre-defined rules that protect your system.

Smart mode – The user will only be notified about very suspicious events.

Interactive mode – User will be prompted to confirm operations.

Policy-based mode – Operations that are not explicitly allowed by a rule are blocked.

Learning mode – Operations are enabled and a rule is created after each operation. Rules created in this mode can be viewed in the Rule editor, but their priority is lower than the priority of rules created manually or rules created in Automatic mode. When you select Learning mode from the HIPS Filtering mode drop-down menu, the Learning mode will end at setting becomes available. Select how long learning mode should stay engaged; the maximum duration is 14 days. When the specified duration has passed, you will be prompted to edit the rules created by HIPS while it was in learning mode. You can also choose a different filtering mode, or postpone the decision and continue using learning mode. Because learning mode allows and records every operation it observes, run it only on a clean system, and review the generated rules before accepting them.

Mode set after learning mode expiration – Define which filtering mode HIPS will revert to after the time period for learning mode ends.

The HIPS system monitors events inside the operating system and reacts accordingly based on rules similar to the rules used by the personal firewall. Click Edit to open the HIPS rule management window. Here you can select, create, edit or delete rules. More details on rule creation and HIPS operations can be found in the Edit rule chapter.

In the following example, we will demonstrate how to restrict unwanted behaviors of applications:


1. Name the rule and select Block from the Action drop-down menu.
2. In the Operations affecting section, select at least one operation for the rule.
3. Select the slider bar next to Log to enable logging for the new rule. Logs can be collected by Remote Administrator.
4. Select the slider bar next to Notify user to display a notification any time that a rule is applied. Click Next.



5. In the Source applications window, select All applications from the drop-down menu to apply your new rule to all applications attempting to perform any of the selected operations. Click Next.
6. In the following window, select the slider bar next to Modify state of another application and click Next.
7. Select Specific applications from the drop-down menu and click Add to add one or more applications you want to block.
8. Click Finish to save your new rule.
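The filtering modes listed above and the rule built in steps 1 to 8 can be understood as a small rule engine: a matching rule decides, and only when no rule matches does the filtering mode supply the default. The Python below is an added illustrative model, not ESET code and not a description of how ESET implements HIPS. It assumes that a matching rule always takes precedence over the mode default, that learning-mode rules are evaluated after manual and pre-defined rules (as the page states), and that the `suspicious` event flag, the operation name `modify_state`, and the application names are made up for the example.

```python
"""Illustrative model of HIPS filtering modes and rule precedence.
Added example: not ESET code. All names and the event/rule shapes are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import List, Optional, Tuple


class Action(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    ASK = "ask"      # Interactive mode: prompt the user to confirm the operation


ALL = None           # stands for "All applications" in a rule


@dataclass
class Rule:
    name: str
    action: Action
    operations: frozenset                 # e.g. {"modify_state"} (assumed operation name)
    sources: Optional[frozenset] = ALL    # None = All applications
    targets: Optional[frozenset] = ALL    # None = any target application
    log: bool = False
    notify: bool = False
    origin: str = "manual"                # "manual" | "predefined" | "learning"


@dataclass
class Event:
    source: str
    operation: str
    target: str
    suspicious: bool = False   # assumed flag standing in for Smart mode's "very suspicious"


# Lower value = evaluated first; learning-mode rules rank below manual/pre-defined ones.
PRIORITY = {"manual": 0, "predefined": 0, "learning": 1}


def rule_matches(rule: Rule, ev: Event) -> bool:
    return (ev.operation in rule.operations
            and (rule.sources is ALL or ev.source in rule.sources)
            and (rule.targets is ALL or ev.target in rule.targets))


@dataclass
class Hips:
    mode: str = "automatic"   # automatic | smart | interactive | policy | learning
    rules: List[Rule] = field(default_factory=list)
    learning_ends: Optional[datetime] = None
    mode_after_learning: str = "automatic"

    def start_learning(self, days: int, now: datetime, then: str = "automatic") -> None:
        """Engage learning mode; the page caps the duration at 14 days."""
        self.mode = "learning"
        self.learning_ends = now + timedelta(days=min(days, 14))
        self.mode_after_learning = then

    def evaluate(self, ev: Event, now: datetime) -> Tuple[Action, List[str]]:
        """Return the decision for one event plus the side effects (log, notify, learned)."""
        effects: List[str] = []
        if self.mode == "learning" and self.learning_ends and now >= self.learning_ends:
            self.mode = self.mode_after_learning   # "Mode set after learning mode expiration"
            effects.append(f"learning ended; mode={self.mode}")
        # First matching rule in priority order wins, whatever the mode.
        for rule in sorted(self.rules, key=lambda r: PRIORITY[r.origin]):
            if rule_matches(rule, ev):
                if rule.log:
                    effects.append(f"log:{rule.name}")
                if rule.notify:
                    effects.append(f"notify:{rule.name}")
                return rule.action, effects
        # No rule matched: the filtering mode supplies the default.
        if self.mode == "automatic":
            return Action.ALLOW, effects
        if self.mode == "smart":
            if ev.suspicious:
                effects.append("notify:suspicious")
            return Action.ALLOW, effects
        if self.mode == "interactive":
            return Action.ASK, effects
        if self.mode == "policy":
            return Action.BLOCK, effects
        if self.mode == "learning":
            self.rules.append(Rule(f"learned:{ev.source}:{ev.operation}:{ev.target}",
                                   Action.ALLOW, frozenset({ev.operation}),
                                   frozenset({ev.source}), frozenset({ev.target}),
                                   origin="learning"))
            effects.append("learned")
            return Action.ALLOW, effects
        raise ValueError(f"unknown mode {self.mode}")


def demo() -> dict:
    """Steps 1-8 of the page as a rule, then learning mode; returns the outcomes."""
    t0 = datetime(2024, 1, 1)
    hips = Hips(mode="automatic")
    # Block "Modify state of another application" from All applications to protected.exe.
    hips.rules.append(Rule("Block state changes to protected.exe", Action.BLOCK,
                           frozenset({"modify_state"}), sources=ALL,
                           targets=frozenset({"protected.exe"}), log=True, notify=True))
    out = {}
    out["blocked"] = hips.evaluate(Event("tool.exe", "modify_state", "protected.exe"), t0)
    out["allowed"] = hips.evaluate(Event("tool.exe", "modify_state", "other.exe"), t0)
    hips.start_learning(days=30, now=t0, then="policy")     # clipped to 14 days
    out["learning_days"] = (hips.learning_ends - t0).days
    out["learned"] = hips.evaluate(Event("tool.exe", "modify_state", "other.exe"), t0)
    # The manual Block rule still wins over anything learning mode would allow.
    out["learned_but_blocked"] = hips.evaluate(Event("tool.exe", "modify_state", "protected.exe"), t0)
    out["after_expiry"] = hips.evaluate(Event("new.exe", "modify_state", "other.exe"),
                                        t0 + timedelta(days=15))
    out["mode_now"] = hips.mode
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point the model makes concrete is the precedence the page describes: the Block rule from the procedure fires in every mode, including learning mode, because learned rules sort after manual ones, while an unmatched operation falls through to whatever the current mode permits, which after learning expires is the Policy-based default of Block.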