Host-based Intrusion Prevention System (HIPS) protects your system from malware and unwanted activity attempting to negatively affect your computer. HIPS utilizes advanced behavioral analysis coupled with the detection capabilities of network filtering to monitor running processes, files and registry keys. HIPS is separate from Real-time file system protection and is not a firewall; it only monitors processes running within the operating system.

WARNING

Changes to HIPS settings should only be made by an experienced user. Incorrect configuration of HIPS settings can lead to system instability.

HIPS settings can be found in Advanced setup (F5) > Computer > HIPS > Basic. The HIPS state (enabled/disabled) is shown in the ESET Mail Security main program window, in the Setup tab, on the right side of the Computer section.


ESET Mail Security uses the built-in Self-defense technology as a part of HIPS to prevent malicious software from corrupting or disabling your antivirus and antispyware protection. Self-defense protects crucial system and ESET processes, registry keys and files from being tampered with.

Advanced Memory Scanner works in combination with Exploit Blocker to strengthen protection against malware that has been designed to evade detection by antimalware products through the use of obfuscation or encryption. Advanced Memory Scanner is enabled by default. Read more about this type of protection in the glossary.

Exploit Blocker is designed to fortify commonly exploited application types such as web browsers, PDF readers, email clients and MS Office components. Exploit Blocker is enabled by default. Read more about this type of protection in the glossary.

Filtering can be performed in one of four modes:

Automatic mode - Operations are enabled with the exception of those blocked by pre-defined rules that protect your system.

Smart mode - The user will only be notified about very suspicious events.

Interactive mode - The user will be prompted to confirm operations.

Policy-based mode - Operations are blocked. Accepts only user/predefined rules.

Learning mode - Operations are enabled and a rule is created after each operation. Rules created in this mode can be viewed in the Rule editor, but their priority is lower than the priority of rules created manually or rules created in automatic mode. When you select Learning mode from the HIPS Filtering mode drop-down menu, the "Learning mode will end at" setting becomes available. Select the duration for which you want to engage learning mode (the maximum duration is 14 days). When the specified duration has passed, you will be prompted to edit the rules created by HIPS while it was in learning mode. You can also choose a different filtering mode, or postpone the decision and continue using learning mode.

The HIPS system monitors events inside the operating system and reacts accordingly based on rules similar to the rules used by the personal firewall. Click Edit to open the HIPS rule management window. Here you can select, create, edit or delete rules. More details on rule creation and HIPS operations can be found in the Edit rule chapter.

If the default action for a rule is set to Ask, a dialog window will be displayed each time that the rule is triggered. You can choose to Block or Allow the operation. If you do not choose an action in the given time, a new action is selected based on the rules.


The dialog window allows you to create a rule based on any new action that HIPS detects and then define the conditions under which to allow or block that action. Settings for the exact parameters can be accessed by clicking More info. Rules created like this are considered equal to rules created manually, so a rule created from a dialog window can be less specific than the rule that triggered that dialog window. This means that after creating such a rule, the same operation can trigger the same window.

The "Temporarily remember this action for this process" option causes the action (Allow/Block) to be used until a change of rules or filtering mode, a HIPS module update or a system restart. After any of these three actions, temporary rules will be deleted.