HIPS

Host-based Intrusion Prevention System (HIPS) protects your system from malware and unwanted activity attempting to negatively affect your computer. HIPS utilizes advanced behavioral analysis coupled with the detection capabilities of network filtering to monitor running processes, files and registry keys. HIPS is separate from Real-time file system protection and is not a firewall; it only monitors processes running within the operating system.


WARNING

Changes to HIPS settings should only be made by an experienced user. Incorrect configuration of HIPS settings can lead to system instability.

Enable Self-Defense

ESET Mail Security has built-in Self-defense technology that prevents malicious software from corrupting or disabling your antivirus and antispyware protection, so you can be sure your system is protected at all times. Changes to the Enable HIPS and Enable SD (Self-Defense) settings take effect after the Windows operating system is restarted. Disabling the entire HIPS system will also require a computer restart.

Enable Protected Service

Microsoft has introduced a concept of protected services with Microsoft Windows Server 2012 R2. It prevents a service against malware attacks. Kernel of ESET Mail Security is running as a protected service by default. This feature is available on Microsoft Windows Server 2012 R2 and newer server operating systems.

Enable Advanced Memory Scanner

Works in combination with Exploit Blocker to strengthen protection against malware that has been designed to evade detection by antimalware products through the use of obfuscation or encryption. Advanced Memory Scanner is enabled by default. Read more about this type of protection in the glossary exlink.

Enable Exploit Blocker

Is designed to fortify commonly exploited application types such as web browsers, PDF readers, email clients and MS Office components. Exploit Blocker is enabled by default. Read more about this type of protection in the glossary exlink.

Enable Ransomware shield

To use this functionality enable HIPS and ESET Live Grid. Read more about Ransomware in the glossary exlink.

Filtering mode

You can choose one of the following filtering modes:

Automatic mode - Operations are enabled with the exception of those blocked by pre-defined rules that protect your system. Everything is allowed except actions denied by rule.

Smart mode - The user will only be notified about very suspicious events.

Interactive mode - The user will be prompted to confirm operations. Allow / deny access, Create rule, Temporarily remember this action.

Policy-based mode - Operations are blocked. Accepts only user/pre-defined rules.

Learning mode - Operations are enabled and a rule is created after each operation. Rules created in this mode can be viewed in the Rule editor, but their priority is lower than the priority of rules created manually or rules created in automatic mode. When you select Learning mode from the HIPS Filtering mode drop-down menu, the Learning mode will end at setting will become available. Select the duration for which you want to engage learning mode (the maximum duration is 14 days). When the specified duration has passed, you will be prompted to edit the rules created by HIPS while it was in learning mode. You can also choose a different filtering mode, or postpone the decision and continue using learning mode.

Rules

Rules determine which applications will be granted access to which files, parts of registry or other applications. The HIPS system monitors events inside the operating system and reacts accordingly based on rules similar to the rules used by the personal firewall. Click Edit to open the HIPS rule management window. If the default action for a rule is set to Ask, a dialog window will be displayed each time that the rule is triggered. You can choose to Block or Allow the operation. If you do not choose an action in the given time, a new action is selected based on the rules.

The dialog window allows you to create a rule based on any new action that HIPS detects and then define the conditions under which to Allow or Block that action. Click Details to see further information. Rules created like this are considered equal to rules created manually, so a rule created from a dialog window can be less specific than the rule that triggered that dialog window. This means that after creating such a rule, the same operation can trigger the same window.

dialog_hips

Ask every time

Dialog window will be displayed each time that the rule is triggered. You can choose to Deny or Allow the operation.

Remember until application quits

Choosing an action Deny or Allow will create a temporary HIPS rule that will be used until the application in question is closed. Also, if you change filtering mode, modify rules, or when HIPS module is updated, and if you restart the system, temporary rules will be deleted.

Create rule and remember permanently

Create a new HIPS rule. You can later modify this rule in the HIPS rule management section.