HIPS rule settings

This window gives you an overview of existing HIPS rules.

Rule

User-defined or automatically chosen rule name.

Enabled

Deactivate this switch if you want to keep the rule in the list but do not want to use it.

Action

The rule specifies an action – Allow, Block or Ask – that should be performed if the conditions are right.

Sources

The rule will be used only if the event is triggered by an application(s).

Targets

The rule will be used only if the operation is related to a specific file, application or registry entry.

Log severity

If you activate this option, information about this rule will be written to the HIPS log.

Notify

A small pop-up window appears in the lower-right corner if an event is triggered.

Create a new rule, click Add new HIPS rules or Edit selected entries.

Rule name

User-defined or automatically chosen rule name.

Action

The rule specifies an action Allow, Block or Ask that should be performed if the conditions are right.

Operations affecting

You must select the type of operation for which the rule will be applied. The rule will be used only for this type of operation and for the selected target. The rule consists of parts that describe the conditions triggering this rule.

Source applications

The rule will be used only if the event is triggered by this application(s). Select Specific applications from drop-down menu and click Add to add new files or folders or you can select All applications from the drop-down menu to add all applications.


NOTE

Some operations of specific rules pre-defined by HIPS cannot be blocked and are allowed by default. In addition, not all system operations are monitored by HIPS. HIPS monitors operations that may be considered unsafe.

Descriptions of important operations:

File operations:

Delete file

Application is asking for permission to delete the target file.

Write to file

Application is asking for permission to write to the target file.

Direct access to disk

Application is trying to read from or write to the disk in a non-standard way that will circumvent common Windows procedures. This may result in files being modified without the application of corresponding rules. This operation may be caused by malware trying to evade detection, backup software trying to make an exact copy of a disk, or a partition manager trying to reorganize disk volumes.

Install global hook

Refers to calling the SetWindowsHookEx function from the MSDN library.

Load driver

Installation and loading of drivers onto the system.

The rule will only be used if the operation is related to this target. Select Specific files from the drop-down menu and click Add to add new files or folders. Alternatively, you can select All files from the drop-down menu to add all applications.

 

Application operations:

Debug another application

Attaching a debugger to the process. While debugging an application, many details of its behavior can be viewed and modified and its data can be accessed.

Intercept events from another application

The source application is attempting to catch events targeted at a specific application (for example a keylogger trying to capture browser events).

Terminate/suspend another application

Suspending, resuming or terminating a process (can be accessed directly from Process Explorer or the Processes window).

Start new application

Starting of new applications or processes.

Modify state of another application

The source application is attempting to write into the target applications' memory or run code on its behalf. This functionality may be useful to protect an essential application by configuring it as a target application in a rule blocking the use of this operation.

The rule will only be used if the operation is related to this target. Select Specific applications from the drop-down menu and click Add to add new files or folders. Alternatively, you can select All applications from the drop-down menu to add all applications.

 

Registry operations:

Modify startup settings

Any changes in settings that define which applications will be run at Windows startup. These can be found, for example, by searching for the Run key in the Windows Registry.

Delete from registry

Deleting a registry key or its value.

Rename registry key

Renaming registry keys.

Modify registry

Creating new values of registry keys, changing existing values, moving data in the database tree or setting user or group rights for registry keys.

The rule will only be used if the operation is related to this target. Select Specific entries from the drop-down menu and click Add to add new files or folders. Alternatively, you can select All entries from the drop-down menu to add all applications.


NOTE

You can use wildcards with certain restrictions when entering a target. Instead of a particular key the * (asterisk) symbol can be used in registry paths. For example HKEY_USERS\*\software can mean HKEY_USER\.default\software but not HKEY_USERS\S-1-2-21-2928335913-73762274-491795397-7895\.default\software. HKEY_LOCAL_MACHINE\system\ControlSet* is not a valid registry key path. A registry key path containing \* defines "this path, or any path on any level after that symbol". This is the only way of using wildcards for file targets. First, the specific part of a path will be evaluated, then the path following the wildcard symbol (*).


WARNING

You may receive a notification if you create an overly generic rule.