ESET - HIPS on Policy Mode - some concerns

Status
Not open for further replies.

Soulbound

I did a simple test today by exporting my current rules and deleting everything. Then I kept only the default ESET HIPS rule and set it to policy-based mode.

What I did next was use CCleaner to scan the registry and delete invalid references (in this case old firewall rules).

As you can see, its actions were blocked.

What I didn't expect, however, were the actions that were partially blocked. The actual exe was searchindexer.exe, but then the same exact process gets blocked.

Any thoughts?
Note: Despite the above observation, policy-based mode is still considered a sort of lockout mode.

[screenshot: 4E21lre.png]
 

bitbizket

ESET HIPS is still buggy.
Just set your HIPS to Smart Mode and create important HIPS rules.
There are some lying around in this forum if you're not sure.
 

Rishi

User feed synchronization/msfeedsync = refers to RSS feed rules in browsers. CCleaner might be checking those, but as it says partially blocked, the feed filters/rules should remain intact. Need to confirm this.
logfiles partial access = CCleaner reading the invalid logs; with partial access I believe further modification is blocked.
taskhost = get access to another file = registry scan for loading DLLs on startup, for the startup items module of CCleaner.
audiodg = get access to another file = related to audio driver logs; again, further modification should be prevented.

I think these are needed by CCleaner indirectly to access the "real" entries/logs which need deletion. Partial access could only mean one thing: read but not modified.
 

Soulbound

Thanks for the info. Unfortunately I am not running ESET with policy HIPS. I did install it just to update the settings to reflect some new games added and remove obsolete rules. I'm currently running a different solution, and the standalone HIPS of McAfee functions very differently from ESET's.

In any case, I do not know of many ESET users running a full lockdown HIPS config. Most use automatic or smart mode. @illumination @Overkill @exterminator20 I believe you guys used or still use ESET every now and again. If so, care to test policy-based mode with another program? Worst case scenario I'll fire up a VM, but last I checked it had some problems on W10. I only updated the rules, so I cannot verify either way. Thanks
 

Exterminator

I haven't used ESET since I had some problems with version 9 in Windows 10 back in November, and also with removal of ESET.
I found a 3rd-party uninstaller would not work (completely uninstall it) or would stall, and that the ESET removal tool actually uninstalls your net adapter, which, if their backup and reinstallation of it actually worked, would not be a problem. Unfortunately this was not the case, and without a backup or restore point you're going to have to reinstall it, and in the meantime have no internet connection.
Version 8 did not have this problem.
In the meantime I was trying Avast IS 2016 on a desktop and a Lenovo laptop and running EIS on my ROG. Right now I am back on KIS 2016 on the desktop.
I am, however, running ESS 9 on an HP desktop that is used by my wife and daughter, which is just set to default settings.
I know @illumination just went back to ESET, so he might be able to shed some light on this.
 

illumination

I just landed back on ESET, and have HIPS set in smart mode. I just finished a clean install of this system, so once I have everything back on, including the VM, I could take a look. I normally do not mess with policy mode as I find it a tad overkill; interactive mode will bombard you with pop-ups, and policy mode will keep you more than busy, I would assume.
 

BoraMurdar

Smart Mode was always checked on my system, and it could successfully intercept commands made by programs wanting to change, update or delete certain keys. It seems that ESET has predefined rules and sections which can/cannot be changed in Smart Mode.
The other modes are simple: Policy will block anything that deviates from rules already made by you or by Learning Mode. Interactive mode will ask you about anything and everything :)
It's best that you turn Smart Mode on, as the other modes are not productive at all.
 
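To make the mode semantics in BoraMurdar's summary concrete, and to show why Rishi's reading of "partial access" as read-but-not-modify falls out naturally of a default-deny rule set, here is a small Python model of how a HIPS resolves one operation under automatic, smart, interactive, learning and policy-based modes. This is an added example written for this page, not ESET code, and it makes no claim about ESET's real rule format or predefined list: the rule fields, the PROTECTED locations, the process paths, registry keys, log path and the single allow rule are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from fnmatch import fnmatchcase
from typing import Dict, List, Set


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    ASK = "ask"  # prompt the user instead of deciding


@dataclass
class Rule:
    process: str     # glob on the acting process image path (assumed field)
    target: str      # glob on the file or registry target (assumed field)
    ops: frozenset   # operations covered, e.g. {"read", "write", "delete"}
    verdict: Verdict


@dataclass
class Event:
    process: str
    target: str
    op: str


# Assumed "protected" locations that smart mode guards without a user rule.
# ESET's real predefined list is not on this page; these are placeholders.
PROTECTED = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*",
    r"C:\Windows\System32\*",
)


def _match(pattern: str, value: str) -> bool:
    # Case-insensitive glob; fnmatch treats backslashes as literal characters.
    return fnmatchcase(value.lower(), pattern.lower())


def is_protected(target: str) -> bool:
    return any(_match(p, target) for p in PROTECTED)


def decide(mode: str, rules: List[Rule], ev: Event) -> Verdict:
    """First matching explicit rule wins; otherwise the mode's default applies."""
    for rule in rules:
        if (_match(rule.process, ev.process) and _match(rule.target, ev.target)
                and ev.op in rule.ops):
            return rule.verdict
    if mode == "automatic":    # no rule and no prompt: the operation proceeds
        return Verdict.ALLOW
    if mode == "smart":        # only touches to protected locations are questioned
        return Verdict.ASK if is_protected(ev.target) else Verdict.ALLOW
    if mode == "interactive":  # every unmatched operation prompts
        return Verdict.ASK
    if mode == "learning":     # allow it, and record an allow rule for next time
        rules.append(Rule(ev.process, ev.target, frozenset({ev.op}), Verdict.ALLOW))
        return Verdict.ALLOW
    if mode == "policy":       # default deny: nothing passes without a rule
        return Verdict.BLOCK
    raise ValueError(f"unknown HIPS mode: {mode!r}")


def access_summary(mode: str, rules: List[Rule], process: str,
                   target: str, ops: Set[str]) -> str:
    """Collapse one process's attempts on one target into a log-style label.
    "partial" is the thread's "partially blocked": reads pass, writes/deletes do not."""
    verdicts = {op: decide(mode, rules, Event(process, target, op)) for op in sorted(ops)}
    if any(v is Verdict.ASK for v in verdicts.values()):
        return "prompt"
    allowed = sum(v is Verdict.ALLOW for v in verdicts.values())
    if allowed == len(verdicts):
        return "allowed"
    return "partial" if allowed else "blocked"


# Constructed stand-in for "the default rule only": the Windows search indexer
# may read its own log files, and nothing else is explicitly allowed.
INDEXER = r"C:\Windows\System32\SearchIndexer.exe"
RULES = [Rule(INDEXER, r"C:\ProgramData\Microsoft\Search\*", frozenset({"read"}), Verdict.ALLOW)]


def demo() -> Dict[str, str]:
    """Constructed events mirroring the thread's screenshot, under different modes."""
    cleaner = r"C:\Program Files\CCleaner\CCleaner.exe"
    stale_key = r"HKCU\Software\ExampleVendor\OldFirewallRules"  # placeholder key
    run_key = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Foo"
    log = r"C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log"
    return {
        "policy_ccleaner_stale_key": access_summary("policy", list(RULES), cleaner, stale_key, {"read", "delete"}),
        "smart_ccleaner_stale_key": access_summary("smart", list(RULES), cleaner, stale_key, {"read", "delete"}),
        "smart_ccleaner_run_key": access_summary("smart", list(RULES), cleaner, run_key, {"delete"}),
        "policy_indexer_log": access_summary("policy", list(RULES), INDEXER, log, {"read", "write"}),
    }
```

Running `demo()` shows the three behaviours the thread is comparing: under policy mode CCleaner's registry cleanup is blocked outright because no rule covers it, under smart mode the same cleanup goes through untouched unless it lands on a protected location (where it prompts), and the indexer's log access comes out as "partial" in policy mode because only its read is covered by a rule while the write falls to the default deny. Learning mode is the only one that mutates the rule list; a rule it records will then be honoured by policy mode.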