Configure ESET as default-deny (bye ransomware!)

[RoboMan]

Good morning mortals! I hereby share with you some amazing HIPS rules for ESET that will work as default-deny to prevent infections such as ransomware. You can check the source here.

You can test under your own risk. I have enabled them all with ESET Internet Security 19 and it works flawlessly, feeling no need for extra companion software.

To start with, head to HIPS module under settings, and click EDIT button.

IMPORTANT: create a system restore point before making these changes, just in case.

Spoiler: I. Deny processes from script executables

1. Click Add, and type “Deny child processes from script executables” into the Rule name field.

1. From the Action drop-down menu, select Block.
   Enable the following options:
   • Applications
   • Enabled
   • Logging severity (Warning)
   • Notify user

Figure 1-2

1. Click Next and in the Source applications window, click Add and type in the following names, clicking OK and then Add after each one:
   • C:\Windows\System32\wscript.exe
   • C:\Windows\System32\cscript.exe
   • C:\Windows\SysWOW64\wscript.exe
   • C:\Windows\SysWOW64\cscript.exe
   • C:\Windows\System32\ntvdm.exe

Figure 1-3

1. Click Next, click the slider bar next to Start new application to enable it and then click Next.

.

Figure 1-4

1. Select All applications from the drop-down menu and click Finish.

Figure 1-5
Leave the HIPS rules window open and continue to the next section.

Spoiler: II. Deny script processes started by explorer

1. In the HIPS rules window, click Add.

Figure 2-1

1. Type “Deny script processes started by explorer” into the Rule name field.
2. From the Action drop-down menu, select Block.
   
   Enable the following options:
   • Applications
   • Enabled
   • Logging severity (Warning)
   • Notify user

Click Next.

Figure 2-2

1. In the Source applications window, click Add, type “C:\Windows\explorer.exe” into the Specify file pathfield and then click OK. Click Next.

Figure 2-3

1. In the Application operations window, click the slider bar next to Start new application to enable it. Click Next.

Figure 2-4

1. Click Add and in the Applications window, click Add and type in the following process names, clicking OK and then Add after each one:
   • C:\Windows\System32\wscript.exe
   • C:\Windows\System32\cscript.exe
   • C:\Windows\SysWOW64\wscript.exe
   • C:\Windows\SysWOW64\cscript.exe

Click Finish.

Figure 2-5
Click the image to view larger in new window

Leave the HIPS rules window open and continue to the next section.

Spoiler: III. Deny child processes from Office 2013/2016 processes

1. In the HIPS rules window, click Add.

Figure 3-1

1. Type “Deny child processes from Office 2013 processes” into the Rule name field.
2. From the Action drop-down menu, select Block.
   Enable the following options:
   • Applications
   • Enabled
   • Logging severity (warning)
   • Notify user

Click Next.

Figure 3-2

1. In the Source applications window, click Add and type in the following file names, clicking OK and then Add after each one:
   • C:\Program Files\Microsoft Office\Office15\WINWORD.EXE
   • C:\Program Files\Microsoft Office\Office15\OUTLOOK.EXE
   • C:\Program Files\Microsoft Office\Office15\EXCEL.EXE
   • C:\Program Files\Microsoft Office\Office15\POWERPNT.EXE
   • C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE
   • C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE
   • C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE
   • C:\Program Files (x86)\Microsoft Office\Office15\POWERPNT.EXE

Click Next.

Figure 3-3

1. In the Application operations window, click the slider bar next to Start new application to enable it. Click Next.

Figure 3-4

1. In the Applications window, click Add and type in the following file names, clicking OK and then Add after each one:
   • C:\Windows\System32\cmd.exe
   • C:\Windows\SysWOW64\cmd.exe
   • C:\Windows\System32\wscript.exe
   • C:\Windows\SysWOW64\wscript.exe
   • C:\Windows\System32\cscript.exe
   • C:\Windows\SysWOW64\cscript.exe
   • C:\Windows\System32\ntvdm.exe
   • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
   • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
   • C:\Windows\System32\regsvr32.exe
   • C:\Windows\SysWOW64\regsvr32.exe
   • C:\Windows\System32\rundll32.exe
   • C:\Windows\SysWOW64\rundll32.exe

Add additional Office versions as needed, repeating the same instructions as above.

• 2016 = Office16
• 2010 = Office14

Click Finish.

Figure 3-5

Leave the HIPS rules window open and continue to the next section.

Spoiler: IV. Deny child processes for regsrv32.exe

1. In the HIPS rules window, click Add.

Figure 4-1

1. Type “Deny child processes for regsrv32.exe” into the Rule name field.
2. From the Action drop-down menu, select Block.
   Enable the following options:
   • Applications
   • Enabled
   • Logging severity (warning)
   • Notify user

Click Next.

Figure 4-2

1. In the Source applications window, click Add and type in the following file names, clicking OK and then Add after each one:
   • C:\Windows\System32\regsvr32.exe
   • C:\Windows\SysWOW64\regsvr32.exe

Click Next.

Figure 4-3

1. In the Application operations window, click the slider bar next to Start new application to enable it. Click Next.

Figure 4-4

1. In the Applications window, click Add and type in the following file names, clicking OK and then Add after each one:
   • C:\Windows\System32\cmd.exe
   • C:\Windows\SysWOW64\cmd.exe
   • C:\Windows\System32\wscript.exe
   • C:\Windows\SysWOW64\wscript.exe
   • C:\Windows\System32\cscript.exe
   • C:\Windows\SysWOW64\cscript.exe
   • C:\Windows\System32\ntvdm.exe
   • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
   • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Click Finish.

Figure 4-5

Leave the HIPS rules window open and continue to the next section.

Spoiler: V. Deny child processes for mshta.exe

1. In the HIPS rules window, click Add.

Figure 5-1

1. Type “Deny child processes for mshta.exe” into the Rule name field.
2. From the Action drop-down menu, select Block.
   
   Enable the following options:
   • Applications
   • Enabled
   • Logging severity (warning)
   • Notify user

Click Next

Figure 5-2

1. In the Source applications window, click Add and type in the following file names, clicking OK and then Add after each one:
   • C:\Windows\System32\mshta.exe
   • C:\Windows\SysWOW64\mshta.exe

Click Next.

Figure 5-3

1. In the Application operations window, click the slider bar next to Start new application to enable it. Click Next.

Figure 5-4

1. Select All applications from the drop-down menu and click Finish.

Figure 5-5

Leave the HIPS rules window open and continue to the next section.

Spoiler: VI. Deny child processes for rundll32.exe

1. In the HIPS rules window, click Add.

Figure 6-1

1. Type “Deny child processes for rundll32.exe” into the Rule name field.
2. From the Action drop-down menu, select Block.
   
   Enable the following options:
   • Applications
   • Enabled
   • Logging severity (warning)
   • Notify user

Click Next.

Figure 6-2

1. In the Source applications window, click Add and type in the following file name:
   • C:\Windows\System32\rundll32.exe

Click OK and then click Next.

Figure 6-3

1. In the Application operations window, click the slider bar next to Start new application to enable it. Click Next.

Figure 6-4

1. In the Applications window, click Add and type in the following file names, clicking OK and then Add after each one:
   • C:\Windows\System32\cmd.exe
   • C:\Windows\SysWOW64\cmd.exe
   • C:\Windows\System32\wscript.exe
   • C:\Windows\SysWOW64\wscript.exe
   • C:\Windows\System32\cscript.exe
   • C:\Windows\SysWOW64\cscript.exe
   • C:\Windows\System32\ntvdm.exe
   • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
   • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Click Finish.

Figure 6-5

Leave the HIPS rules window open and continue to the next section.

Spoiler: VII. Deny child processes for powershell.exe

1. In the HIPS rules window, click Add.

Figure 7-1

1. Type “Deny child processes for powershell.exe” into the Rule name field.
2. From the Action drop-down menu, select Block.
   
   Enable the following options:
   • Applications
   • Enabled
   • Logging severity (warning)
   • Notify user

Click Next.

Figure 7-2

1. In the Source applications window, click Add and type in the following file names, clicking OK and then Add after each one:
   • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
   • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Click Next.

Figure 7-3

1. In the Application operations window, click the slider bar next to Start new application to enable it. Click Next.

Figure 7-4

1. Select All applications from the drop-down menu and click Finish.

Figure 7-5

1. When finished adding HIPS rules, click Finish to save the policy settings.

Figure 7-6

The whole configuration file (including these HIPS rules and the mentioned rules in Q&A - Configure ESET Antivirus for Maximum Security (by RoboMan)) can be downloaded here: UPLOAD.EE - eset_19.xml - Download

 

[bob974]

Hello @RoboMan, it would be interesting to have the Xml file to implement the parameters....

 

[sepik]

Thanks, appreciated! Tho, i'n not using ESET, but couple of my friends are.

 

[RoboMan]

Hello @RoboMan, it would be interesting to have the Xml file to implement the parameters....

The whole configuration file (including these HIPS rules and the mentioned rules in Q&A - Configure ESET Antivirus for Maximum Security (by RoboMan) can be downloaded here: UPLOAD.EE - eset_19.xml - Download

 

[bob974]

That's really cool. Thank you @RoboMan(Y). Do you think it can be used for the "smart" version ?

 

[uduoix]

ESET should make this more user-friendly

 

[SearchLight]

Way to go Roboman! Thanks and appreciated, too.

Btw, does your latest config file include all the Office rules that Eset suggested? In my case, I only inserted the first Office Rule that they describe although I do not use Office.

 

[Nestor]

ESET should make this more user-friendly

I agree.In some AV suites you must be a computer expert or safety enthusiast to configure them to achieve malware safety, although most people don't know the basics.

 

[outlawxtorn]

Thanks @RoboMan. What's a good about of time to keep learning mode on with the firewall?

 

[RoboMan]

Thanks @RoboMan. What's a good about of time to keep learning mode on with the firewall?

I usually leave it in learning mode between 3 to 7 days, with maximum interaction possible (opening every single thing I use).

Way to go Roboman! Thanks and appreciated, too.

Btw, does your latest config file include all the Office rules that Eset suggested? In my case, I only inserted the first Office Rule that they describe although I do not use Office.

This HIPS rules I mention are all included in my configuration file!

That's really cool. Thank you @RoboMan(Y). Do you think it can be used for the "smart" version ?

Yes, it can!

 

[amico81]

@RoboMan is the configuration file for Eset IS only or is it compatible for Eset Nod32 too?

 

[SearchLight]

The whole configuration file (including these HIPS rules and the mentioned rules in Q&A - Configure ESET Antivirus for Maximum Security (by RoboMan) can be downloaded here: UPLOAD.EE - eset_19.xml - Download

RoboMan, fyi I just noticed your Config file also contains Firewall rules for your other programs. Some were in Spanish. I deleted them. As a suggestion, you might want to review, and delete accordingly. Thought you would want to know.

 

[Andy Ful]

RoboMan
Those rules are not default-deny. They are similar in idea to Attack Surface Reduction for scripts and MS Office.
These are pretty good HIPS rules, which can stop most malicious scripts and macros. But, I am afraid that they cannot stop some well known infections chains. For example, they can be bypassed by:

• files with some well known dangerous extensions: BAT, CMD, CPL, CHM, etc.
• a shortcut or macro which uses some LOLBins like cmd.exe, wmic.exe.

There can possibly be a problem with macros and scripts, which uses WMI, because when script Interpreter uses WMI to run something, then the child process is not the child of the Interpreter. This can usually fool many security solutions (but not WD Exploit Protection).

 

[HarborFront]

RoboMan
Those rules are not default-deny. They are similar in idea to Attack Surface Reduction for scripts and MS Office.
These are pretty good HIPS rules, which can stop most malicious scripts and macros. But, I am afraid that they cannot stop some well known infections chains. For example, they can be bypassed by:

• files with some well known dangerous extensions: BAT, CMD, CPL, CHM, etc.
• a shortcut or macro which uses some LOLBins like cmd.exe, wmic.exe.

There can possibly be a problem with macros and scripts, which uses WMI, because when script Interpreter uses WMI to run something, then the child process is not the child of the Interpreter. This can usually fool many security solutions (but not WD Exploit Protection).

So what do you propose to overcome the shortages you mentioned i.e. to complement the HIPS rules by @RoboMan ?

Or to use any software to perform the same as the HIPS rules or better without using ESET IS?

 

[Dave Russo]

Roboman Thank you, once again for all the work you put in to this latest download,Certainly above and beyond!

 

[Andy Ful]

So what do you propose to overcome the shortages you mentioned i.e. to complement the HIPS rules by @RoboMan ?

Or to use any software to perform the same as the HIPS rules or better without using ESET IS?

I do not know fully Eset HIPS capabilities, so I cannot say for sure what is required. If there are not other HIPS rules related to script Interpreters, then something like tweaked SysHardener can help.
Furthermore, Eset allows adding some more HIPS rules for explorer.exe, cmd.exe, wmic.exe and other LOLBins. But, this must be adjusted to the particular machine. The Eset Logs and warnings can help with it.

 

[Dave Russo]

Tried running RanSim, Chrome blocks it, Edge allowed it ,Eset even with configuration did real poor ,Tried Windows Defender with Syshardener blocked test, then tried Kaspersky Total security and that also blocked this test .

 

[Andy Ful]

Tried running RanSim, Chrome blocks it, Edge allowed it ,Eset even with configuration did real poor ,Tried Windows Defender with Syshardener blocked test, then tried Kaspersky Total security and that also blocked this test .

RunSim uses WMI to run tests, and does not use script engines. That is why Eset can have a problem. But most of the tested malware will be blocked by Eset in the real world scenario. Simply, Eset with properly set HIPS, will block the delivery of the ransomware payload via weaponized documents or scripts.

 

[RoboMan]

@RoboMan is the configuration file for Eset IS only or is it compatible for Eset Nod32 too?

Any ESET version with HIPS!

RoboMan
Those rules are not default-deny. They are similar in idea to Attack Surface Reduction for scripts and MS Office.
These are pretty good HIPS rules, which can stop most malicious scripts and macros. But, I am afraid that they cannot stop some well known infections chains. For example, they can be bypassed by:

• files with some well known dangerous extensions: BAT, CMD, CPL, CHM, etc.
• a shortcut or macro which uses some LOLBins like cmd.exe, wmic.exe.

There can possibly be a problem with macros and scripts, which uses WMI, because when script Interpreter uses WMI to run something, then the child process is not the child of the Interpreter. This can usually fool many security solutions (but not WD Exploit Protection).

Good you got the point! I admit i suck at wording!

Of course these HIPS rules aren't a replace for anything, that's why it's part of a suite! I'm pretty sure these rules with the rest of the program correctly configured can stop most threats Of course not everything!

 

[Wraith]

As always another great post from @RoboMan. I use ESET with these HIPS rules but I have modified some of the rules. I have HIPS configured to disable execution of wscript, cscript, powershell, mshta, ask if anything tries to modify the hosts file, ask for changes in startup applications. I think it's also a good option to set rules in the firewall to ask for outgoing connections from command prompt and regsvr32.