Robbie

Level 28
Verified
Content Creator
Good morning mortals! I hereby share with you some amazing HIPS rules for ESET that will work as default-deny to prevent infections such as ransomware. You can check the source here.

You can test at your own risk. I have enabled them all with ESET Internet Security 19 and it works flawlessly; I feel no need for extra companion software.



To start with, head to the HIPS module under Settings and click the EDIT button.

IMPORTANT: create a system restore point before making these changes, just in case.
  1. Click Add, and type “Deny child processes from script executables” into the Rule name field.
  2. From the Action drop-down menu, select Block.
    Enable the following options:
    • Applications
    • Enabled
    • Logging severity (Warning)
    • Notify user

Figure 1-2
  3. Click Next and in the Source applications window, click Add and type in the following names, clicking OK and then Add after each one:
    • C:\Windows\System32\wscript.exe
    • C:\Windows\System32\cscript.exe
    • C:\Windows\SysWOW64\wscript.exe
    • C:\Windows\SysWOW64\cscript.exe
    • C:\Windows\System32\ntvdm.exe

Figure 1-3
  4. Click Next, click the slider bar next to Start new application to enable it and then click Next.

Figure 1-4
  5. Select All applications from the drop-down menu and click Finish.

Figure 1-5
Leave the HIPS rules window open and continue to the next section.
  1. In the HIPS rules window, click Add.

Figure 2-1

  2. Type “Deny script processes started by explorer” into the Rule name field.
  3. From the Action drop-down menu, select Block.
    Enable the following options:
    • Applications
    • Enabled
    • Logging severity (Warning)
    • Notify user
    Click Next.

Figure 2-2

  4. In the Source applications window, click Add, type “C:\Windows\explorer.exe” into the Specify file path field and then click OK. Click Next.

Figure 2-3

  5. In the Application operations window, click the slider bar next to Start new application to enable it. Click Next.

Figure 2-4

  6. In the Applications window, click Add and type in the following process names, clicking OK and then Add after each one:
    • C:\Windows\System32\wscript.exe
    • C:\Windows\System32\cscript.exe
    • C:\Windows\SysWOW64\wscript.exe
    • C:\Windows\SysWOW64\cscript.exe
    Click Finish.


Figure 2-5


Leave the HIPS rules window open and continue to the next section.
  1. In the HIPS rules window, click Add.

Figure 3-1

  2. Type “Deny child processes from Office 2013 processes” into the Rule name field.
  3. From the Action drop-down menu, select Block.
    Enable the following options:
    • Applications
    • Enabled
    • Logging severity (Warning)
    • Notify user
    Click Next.

Figure 3-2

  4. In the Source applications window, click Add and type in the following file names, clicking OK and then Add after each one:
    • C:\Program Files\Microsoft Office\Office15\WINWORD.EXE
    • C:\Program Files\Microsoft Office\Office15\OUTLOOK.EXE
    • C:\Program Files\Microsoft Office\Office15\EXCEL.EXE
    • C:\Program Files\Microsoft Office\Office15\POWERPNT.EXE
    • C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE
    • C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE
    • C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE
    • C:\Program Files (x86)\Microsoft Office\Office15\POWERPNT.EXE
    Click Next.

Figure 3-3

  5. In the Application operations window, click the slider bar next to Start new application to enable it. Click Next.

Figure 3-4

  6. In the Applications window, click Add and type in the following file names, clicking OK and then Add after each one:
    • C:\Windows\System32\cmd.exe
    • C:\Windows\SysWOW64\cmd.exe
    • C:\Windows\System32\wscript.exe
    • C:\Windows\SysWOW64\wscript.exe
    • C:\Windows\System32\cscript.exe
    • C:\Windows\SysWOW64\cscript.exe
    • C:\Windows\System32\ntvdm.exe
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    • C:\Windows\System32\regsvr32.exe
    • C:\Windows\SysWOW64\regsvr32.exe
    • C:\Windows\System32\rundll32.exe
    • C:\Windows\SysWOW64\rundll32.exe
    Add additional Office versions as needed, repeating the same instructions as above:
    • 2016 = Office16
    • 2010 = Office14
    Click Finish.



Figure 3-5

Leave the HIPS rules window open and continue to the next section.
  1. In the HIPS rules window, click Add.

Figure 4-1

  2. Type “Deny child processes for regsvr32.exe” into the Rule name field.
  3. From the Action drop-down menu, select Block.
    Enable the following options:
    • Applications
    • Enabled
    • Logging severity (Warning)
    • Notify user
    Click Next.

Figure 4-2

  4. In the Source applications window, click Add and type in the following file names, clicking OK and then Add after each one:
    • C:\Windows\System32\regsvr32.exe
    • C:\Windows\SysWOW64\regsvr32.exe
    Click Next.

Figure 4-3

  5. In the Application operations window, click the slider bar next to Start new application to enable it. Click Next.

Figure 4-4

  6. In the Applications window, click Add and type in the following file names, clicking OK and then Add after each one:
    • C:\Windows\System32\cmd.exe
    • C:\Windows\SysWOW64\cmd.exe
    • C:\Windows\System32\wscript.exe
    • C:\Windows\SysWOW64\wscript.exe
    • C:\Windows\System32\cscript.exe
    • C:\Windows\SysWOW64\cscript.exe
    • C:\Windows\System32\ntvdm.exe
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Click Finish.



Figure 4-5

Leave the HIPS rules window open and continue to the next section.
  1. In the HIPS rules window, click Add.

Figure 5-1

  2. Type “Deny child processes for mshta.exe” into the Rule name field.
  3. From the Action drop-down menu, select Block.
    Enable the following options:
    • Applications
    • Enabled
    • Logging severity (Warning)
    • Notify user
    Click Next.

Figure 5-2

  4. In the Source applications window, click Add and type in the following file names, clicking OK and then Add after each one:
    • C:\Windows\System32\mshta.exe
    • C:\Windows\SysWOW64\mshta.exe
    Click Next.

Figure 5-3

  5. In the Application operations window, click the slider bar next to Start new application to enable it. Click Next.

Figure 5-4

  6. Select All applications from the drop-down menu and click Finish.


Figure 5-5

Leave the HIPS rules window open and continue to the next section.
  1. In the HIPS rules window, click Add.

Figure 6-1

  2. Type “Deny child processes for rundll32.exe” into the Rule name field.
  3. From the Action drop-down menu, select Block.
    Enable the following options:
    • Applications
    • Enabled
    • Logging severity (Warning)
    • Notify user
    Click Next.

Figure 6-2

  4. In the Source applications window, click Add and type in the following file name:
    • C:\Windows\System32\rundll32.exe
    Click OK and then click Next.

Figure 6-3

  5. In the Application operations window, click the slider bar next to Start new application to enable it. Click Next.

Figure 6-4

  6. In the Applications window, click Add and type in the following file names, clicking OK and then Add after each one:
    • C:\Windows\System32\cmd.exe
    • C:\Windows\SysWOW64\cmd.exe
    • C:\Windows\System32\wscript.exe
    • C:\Windows\SysWOW64\wscript.exe
    • C:\Windows\System32\cscript.exe
    • C:\Windows\SysWOW64\cscript.exe
    • C:\Windows\System32\ntvdm.exe
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Click Finish.



Figure 6-5

Leave the HIPS rules window open and continue to the next section.
  1. In the HIPS rules window, click Add.

Figure 7-1

  2. Type “Deny child processes for powershell.exe” into the Rule name field.
  3. From the Action drop-down menu, select Block.
    Enable the following options:
    • Applications
    • Enabled
    • Logging severity (Warning)
    • Notify user
    Click Next.

Figure 7-2

  4. In the Source applications window, click Add and type in the following file names, clicking OK and then Add after each one:
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Click Next.

Figure 7-3

  5. In the Application operations window, click the slider bar next to Start new application to enable it. Click Next.

Figure 7-4

  6. Select All applications from the drop-down menu and click Finish.

Figure 7-5

  7. When finished adding HIPS rules, click Finish to save the policy settings.


Figure 7-6
The whole configuration file (including these HIPS rules and the mentioned rules in Q&A - Configure ESET Antivirus for Maximum Security (by RoboMan)) can be downloaded here: UPLOAD.EE - eset_19.xml - Download
 

SearchLight

Level 9
Verified
Way to go Roboman! Thanks and appreciated, too.

Btw, does your latest config file include all the Office rules that Eset suggested? In my case, I only inserted the first Office Rule that they describe although I do not use Office.
 

Robbie

Level 28
Verified
Content Creator
> Thanks @RoboMan. What's a good amount of time to keep learning mode on with the firewall?
I usually leave it in learning mode between 3 to 7 days, with maximum interaction possible (opening every single thing I use).
> Way to go Roboman! Thanks and appreciated, too.
>
> Btw, does your latest config file include all the Office rules that Eset suggested? In my case, I only inserted the first Office Rule that they describe although I do not use Office.
These HIPS rules I mention are all included in my configuration file!
> That's really cool. Thank you @RoboMan (Y). Do you think it can be used for the "smart" version?
Yes, it can!
 


Andy Ful

Level 45
Verified
Trusted
Content Creator
RoboMan
Those rules are not default-deny. They are similar in idea to Attack Surface Reduction for scripts and MS Office. (y)
These are pretty good HIPS rules, which can stop most malicious scripts and macros. But I am afraid that they cannot stop some well-known infection chains. For example, they can be bypassed by:
  • files with some well-known dangerous extensions: BAT, CMD, CPL, CHM, etc.
  • a shortcut or macro which uses some LOLBins like cmd.exe, wmic.exe.
There can possibly be a problem with macros and scripts which use WMI, because when a script interpreter uses WMI to run something, the child process is not the child of the interpreter. This can usually fool many security solutions (but not WD Exploit Protection).
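An added example (my own Python, not ESET's code and not from anyone in the thread): the seven "Start new application" rules from the first post, modelled as (source, target) lists exactly as the post lists them, and checked against a few constructed parent/child process pairs, including Andy Ful's WMI case above, where the launched process is a child of the WMI provider host rather than of the script interpreter. The event pairs are constructed, not real telemetry.

```python
from typing import Optional
def j(*parts: str) -> str:
    """Join path parts with backslashes (keeps the literals below readable)."""
    return "\\".join(parts)

SYS, WOW = r"C:\Windows\System32", r"C:\Windows\SysWOW64"
PS = r"WindowsPowerShell\v1.0\powershell.exe"
ALL = None  # stands for the "All applications" target choice

SCRIPT_HOSTS = [j(d, e) for d in (SYS, WOW) for e in ("wscript.exe", "cscript.exe")]
SHELLS = ([j(d, "cmd.exe") for d in (SYS, WOW)] + SCRIPT_HOSTS
          + [j(SYS, "ntvdm.exe"), j(SYS, PS), j(WOW, PS)])
OFFICE15 = [j(pf, r"Microsoft Office\Office15", e)
            for pf in (r"C:\Program Files", r"C:\Program Files (x86)")
            for e in ("WINWORD.EXE", "OUTLOOK.EXE", "EXCEL.EXE", "POWERPNT.EXE")]

# (rule name, source applications, target applications), in the order the post creates them.
RULES = [
    ("Deny child processes from script executables", SCRIPT_HOSTS + [j(SYS, "ntvdm.exe")], ALL),
    ("Deny script processes started by explorer", [r"C:\Windows\explorer.exe"], SCRIPT_HOSTS),
    ("Deny child processes from Office 2013 processes", OFFICE15,
     SHELLS + [j(d, e) for d in (SYS, WOW) for e in ("regsvr32.exe", "rundll32.exe")]),
    ("Deny child processes for regsvr32.exe", [j(d, "regsvr32.exe") for d in (SYS, WOW)], SHELLS),
    ("Deny child processes for mshta.exe", [j(d, "mshta.exe") for d in (SYS, WOW)], ALL),
    ("Deny child processes for rundll32.exe", [j(SYS, "rundll32.exe")], SHELLS),  # System32 copy only, as listed
    ("Deny child processes for powershell.exe", [j(SYS, PS), j(WOW, PS)], ALL),
]

def blocking_rule(parent: str, child: str) -> Optional[str]:
    """Name of the first rule whose source list holds `parent` and whose target
    list holds `child` (or is "All applications"); None when no rule matches."""
    p, c = parent.lower(), child.lower()  # Windows paths compare case-insensitively
    for name, sources, targets in RULES:
        if p in [s.lower() for s in sources] and (targets is ALL or c in [t.lower() for t in targets]):
            return name
    return None

# Constructed parent -> child process-creation pairs (not real telemetry).
EVENTS = [
    (j(SYS, "wscript.exe"), j(SYS, "cmd.exe")),
    (r"C:\Windows\explorer.exe", j(SYS, "wscript.exe")),
    (j(r"C:\Program Files", r"Microsoft Office\Office15\WINWORD.EXE"), j(SYS, PS)),
    (j(WOW, "rundll32.exe"), j(SYS, "cmd.exe")),        # rule 6 names only the System32 copy
    (j(SYS, r"wbem\WmiPrvSE.exe"), j(SYS, "cmd.exe")),  # started via WMI: parent is the WMI host, not the script
]

def coverage_report(events=EVENTS):
    """Each pair with the rule that blocks it; None marks a pair these rules do not cover."""
    return [(p, c, blocking_rule(p, c)) for p, c in events]
```

Running `coverage_report()` shows the first three pairs matched by rules 1, 2 and 3 and the last two matched by nothing, which is the kind of check worth doing against your own ESET log entries before trusting a rule set.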
 

HarborFront

Level 46
Verified
Content Creator
> RoboMan
> Those rules are not default-deny. They are similar in idea to Attack Surface Reduction for scripts and MS Office. (y)
> These are pretty good HIPS rules, which can stop most malicious scripts and macros. But I am afraid that they cannot stop some well-known infection chains. For example, they can be bypassed by:
>   • files with some well-known dangerous extensions: BAT, CMD, CPL, CHM, etc.
>   • a shortcut or macro which uses some LOLBins like cmd.exe, wmic.exe.
> There can possibly be a problem with macros and scripts which use WMI, because when a script interpreter uses WMI to run something, the child process is not the child of the interpreter. This can usually fool many security solutions (but not WD Exploit Protection).
So what do you propose to overcome the shortages you mentioned i.e. to complement the HIPS rules by @RoboMan ?

Or to use any software to perform the same as the HIPS rules or better without using ESET IS?
 

Andy Ful

Level 45
Verified
Trusted
Content Creator
> So what do you propose to overcome the shortages you mentioned i.e. to complement the HIPS rules by @RoboMan ?
>
> Or to use any software to perform the same as the HIPS rules or better without using ESET IS?
I do not fully know Eset HIPS capabilities, so I cannot say for sure what is required. If there are no other HIPS rules related to script interpreters, then something like a tweaked SysHardener can help.
Furthermore, Eset allows adding some more HIPS rules for explorer.exe, cmd.exe, wmic.exe and other LOLBins. But this must be adjusted to the particular machine. The Eset logs and warnings can help with it.
 

Andy Ful

Level 45
Verified
Trusted
Content Creator
> Tried running RanSim. Chrome blocks it, Edge allowed it. Eset even with configuration did real poor. Tried Windows Defender with SysHardener, blocked test. Then tried Kaspersky Total Security and that also blocked this test.
RanSim uses WMI to run tests, and does not use script engines. That is why Eset can have a problem. But most of the tested malware will be blocked by Eset in a real-world scenario. Simply, Eset with properly set HIPS will block the delivery of the ransomware payload via weaponized documents or scripts.
 

Robbie

Level 28
Verified
Content Creator
> @RoboMan is the configuration file for Eset IS only or is it compatible for Eset Nod32 too?
Any ESET version with HIPS!
> RoboMan
> Those rules are not default-deny. They are similar in idea to Attack Surface Reduction for scripts and MS Office. (y)
> These are pretty good HIPS rules, which can stop most malicious scripts and macros. But I am afraid that they cannot stop some well-known infection chains. For example, they can be bypassed by:
>   • files with some well-known dangerous extensions: BAT, CMD, CPL, CHM, etc.
>   • a shortcut or macro which uses some LOLBins like cmd.exe, wmic.exe.
> There can possibly be a problem with macros and scripts which use WMI, because when a script interpreter uses WMI to run something, the child process is not the child of the interpreter. This can usually fool many security solutions (but not WD Exploit Protection).
Good, you got the point! I admit I suck at wording!

Of course these HIPS rules aren't a replacement for anything; that's why they are part of a suite! I'm pretty sure these rules, with the rest of the program correctly configured, can stop most threats :) Of course not everything!
 

devjit2018

Level 12
Verified
Malware Tester
As always another great post from @RoboMan. I use ESET with these HIPS rules but I have modified some of the rules. I have HIPS configured to disable execution of wscript, cscript, powershell, mshta, ask if anything tries to modify the hosts file, ask for changes in startup applications. I think it's also a good option to set rules in the firewall to ask for outgoing connections from command prompt and regsvr32.