blackice

Level 3
ESET HIPS should prevent cmd from launching powershell if the rules are configured correctly. In my case it does block cmd from launching powershell.
It worked for me also when I tried @Andy Ful's tests, just had other issues to solve. On that note my image restore got messed up so I’m doing a fresh install of Windows 10. Should be no issues now with powershell trying to open from svchost.exe every 25 minutes (no clue what was causing it). But, I haven’t reinstalled ESET with the old settings yet since I haven’t had time.

Andy Ful

Level 40
Content Creator
Trusted
Verified
ESET HIPS should prevent cmd from launching powershell if the rules are configured correctly. In my case it does block cmd from launching powershell.
You can configure Eset to prevent any EXE file you like, from launching another EXE file you want. Yet, there are many possibilities - some are not obvious, like executing via COM objects and LOLBins.
COM objects are accessible via most of the scripting engines. So, generally configuring HIPS via child processes is not easy.

blackice

Level 3
You can configure Eset to prevent any EXE file you like, from launching another EXE file you want. Yet, there are many possibilities - some are not obvious, like executing via COM objects and LOLBins.
COM objects are accessible via most of the scripting engines. So, generally configuring HIPS via child processes is not easy.
It seems as though fully locking things down concerning powershell with HIPS is an arduous task of trial and error, not to mention there always being something you missed. Only the most diligent will not get security fatigue. As fun as it is to play with it, it is pushing me towards ‘configuring’ something else to ‘defend’ my device and call it a day, but that’s for another thread.

Andy Ful

Level 40
Content Creator
Trusted
Verified
It seems as though fully locking things down concerning powershell with HIPS is an arduous task of trial and error, not to mention there always being something you missed. Only the most diligent will not get security fatigue. As fun as it is to play with it, it is pushing me towards ‘configuring’ something else to ‘defend’ my device and call it a day, but that’s for another thread.
I do not have time now to check it, but devjit2018 showed already how to prevent all applications from executing powershell.exe.
https://malwaretips.com/threads/configure-eset-as-default-deny-bye-ransomware.91105/post-803860
If you block all scripting engines in this way (wscript.exe, cscript.exe, mshta.exe, hh.exe, wmic.exe, scrcons.exe, etc.), then access to COM objects will be very restricted. So in the end, it will be hard for the attacker to execute the scripting code.
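One way to check whether rules like these are actually holding on a given machine is to audit process-creation records for the scripting engines named above being started by parents that should never spawn them. The script below is an added example, not from the thread or from ESET; the suspect-parent list is an assumption for illustration, and the sample records are constructed in the shape of Sysmon Event ID 1.

```powershell
# Added example (not from the thread): flag scripting engines spawned by
# parents that a child-process HIPS rule is meant to block.

# Engines listed in the thread, plus powershell.exe itself
$ScriptingEngines = 'powershell.exe','wscript.exe','cscript.exe','mshta.exe',
                    'hh.exe','wmic.exe','scrcons.exe'

# Parents that should not be spawning script engines on this machine
# (assumption for illustration; every machine is different, so tune it)
$SuspectParents = 'cmd.exe','svchost.exe','winword.exe','excel.exe'

function ConvertFrom-SysmonProcessCreate {
    # Flatten a Sysmon Event ID 1 record from Get-WinEvent into the fields used below
    param([Parameter(Mandatory, ValueFromPipeline)]$Event)
    process {
        $data = @{}
        foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{ UtcTime = $data.UtcTime; Image = $data.Image
                           ParentImage = $data.ParentImage; CommandLine = $data.CommandLine }
    }
}

function Find-SuspectScriptLaunch {
    # Return one object per record where a suspect parent started a scripting engine
    param([Parameter(Mandatory)][object[]]$Records)
    foreach ($r in $Records) {
        $child  = [IO.Path]::GetFileName($r.Image).ToLowerInvariant()
        $parent = [IO.Path]::GetFileName($r.ParentImage).ToLowerInvariant()
        if ($ScriptingEngines -contains $child -and $SuspectParents -contains $parent) {
            [pscustomobject]@{ Time = $r.UtcTime; Parent = $parent; Child = $child; CommandLine = $r.CommandLine }
        }
    }
}

# Constructed sample records (not real telemetry) in the shape of Sysmon Event ID 1
$Sample = @(
    [pscustomobject]@{ UtcTime = '2020-05-01 09:00:00'; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       ParentImage = 'C:\Windows\System32\cmd.exe'; CommandLine = 'powershell.exe -NoProfile' }
    [pscustomobject]@{ UtcTime = '2020-05-01 09:25:00'; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       ParentImage = 'C:\Windows\System32\svchost.exe'; CommandLine = 'powershell.exe -NoProfile -File C:\task.ps1' }
    [pscustomobject]@{ UtcTime = '2020-05-01 09:30:00'; Image = 'C:\Windows\System32\wscript.exe'
                       ParentImage = 'C:\Windows\explorer.exe'; CommandLine = 'wscript.exe C:\Users\me\login.vbs' }  # not flagged
)

Find-SuspectScriptLaunch -Records $Sample | Format-Table -AutoSize

# Live data, if Sysmon is installed:
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } | ConvertFrom-SysmonProcessCreate
# Find-SuspectScriptLaunch -Records $live | Format-Table -AutoSize
```

With the sample data the first two records (cmd.exe and svchost.exe starting powershell.exe) are reported and the explorer.exe one is not; a hit on a machine with blocking rules in place means a parent the rules did not cover.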

blackice

Level 3
I do not have time now to check it, but devjit2018 showed already how to prevent all applications from executing powershell.exe.
https://malwaretips.com/threads/configure-eset-as-default-deny-bye-ransomware.91105/post-803860
If you block all scripting engines in this way (wscript.exe, cscript.exe, mshta.exe, hh.exe, wmic.exe, scrcons.exe, etc.), then access to COM objects will be very restricted.
Ah, I misunderstood your comment. I actually had tried his rules and they seemed to work. I thought you were implying that there were ways around those rules. My mistake. Thank you for the clarification.

devjit2018

Level 8
It seems as though fully locking things down concerning powershell with HIPS is an arduous task of trial and error, not to mention there always being something you missed. Only the most diligent will not get security fatigue. As fun as it is to play with it, it is pushing me towards ‘configuring’ something else to ‘defend’ my device and call it a day, but that’s for another thread.
Yes, precisely. Creating HIPS rules needs time and patience since every machine is unique. You may have software that requires powershell or wscript. Setting ESET to block powershell/wscript will render useless any software that requires either of them to operate properly. That's why it's recommended that only advanced users should tinker with the HIPS. Casual users should just use the HIPS in Smart Mode.

blackice

Level 3
Yes, precisely. Creating HIPS rules needs time and patience since every machine is unique. You may have software that requires powershell or wscript. Setting ESET to block powershell/wscript will render useless any software that requires either of them to operate properly. That's why it's recommended that only advanced users should tinker with the HIPS. Casual users should just use the HIPS in Smart Mode.
With a fresh install and most everything loaded I’m having no issues with the HIPS rules. (y)