Configure ESET as default-deny (bye ransomware!)

[oldschool]

The only issue I always had with VS is the delay to execute programs,

Honestly I've never see any slowdown with execution other than a small one to install as @devjit2018 points out. I suppose if you're opening a large app that is too big to upload, in which case you would see that message and the reason for the time lag.

 

[davisd]

Whenever using Eset, this is the way for me, Smart mode + rules with launching of specific apps is disallowed, additionally alone deny rule for rundll32 which can be fast enabled/disabled, so usability of system is not lost whenever I want to change some internal windows settings. Ask rules for like control.exe, msconfig.exe, etc. Keeping an eye on Log files is also important thing to do. No need for 3th party tools. List is not complete, just the idea. Disadvantage I find in doing this is no wildcard support for application paths, and that is a real bitch, so cannot fully make Eset a default-deny like.

 

[Wraith]

Whenever using Eset, this is the way for me, Smart mode + rules with launching of specific apps is disallowed, additionally alone deny rule for rundll32 which can be fast enabled/disabled, so usability of system is not lost whenever I want to change some internal windows settings. Ask rules for like control.exe, msconfig.exe, etc. Keeping an eye on Log files is also important thing to do. No need for 3th party tools. List is not complete, just the idea. Disadvantage I find in doing this is no wildcard support for application paths, and that is a real bitch, so cannot fully make Eset a default-deny like.

View attachment 215222
View attachment 215227

Yes ATM ESET HIPS does not support wildcards but I hope it will be supported soon. You seem to have a lot of LoLbins covered with the HIPS. Just asking, did you take the entire list of the vulnerable processes from ERP and add those to the HIPS? That's what I did in my ESET HIPS settings.

 

[davisd]

Yes ATM ESET HIPS does not support wildcards but I hope it will be supported soon. You seem to have a lot of LoLbins covered with the HIPS. Just asking, did you take the entire list of the vulnerable processes from ERP and add those to the HIPS? That's what I did in my ESET HIPS settings.

The people asking for wildcard support in HIPS goes way back to like 5+ years ago already, still not available, it's ridiculous. I believe they don't want to do it, since more and more other AV products go stupidly-simple-mode, without user intervention needed when threats are found, as statistics say globally, people make wrong decisions answering on prompts etc, so I doubt they are going to make Eset more complex in advanced settings which you can configure already, lets not forget Eset is just an "Antivirus", so it was never meant to make these type of crazy HIPS rules, but only AV suite which I can think of can be configured to archieve this type of system lockdown is Kaspersky. Every Eset user wanting to play with HIPS is just 3-4 clicks away of completely bricking their system as making too generic rule you won't be able to boot, notifications goes 800+ in few seconds, and all system just crash, so percentage of failure rate making wrong rules is very high, and Eset forums would go totally bonkers.

I don't really like Eset suggestions of ransomware protection by making "child proccess" denial rules, but they are meant for business products, so. I don't really know what vuln list ERP has, I have my own made over time, but I believe every rule and line must be specifically adjusted for each user system accordingly, to not brake the systems functionality depending on the user needs and programs used daily. For regular home users, one can deny most commonly abused, like wscript, cscript, powershell, etc. ~5-10 rules in Eset HIPS which is not hard, by greatly reducing attack chain vectors.

 

[RoboMan]

Every Eset user wanting to play with HIPS is just 3-4 clicks away of completely bricking their system as making too generic rule you won't be able to boot

I bricked my system twice in a week by playing with HIPS rules LOL

 

[Bill K]

I bricked my system twice in a week by playing with HIPS rules LOL

As the expression goes... "A little knowledge is a dangerous thing!" Guess that's how we learn though, you're not alone.

 

[RoboMan]

As the expression goes... "A little knowledge is a dangerous thing!" Guess that's how we learn though, you're not alone.

Of course! We're built on testing and being wrong! There's no other way to learn in the battlefield than fu** everything up!

 

[Wraith]

I bricked my system twice in a week by playing with HIPS rules LOL

Did you try to boot into Safe Mode and remove ESET using their removal tool?

 

[RoboMan]

Did you try to boot into Safe Mode and remove ESET using their removal tool?

Yeah, no worries, I had restore points and images. All I had to do was boot into safe mode and restore.

 

[blackice]

Does anyone know if these are the right paths for denying child processes for Office365? I know it has different paths than Office otherwise uses.

 

[ForgottenSeer 72227]

I've been playing around with Eset again and am trying to use/create HIPS rules to cover some areas. I tried the Deny child processes from script executables from Eset (first one in the first post) and it was going crazy. I've used this rule in past and there were no issues. I have HIPS set to smart mode, but for some reason it's flagging programs like crazy. It won't even let me load Chrome. I tried a restart and unfortunately it broke Windows, I had to uninstall Eset in safe mode to get it fixed. I'm on W10 1903, has anyone else experience this issue? I've created the rule exactly like Eset has described, but for some reason it doesn't like something with my system. I'm wondering if it's an issue with W10 1903? I'm also on a local account, but that shouldn't matter.

 

[blackice]

I've been playing around with Eset again and am trying to use/create HIPS rules to cover some areas. I tried the Deny child processes from script executables from Eset (first one in the first post) and it was going crazy. I've used this rule in past and there were no issues. I have HIPS set to smart mode, but for some reason it's flagging programs like crazy. It won't even let me load Chrome. I tried a restart and unfortunately it broke Windows, I had to uninstall Eset in safe mode to get it fixed. I'm on W10 1903, has anyone else experience this issue? I've created the rule exactly like Eset has described, but for some reason it doesn't like something with my system. I'm wondering if it's an issue with W10 1903? I'm also on a local account, but that shouldn't matter.

The only time I’ve had a HIPS hit was when I first set it up with those rules. Something was trying to open powershell every 20 minutes. I’m pretty sure it was some printer software...but I clean installed just in case. It’s never happened since. Never had it block any usual programs.

 

[davisd]

I've been playing around with Eset again and am trying to use/create HIPS rules to cover some areas. I tried the Deny child processes from script executables from Eset (first one in the first post) and it was going crazy. I've used this rule in past and there were no issues. I have HIPS set to smart mode, but for some reason it's flagging programs like crazy. It won't even let me load Chrome. I tried a restart and unfortunately it broke Windows, I had to uninstall Eset in safe mode to get it fixed. I'm on W10 1903, has anyone else experience this issue? I've created the rule exactly like Eset has described, but for some reason it doesn't like something with my system. I'm wondering if it's an issue with W10 1903? I'm also on a local account, but that shouldn't matter.

The first thing I believe is very important, that there's no other security programs installed along Eset, so there's no interference, if one goes with HIPS rules. You might have made some rule too generic if your windows broke apart, make sure you didn't tick "Files/Registry entries" at "Operations affecting", those two should be used only to create very specific rules and locations. You should have received a warning at the end of HIPS rule creation. You must identify very specifically what was blocked via "Log files" to find the culprit, because some important information might slip by through your eyesight at HIPS prompts. But I know the feeling when Eset smashes your PC because of the HIPS rules.. you just don't want to use Eset ever again. One have to overcome frustration after it has happened, at the end, it's just a human error. Shouldn't be an issue with 1903 and standard account, I'm on the same.

 

[ForgottenSeer 72227]

The only time I’ve had a HIPS hit was when I first set it up with those rules. Something was trying to open powershell every 20 minutes. I’m pretty sure it was some printer software...but I clean installed just in case. It’s never happened since. Never had it block any usual programs.

Hmm interesting, thanks for the feedback. I'll have to try it out again and see if I can figure it out. It definitely seems strange as I've used this rule before without any issues, but that was on the previous version of W10.

The first thing I believe is very important, that there's no other security programs installed along Eset, so there's no interference, if one goes with HIPS rules. You might have made some rule too generic if your windows broke apart, make sure you didn't tick "Files/Registry entries" at "Operations affecting", those two should be used only to create very specific rules and locations. You should have received a warning at the end of HIPS rule creation. You must identify very specifically what was blocked via "Log files" to find the culprit, because some important information might slip by through your eyesight at HIPS prompts. But I know the feeling when Eset smashes your PC because of the HIPS rules.. you just don't want to use Eset ever again. One have to overcome frustration after it has happened, at the end, it's just a human error. Shouldn't be an issue with 1903 and standard account, I'm on the same.
View attachment 215615

Thanks @davisd!

I didn't get that error when I finished creating the rule. The only other security program that I had installed on my system was OSA, but I uninstalled it before installing Eset. I also had Configure defender set to max, but I set it to default and restarted the computer before installing Eset, so either of those shouldn't have caused any issues. For another test, I reinstalled Eset and just put that one rule in to HIPS and same thing, it was going off like crazy. I did look at the logs and I didn't see anything strange other than Chrome, or the new Edge browser being blocked, as those were the 2 programs I tried to open after that rule was created. I did follow the step by step exactly and just copy and pasted the file paths from the instructions. The only thing that changed for me from the last time I tried Eset was I am now using W10 1903, hence why I feel like it may be the issue, but maybe there's something else at play.

It's a head scratcher for sure, but I'll try it again to see if I can figure it out. If not, I can just put it in smart mode and use OSA along side it without any custom rules. You are right though, it's things like this that always bring me back to WD as it can be very annoying to deal with something like this, especially if you are following a step by step instruction that was created by the company themselves.

 

[blackice]

Hmm interesting, thanks for the feedback. I'll have to try it out again and see if I can figure it out. It definitely seems strange as I've used this rule before without any issues, but that was on the previous version of W10.



Thanks @davisd!

I didn't get that error when I finished creating the rule. The only other security program that I had installed on my system was OSA, but I uninstalled it before installing Eset. I also had Configure defender set to max, but I set it to default and restarted the computer before installing Eset, so either of those shouldn't have caused any issues. For another test, I reinstalled Eset and just put that one rule in to HIPS and same thing, it was going off like crazy. I did look at the logs and I didn't see anything strange other than Chrome, or the new Edge browser being blocked, as those were the 2 programs I tried to open after that rule was created. I did follow the step by step exactly and just copy and pasted the file paths from the instructions. The only thing that changed for me from the last time I tried Eset was I am now using W10 1903, hence why I feel like it may be the issue, but maybe there's something else at play.

It's a head scratcher for sure, but I'll try it again to see if I can figure it out. If not, I can just put it in smart mode and use OSA along side it without any custom rules. You are right though, it's things like this that always bring me back to WD as it can be very annoying to deal with something like this, especially if you are following a step by step instruction that was created by the company themselves.

This is puzzling. I’m on 1903 with a standard account and use both chrome and edge dev with these rules. My PC seems to get along well with ESET. Not sure what it could be, especially since you reinstalled.

 

[davisd]

but maybe there's something else at play.

Unfortunately cannot replicate, Edge Dev and Chrome starting fine with 0 HIPS log entry warnings on 1903 + standard account + no extensions/default browser settings with "Deny child processes from script executables" rule created. My only guess now would be that OSA or Configure_Defender didn't revert to system defaults, or some extension is at fault you're using, but highly unlikely. Maybe post here some of the log events from HIPS when you tried to open Chrome/Edge Dev, as without those, it's hard to understand what you mean by "HIPS going off like crazy", there should have been a precise prompt what exactly was going on at that given time, I'm just interested as I haven't seen this particular Eset rule creating browser launching problems.

 

[blackice]

Unfortunately cannot replicate, Edge Dev and Chrome starting fine with 0 HIPS log entry warnings on 1903 + standard account + no extensions/default browser settings with "Deny child processes from script executables" rule created. My only guess now would be that OSA or Configure_Defender didn't revert to system defaults, or some extension is at fault you're using, but highly unlikely. Maybe post here some of the log events from HIPS when you tried to open Chrome/Edge Dev, as without those, it's hard to understand what you mean by "HIPS going off like crazy", there should have been a precise prompt what exactly was going on at that given time, I'm just interested as I haven't seen this particular Eset rule creating browser launching problems.

I would guess that it’s not OSA, as I just leave it active with some pretty extreme rules next to ESET and haven’t had any issues. But, I could be totally wrong. I know it has quite a bit of overlap, but I have no issues and it uses almost no resources.

@Raiden I would ask around the ESET forums. There’s some very helpful people there. Also the ESET v12 thread at Wilder’s is helpful. ITMAN on there is extremely knowledgeable, and Marcos from ESET can also be found in both those forums regularly.

 

[ForgottenSeer 72227]

Unfortunately cannot replicate, Edge Dev and Chrome starting fine with 0 HIPS log entry warnings on 1903 + standard account + no extensions/default browser settings with "Deny child processes from script executables" rule created. My only guess now would be that OSA or Configure_Defender didn't revert to system defaults, or some extension is at fault you're using, but highly unlikely. Maybe post here some of the log events from HIPS when you tried to open Chrome/Edge Dev, as without those, it's hard to understand what you mean by "HIPS going off like crazy", there should have been a precise prompt what exactly was going on at that given time, I'm just interested as I haven't seen this particular Eset rule creating browser launching problems.

Thanks!

Ya I'm going to have a closer look tonight and see what can be causing it. I'm going to check via powershell to make sure that the settings for WD were reverted back to normal.

Sorry I should have explained myself more when it comes to saying it's going crazy. I noticed that when I opened chrome for example the alert window for that hips rule won't stop. It will keep going endlessly, even if I acknowledge the prompt. I'll try it again and take some screen shots. Glad to hear it's working fine on 1903, so now I know ots due to something else.

I would guess that it’s not OSA, as I just leave it active with some pretty extreme rules next to ESET and haven’t had any issues. But, I could be totally wrong. I know it has quite a bit of overlap, but I have no issues and it uses almost no resources.

@Raiden I would ask around the ESET forums. There’s some very helpful people there. Also the ESET v12 thread at Wilder’s is helpful. ITMAN on there is extremely knowledgeable, and Marcos from ESET can also be found in both those forums regularly.

Thanks!

Ya if I cannot figure it out I may try a reinstall of windows just to reset everything and go from there. If it still doesn't work, I'll definitely post a message on the eset forum and see what they say.

 

[blackice]

Ya if I cannot figure it out I may try a reinstall of windows just to reset everything and go from there. If it still doesn't work, I'll definitely post a message on the eset forum and see what they say.

You have more energy than me. If I had that issue I'd probably just use the ESET uninstall tool and be back to WD. But, I have a toddler and one on the way. No time for nonsense.

 

[ForgottenSeer 72227]

You have more energy than me. If I had that issue I'd probably just use the ESET uninstall tool and be back to WD. But, I have a toddler and one on the way. No time for nonsense.

That is very true! I usually have little patience for this type of thing, but I guess I'll have to see how I feel tonight