Configure ESET as default-deny (bye ransomware!)

RoboMan

Level 34
Thread author
Verified
Top Poster
Content Creator
Well-known
Jun 24, 2016
2,399
Good morning mortals! I hereby share with you some amazing HIPS rules for ESET that will work as default-deny to prevent infections such as ransomware. You can check the source here.

You can test under your own risk. I have enabled them all with ESET Internet Security 19 and it works flawlessly, feeling no need for extra companion software.

KB6119Figure7-1.png


To start with, head to HIPS module under settings, and click EDIT button.

IMPORTANT: create a system restore point before making these changes, just in case.
1. Click Add, and type “Deny child processes from script executables” into the Rule name field.

  1. From the Action drop-down menu, select Block.
    Enable the following options:
    • Applications
    • Enabled
    • Logging severity (Warning)
    • Notify user
KB6119Figure1-1c.png

Figure 1-2
  1. Click Next and in the Source applications window, click Add and type in the following names, clicking OK and then Add after each one:
    • C:\Windows\System32\wscript.exe
    • C:\Windows\System32\cscript.exe
    • C:\Windows\SysWOW64\wscript.exe
    • C:\Windows\SysWOW64\cscript.exe
    • C:\Windows\System32\ntvdm.exe
KB6119Figure1-2.png

Figure 1-3
  1. Click Next, click the slider bar next to Start new application to enable it and then click Next.
.
KB6119Figure1-3.png

Figure 1-4
  1. Select All applications from the drop-down menu and click Finish.
KB6119Figure1-4.png

Figure 1-5
Leave the HIPS rules window open and continue to the next section.
  1. In the HIPS rules window, click Add.
KB6119Figure2-1.png


Figure 2-1

  1. Type “Deny script processes started by explorer” into the Rule name field.
  2. From the Action drop-down menu, select Block.

    Enable the following options:
    • Applications
    • Enabled
    • Logging severity (Warning)
    • Notify user
Click Next.

KB6119Figure1-1c.png


Figure 2-2

  1. In the Source applications window, click Add, type “C:\Windows\explorer.exe” into the Specify file pathfield and then click OK. Click Next.
KB6119Figure2-3.png


Figure 2-3

  1. In the Application operations window, click the slider bar next to Start new application to enable it. Click Next.
KB6119Figure2-4.png


Figure 2-4

  1. Click Add and in the Applications window, click Add and type in the following process names, clicking OK and then Add after each one:
    • C:\Windows\System32\wscript.exe
    • C:\Windows\System32\cscript.exe
    • C:\Windows\SysWOW64\wscript.exe
    • C:\Windows\SysWOW64\cscript.exe
Click Finish.
KB6119Figure2-5.png


Figure 2-5
Click the image to view larger in new window


Leave the HIPS rules window open and continue to the next section.
  1. In the HIPS rules window, click Add.
KB6119Figure3-1.png


Figure 3-1

  1. Type “Deny child processes from Office 2013 processes” into the Rule name field.
  2. From the Action drop-down menu, select Block.
    Enable the following options:
    • Applications
    • Enabled
    • Logging severity (warning)
    • Notify user
Click Next.

KB6119Figure3-2b.png


Figure 3-2

  1. In the Source applications window, click Add and type in the following file names, clicking OK and then Add after each one:
    • C:\Program Files\Microsoft Office\Office15\WINWORD.EXE
    • C:\Program Files\Microsoft Office\Office15\OUTLOOK.EXE
    • C:\Program Files\Microsoft Office\Office15\EXCEL.EXE
    • C:\Program Files\Microsoft Office\Office15\POWERPNT.EXE
    • C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE
    • C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE
    • C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE
    • C:\Program Files (x86)\Microsoft Office\Office15\POWERPNT.EXE
Click Next.

KB6119Figure3-3B.png


Figure 3-3

  1. In the Application operations window, click the slider bar next to Start new application to enable it. Click Next.
KB6119Figure3-4.png


Figure 3-4

  1. In the Applications window, click Add and type in the following file names, clicking OK and then Add after each one:
    • C:\Windows\System32\cmd.exe
    • C:\Windows\SysWOW64\cmd.exe
    • C:\Windows\System32\wscript.exe
    • C:\Windows\SysWOW64\wscript.exe
    • C:\Windows\System32\cscript.exe
    • C:\Windows\SysWOW64\cscript.exe
    • C:\Windows\System32\ntvdm.exe
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    • C:\Windows\System32\regsvr32.exe
    • C:\Windows\SysWOW64\regsvr32.exe
    • C:\Windows\System32\rundll32.exe
    • C:\Windows\SysWOW64\rundll32.exe
Add additional Office versions as needed, repeating the same instructions as above.

  • 2016 = Office16
  • 2010 = Office14
Click Finish.

KB6119Figure3-5.png


Figure 3-5

Leave the HIPS rules window open and continue to the next section.
  1. In the HIPS rules window, click Add.
KB6119Figure4-1.png


Figure 4-1

  1. Type “Deny child processes for regsrv32.exe” into the Rule name field.
  2. From the Action drop-down menu, select Block.
    Enable the following options:
    • Applications
    • Enabled
    • Logging severity (warning)
    • Notify user
Click Next.

KB6119Figure4-2b.png


Figure 4-2

  1. In the Source applications window, click Add and type in the following file names, clicking OK and then Add after each one:
    • C:\Windows\System32\regsvr32.exe
    • C:\Windows\SysWOW64\regsvr32.exe
Click Next.

KB6119Figure4-3.png


Figure 4-3

  1. In the Application operations window, click the slider bar next to Start new application to enable it. Click Next.
KB6119Figure4-4.png


Figure 4-4

  1. In the Applications window, click Add and type in the following file names, clicking OK and then Add after each one:
    • C:\Windows\System32\cmd.exe
    • C:\Windows\SysWOW64\cmd.exe
    • C:\Windows\System32\wscript.exe
    • C:\Windows\SysWOW64\wscript.exe
    • C:\Windows\System32\cscript.exe
    • C:\Windows\SysWOW64\cscript.exe
    • C:\Windows\System32\ntvdm.exe
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Click Finish.

KB6119Figure4-5.png


Figure 4-5

Leave the HIPS rules window open and continue to the next section.
  1. In the HIPS rules window, click Add.
KB6119Figure5-1.png


Figure 5-1

  1. Type “Deny child processes for mshta.exe” into the Rule name field.
  2. From the Action drop-down menu, select Block.

    Enable the following options:
    • Applications
    • Enabled
    • Logging severity (warning)
    • Notify user
Click Next

KB6119Figure5-2b.png


Figure 5-2

  1. In the Source applications window, click Add and type in the following file names, clicking OK and then Add after each one:
    • C:\Windows\System32\mshta.exe
    • C:\Windows\SysWOW64\mshta.exe
Click Next.

KB6119Figure5-3.png


Figure 5-3

  1. In the Application operations window, click the slider bar next to Start new application to enable it. Click Next.
KB6119Figure5-4.png


Figure 5-4

  1. Select All applications from the drop-down menu and click Finish.
KB6119Figure5-5.png


Figure 5-5

Leave the HIPS rules window open and continue to the next section.
  1. In the HIPS rules window, click Add.
KB6119Figure6-1.png


Figure 6-1

  1. Type “Deny child processes for rundll32.exe” into the Rule name field.
  2. From the Action drop-down menu, select Block.

    Enable the following options:
    • Applications
    • Enabled
    • Logging severity (warning)
    • Notify user
Click Next.

KB6119Figure6-2b.png


Figure 6-2

  1. In the Source applications window, click Add and type in the following file name:
    • C:\Windows\System32\rundll32.exe
Click OK and then click Next.

KB6119Figure6-3.png


Figure 6-3

  1. In the Application operations window, click the slider bar next to Start new application to enable it. Click Next.
KB6119Figure6-4.png


Figure 6-4

  1. In the Applications window, click Add and type in the following file names, clicking OK and then Add after each one:
    • C:\Windows\System32\cmd.exe
    • C:\Windows\SysWOW64\cmd.exe
    • C:\Windows\System32\wscript.exe
    • C:\Windows\SysWOW64\wscript.exe
    • C:\Windows\System32\cscript.exe
    • C:\Windows\SysWOW64\cscript.exe
    • C:\Windows\System32\ntvdm.exe
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Click Finish.

KB6119Figure6-5.png


Figure 6-5

Leave the HIPS rules window open and continue to the next section.
  1. In the HIPS rules window, click Add.
KB6119Figure7-1.png


Figure 7-1

  1. Type “Deny child processes for powershell.exe” into the Rule name field.
  2. From the Action drop-down menu, select Block.

    Enable the following options:
    • Applications
    • Enabled
    • Logging severity (warning)
    • Notify user
Click Next.

KB6119Figure7-2b.png


Figure 7-2

  1. In the Source applications window, click Add and type in the following file names, clicking OK and then Add after each one:
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Click Next.

KB6119Figure7-3.png


Figure 7-3

  1. In the Application operations window, click the slider bar next to Start new application to enable it. Click Next.
KB6119Figure7-4.png


Figure 7-4

  1. Select All applications from the drop-down menu and click Finish.
KB6119Figure7-5.png


Figure 7-5

  1. When finished adding HIPS rules, click Finish to save the policy settings.
KB6119Figure7-6b.png


Figure 7-6
The whole configuration file (including these HIPS rules and the mentioned rules in Q&A - Configure ESET Antivirus for Maximum Security (by RoboMan)) can be downloaded here: UPLOAD.EE - eset_19.xml - Download
 
Last edited:

RoboMan

Level 34
Thread author
Verified
Top Poster
Content Creator
Well-known
Jun 24, 2016
2,399

SearchLight

Level 13
Verified
Top Poster
Well-known
Jul 3, 2017
625
Way to go Roboman! Thanks and appreciated, too.

Btw, does your latest config file include all the Office rules that Eset suggested? In my case, I only inserted the first Office Rule that they describe although I do not use Office.
 

RoboMan

Level 34
Thread author
Verified
Top Poster
Content Creator
Well-known
Jun 24, 2016
2,399
Thanks @RoboMan. What's a good about of time to keep learning mode on with the firewall?
I usually leave it in learning mode between 3 to 7 days, with maximum interaction possible (opening every single thing I use).
Way to go Roboman! Thanks and appreciated, too.

Btw, does your latest config file include all the Office rules that Eset suggested? In my case, I only inserted the first Office Rule that they describe although I do not use Office.
This HIPS rules I mention are all included in my configuration file!
That's really cool. Thank you @RoboMan(Y). Do you think it can be used for the "smart" version ?
Yes, it can!
 

SearchLight

Level 13
Verified
Top Poster
Well-known
Jul 3, 2017
625
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
RoboMan
Those rules are not default-deny. They are similar in idea to Attack Surface Reduction for scripts and MS Office.(y)
These are pretty good HIPS rules, which can stop most malicious scripts and macros. But, I am afraid that they cannot stop some well known infections chains. For example, they can be bypassed by:
  • files with some well known dangerous extensions: BAT, CMD, CPL, CHM, etc.
  • a shortcut or macro which uses some LOLBins like cmd.exe, wmic.exe.
There can possibly be a problem with macros and scripts, which uses WMI, because when script Interpreter uses WMI to run something, then the child process is not the child of the Interpreter. This can usually fool many security solutions (but not WD Exploit Protection).
 
Last edited:

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,014
RoboMan
Those rules are not default-deny. They are similar in idea to Attack Surface Reduction for scripts and MS Office.(y)
These are pretty good HIPS rules, which can stop most malicious scripts and macros. But, I am afraid that they cannot stop some well known infections chains. For example, they can be bypassed by:
  • files with some well known dangerous extensions: BAT, CMD, CPL, CHM, etc.
  • a shortcut or macro which uses some LOLBins like cmd.exe, wmic.exe.
There can possibly be a problem with macros and scripts, which uses WMI, because when script Interpreter uses WMI to run something, then the child process is not the child of the Interpreter. This can usually fool many security solutions (but not WD Exploit Protection).
So what do you propose to overcome the shortages you mentioned i.e. to complement the HIPS rules by @RoboMan ?

Or to use any software to perform the same as the HIPS rules or better without using ESET IS?
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
So what do you propose to overcome the shortages you mentioned i.e. to complement the HIPS rules by @RoboMan ?

Or to use any software to perform the same as the HIPS rules or better without using ESET IS?
I do not know fully Eset HIPS capabilities, so I cannot say for sure what is required. If there are not other HIPS rules related to script Interpreters, then something like tweaked SysHardener can help.
Furthermore, Eset allows adding some more HIPS rules for explorer.exe, cmd.exe, wmic.exe and other LOLBins. But, this must be adjusted to the particular machine. The Eset Logs and warnings can help with it.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Tried running RanSim, Chrome blocks it, Edge allowed it ,Eset even with configuration did real poor ,Tried Windows Defender with Syshardener blocked test, then tried Kaspersky Total security and that also blocked this test .
RunSim uses WMI to run tests, and does not use script engines. That is why Eset can have a problem. But most of the tested malware will be blocked by Eset in the real world scenario. Simply, Eset with properly set HIPS, will block the delivery of the ransomware payload via weaponized documents or scripts.
 

RoboMan

Level 34
Thread author
Verified
Top Poster
Content Creator
Well-known
Jun 24, 2016
2,399
@RoboMan is the configuration file for Eset IS only or is it compatible for Eset Nod32 too?
Any ESET version with HIPS!
RoboMan
Those rules are not default-deny. They are similar in idea to Attack Surface Reduction for scripts and MS Office.(y)
These are pretty good HIPS rules, which can stop most malicious scripts and macros. But, I am afraid that they cannot stop some well known infections chains. For example, they can be bypassed by:
  • files with some well known dangerous extensions: BAT, CMD, CPL, CHM, etc.
  • a shortcut or macro which uses some LOLBins like cmd.exe, wmic.exe.
There can possibly be a problem with macros and scripts, which uses WMI, because when script Interpreter uses WMI to run something, then the child process is not the child of the Interpreter. This can usually fool many security solutions (but not WD Exploit Protection).
Good you got the point! I admit i suck at wording!

Of course these HIPS rules aren't a replace for anything, that's why it's part of a suite! I'm pretty sure these rules with the rest of the program correctly configured can stop most threats :) Of course not everything!
 

Wraith

Level 13
Verified
Top Poster
Well-known
Aug 15, 2018
634
As always another great post from @RoboMan. I use ESET with these HIPS rules but I have modified some of the rules. I have HIPS configured to disable execution of wscript, cscript, powershell, mshta, ask if anything tries to modify the hosts file, ask for changes in startup applications. I think it's also a good option to set rules in the firewall to ask for outgoing connections from command prompt and regsvr32.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top