Configure ESET as default-deny (bye ransomware!)

blackice

Level 38
Verified
Top Poster
Well-known
Apr 1, 2019
2,731
ESET HIPS should prevent cmd from launching powershell if the rules are configured correctly. In my case it does block cmd from launching powershell.

It worked for me also when I tried @Andy Ful ’s tests, just had other issues to solve. On that note my image restore got messed up so I’m doing a fresh install of Win 10. Should be no issues now with powershell trying to open from svchost.exe every 25 minutes (no clue what was causing it). But, I haven’t reinstalled ESET with the old settings yet since I haven’t had time.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
ESET HIPS should prevent cmd from launching powershell if the rules are configured correctly. In my case it does block cmd from launching powershell.
You can configure Eset to prevent any EXE file you like, from launching another EXE file you want. Yet, there are many possibilities - some are not obvious, like executing via COM objects and LOLBins.
COM objects are accessible via most of the scripting engines. So, generally configuring HIPS via child processes is not easy.
 

blackice

Level 38
Verified
Top Poster
Well-known
Apr 1, 2019
2,731
You can configure Eset to prevent any EXE file you like, from launching another EXE file you want. Yet, there are many possibilities - some are not obvious, like executing via COM objects and LOLBins.
COM objects are accessible via most of the scripting engines. So, generally configuring HIPS via child processes is not easy.

It seems as though fully locking things down concerning powershell with HIPS is an arduous task of trial and error, not to mention there always being something you missed. Only the most diligent will not get security fatigue. As fun as it is to play with it it is pushing me towards ‘configuring’ something else to ‘defend’ my device and call it a day, but that’s for another thread.
 

eonline

Level 21
Verified
Well-known
Nov 15, 2017
1,064
1.jpg2.jpg

Before creating these rules I used Macrium. Now the question is, how can I run the cmd for example to make an sfc? Excuse me I'm a novice user. Thank you.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
It seems as though fully locking things down concerning powershell with HIPS is an arduous task of trial and error, not to mention there always being something you missed. Only the most diligent will not get security fatigue. As fun as it is to play with it it is pushing me towards ‘configuring’ something else to ‘defend’ my device and call it a day, but that’s for another thread.
I do not have time now to check it, but devjit2018 showed already how to prevent all applications from executing powershell.exe.
https://malwaretips.com/threads/configure-eset-as-default-deny-bye-ransomware.91105/post-803860
If you will block in this way all scripting engines (wscript.exe, cscript.exe, mshta.exe, hh.exe, wmic.exe, scrcons.exe, etc.), then the access to COM objects will be very restricted. So finally, it will be hard for the attacker to execute the scripting code.
 

blackice

Level 38
Verified
Top Poster
Well-known
Apr 1, 2019
2,731
I do not have time now to check it, but devjit2018 showed already how to prevent all applications from executing powershell.exe.
https://malwaretips.com/threads/configure-eset-as-default-deny-bye-ransomware.91105/post-803860
If you will block in this way all scripting engines, then (wscript.exe, cscript.exe, mshta.exe, hh.exe, wmic.exe, scrcons.exe, etc.), then the access to COM objects will be very restricted.

Ah, I misunderstood your comment. I actually had tried his rules and they seemed to work. I thought you were implying that there were ways around those rules. My mistake. Thank you for the clarification.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Ah, I misunderstood your comment. I actually had tried his rules and they seemed to work. I thought you were implying that there were ways around those rules. My mistake. Thank you for the clarification.
This method is probably quite effective, but I cannot say that it is bullet-proof.
 

blackice

Level 38
Verified
Top Poster
Well-known
Apr 1, 2019
2,731

Wraith

Level 13
Verified
Top Poster
Well-known
Aug 15, 2018
634
It seems as though fully locking things down concerning powershell with HIPS is an arduous task of trial and error, not to mention there always being something you missed. Only the most diligent will not get security fatigue. As fun as it is to play with it it is pushing me towards ‘configuring’ something else to ‘defend’ my device and call it a day, but that’s for another thread.
Yes precisely. Creating HIPS rules needs time and patience since every machine is unique. You may have software that requires powershell or wscript. Setting ESET to block powershell/wscript will render that software useless that requires any of them to operate properly. That's why it's recommended that only advanced users should tinker with the HIPS. Casual users should just use the HIPS in Smart Mode.
 

blackice

Level 38
Verified
Top Poster
Well-known
Apr 1, 2019
2,731
Yes precisely. Creating HIPS rules needs time and patience since every machine is unique. You may have software that requires powershell or wscript. Setting ESET to block powershell/wscript will render that software useless that requires any of them to operate properly. That's why it's recommended that only advanced users should tinker with the HIPS. Casual users should just use the HIPS in Smart Mode.

With a fresh install and most everything loaded I’m having no issues with the hips rules. (y)
 
Last edited:

blackice

Level 38
Verified
Top Poster
Well-known
Apr 1, 2019
2,731
Would you think VoodooShield would be a good addition to this setup? Or is it too much? Looking forward to hear your opinions.

I think VS would be a great addition for extra scripting protection. I was using NVT OSArmor with it to cover blind spots. I’m not sure about the system impact of VS, OSA is virtually a feather.
 

Wraith

Level 13
Verified
Top Poster
Well-known
Aug 15, 2018
634
Would you think VoodooShield would be a good addition to this setup? Or is it too much? Looking forward to hear your opinions.
It largely depends on you my friend. If you want an anti executable that has VT integrated then VS will be your only option. Else if you just want good protection against scripts then OSArmor will suffice. For those who have lifetime licenses, AppGuard is an excellent tool to use alongside ESET/KIS.
 

RoboMan

Level 34
Thread author
Verified
Top Poster
Content Creator
Well-known
Jun 24, 2016
2,399
It largely depends on you my friend. If you want an anti executable that has VT integrated then VS will be your only option. Else if you just want good protection against scripts then OSArmor will suffice. For those who have lifetime licenses, AppGuard is an excellent tool to use alongside ESET/KIS.
The only issue I always had with VS is the delay to execute programs, I guess because it has to compare it with VirusTotal. I would very much like to use OSA, if you would share with me your configuration file for it, that would cover the best script protection and basic features, I would very much appreciate it.

Or if anybody could share with me their OSA configuration file with good script protection, I'd be very thankful.
 

blackice

Level 38
Verified
Top Poster
Well-known
Apr 1, 2019
2,731
The only issue I always had with VS is the delay to execute programs, I guess because it has to compare it with VirusTotal. I would very much like to use OSA, if you would share with me your configuration file for it, that would cover the best script protection and basic features, I would very much appreciate it.

Or if anybody could share with me their OSA configuration file with good script protection, I'd be very thankful.

I can share it when I get back to my pc. I basically looked at the video CruelSister did on it and clicked on some other optional boxes. It’s pretty easy to play with since you can untick anything that gives you issues, and set exception. Default is good for most scripts. I block Powershell and CMD and just disable OSA when I need those since I rarely use them. I think my file has some exceptions you may or may not want for ConfigureDefender.
 

blackice

Level 38
Verified
Top Poster
Well-known
Apr 1, 2019
2,731
So the config file isn't an allowed file type for posting. If you PM me I can get it to you somehow. However I would say start with default, CS has a couple recommended options and then experiment from there. Either way, let me know.
 

Wraith

Level 13
Verified
Top Poster
Well-known
Aug 15, 2018
634
The only issue I always had with VS is the delay to execute programs, I guess because it has to compare it with VirusTotal
VS shouldn't delay the execution of programs which are started from the root directories of the C drive(system space) like windows, program files. It normally checks the user space like program data, appears, desktop, downloads,documents. I've never had the delay while running VS with ESET except when executing from the downloads folder. OSArmor you won't even notice is there. It just sits there quietly doing it's job. I used to have it with ESET but since tweaking the HIPS, running SysHardener and ditching MS Office I don't require it anymore.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top