Configure ESET as default-deny (bye ransomware!)

oldschool

Mar 29, 2018
> The only issue I always had with VS is the delay to execute programs,

Honestly I've never seen any slowdown with execution other than a small one to install, as @devjit2018 points out. I suppose if you're opening a large app that is too big to upload, in which case you would see that message and the reason for the time lag.
 

davisd

Jan 27, 2019
Whenever using Eset, this is the way for me: Smart mode + rules where launching of specific apps is disallowed, additionally a standalone deny rule for rundll32 which can be quickly enabled/disabled, so usability of the system is not lost whenever I want to change some internal Windows settings. Ask rules for things like control.exe, msconfig.exe, etc. Keeping an eye on Log files is also an important thing to do. No need for 3rd party tools. The list is not complete, just the idea. The disadvantage I find in doing this is no wildcard support for application paths, and that is a real bitch, so I cannot fully make Eset default-deny-like.

[attachment: eset logs.JPG]

Wraith

Aug 15, 2018
> Whenever using Eset, this is the way for me: Smart mode + rules where launching of specific apps is disallowed, additionally a standalone deny rule for rundll32 which can be quickly enabled/disabled, so usability of the system is not lost whenever I want to change some internal Windows settings. Ask rules for things like control.exe, msconfig.exe, etc. Keeping an eye on Log files is also an important thing to do. No need for 3rd party tools. The list is not complete, just the idea. The disadvantage I find in doing this is no wildcard support for application paths, and that is a real bitch, so I cannot fully make Eset default-deny-like.
>
> [two attachments]

Yes ATM ESET HIPS does not support wildcards but I hope it will be supported soon. You seem to have a lot of LoLbins covered with the HIPS. Just asking, did you take the entire list of the vulnerable processes from ERP and add those to the HIPS? That's what I did in my ESET HIPS settings. :p
 

davisd

Jan 27, 2019
> Yes ATM ESET HIPS does not support wildcards but I hope it will be supported soon. You seem to have a lot of LoLbins covered with the HIPS. Just asking, did you take the entire list of the vulnerable processes from ERP and add those to the HIPS? That's what I did in my ESET HIPS settings. :p

The people asking for wildcard support in HIPS go way back to like 5+ years ago already, still not available, it's ridiculous. I believe they don't want to do it, since more and more other AV products go stupidly-simple-mode, without user intervention needed when threats are found, as statistics say globally people make wrong decisions answering prompts etc., so I doubt they are going to make Eset more complex in the advanced settings which you can configure already. Let's not forget Eset is just an "Antivirus", so it was never meant to make these types of crazy HIPS rules; the only AV suite which I can think of that can be configured to achieve this type of system lockdown is Kaspersky. Every Eset user wanting to play with HIPS is just 3-4 clicks away from completely bricking their system, as by making a too-generic rule you won't be able to boot, notifications go 800+ in a few seconds, and the whole system just crashes, so the percentage failure rate making wrong rules is very high, and Eset forums would go totally bonkers.

I don't really like Eset's suggestions of ransomware protection by making "child process" denial rules, but they are meant for business products, so. I don't really know what vuln list ERP has, I have my own made over time, but I believe every rule and line must be specifically adjusted for each user's system accordingly, to not break the system's functionality depending on the user's needs and programs used daily. For regular home users, one can deny the most commonly abused, like wscript, cscript, powershell, etc. ~5-10 rules in Eset HIPS, which is not hard, greatly reducing attack chain vectors.
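An added example, not from the thread and not ESET's own code or rule format, modelling the rule style davisd describes in the two posts above: Smart mode plus a few specific deny/ask rules, a rundll32 rule that can be switched off, and exact-path matching with no wildcards. The paths, the first-match semantics and the generic-rule check are assumptions made for illustration.

```python
# Added example, not from the thread or from ESET: a small model of the
# "Smart mode + specific deny/ask rules" approach described above, showing
# how exact-path matching behaves when the HIPS offers no wildcards.
# Paths, the first-match semantics and the generic-rule check are all
# assumptions made for illustration, not ESET's engine or rule format.
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:
    name: str
    action: str                          # "deny" or "ask"
    targets: Optional[List[str]] = None  # exact child paths; None = any app
    sources: Optional[List[str]] = None  # exact parent paths; None = any app
    enabled: bool = True                 # lets a rule be switched off quickly

def _match(path: str, exact: Optional[List[str]]) -> bool:
    # Exact, case-insensitive comparison only: no wildcards, so a rule for
    # System32\rundll32.exe says nothing about SysWOW64\rundll32.exe.
    return exact is None or path.lower() in (p.lower() for p in exact)

def evaluate(rules: List[Rule], parent: str, child: str) -> str:
    """Decide a launch event: the first enabled matching rule wins, and in
    Smart mode anything no rule covers is allowed (assumed semantics)."""
    for r in rules:
        if r.enabled and _match(parent, r.sources) and _match(child, r.targets):
            return r.action
    return "allow"

def is_too_generic(rule: Rule) -> bool:
    """A deny rule with neither source nor target restriction blocks every
    process start; this is the kind of rule that leaves a system unbootable."""
    return rule.action == "deny" and rule.sources is None and rule.targets is None

def coverage_gaps(rules: List[Rule], parent: str, candidates: List[str]) -> List[str]:
    """Candidate paths the rule set still allows from the given parent; each
    must be listed explicitly because wildcards are unavailable."""
    return [c for c in candidates if evaluate(rules, parent, c) == "allow"]

SYS = r"C:\Windows\System32"
SCRIPT_HOSTS = [rf"{SYS}\wscript.exe", rf"{SYS}\cscript.exe",
                rf"{SYS}\WindowsPowerShell\v1.0\powershell.exe"]
RULES = [
    Rule("deny script hosts", "deny", targets=SCRIPT_HOSTS),
    Rule("deny rundll32", "deny", targets=[rf"{SYS}\rundll32.exe"]),
    Rule("ask system tools", "ask",
         targets=[rf"{SYS}\control.exe", rf"{SYS}\msconfig.exe"]),
    Rule("deny children of script hosts", "deny", sources=SCRIPT_HOSTS),
]

if __name__ == "__main__":
    explorer = r"C:\Windows\explorer.exe"
    print(evaluate(RULES, explorer, rf"{SYS}\wscript.exe"))  # deny
```

Running `coverage_gaps` against both the System32 and SysWOW64 copies of rundll32 shows the second one slipping through, which is exactly the per-path listing the thread complains about.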
 

blackice

Apr 1, 2019
Does anyone know if these are the right paths for denying child processes for Office365? I know it has different paths than Office otherwise uses.

[attachment]


ForgottenSeer 72227

I've been playing around with Eset again and am trying to use/create HIPS rules to cover some areas. I tried the "Deny child processes from script executables" rule from Eset (first one in the first post) and it was going crazy. I've used this rule in the past and there were no issues. I have HIPS set to smart mode, but for some reason it's flagging programs like crazy. It won't even let me load Chrome. I tried a restart and unfortunately it broke Windows; I had to uninstall Eset in safe mode to get it fixed. I'm on W10 1903, has anyone else experienced this issue? I've created the rule exactly like Eset has described, but for some reason it doesn't like something with my system. I'm wondering if it's an issue with W10 1903? I'm also on a local account, but that shouldn't matter.
 

blackice

Apr 1, 2019
> I've been playing around with Eset again and am trying to use/create HIPS rules to cover some areas. I tried the "Deny child processes from script executables" rule from Eset (first one in the first post) and it was going crazy. I've used this rule in the past and there were no issues. I have HIPS set to smart mode, but for some reason it's flagging programs like crazy. It won't even let me load Chrome. I tried a restart and unfortunately it broke Windows; I had to uninstall Eset in safe mode to get it fixed. I'm on W10 1903, has anyone else experienced this issue? I've created the rule exactly like Eset has described, but for some reason it doesn't like something with my system. I'm wondering if it's an issue with W10 1903? I'm also on a local account, but that shouldn't matter.

The only time I’ve had a HIPS hit was when I first set it up with those rules. Something was trying to open powershell every 20 minutes. I’m pretty sure it was some printer software...but I clean installed just in case. It’s never happened since. Never had it block any usual programs.
 

davisd

Jan 27, 2019
> I've been playing around with Eset again and am trying to use/create HIPS rules to cover some areas. I tried the "Deny child processes from script executables" rule from Eset (first one in the first post) and it was going crazy. I've used this rule in the past and there were no issues. I have HIPS set to smart mode, but for some reason it's flagging programs like crazy. It won't even let me load Chrome. I tried a restart and unfortunately it broke Windows; I had to uninstall Eset in safe mode to get it fixed. I'm on W10 1903, has anyone else experienced this issue? I've created the rule exactly like Eset has described, but for some reason it doesn't like something with my system. I'm wondering if it's an issue with W10 1903? I'm also on a local account, but that shouldn't matter.

The first thing I believe is very important is that there are no other security programs installed alongside Eset, so there's no interference, if one goes with HIPS rules. You might have made some rule too generic if your Windows broke apart; make sure you didn't tick "Files/Registry entries" at "Operations affecting", those two should be used only to create very specific rules and locations. You should have received a warning at the end of HIPS rule creation. You must identify very specifically what was blocked via "Log files" to find the culprit, because some important information might slip past your eyesight at HIPS prompts. But I know the feeling when Eset smashes your PC because of the HIPS rules.. you just don't want to use Eset ever again. One has to overcome the frustration after it has happened; at the end, it's just a human error. Shouldn't be an issue with 1903 and a standard account, I'm on the same.

[attachment: eset_warn.jpg]


ForgottenSeer 72227

> The only time I’ve had a HIPS hit was when I first set it up with those rules. Something was trying to open powershell every 20 minutes. I’m pretty sure it was some printer software...but I clean installed just in case. It’s never happened since. Never had it block any usual programs.

Hmm interesting, thanks for the feedback. I'll have to try it out again and see if I can figure it out. It definitely seems strange as I've used this rule before without any issues, but that was on the previous version of W10.

> The first thing I believe is very important is that there are no other security programs installed alongside Eset, so there's no interference, if one goes with HIPS rules. You might have made some rule too generic if your Windows broke apart; make sure you didn't tick "Files/Registry entries" at "Operations affecting", those two should be used only to create very specific rules and locations. You should have received a warning at the end of HIPS rule creation. You must identify very specifically what was blocked via "Log files" to find the culprit, because some important information might slip past your eyesight at HIPS prompts. But I know the feeling when Eset smashes your PC because of the HIPS rules.. you just don't want to use Eset ever again. One has to overcome the frustration after it has happened; at the end, it's just a human error. Shouldn't be an issue with 1903 and a standard account, I'm on the same.
>
> [attachment: eset_warn.jpg]

Thanks @davisd!

I didn't get that error when I finished creating the rule. The only other security program that I had installed on my system was OSA, but I uninstalled it before installing Eset. I also had Configure Defender set to max, but I set it to default and restarted the computer before installing Eset, so neither of those should have caused any issues. For another test, I reinstalled Eset and just put that one rule into HIPS and same thing, it was going off like crazy. I did look at the logs and I didn't see anything strange other than Chrome, or the new Edge browser, being blocked, as those were the 2 programs I tried to open after that rule was created. I did follow the step by step exactly and just copied and pasted the file paths from the instructions. The only thing that changed for me from the last time I tried Eset was I am now using W10 1903, hence why I feel like it may be the issue, but maybe there's something else at play.

It's a head scratcher for sure, but I'll try it again to see if I can figure it out. If not, I can just put it in smart mode and use OSA alongside it without any custom rules. You are right though, it's things like this that always bring me back to WD as it can be very annoying to deal with something like this, especially if you are following step by step instructions that were created by the company themselves.
 

blackice

Apr 1, 2019
> Hmm interesting, thanks for the feedback. I'll have to try it out again and see if I can figure it out. It definitely seems strange as I've used this rule before without any issues, but that was on the previous version of W10.
>
> Thanks @davisd!
>
> I didn't get that error when I finished creating the rule. The only other security program that I had installed on my system was OSA, but I uninstalled it before installing Eset. I also had Configure Defender set to max, but I set it to default and restarted the computer before installing Eset, so neither of those should have caused any issues. For another test, I reinstalled Eset and just put that one rule into HIPS and same thing, it was going off like crazy. I did look at the logs and I didn't see anything strange other than Chrome, or the new Edge browser, being blocked, as those were the 2 programs I tried to open after that rule was created. I did follow the step by step exactly and just copied and pasted the file paths from the instructions. The only thing that changed for me from the last time I tried Eset was I am now using W10 1903, hence why I feel like it may be the issue, but maybe there's something else at play.
>
> It's a head scratcher for sure, but I'll try it again to see if I can figure it out. If not, I can just put it in smart mode and use OSA alongside it without any custom rules. You are right though, it's things like this that always bring me back to WD as it can be very annoying to deal with something like this, especially if you are following step by step instructions that were created by the company themselves.

This is puzzling. I’m on 1903 with a standard account and use both chrome and edge dev with these rules. My PC seems to get along well with ESET. Not sure what it could be, especially since you reinstalled.
 

davisd

Jan 27, 2019
> but maybe there's something else at play.

Unfortunately I cannot replicate it; Edge Dev and Chrome start fine with 0 HIPS log entry warnings on 1903 + standard account + no extensions/default browser settings with the "Deny child processes from script executables" rule created. My only guess now would be that OSA or Configure_Defender didn't revert to system defaults, or some extension you're using is at fault, but highly unlikely. Maybe post here some of the log events from HIPS when you tried to open Chrome/Edge Dev, as without those it's hard to understand what you mean by "HIPS going off like crazy"; there should have been a precise prompt about what exactly was going on at that given time. I'm just interested as I haven't seen this particular Eset rule creating browser launching problems. o_O

blackice

Apr 1, 2019
> Unfortunately I cannot replicate it; Edge Dev and Chrome start fine with 0 HIPS log entry warnings on 1903 + standard account + no extensions/default browser settings with the "Deny child processes from script executables" rule created. My only guess now would be that OSA or Configure_Defender didn't revert to system defaults, or some extension you're using is at fault, but highly unlikely. Maybe post here some of the log events from HIPS when you tried to open Chrome/Edge Dev, as without those it's hard to understand what you mean by "HIPS going off like crazy"; there should have been a precise prompt about what exactly was going on at that given time. I'm just interested as I haven't seen this particular Eset rule creating browser launching problems. o_O

I would guess that it’s not OSA, as I just leave it active with some pretty extreme rules next to ESET and haven’t had any issues. But, I could be totally wrong. I know it has quite a bit of overlap, but I have no issues and it uses almost no resources.

@Raiden I would ask around the ESET forums. There’s some very helpful people there. Also the ESET v12 thread at Wilder’s is helpful. ITMAN on there is extremely knowledgeable, and Marcos from ESET can also be found in both those forums regularly.
 

ForgottenSeer 72227

> Unfortunately I cannot replicate it; Edge Dev and Chrome start fine with 0 HIPS log entry warnings on 1903 + standard account + no extensions/default browser settings with the "Deny child processes from script executables" rule created. My only guess now would be that OSA or Configure_Defender didn't revert to system defaults, or some extension you're using is at fault, but highly unlikely. Maybe post here some of the log events from HIPS when you tried to open Chrome/Edge Dev, as without those it's hard to understand what you mean by "HIPS going off like crazy"; there should have been a precise prompt about what exactly was going on at that given time. I'm just interested as I haven't seen this particular Eset rule creating browser launching problems. o_O

Thanks!

Ya I'm going to have a closer look tonight and see what can be causing it. I'm going to check via powershell to make sure that the settings for WD were reverted back to normal.

Sorry, I should have explained myself more when it comes to saying it's going crazy. I noticed that when I opened Chrome, for example, the alert window for that HIPS rule won't stop. It will keep going endlessly, even if I acknowledge the prompt. I'll try it again and take some screenshots. Glad to hear it's working fine on 1903, so now I know it's due to something else.

> I would guess that it’s not OSA, as I just leave it active with some pretty extreme rules next to ESET and haven’t had any issues. But, I could be totally wrong. I know it has quite a bit of overlap, but I have no issues and it uses almost no resources.
>
> @Raiden I would ask around the ESET forums. There’s some very helpful people there. Also the ESET v12 thread at Wilder’s is helpful. ITMAN on there is extremely knowledgeable, and Marcos from ESET can also be found in both those forums regularly.

Thanks!

Ya if I cannot figure it out I may try a reinstall of windows just to reset everything and go from there. If it still doesn't work, I'll definitely post a message on the eset forum and see what they say.:)(y)
 

blackice

Apr 1, 2019
> Ya if I cannot figure it out I may try a reinstall of windows just to reset everything and go from there. If it still doesn't work, I'll definitely post a message on the eset forum and see what they say.:)(y)

You have more energy than me. If I had that issue I'd probably just use the ESET uninstall tool and be back to WD. But, I have a toddler and one on the way. No time for nonsense.