OK, I have a scenario for you guys. Maybe I can explain this. There are other options that I don't mention, but the point is to show that answering alerts in a certain way yields fantastic results from HIPS.
My Choices:
Auto-Contain -> On -> Limited (I want to see malware fail)
HIPS -> Safe Mode -> also "Do not create rules for safe applications" helps
So here is the scenario. Run a new "Unrecognized" app -> it opens in the container, and there is a decent chance the app is functional enough to use, yet its changes remain in the container. So far no trust has been created in the files list, so HIPS will function as desired -> use the app and it invokes some child process -> HIPS alerts about the new (usually "Unrecognized") process starting and asks whether the process should be allowed.

Here is the key. I was making it an allowed process or whatever if I knew what it was, but that deactivates HIPS AND, I believe, turns the process from "Unrecognized" to "Trusted" in the files list. OK, for me, this is a big mistake, but it's easy to miss. Even if this doesn't raise the trust rating, it's far better never, except in the case of an installer, to designate an "Unrecognized" file as anything like "Windows" or "Allowed" etc. I mean even if you wrote the script yourself. What if someone wrote malware that overwrote your script (auto-find .bats and inject malware or whatever)?

OK, the reason not to do this is that, if you don't make a blanket designation of an app that turns off HIPS, the "Unrecognized" parent process you started, and that started the new process, will automatically use the "Exclusions" dialog in HIPS to record each child process it starts. OK, so the single exclusion means that I can collect exclusions over time for the program and make sure it doesn't step outside the ones I allow. So then if someday it wants to use cmd.exe or something, I can choose Block and "Remember choice", and a block exclusion will be created so that the functionality will be auto-blocked.
This is powerful. I think it only really fully works with Auto-Contain set to On. I could be wrong about that. It's hard to test every possibility, but look through your HIPS rules and see if you have a lot of "Allowed application" and "Windows application" type rules, or anything other than Custom. Delete the non-Custom rules and start over for those processes. Finally, when you get a HIPS alert (other than for an installer... you should designate that as an installer), the sequence to use is just STRAIGHT Allow and then "Remember this choice", or STRAIGHT Block and "Remember this choice".
Hope any of this makes sense. In theory, you could set up Explorer.exe to create an exclusion for the first HIPS rule for each app you open from the Start Menu or from a folder. Not that it matters, or that Explorer.exe is all that important to control that way (it's safe), but you can easily watch over individual processes by staying away from the non-Custom HIPS rules and collecting those allow and block exclusions to keep "Unrecognized" in the cage. Yes, programs that seem good can contain malware too.
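As an added illustration (not part of the post above, and not Comodo's code or its actual rule format), here is a small Python model of the two ways of answering a HIPS alert that the post contrasts: giving the parent a blanket "Allowed application" designation, versus leaving it Custom and answering each child-process alert STRAIGHT Allow/Block with "Remember this choice". The class name ToyHips and the executables newapp.exe, helper.exe and the launch sequence are made up for the example.

```python
# Toy model (NOT Comodo's code or rule format) of the two alert-answering styles.
# A "blanket" rule ("Allowed application", "Windows application", ...) silences
# alerts for everything the parent starts and records nothing. A Custom rule
# raises an alert per child process and stores the remembered answer as an
# allow/block exclusion, so later launches of that child are auto-decided.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

PROMPT, ALLOW, BLOCK = "prompt", "allow", "block"


@dataclass
class ParentRule:
    parent: str
    blanket: Optional[str] = None                 # e.g. "Allowed application"; None means Custom
    exclusions: Dict[str, str] = field(default_factory=dict)   # child exe -> ALLOW or BLOCK


class ToyHips:
    def __init__(self) -> None:
        self.rules: Dict[str, ParentRule] = {}

    def rule(self, parent: str) -> ParentRule:
        return self.rules.setdefault(parent, ParentRule(parent))

    def make_blanket(self, parent: str, kind: str) -> None:
        """The designation the post warns against: no more alerts for this parent."""
        self.rule(parent).blanket = kind

    def child_launch(self, parent: str, child: str,
                     answer: Optional[str] = None, remember: bool = False) -> Tuple[str, str]:
        """Decide whether `parent` may start `child`.

        `answer` is what the user clicks on the alert (ALLOW or BLOCK);
        `remember` is the "Remember this choice" box. Returns (decision, reason).
        """
        r = self.rule(parent)
        if r.blanket is not None:
            return ALLOW, f"{r.blanket} rule: no alert, nothing recorded"
        if child in r.exclusions:
            return r.exclusions[child], "auto-decided from stored exclusion"
        if answer is None:
            return PROMPT, "alert raised"
        if remember:
            r.exclusions[child] = answer          # the single exclusion the post describes
        return answer, "answered on the alert"


def compare() -> dict:
    """Run the same constructed launch sequence under both rule styles."""
    # (child exe, what the user would click if an alert appears)
    events = [("helper.exe", ALLOW), ("helper.exe", None),
              ("cmd.exe", BLOCK), ("cmd.exe", None)]
    out = {}

    blanket = ToyHips()
    blanket.make_blanket("newapp.exe", "Allowed application")
    out["blanket"] = [blanket.child_launch("newapp.exe", c)[0] for c, _ in events]

    custom = ToyHips()                            # parent left as a Custom rule
    decisions = []
    for child, click in events:
        d, _ = custom.child_launch("newapp.exe", child)
        if d == PROMPT:                           # STRAIGHT allow/block + "Remember this choice"
            d, _ = custom.child_launch("newapp.exe", child, answer=click, remember=True)
        decisions.append(d)
    out["custom"] = decisions
    out["custom_exclusions"] = dict(custom.rule("newapp.exe").exclusions)
    return out


if __name__ == "__main__":
    for k, v in compare().items():
        print(k, v)
```

Under the blanket rule every launch, including cmd.exe, is silently allowed and nothing accumulates; under the Custom rule the first launch of each child raises an alert, the remembered answer becomes that child's exclusion, and the second launch is auto-decided from it, which is the "collect allow and block exclusions over time" behaviour the post is after.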