Hi, how do I import HIPS rules? I have interactive mode enabled at the moment, but it's very annoying manually creating rules for every single action, so I got some preconfigured rules for the HIPS but see no option to import them:
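<?xml version="1.0" encoding="utf-8"?>
<!--
  ESET HIPS settings export for the profile "@My profile" (SECTION 1000103 / PLUGIN 1000001),
  shared on a forum as a ready-made rule set. The rulesDiff node holds three global OPTIONs
  and seven RULEs. Only the two "Aux:" self-protection rules are enabled as exported; the five
  "System ..." rules carry DISABLED="1" and have to be switched on after import if they are wanted.
  The meaning of the numeric ACTION codes, of filteringMode and of learningModeEnd is not defined
  anywhere in this file. Check every target path against the machine it is imported on.
  Fixes applied to the posted version: one registry path under "System settings | Security" was
  missing "Microsoft\Windows" (now consistent with its siblings), and two exact duplicate
  REGKEY targets were dropped.
-->
<ESET>
<SECTION ID="1000103">
<SETTINGS>
<PLUGINS>
<PLUGIN ID="1000001">
<PROFILES>
<NODE NAME="@My profile" TYPE="SUBNODE">
<!-- HIPS module switches. filteringMode=18 and the BINARY learningModeEnd value are opaque here
     (their encoding is not documented in this file); enabled/selfdefense/debug are plain 0/1 flags. -->
<NODE NAME="enabled" VALUE="1" TYPE="DWORD" />
<NODE NAME="selfdefense" VALUE="1" TYPE="DWORD" />
<NODE NAME="debug" VALUE="0" TYPE="DWORD" />
<NODE NAME="filteringMode" VALUE="18" TYPE="DWORD" />
<NODE NAME="learningModeEnd" VALUE="AAAAAAAAAAA=" TYPE="BINARY" />
<NODE NAME="rulesDiff" TYPE="XML">
<!-- Global defaults, described by their own DESC attributes: with both *DefaultAllow options at 1,
     any registry or data-file change that matches no RULE below is allowed, so the protection is only
     as wide as the rule targets. LogBlocked=0 presumably means blocked operations are not logged. -->
<OPTIONS>
<OPTION OPTNAME="LogBlocked" VALUE="0" ID="2" DESC="Log all blocked operations" />
<OPTION OPTNAME="RegistryDefaultAllow" VALUE="1" ID="3" DESC="Allow changes to the application part of the registry for which there is no rule defined" />
<OPTION OPTNAME="FileDefaultAllow" VALUE="1" ID="4" DESC="Allow changes to data files for which there is no rule defined" />
</OPTIONS>
<!-- Enabled as exported. Matches Application_Stop against the ESET GUI and service executables
     under both product install folders (NOD32 Antivirus and Smart Security). -->
<RULE ID="{D0DD7B81-3119-416B-90B2-5CB2AB00956A}" NAME="Aux: Protect egui and ekrn processes" ACTION="E" DISABLED="0">
<OPERATIONS>
<OPERATION ID="Application_Stop" />
</OPERATIONS>
<TARGETS>
<PE_MODULE PATH="%PROGRAMFILES%\ESET\ESET NOD32 Antivirus\egui.exe" />
<PE_MODULE PATH="%PROGRAMFILES%\ESET\ESET NOD32 Antivirus\ekrn.exe" />
<PE_MODULE PATH="%PROGRAMFILES%\ESET\ESET Smart Security\egui.exe" />
<PE_MODULE PATH="%PROGRAMFILES%\ESET\ESET Smart Security\ekrn.exe" />
</TARGETS>
</RULE>
<!-- Enabled as exported. Matches File_Delete / File_Modify on the two ESET install folders. -->
<RULE ID="{97CC2571-D49C-4455-A7B0-33C9E7E57DCB}" NAME="Aux: Protect ESET files" ACTION="E" DISABLED="0">
<OPERATIONS>
<OPERATION ID="File_Delete" />
<OPERATION ID="File_Modify" />
</OPERATIONS>
<TARGETS>
<FILE PATH="%PROGRAMFILES%\ESET\ESET NOD32 Antivirus" />
<FILE PATH="%PROGRAMFILES%\ESET\ESET Smart Security" />
</TARGETS>
</RULE>
<!-- DISABLED="1" as exported. File_Delete / File_Modify on boot files, hosts, the legacy *.ini files
     and every *.exe / *.dll / *.sys directly under %WinDir%, plus the two kernel images. -->
<RULE ID="{72E4A483-1B7F-42FA-BE8A-6909FC29881B}" NAME="System files" ACTION="7" DISABLED="1">
<OPERATIONS>
<OPERATION ID="File_Delete" />
<OPERATION ID="File_Modify" />
</OPERATIONS>
<TARGETS>
<FILE PATH="%WinDir%\system32\drivers\etc\hosts" />
<FILE PATH="%SystemDrive%\autoexec.bat" />
<FILE PATH="%SystemDrive%\boot.ini" />
<FILE PATH="%WinDir%\system.ini" />
<FILE PATH="%WinDir%\win.ini" />
<FILE PATH="%SystemDrive%\config.sys" />
<FILE PATH="%WinDir%\*.exe" />
<FILE PATH="%WinDir%\*.dll" />
<FILE PATH="%WinDir%\*.sys" />
<FILE PATH="%WinDir%\system32\ntoskrnl.exe" />
<FILE PATH="%WinDir%\system32\ntkrnlpa.exe" />
</TARGETS>
</RULE>
<!-- DISABLED="1" as exported. Application_Stop against the core session/service processes in system32. -->
<RULE ID="{154C73D5-59AE-47D3-965E-3C9E748E7C6D}" NAME="System processes" ACTION="7" DISABLED="1">
<OPERATIONS>
<OPERATION ID="Application_Stop" />
</OPERATIONS>
<TARGETS>
<PE_MODULE PATH="%windir%\system32\smss.exe" />
<PE_MODULE PATH="%windir%\system32\csrss.exe" />
<PE_MODULE PATH="%windir%\system32\services.exe" />
<PE_MODULE PATH="%windir%\system32\lsass.exe" />
<PE_MODULE PATH="%windir%\system32\svchost.exe" />
<PE_MODULE PATH="%windir%\system32\spoolsv.exe" />
<PE_MODULE PATH="%windir%\system32\alg.exe" />
</TARGETS>
</RULE>
<!-- DISABLED="1" as exported. Registry delete/rename/modify on Internet Explorer zone settings and
     policies, Explorer policies, driver-signing policy, firewall policy, Explorer advanced settings,
     the AppCompat layer entry and the .exe file-class keys. "ControlSet???" is a wildcard over the
     numbered control sets. -->
<RULE ID="{3E7FA15C-933F-49AF-AC7E-F2BC8576613E}" NAME="System settings | Security" ACTION="7" DISABLED="1">
<OPERATIONS>
<OPERATION ID="Registry_Delete" />
<OPERATION ID="Registry_Rename" />
<OPERATION ID="Registry_Modify" />
</OPERATIONS>
<TARGETS>
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\TemplatePolicies\*\*" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\*\*" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\*\*" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\TemplatePolicies\*\*" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\*\*" />
<!-- Was "...\Software\Policies\CurrentVersion\Internet Settings\Zones\*\*" in the posted file, i.e. missing
     "Microsoft\Windows"; that key does not exist, so the Zones policy path was silently unprotected.
     Corrected to match the TemplatePolicies and ZoneMap entries directly above. -->
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\*\*" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\*" />
<!-- The posted file listed this EnforceWriteProtection value twice; one copy dropped. -->
<REGKEY PATH="HKEY_LOCAL_MACHINE\SYSTEM\ControlSet???\Control\Session Manager\Memory Management\EnforceWriteProtection" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Driver Signing\Policy" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\SYSTEM\ControlSet???\Services\SharedAccess\Parameters\FirewallPolicy\*\*" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\*" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\*\*" />
<!-- NOTE(review): this entry only covers a Layers value whose name ends in "avp.exe"; it looks carried
     over from another product's rule set. Confirm it is intended. -->
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\*avp.exe" />
<REGKEY PATH="HKEY_CLASSES_ROOT\*.exe\" />
<REGKEY PATH="HKEY_CLASSES_ROOT\*.exe\*\*" />
<REGKEY PATH="HKEY_CLASSES_ROOT\.exe\*" />
</TARGETS>
</RULE>
<!-- DISABLED="1" as exported. Registry delete/rename/modify on service image paths and ServiceDll
     values, static VxDs, TCP/IP name-server / routes / database path, CLSID registrations and the
     hardware configuration data. -->
<RULE ID="{ACDEE3B1-8979-4FC0-8548-ACB0AF873B2F}" NAME="System settings | Services" ACTION="7" DISABLED="1">
<OPERATIONS>
<OPERATION ID="Registry_Delete" />
<OPERATION ID="Registry_Rename" />
<OPERATION ID="Registry_Modify" />
</OPERATIONS>
<TARGETS>
<REGKEY PATH="HKEY_LOCAL_MACHINE\System\ControlSet???\Services\*\ImagePath" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\System\ControlSet???\Services\*\Parameters\ServiceDll" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\System\ControlSet???\Services\VXD\*\StaticVxD" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\SYSTEM\ControlSet???\Services\Tcpip\Parameters\DataBasePath" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*\*" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\SYSTEM\ControlSet???\Services\Tcpip\Parameters\Interfaces\*\NameServer" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\SYSTEM\ControlSet???\Services\Tcpip\Parameters\PersistentRoutes\*" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Hardware\Description\system\Configuration Data" />
</TARGETS>
</RULE>
<!-- DISABLED="1" as exported. The broadest rule: file and registry delete/rename/modify on the
     Startup folders, the Tasks folder and a long list of autostart / load-point locations
     (Winlogon, Run*, AppInit_DLLs, IFEO Debugger, LSA packages, KnownDlls, AppCertDlls, ...). -->
<RULE ID="{5DF61E07-9235-4EB9-8460-DEAFEE135778}" NAME="System settings | Startup" ACTION="7" DISABLED="1">
<OPERATIONS>
<OPERATION ID="File_Delete" />
<OPERATION ID="File_Modify" />
<OPERATION ID="Registry_Delete" />
<OPERATION ID="Registry_Rename" />
<OPERATION ID="Registry_Modify" />
</OPERATIONS>
<TARGETS>
<!-- NOTE(review): these two are the Spanish-localized Start Menu folder names; on another Windows
     display language they presumably match nothing, leaving the Startup folder uncovered. Replace
     with the folder names of the target system or use the Shell Folders registry values listed below. -->
<FILE PATH="%ALLUSERSPROFILE%\Menu Inicio\Programas\Inicio" />
<FILE PATH="%USERPROFILE%\Menu Inicio\Programas\Inicio" />
<FILE PATH="%SystemRoot%\Tasks" />
<!-- The posted file listed the "open\command" entry twice; one copy dropped. -->
<REGKEY PATH="HKEY_CURRENT_USER\*file\shell\open\command\*" />
<REGKEY PATH="HKEY_CURRENT_USER\*file\shell\runas\command\*" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AEDebug\Debugger" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\System" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\*\DllName" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows*\CurrentVersion\Run*" />
<REGKEY PATH="HKEY_CURRENT_USER\Software\Microsoft\Windows*\CurrentVersion\Run*" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Mirabilis\ICQ\Agent\Apps\*" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\ICQ*\Path" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\*\StubPath" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WOW\BOOT\*" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WOW\NonWindowsApp\*" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WOW\Standard\*" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Drivers\*" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Drivers32\*" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\*" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\System\currentcontrolset\control\Session Manager\BootExecute" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\software\Microsoft\VBA\Monitors\*\CLSID" />
<!-- NOTE(review): "Control Panel\Desktop" normally lives under HKEY_CURRENT_USER, not HKEY_LOCAL_MACHINE;
     confirm the hive is intended, otherwise the SCRNSAVE.EXE value is not actually watched. -->
<REGKEY PATH="HKEY_LOCAL_MACHINE\Control Panel\Desktop\SCRNSAVE.EXE" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\*" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\*" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\software\Policies\Microsoft\Windows\System\Scripts\*\*" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\*\*" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Policies\System\Shell" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\*" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun" />
<!-- NOTE(review): unlike every other Explorer entry in this rule, this path has no "Microsoft" segment;
     verify the key actually exists on the target system before relying on it. -->
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Windows\CurrentVersion\Explorer\FileExts\.exe\*" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MPRServices\*\DLLName" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\*Shell Folders\Common Startup" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\*Shell Folders\Startup" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\*Shell Folders\Start menu" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\*Shell Folders\Common Start Menu" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\*" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\System\ControlSet???\Control\Session Manager\Environment\Comspec" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\System\ControlSet???\Control\BootVerificationProgram\ImagePath" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\System\ControlSet???\Control\VirtualDeviceDrivers\VDD" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\System\ControlSet???\Control\SafeBoot\AlternateShell" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\System\ControlSet???\Control\SafeBoot\Minimal\*\ImagePath" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\System\ControlSet???\Control\Safeboot\Network\*\ImagePath" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\System\ControlSet???\Control\SafeBoot\Minimal\*\Parameters\ServiceDll" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\load" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\run" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\System\ControlSet???\Control\SafeBoot\Network\*\Parameters\ServiceDll" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*\Debugger" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SetupExecute" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Execute" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Desktop\Components\*" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\*" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Plugins\Extension\location" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\System\ControlSet???\Control\TerminalServer\Wds\Rdpwd\startupprograms" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\*" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\*" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Desktop\Components\*\*" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\*\*" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Plugins\Extension\*\location" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\TerminalServer\Install\*\*" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\*\*" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Extensions\*" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Win.ini\load" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Win.ini\run" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\winlogon" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini\boot\shell" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Classes\Protocols\Filter\*" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Classes\Protocols\Filter\*\*" />
<REGKEY PATH="HKEY_CLASSES_ROOT\Protocols\Filter\*" />
<REGKEY PATH="HKEY_CLASSES_ROOT\Protocols\Filter\*\*" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Classes\Protocols\Handler\*" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Classes\Protocols\Handler\*\*" />
<REGKEY PATH="HKEY_CLASSES_ROOT\Protocols\Handler\*" />
<REGKEY PATH="HKEY_CLASSES_ROOT\Protocols\Handler\*\*" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ColumnHandlers\*" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ColumnHandlers\*\*" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Ctf\LangBarAddin\*" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Ctf\LangBarAddin\*\*" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\*\Shell\*\command\*" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Cdrom\AutoRun" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf\*" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoPlayHandlers\CancelAutoplay\Files\*" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*\*" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\System\ControlSet???\Control\Session Manager\SubSystems\Windows" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\System\ControlSet???\Control\Session Manager\KnownDlls" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\System\ControlSet???\Control\Lsa\Notification Packages" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*\VerifierDlls" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\System\ControlSet???\Control\Lsa\Authentication Packages" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\System\ControlSet???\Control\Lsa\Security Packages" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\System\ControlSet???\Control\Keyboard Layouts\*\*" />
<REGKEY PATH="HKEY_LOCAL_MACHINE\System\ControlSet???\Control\Session Manager\AppCertDlls\*" />
</TARGETS>
</RULE>
</NODE>
</NODE>
</PROFILES>
</PLUGIN>
</PLUGINS>
</SETTINGS>
</SECTION>
</ESET>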
Yes, that's true... The best way to configure the HIPS for the average ESET user at this point would be 'Learning Mode' (of course assuming that the system is clean) for 2 or 3 days so that the HIPS has time to learn the system; after that, Interactive mode should be fine. jamescv7 said: Seems making a pre-configured HIPS is newly for advanced users only.