[KB8921] User-specific HIPS hardening for improved ransomware protection in ESET applications for Windows

Required user permissions

This article assumes that you have the appropriate access rights and permissions to perform the tasks below.

If you are unable to perform the tasks below (the option is unavailable), create a second administrator user in ESET PROTECT or ESET PROTECT On-Prem with all access rights.

Issue

  • Enhance ransomware protection by creating specific HIPS rules in ESET applications for Windows
  • Protect the most sensitive folders or files against unwanted access

Details

A Host-based Intrusion Prevention System (HIPS) monitors system activity and uses a set of pre-defined rules to detect suspicious behavior. When this type of activity is identified, the HIPS self-defense mechanism stops the offending program or process from carrying out the potentially harmful activity.

You can use ESET HIPS to effectively protect the most sensitive folders or files against unwanted access:

  • Identify folders containing critical sensitive data
  • Determine which applications require access to this data
  • Block file modification and deletion for all other applications
  • Explicitly allow access only for approved applications

This approach should be user-specific and implemented by an experienced administrator who configures HIPS rules to provide strong protection against ransomware, ensuring that only approved applications are allowed to modify or delete critical folders or files.

Read more about configuring additional HIPS rules in ESET business applications, or via ESET PROTECT or ESET PROTECT On-Prem, or see the HIPS documentation.

Solution

Experienced administrators

This content is intended for experienced IT administrators.

By default, HIPS is pre-configured to ensure maximum protection of the system. While the creation of a HIPS rule might be necessary to resolve an issue in certain infrequent cases, the manipulation of HIPS rules requires advanced knowledge of applications and operating systems and is not recommended.

Other ESET applications (managed and non-managed)

In this article, ESET Endpoint Security for Windows has been used as an example.

The procedure also applies to ESET Endpoint Antivirus for Windows, ESET Mail Security for Microsoft Exchange Server, and ESET Server Security for Microsoft Windows Server.

Note that the HIPS rules settings UI differs slightly between ESET business applications (Advanced setup) and policy-based configuration in ESET PROTECT or ESET PROTECT On-Prem.

The procedure also applies to ESET home and small office applications for Windows (via Advanced setup).

  1. Open the ESET PROTECT Web Console.

  2. Create a policy in ESET PROTECT or ESET PROTECT On-Prem.

  3. Click Settings, select ESET Endpoint for Windows from the drop-down menu. Click Protections > HIPS and click Edit next to Rules.

  4. Click Add.

  5. Follow the steps below to create Block access and Allow access HIPS rules.

    HIPS rules

    A Block access HIPS rule explicitly denies a defined operation or interaction between processes, folders or files, or registry entries. When the rule conditions are met, the action is prevented, helping to block unwanted or potentially malicious behavior.

    An Allow access HIPS rule explicitly permits a defined operation or interaction. When matched, the specified activity is allowed without restriction, ensuring trusted applications or processes can function correctly even if other rules might otherwise block them.

Create the Block access HIPS rule
    1. Type a rule name and select Block from the Action drop-down menu. Click the toggle next to Target files to enable it. Select the appropriate option from the Logging severity drop-down menu. Click the toggle next to Notify user to enable it, then click Next.

      Logging severity

      Logging severity should be set carefully by the administrator to avoid excessive or spam-like log generation.

    2. Verify that the All applications option is selected from the drop-down menu, then click Next. Click the toggles next to Delete file and Write to file to enable them, and click Next.

    3. Select Specific files from the drop-down menu and click Add. In the Add window, type or copy/paste the file path, click OK and then click Finish.

Create the Allow access HIPS rule
    1. Type a rule name and select Allow from the Action drop-down menu. Click the toggle next to Target files to enable it. Select the appropriate option from the Logging severity drop-down menu and click Next.

      Logging severity

      Logging severity should be set carefully by the administrator to avoid excessive or spam-like log generation.

    2. Verify that the Specific applications option is selected from the drop-down menu and click Add. In the Add window, type or copy/paste the file path, click OK and then click Next.

    3. Click the toggle next to Delete file, Write to file, and Direct access to disk to enable these options and click Next.

    4. Verify that the Specific files option is selected from the drop-down menu and click Add. In the Add window, type or copy/paste the folder or file path, click OK and then click Finish.

      Wildcards

      An asterisk in a rule can only be used to match a specific key; for example, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\*\Start.

      Other ways of using wildcards are not supported.

  6. Review the created rules and click OK.

  7. Click the drop-down menu next to Edit and select how HIPS rules defined by this policy will interact with previously defined HIPS rules on the assigned computers. In this example, Replace is selected for both options. Click Finish.

Computers assigned to this policy will receive these new HIPS rules the next time they check into ESET PROTECT or ESET PROTECT On-Prem.
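Once the policy has been applied, the Block rule can be checked from a process that is not listed in the Allow rule. The following PowerShell script is an added example and is not part of this article or of ESET's own tooling; it assumes the protected folder is C:\SensitiveData (a placeholder) and that an approved application placed a canary file named hips-canary.txt there before the policy was assigned, so the Delete file check never touches real data.

```powershell
# Added example, not from the ESET KB article. Run this from an application that is
# NOT in the Allow rule (e.g. this PowerShell session) to confirm that the Block rule
# denies "Write to file" and "Delete file" inside the protected folder.
# Assumptions (placeholders): protected folder C:\SensitiveData; canary file
# hips-canary.txt created there earlier by an approved application.
param(
    [string]$ProtectedFolder = 'C:\SensitiveData',
    [string]$CanaryFile = 'hips-canary.txt'
)

function Test-Operation {
    param([string]$Operation, [scriptblock]$Action)
    try {
        & $Action
        # The operation went through: this process/operation is not covered by the Block rule.
        [pscustomobject]@{ Operation = $Operation; Blocked = $false; Detail = 'operation succeeded' }
    } catch {
        # A HIPS denial surfaces here as an access error; the message is kept for the report.
        [pscustomobject]@{ Operation = $Operation; Blocked = $true; Detail = $_.Exception.Message }
    }
}

$probe  = Join-Path $ProtectedFolder 'hips-probe.txt'
$canary = Join-Path $ProtectedFolder $CanaryFile

$results = @()
# "Write to file": try to create a new file inside the protected folder.
$results += Test-Operation -Operation 'Write to file' -Action { Set-Content -Path $probe -Value 'probe' -ErrorAction Stop }

# "Delete file": try to remove the pre-placed canary; skip if it was never created,
# otherwise a "path not found" error would be misreported as a HIPS block.
if (Test-Path $canary) {
    $results += Test-Operation -Operation 'Delete file' -Action { Remove-Item -Path $canary -ErrorAction Stop }
} else {
    $results += [pscustomobject]@{ Operation = 'Delete file'; Blocked = $false; Detail = 'canary file missing, check skipped' }
}

# Clean up the probe only if the write unexpectedly succeeded.
if (Test-Path $probe) { Remove-Item -Path $probe -ErrorAction SilentlyContinue }

$results | Format-Table -AutoSize

# Non-zero exit code when any tested operation was not blocked, for use in scripted checks.
if ($results | Where-Object { -not $_.Blocked }) { exit 1 } else { exit 0 }
```

Each denied attempt also appears in the HIPS log at the severity chosen in the rule, which is the second place to confirm the rule fired; the Allow rule is checked separately by saving a file from the approved application itself.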