[KB5687] Create a HIPS rule and enforce it on a client workstation using ESET Remote Administrator (6.x)


ESET business product no longer supported

This content applies to an ESET product version that is currently in End of Life status and is no longer supported. This content is no longer updated. 

For a complete list of supported products and support level definitions, review the ESET End of Life policy for business products.

Upgrade ESET business products.

ESET's Host-based Intrusion Prevention System (HIPS) is included in ESET Endpoint Security, ESET Endpoint Antivirus, ESET Mail Security for Microsoft Exchange, and ESET File Security for Microsoft Windows Server. HIPS monitors system activity and uses a set of pre-defined rules to recognize suspicious system behavior. When this type of activity is identified, the HIPS self-defense mechanism stops the offending program or process from carrying out potentially harmful activity. Changes to the Enable HIPS and Enable Self-defense settings take effect after the Windows operating system is restarted.


 Endpoint users: Perform these steps on individual client workstations

Advanced users only!

By default, the Host-based Intrusion Prevention System (HIPS) is pre-configured to ensure maximum protection of your system. While the creation of a HIPS rule may be needed to resolve an issue in certain infrequent cases, the manipulation of HIPS rules requires advanced knowledge of applications and operating systems and is not recommended.

  1. Open ESET Remote Administrator Web Console (ERA Web Console) in your web browser and log in. Open ERA Web Console

  2. Click AdminPolicies, click the gear icon next to the policy you want to modify, and then select Edit from the context menu.

    Figure 1-1
    Click the image to view larger in new window

  3. Expand Settings, click Antivirus → HIPS, and then click Edit next to Rules.

    Figure 1-2
    Click the image to view larger in new window

  4. Click Add.

    Figure 1-3

  5. Configure your rule. In the example, operations affecting registry entries are blocked, and the end user will be notified when this action is performed by the HIPS module. When you are finished, click Next.

    Figure 1-4

  6. In the Source applications window, select your desired option from the drop-down menu. In this example, the HIPS rule will block any application that attempts to modify registry values. Click Next

    Figure 1-5

  7. In the Registry operations window, specify which operations will trigger this rule. In this example, Delete from registry is selected. Click Next

    Figure 1-6

  8. In the Registry entries window, select your desired option from the drop-down menu. In this example, we are blocking the deletion of any registry entries. Click Finish

    Figure 1-7

  9. Click OK to save the rule.

    Figure 1-8

  10. Click Finish. Computers assigned to the policy you modified will receive this new HIPS rule the next time they check into ESET Remote Administrator Server (ERA Server).  

    Previously defined HIPS rules

    Any previously defined HIPS rules on the assigned computers will be replaced with the HIPS rules defined by this policy. 

    Figure 1-9