[KB6119] Configure HIPS rules in ESET business applications or via ESET PROTECT or ESET PROTECT On-Prem

Issue

Details


ESET's Host-based Intrusion Prevention System (HIPS) is included in ESET Endpoint Security, ESET Endpoint Antivirus, ESET Mail Security for Microsoft Exchange Server, and ESET Server Security for Microsoft Windows Server. HIPS monitors system activity and uses a pre-defined set of rules to recognize suspicious system behavior.

When this type of activity is identified, the HIPS self-defense mechanism stops the offending program or process from carrying out a potentially harmful activity. Prohibiting the standard execution of JavaScript and other scripts prevents ransomware from downloading or executing through them. To further help prevent ransomware on your Windows systems, create the following rules in the latest ESET business applications with HIPS, or create and apply an ESET PROTECT or ESET PROTECT On-Prem Policy.


Solution

Do not adjust settings on production systems

The following settings are additional configurations, and the specific settings needed for your security environment may vary. We recommend that you test the settings for each implementation in a test environment before using them in a production environment.

Manually create an ESET PROTECT or ESET PROTECT On-Prem Policy / configure the settings in ESET business applications

  1. Open the HIPS rules editor in the policy wizard or ESET application configuration:


    ESET PROTECT or ESET PROTECT On-Prem Policy
    1. Create a policy in ESET PROTECT or ESET PROTECT On-Prem.

    2. In the Settings section, select ESET Endpoint for Windows from the drop-down menu. Click HIPS and click Edit next to Rules.


    ESET application
    1. Open the main program window of your ESET Windows endpoint application.

    2. Press the F5 key to access Advanced setup.

    3. Click HIPS and click Edit next to Rules.


  2. Expand each section below (I. to VII.) and create all of the additional HIPS rules.



    I. Deny processes from script executables
    1. In the HIPS rules window, click Add.

    2. Type Deny child processes from script executables into the Rule name field. From the Action drop-down menu, select Block. Click the toggle next to Applications, Enabled, and Notify user to enable these settings. From the Logging severity drop-down menu, select Warning and click Next.

    3. In the Source applications window, click Add and type in the following names, clicking OK after each one and Add again for the next:

      • C:\Windows\System32\wscript.exe
      • C:\Windows\System32\cscript.exe
      • C:\Windows\SysWOW64\wscript.exe
      • C:\Windows\SysWOW64\cscript.exe
      • C:\Windows\System32\ntvdm.exe

      Click Next.

    4. In the Application operations window, click the toggle next to Start new application to enable it and click Next.

    5. Select All applications from the drop-down menu and click Finish.

    6. Leave the HIPS rules window open and continue to the next section.



    II. Deny script processes started by explorer
    1. In the HIPS rules window, click Add.

    2. Type Deny script processes started by explorer into the Rule name field.

      From the Action drop-down menu, select Block.

      Enable the toggle next to Applications.

      From the Logging severity drop-down menu, select Warning and click Next.

    3. In the Source applications window, click Add, type C:\Windows\explorer.exe into the Specify file path field, click OK, and then click Next.

    4. In the Application operations window, click the toggle next to Start new application to enable it and click Next.

    5. In the Applications window, click Add and type in the following names, clicking OK after each one and Add again for the next:

      • C:\Windows\System32\wscript.exe
      • C:\Windows\System32\cscript.exe
      • C:\Windows\SysWOW64\wscript.exe
      • C:\Windows\SysWOW64\cscript.exe

      Click Finish.

    6. Leave the HIPS rules window open and continue to the next section.



    III. Deny child processes from Office 2024 processes
    1. In the HIPS rules window, click Add.

    2. Type Deny child processes from Office 2024 processes into the Rule name field. From the Action drop-down menu, select Block. Click the toggle next to Applications, Enabled, and Notify user to enable these settings. From the Logging severity drop-down menu, select Warning and click Next.

    3. In the Source applications window, click Add and type in the following names, clicking OK after each one and Add again for the next:

      • C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
      • C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
      • C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
      • C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE
      • C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
      • C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
      • C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
      • C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE

      Click Next.

    4. In the Application operations window, click the toggle next to Start new application to enable it and click Next.

    5. In the Applications window, click Add and type in the following names, clicking OK after each one and Add again for the next:

      • C:\Windows\System32\cmd.exe
      • C:\Windows\SysWOW64\cmd.exe
      • C:\Windows\System32\wscript.exe
      • C:\Windows\SysWOW64\wscript.exe
      • C:\Windows\System32\cscript.exe
      • C:\Windows\SysWOW64\cscript.exe
      • C:\Windows\System32\ntvdm.exe
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      • C:\Windows\System32\regsvr32.exe
      • C:\Windows\SysWOW64\regsvr32.exe
      • C:\Windows\System32\rundll32.exe
      • C:\Windows\SysWOW64\rundll32.exe

      Click Finish.

    6. Add other Office versions as needed by repeating the instructions above with the matching Office folder:

      • 2013 = Office15 (C:\Program Files (x86)\Microsoft Office\Office15\...)
      • 2010 = Office14

    7. Leave the HIPS rules window open and continue to the next section.



    IV. Deny child processes for regsvr32.exe
    1. In the HIPS rules window, click Add.

    2. Type Deny child processes for regsvr32.exe into the Rule name field.

      From the Action drop-down menu, select Block.

      Click the toggle next to the following settings to enable them:

      • Applications
      • Enabled
      • Notify user

      From the Logging severity drop-down menu, select Warning and click Next.

    3. In the Source applications window, click Add and type in the following names, clicking OK after each one and Add again for the next:

      • C:\Windows\System32\regsvr32.exe
      • C:\Windows\SysWOW64\regsvr32.exe

      Click Next.

    4. In the Application operations window, click the toggle next to Start new application to enable it and click Next.

    5. In the Applications window, click Add and type in the following names, clicking OK after each one and Add again for the next:

      • C:\Windows\System32\cmd.exe
      • C:\Windows\SysWOW64\cmd.exe
      • C:\Windows\System32\wscript.exe
      • C:\Windows\SysWOW64\wscript.exe
      • C:\Windows\System32\cscript.exe
      • C:\Windows\SysWOW64\cscript.exe
      • C:\Windows\System32\ntvdm.exe
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

      Click Finish.

    6. Leave the HIPS rules window open and continue to the next section.



    V. Deny child processes for mshta.exe
    1. In the HIPS rules window, click Add.

    2. Type Deny child processes for mshta.exe into the Rule name field.

      From the Action drop-down menu, select Block.

      Click the toggle next to the following settings to enable them:

      • Applications
      • Enabled
      • Notify user

      From the Logging severity drop-down menu, select Warning and click Next.

    3. In the Source applications window, click Add and type in the following names, clicking OK after each one and Add again for the next:

      • C:\Windows\System32\mshta.exe
      • C:\Windows\SysWOW64\mshta.exe

      Click Next.

    4. In the Application operations window, click the toggle next to Start new application to enable it and click Next.

    5. Select All applications from the drop-down menu and click Finish.

    6. Leave the HIPS rules window open and continue to the next section.



    VI. Deny child processes for rundll32.exe
    1. In the HIPS rules window, click Add.

    2. Type Deny child processes for rundll32.exe into the Rule name field.

      From the Action drop-down menu, select Block.

      Click the toggle next to the following settings to enable them:

      • Applications
      • Enabled
      • Notify user

      From the Logging severity drop-down menu, select Warning and click Next.

    3. In the Source applications window, click Add, type C:\Windows\System32\rundll32.exe into the Specify file path field, click OK, and then click Next.

    4. In the Application operations window, click the toggle next to Start new application to enable it and click Next.

    5. In the Applications window, click Add and type in the following names, clicking OK after each one and Add again for the next:

      • C:\Windows\System32\cmd.exe
      • C:\Windows\SysWOW64\cmd.exe
      • C:\Windows\System32\wscript.exe
      • C:\Windows\SysWOW64\wscript.exe
      • C:\Windows\System32\cscript.exe
      • C:\Windows\SysWOW64\cscript.exe
      • C:\Windows\System32\ntvdm.exe
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

      Click Finish.

    6. Leave the HIPS rules window open and continue to the next section.



    VII. Deny child processes for powershell.exe
    1. In the HIPS rules window, click Add.

    2. Type Deny child processes for powershell.exe into the Rule name field.

      From the Action drop-down menu, select Block.

      Click the toggle next to the following settings to enable them:

      • Applications
      • Enabled
      • Notify user

      From the Logging severity drop-down menu, select Warning and click Next.

    3. In the Source applications window, click Add and type in the following names, clicking OK after each one and Add again for the next:

      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

      Click Next.

    4. In the Application operations window, click the toggle next to Start new application to enable it and click Next.

    5. Select All applications from the drop-down menu and click Finish.


  3. If you are creating a policy, in the HIPS rules window, click OK and finish the policy wizard.

    If you are configuring an ESET business application, click OK, and then click OK again to close Advanced setup.
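The seven rule sections above amount to a table of parent process to child process pairs. As an added example (not ESET's code, and not ESET's policy format), the script below models rules I to VII as data and previews which process launches from a pilot machine's process-creation log the policy would block, which is the kind of check the "test before production" advice calls for. Paths, rule names and the sample records are taken from or constructed around the steps above; the sample log records are constructed.

```python
import ntpath

J = ntpath.join
SYS, WOW = r"C:\Windows\System32", r"C:\Windows\SysWOW64"
O16 = r"C:\Program Files\Microsoft Office\root\Office16"
O16X = r"C:\Program Files (x86)\Microsoft Office\root\Office16"
PS = r"WindowsPowerShell\v1.0\powershell.exe"
OFFICE = ("WINWORD.EXE", "OUTLOOK.EXE", "EXCEL.EXE", "POWERPNT.EXE")
SCRIPTS = [J(d, e) for d in (SYS, WOW) for e in ("wscript.exe", "cscript.exe")]
NTVDM = J(SYS, "ntvdm.exe")
# cmd, wscript, cscript, ntvdm and powershell: the child list shared by rules III, IV and VI
SHELLS = [J(d, "cmd.exe") for d in (SYS, WOW)] + SCRIPTS + [NTVDM, J(SYS, PS), J(WOW, PS)]
ALL = None  # stands for the "All applications" target of rules I, V and VII

# (rule name, source applications, blocked child applications) for rules I to VII
RULES = [
    ("Deny child processes from script executables", SCRIPTS + [NTVDM], ALL),
    ("Deny script processes started by explorer", [r"C:\Windows\explorer.exe"], SCRIPTS),
    ("Deny child processes from Office 2024 processes",
     [J(d, e) for d in (O16, O16X) for e in OFFICE],
     SHELLS + [J(d, e) for d in (SYS, WOW) for e in ("regsvr32.exe", "rundll32.exe")]),
    ("Deny child processes for regsvr32.exe", [J(SYS, "regsvr32.exe"), J(WOW, "regsvr32.exe")], SHELLS),
    ("Deny child processes for mshta.exe", [J(SYS, "mshta.exe"), J(WOW, "mshta.exe")], ALL),
    ("Deny child processes for rundll32.exe", [J(SYS, "rundll32.exe")], SHELLS),  # System32 only, as in VI
    ("Deny child processes for powershell.exe", [J(SYS, PS), J(WOW, PS)], ALL),
]

def norm(path):
    """Windows paths are case-insensitive; compare them normalised and lower-cased."""
    return ntpath.normpath(path).lower()

def matching_rule(parent, child):
    """Name of the first rule that would block `child` being started by `parent`, or None."""
    for name, sources, targets in RULES:
        if norm(parent) in {norm(s) for s in sources}:
            if targets is ALL or norm(child) in {norm(t) for t in targets}:
                return name
    return None

def preview(records):
    """records: (parent image, child image) pairs, e.g. pulled from Sysmon event 1 or Security 4688."""
    return [(p, c, matching_rule(p, c)) for p, c in records]

# Constructed sample records: what a test machine might log during a pilot of the policy.
SAMPLE = [
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe"),  # rule II
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe"),  # not covered
    (J(O16, "WINWORD.EXE"), J(SYS, "cmd.exe")),                         # rule III
    (J(WOW, "rundll32.exe"), J(SYS, "cmd.exe")),                        # not covered: VI lists System32 only
]
```

Run `preview(SAMPLE)` to see, for each record, the rule that would fire or None; a launch that comes back None on a path you expected to be covered points at a missing entry in the corresponding rule.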


Download and import the ESET PROTECT or ESET PROTECT On-Prem Policy

The ESET PROTECT or ESET PROTECT On-Prem Policy for ESET business applications with additional HIPS settings to protect against ransomware malware (filecoder) can be downloaded from the links below. Policies are available only for the latest version of ESET applications. Compatibility with earlier versions cannot be guaranteed.

  1. Download the Additional HIPS Protection ESET PROTECT or ESET PROTECT On-Prem Policy for:

  2. Open the policy import window:


    ESET PROTECT

    Click Configuration > Advanced setup > Actions > Import.


    ESET PROTECT On-Prem

    Click Policies > Actions > Import.


  3. Click Choose file to upload, select the downloaded policy, and click Import.

  4. Assign the policy to a client or assign the policy to a group.