[KB6119] Configure HIPS rules for ESET business products to protect against ransomware
Issue
You want to configure additional HIPS rules in the following ESET business products for Windows, or create a policy in ESET PROTECT or ESET PROTECT On-Prem with additional HIPS settings, to protect against ransomware malware (filecoder).
Details
ESET's Host-based Intrusion Prevention System (HIPS) is included in ESET Endpoint Security, ESET Endpoint Antivirus, ESET Mail Security for Microsoft Exchange Server, and ESET File Security for Microsoft Windows Server. HIPS monitors system activity and uses a pre-defined set of rules to recognize suspicious system behavior.
When this type of activity is identified, the HIPS self-defense mechanism stops the offending program or process from carrying out a potentially harmful activity. By prohibiting the standard execution of JavaScript and other scripts, these rules prevent ransomware delivered through them from downloading or executing. To further help prevent ransomware malware on your Windows systems, create the following rules in the latest ESET business products with HIPS, or create and apply an ESET PROTECT Policy.
Solution
Do not adjust settings on production systems
The following settings are additional configurations, and the specific settings needed for your security environment may vary. We recommend that you test the settings for each implementation in a test environment before using them in a production environment.
Manually create an ESET PROTECT Policy/configure the settings in ESET business products
Click Settings, and in the Select product... drop-down menu, select one of the following ESET business products with HIPS:
ESET Endpoint for Windows.
ESET File Security for Windows Server (V6+).
ESET Mail Security for Microsoft Exchange (V6+).
Figure 1-1
Click Detection Engine (Computer in ESET Mail Security for Microsoft Exchange Server) → HIPS. Click Edit next to Rules.
Figure 1-2
Click the option (I. to VII.) to expand each section below to create the HIPS rules for the suggested processes.
I. Deny processes from script executables
In the HIPS rules window, click Add.
Figure 2-1
Type Deny child processes from script executables into the Rule name field. From the Action drop-down menu, select Block. Click the toggle next to Applications, Enabled, and Notify user to enable these settings. From the Logging severity drop-down menu, select Warning and click Next.
Figure 2-2
In the Source applications window, click Add and type in the following names, clicking OK → Add after each one:
C:\Windows\System32\wscript.exe
C:\Windows\System32\cscript.exe
C:\Windows\SysWOW64\wscript.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\System32\ntvdm.exe
Click Next.
Figure 2-3
In the Application operations window, click the toggle next to Start new application to enable it and click Next.
Figure 2-4
Select All applications from the drop-down menu and click Finish.
Figure 2-5
Leave the HIPS rules window open and continue to the next section.
II. Deny script processes started by explorer
In the HIPS rules window, click Add.
Type Deny script processes started by explorer into the Rule name field.
From the Action drop-down menu, select Block.
Click the toggle next to:
From the Logging severity drop-down menu, select Warning and click Next.
Figure 3-1
In the Source applications window, click Add, type C:\Windows\explorer.exe into the Specify file path field, and then click OK → Next.
Figure 3-2
In the Application operations window, click the toggle next to Start new application to enable it and click Next.
Figure 3-3
In the Applications window, click Add and type in the following names, clicking OK → Add after each one:
C:\Windows\System32\wscript.exe
C:\Windows\System32\cscript.exe
C:\Windows\SysWOW64\wscript.exe
C:\Windows\SysWOW64\cscript.exe
Click Finish.
Figure 3-4
Leave the HIPS rules window open and continue to the next section.
III. Deny child processes from Office 2013/2016 processes
In the HIPS rules window, click Add.
Type Deny child processes from Office 2013 processes into the Rule name field. From the Action drop-down menu, select Block. Click the toggle next to Applications, Enabled, and Notify user to enable these settings. From the Logging severity drop-down menu, select Warning and click Next.
Figure 4-1
In the Source applications window, click Add and type in the following names, clicking OK → Add after each one:
In the Application operations window, click the toggle next to Start new application to enable it and click Next.
Figure 8-3
Select All applications from the drop-down menu and click Finish.
In the HIPS rules window, click OK. Expand Assign to assign the policy to a client or group; otherwise, click Finish in the New Policy – Settings screen. If assigned, your policy settings will be applied to the target groups or client computers once they check in to ESET PROTECT or ESET PROTECT On-Prem.
If you are using an ESET business product without remote management, click OK twice.
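To make the combined effect of rules I to III concrete, the following added example (not ESET's code or policy format) models each rule as its source applications, the Start new application operation and its target applications, and applies the set to constructed process-start events; the Office executable path is a placeholder, since that list is not reproduced in this article.

```python
"""Model of this article's three HIPS Block rules, applied to constructed
process-start events (added example, not ESET code)."""
import re
from typing import FrozenSet, List, NamedTuple, Optional, Tuple

def _norm(path: str) -> str:
    """HIPS matches on file path; compare case-insensitively with backslashes."""
    return path.replace("/", "\\").lower()

class HipsRule(NamedTuple):
    name: str
    sources: FrozenSet[str]            # "Source applications"
    targets: Optional[FrozenSet[str]]  # None == "All applications" target

SCRIPT_HOSTS = frozenset(map(_norm, (
    r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\cscript.exe",
    r"C:\Windows\SysWOW64\wscript.exe", r"C:\Windows\SysWOW64\cscript.exe")))
# The article does not reproduce its Office executable list: placeholder path.
OFFICE_APPS = frozenset({_norm(r"C:\OFFICE_INSTALL_PLACEHOLDER\WINWORD.EXE")})

# Action is Block and the operation is "Start new application" for all three.
RULES = [
    HipsRule("Deny child processes from script executables",
             SCRIPT_HOSTS | {_norm(r"C:\Windows\System32\ntvdm.exe")}, None),
    HipsRule("Deny script processes started by explorer",
             frozenset({_norm(r"C:\Windows\explorer.exe")}), SCRIPT_HOSTS),
    HipsRule("Deny child processes from Office 2013 processes", OFFICE_APPS, None),
]

def evaluate(parent: str, child: str) -> List[str]:
    """Names of the rules that would block `parent` starting `child`."""
    return [r.name for r in RULES
            if _norm(parent) in r.sources
            and (r.targets is None or _norm(child) in r.targets)]

# Constructed process-creation log lines (not real telemetry).
EVENT_RE = re.compile(r'parent="([^"]+)" child="([^"]+)"')
SAMPLE_LOG = [
    r'parent="C:\Windows\System32\wscript.exe" child="C:\Windows\System32\cmd.exe"',
    r'parent="C:\Windows\explorer.exe" child="C:\Windows\SysWOW64\WSCRIPT.EXE"',
    r'parent="C:\Windows\explorer.exe" child="C:\Windows\System32\notepad.exe"',
]

def triage(lines) -> List[Tuple[str, str, List[str]]]:
    """(parent, child, blocking rules) per parsed event; [] means HIPS allows it."""
    return [(m.group(1), m.group(2), evaluate(m.group(1), m.group(2)))
            for m in map(EVENT_RE.search, lines) if m]
```

Running `triage(SAMPLE_LOG)` shows the first two events blocked by rules I and II respectively and the third allowed, which is the behaviour to confirm in the HIPS log of a test system before rolling the policy out.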
Download and import the ESET PROTECT Policy
The ESET PROTECT Policy for ESET business products with additional HIPS settings to protect against ransomware malware (filecoder) can be downloaded and imported from the links below. The ESET PROTECT Policy is available only for the latest version of ESET products. Compatibility with earlier versions cannot be guaranteed.
Download the Additional HIPS Protection ESET PROTECT Policy for: