[KB7249] Create a HIPS rule and enforce it on a client workstation in ESET Endpoint products (7.x)

Details

ESET's Host-based Intrusion Prevention System (HIPS) is included in ESET Endpoint Security, ESET Endpoint Antivirus, ESET Mail Security for Microsoft Exchange, and ESET File Security for Microsoft Windows Server. HIPS monitors system activity and uses a set of pre-defined rules to recognize suspicious system behavior. When such activity is identified, HIPS stops the offending program or process from carrying out the potentially harmful operation; the separate Self-defense mechanism protects the ESET product's own processes and settings from tampering. Changes to the Enable HIPS and Enable Self-defense settings take effect only after the Windows operating system is restarted.

Solution

ESET Security Management Center (ESMC) users: Perform these steps in ESMC.

Advanced users only!

By default, the Host-based Intrusion Prevention System (HIPS) is pre-configured to ensure maximum protection of your system. Creating a custom HIPS rule may be needed to resolve an issue in certain infrequent cases, but editing HIPS rules requires advanced knowledge of applications and operating systems and is not recommended for most users. A rule that is too broad can block legitimate software; a rule that is too permissive can weaken protection.

  1. Open the main program window of your Windows ESET product.

  2. Press the F5 key to access Advanced setup.
     
  3. Click Detection Engine → HIPS and then click Edit next to Rules.

    Figure 1-1
     

  4. Click Add.

    Figure 1-2
     

  5. Configure your rule. In this example, the rule blocks operations affecting applications and notifies the user when it fires. Click Next.

    Figure 1-3
     

  6. In the Source applications window, select your desired option from the drop-down menu. This sets which applications the rule watches as the source of the operation. Click Next.

    Figure 1-4
     

  7. In the Application operation window, click the slider bar next to each operation you want to block. In this example, the HIPS rule will block any application that attempts to debug another application. Click Next.

    Figure 1-5

  8. In the Applications window, select your desired option from the drop-down menu. This sets which applications the rule protects as the target of the operation. In this example, the rule will apply to all applications. Click Finish.

    Figure 1-6

  9. Click OK to save the new HIPS rule and then click OK again to exit Advanced setup. The change takes effect after the Windows operating system is restarted.

    If assigned an ESMC policy

    If this computer is assigned an ESMC policy that defines a set of HIPS rules, the policy takes precedence and overrides any rules you define locally on the individual computer.

    Figure 1-7
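After the restart, it is worth confirming that the rule built above (block any application that attempts to debug another application) actually fires before relying on it. The script below is an added verification example, not part of the ESET article or an ESET tool: it starts a harmless dummy target (notepad.exe is an assumption; any process you can kill safely will do), calls the Win32 DebugActiveProcess API against it from PowerShell, and reports whether the attach succeeded or was refused. Run it from an elevated PowerShell prompt on the workstation where the rule was created.

```powershell
# Added example: verify that the HIPS rule blocking debug operations is in effect.
# Not ESET code. Assumes notepad.exe as a disposable target process and that a
# HIPS denial surfaces as a failed DebugActiveProcess call.

$signature = @"
using System;
using System.Runtime.InteropServices;
public static class DbgProbe {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool DebugActiveProcess(uint dwProcessId);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool DebugActiveProcessStop(uint dwProcessId);
}
"@
Add-Type -TypeDefinition $signature

# Start a disposable target so the test never touches a real application.
$target = Start-Process -FilePath "notepad.exe" -PassThru
Start-Sleep -Seconds 1

try {
    # This is the operation the HIPS rule is meant to block: one process
    # attaching a debugger to another.
    $attached = [DbgProbe]::DebugActiveProcess([uint32]$target.Id)
    $win32Error = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()

    if ($attached) {
        Write-Host "Attach to PID $($target.Id) SUCCEEDED: the HIPS rule is not blocking debug operations."
        # Detach so the target is not killed when this debugger exits.
        [void][DbgProbe]::DebugActiveProcessStop([uint32]$target.Id)
    } else {
        Write-Host "Attach to PID $($target.Id) FAILED (Win32 error $win32Error): consistent with the HIPS rule blocking it."
    }
}
finally {
    # Always clean up the dummy target.
    Stop-Process -Id $target.Id -Force -ErrorAction SilentlyContinue
}
```

Because the rule was created with user notification enabled, a successful block should also produce an ESET HIPS notification on the desktop and an entry in the product's HIPS log; if the attach succeeds with no notification, check that Windows has been restarted since the rule was saved, and that no ESMC policy is overriding the local rule set. The Win32 error code is reported on a best-effort basis, since PowerShell may make other API calls between the probe and the GetLastWin32Error read.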