[KB7249] Create a HIPS rule and enforce it on a client workstation in ESET endpoint products (7.3 – 9.x)

Details

The Host-based Intrusion Prevention System (HIPS) monitors events inside the operating system and reacts to them according to a set of pre-defined rules designed to recognize suspicious system behavior. When this type of activity is identified, the HIPS self-defense mechanism stops the offending program or process from carrying out a potentially harmful activity. Additional HIPS rules can be defined manually by the user.

Solution

ESET PROTECT users: Perform these steps in ESET PROTECT

Advanced users only!

By default, the Host-based Intrusion Prevention System (HIPS) is pre-configured to ensure maximum protection of your system. While the creation of a HIPS rule may be needed to resolve an issue in certain infrequent cases, the manipulation of HIPS rules requires advanced knowledge of applications and operating systems and is not recommended.

  1. Open the main program window of your Windows ESET product.

  2. Press the F5 key to access Advanced setup.

  3. Click Detection Engine → HIPS and then click Edit next to Rules.
Figure 1-1
  4. Click Add.
Figure 1-2
  5. Configure your rule. In this example, we are blocking operations affecting applications and the user will be notified of the action. Click Next.
Figure 1-3
  6. In the Source applications window, select your desired option from the drop-down menu. In this example, the HIPS rule will block any application that attempts to modify registry values. Click Next.
Figure 1-4
  7. In the Application operation window, click the slider bar next to the operation(s) you want to block. In this example, the HIPS rule will block any application that attempts to debug another application. Click Next.
Figure 1-5
  8. In the Applications window, select your desired option from the drop-down menu. In this example, the rule will apply to all applications. Click Finish.
Figure 1-6
  9. Click OK → OK. Restart your Windows operating system for the changes to take effect.

If assigned an ESET PROTECT/ESMC policy

If this computer is assigned an ESET PROTECT/ESMC policy that defines a set of HIPS rules, that policy will overwrite any rules you define on the individual computer.

Figure 1-7