[KB8018] Create a HIPS rule and enforce it on a client workstation using ESET PROTECT On-Prem

Details

Required user permissions

This article assumes that you have the appropriate access rights and permissions to perform the tasks below.

If you use the default Administrator user or are unable to perform the tasks below (the option is unavailable), create a second administrator user with all access rights.

ESET's Host-based Intrusion Prevention System (HIPS) is included in ESET Endpoint Security, ESET Endpoint Antivirus, ESET Mail Security for Microsoft Exchange, and ESET File Security for Microsoft Windows Server.

HIPS monitors system activity and uses a set of pre-defined rules to recognize suspicious system behavior. When this type of activity is identified, the HIPS self-defense mechanism stops the offending program or process from carrying out the potentially harmful activity. Changes to the Enable HIPS and Enable Self-defense settings take effect after the Windows operating system is restarted.

Solution

Endpoint users: Perform these steps on individual client workstations

Manipulation of HIPS rules

By default, HIPS is pre-configured to provide maximum protection of your system. Creating a HIPS rule may be necessary to resolve an issue in certain infrequent cases, but manipulating HIPS rules requires advanced knowledge of the applications and operating systems involved and is not recommended. A rule that is too broad can block legitimate software as readily as malicious software.

  1. Open ESET PROTECT On-Prem in your web browser and log in.

  2. Click Policies and select the built-in policy that you want to modify. Select the check box next to the default policy for clients and click Actions → Edit.
Figure 1-1

  3. Click Settings, expand Detection Engine, click HIPS, and then click Edit next to Rules.
Figure 1-2

  4. Click Add. In the dialog window, configure your rule. In this example, operations affecting registry entries are blocked, and the end user is notified whenever HIPS blocks such an operation. Click Next when you have finished configuring the rule.
Figure 1-3

  5. In the Source applications window, select the desired option from the drop-down menu. In this example, All applications is selected, so the rule applies to every application on the computer; the registry operations it blocks are specified in the next steps. Click Next.
Figure 1-4

  6. In the Registry operations window, specify which operations trigger this rule. In this example, Delete from registry is selected. Click Next.
Figure 1-5

  7. In the Registry entries window, select the desired option from the drop-down menu. In this example, All entries is selected, so the rule blocks the deletion of any registry entry by any application. A rule this broad also prevents legitimate software (installers, uninstallers and Windows components) from removing registry entries; it is used here only to illustrate the procedure. Click Finish.
Figure 1-6

  8. Click OK to save the rule.
Figure 1-7

  9. Click the drop-down menu next to Edit and select how the HIPS rules defined by this policy interact with HIPS rules already present on the assigned computers. In this example, Replace is selected for both options, so the rule list in the policy overwrites any HIPS rules previously defined on those computers, including rules created locally. Click Finish.
Figure 1-8

Computers assigned to the policy that you modified receive the new HIPS rule the next time they connect to the ESET PROTECT Server.
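To confirm that the rule from the example above is actually enforced on a client, run a small probe on an assigned workstation after it has connected to the server. The following PowerShell script is an added example and is not part of the ESET article or ESET's own tooling. It assumes that a registry delete blocked by HIPS is reported to the calling process as an error (typically access denied); the key name HipsRuleCheck is an arbitrary throwaway location chosen for the test.

```powershell
# Added verification probe (not from the ESET article). Run in a normal user
# session on a client assigned to the modified policy.
# Assumption: a registry delete that HIPS blocks surfaces to the caller as an
# error (typically access denied). The key below is an arbitrary test location.
$TestKey   = 'HKCU:\Software\HipsRuleCheck'
$TestValue = 'Probe'

# 1. Creating the key and value must succeed: the example rule blocks only the
#    Delete from registry operation, not writes. If this step fails, the
#    problem is not the HIPS rule.
New-Item -Path $TestKey -Force | Out-Null
Set-ItemProperty -Path $TestKey -Name $TestValue -Value 'x'

# 2. Attempt the operation the rule is meant to block. With the example rule in
#    force the end user also sees a HIPS notification at this point.
$deleted = $false
try {
    Remove-ItemProperty -Path $TestKey -Name $TestValue -ErrorAction Stop
    $remaining = Get-ItemProperty -Path $TestKey -Name $TestValue -ErrorAction SilentlyContinue
    $deleted = ($null -eq $remaining)
} catch {
    Write-Host "Delete refused by the operating system: $($_.Exception.Message)"
}

# 3. Report the result.
if ($deleted) {
    Write-Warning 'Value was deleted: the HIPS rule is NOT enforced on this client (policy not yet received, or computer not assigned to the policy).'
} else {
    Write-Host 'Value is still present: the deletion was blocked, consistent with the HIPS rule.'
}

# 4. Clean-up. While the rule is in force this deletion is blocked as well;
#    remove or narrow the rule before deleting the test key.
Remove-Item -Path $TestKey -Recurse -ErrorAction SilentlyContinue
```

If the probe reports that the value was deleted, check in ESET PROTECT that the computer is assigned to the policy and has connected since the policy was saved, then re-run the probe. Because the example rule covers all applications and all entries, the clean-up in step 4 is itself blocked; this is the same effect the rule has on any installer or uninstaller on that client, which is why a rule this broad should not be left in place outside a test.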