[KB8018] Create a HIPS rule and enforce it on a client workstation using ESET PROTECT On-Prem

ESET's Host-based Intrusion Prevention System (HIPS) is included in ESET Endpoint Security, ESET Endpoint Antivirus, ESET Mail Security for Microsoft Exchange, and ESET File Security for Microsoft Windows Server.

HIPS monitors system activity and uses a set of pre-defined rules to recognize suspicious system behavior. When this type of activity is identified, the HIPS self-defense mechanism stops the offending program or process from carrying out the potentially harmful activity. Changes to the Enable HIPS and Enable Self-defense settings take effect after the Windows operating system is restarted.

 Endpoint users: Perform these steps on individual client workstations

1. Open the ESET PROTECT Web Console.

2. Click Policies and select the Built-in policy that you want to modify. Select the check box next to the default policy for clients and click Actions → Edit.

3. Click Settings, expand Detection Engine, click HIPS, and then click Edit next to Rules.

4. Click Add. In the dialog window, configure your rule. In this example, operations affecting registry entries are blocked, and the end-user will be notified when this action is performed by the HIPS module. Click Next when you are finished configuring the rule.

5. In the Source applications window, select your desired option from the drop-down menu. In this example, All applications option is selected, so the HIPS rule will block any application that attempts to modify registry values. Click Next.

6. In the Registry operations window, specify which operations will trigger this rule. In this example, Delete from registry is selected. Click Next.

7. In the Registry entries window, select your desired option from the drop-down menu. In this example, All entries is selected, so the rule blocks the deletion of any registry entries. Click Finish.

8. Click OK to save the rule.

9. Click the drop-down menu next to Edit and select how HIPS rules defined by this policy will interact with previously defined HIPS rules on the assigned computers. In this example, Replace is selected for both options. Click Finish.