Eset - Configure the HIPS (Intrusion Prevention System)

December 2016


In this tip, you will learn how to configure the HIPS feature of Eset NOD 32 Antivirus, for better security.

What is HIPS?


The Intrusion Prevention System (IPS) is an advanced tool for information systems security, similar to the IDS, which aims to reduce the impact of an attack. It is an active IDS (intrusion detection system) which detects automated scanning of ports and block them if needed. IPS can therefore counter the known and unknown attacks.

How to access this feature?


The HIPS was integrated into ESET (antivirus Smart Security) since version 5 and can be configure to meet your custom security requirements:
To access it:
  • Open Eset (double-click on the system tray icon).
  • Press F5 to access Eset advanced settings.

The different modes


Eset HIPS has several modes of operation:

Automatic mode with rules

  • This is the default setting:
  • Order of evaluation: rules, authorization
  • This means that if no rule exists for the current action, then it is allowed.
  • Example: You install a program (with the option to be launched at startup), it will write instruction in the registry.
  • Now if you create a rule that requires an authorization to modify the registry, then the HIPS feature will prompt you with a small notification, during the installation of the program.

Interactive Mode

  • Evaluation order: rules,ask, allow on failure
  • It takes advantage of the first mode. If an action is triggered and there are no related rules for it, then the user will be prompted to accept or reject (temporarily or permanently) the action.

Policy-based mode

  • Evaluation order: rules, block
  • This mode is useful for a system administrator, who can create autorization rules.

Learning Mode

  • Evaluation order: rules, creating allowing rule
  • This mode is special, for a defined number of days you can ask the software to create authorization rules are for actions performed on your System. It will then switch in Policy-based mode.
  • However, it must be used with caution and on a healthy machine!

Creating custom rules


As you have seen above, there are different modes of operation.We will keep the default mode (Automatic mode), which allow everything except the actions defined in rules, where it will ask permission.

Here below, some basic rules to secure your system:

Rule 1: Ask for permission to start software at Windows Startup!

  • Click on "Configure rules":
  • A rule is already present (registry and drivers), dont't touch it. Click New ... bottom left
  • Give a name to the rule (Startup) and go to the "Target regsitry" tab:
  • Check "Modify startup settings" and click on OK to validate.
  • For all operations (create, modify, delete ...) made to the registry key related to system startup, an authorization request will be made.

Rule 2: Deny access to the Hosts file

  • Read this before proceeding: Edit the hosts file
  • We will therefore block access to this file, to prevent infection.
  • Click on "Configure rules":
  • Give a name to the rule (Hosts) and go to the "Target files" tab:
  • Check "Write to file" and in the adjacent field, enter the path to the host file:
  • Save your settings.

Original document published on CommentcaMarche.net.

Related :

This document entitled « Eset - Configure the HIPS (Intrusion Prevention System) » from CCM (ccm.net) is made available under the Creative Commons license. You can copy, modify copies of this page, under the conditions stipulated by the license, as this note appears clearly.