
Eset - Configure the HIPS (Intrusion Prevention System)
June 2014

In this tip, you will learn how to configure the HIPS feature of Eset NOD 32 Antivirus, for better
security.

What is HIPS?
The Intrusion Prevention System (IPS) is an advanced tool for information systems security,
similar to the IDS, which aims to reduce the impact of an attack. It is an active IDS (intrusion
detection system) that detects automated port scans and blocks them if needed. An IPS can
therefore counter both known and unknown attacks.

How to access this feature?


HIPS has been integrated into ESET (antivirus Smart Security) since version 5 and can be
configured to meet your custom security requirements. To access it:
Open Eset (double-click on the system tray icon).
Press F5 to access Eset advanced settings.

The different modes


Eset HIPS has several modes of operation:

Automatic mode with rules

This is the default setting:


Order of evaluation: rules, authorization
This means that if no rule exists for the current action, then it is allowed.
Example: You install a program (with the option to be launched at startup); it will write
an instruction to the registry.
Now, if you create a rule that requires authorization to modify the registry, the HIPS
feature will prompt you with a small notification during the installation of the program.

Interactive Mode

Evaluation order: rules, ask, allow on failure


It builds on the first mode. If an action is triggered and no rule applies to it,
the user is prompted to accept or reject the action (temporarily or permanently).

Policy-based mode

Evaluation order: rules, block


This mode is useful for a system administrator, who can create authorization rules.

Learning Mode

Evaluation order: rules, creating allowing rule


This mode is special: for a defined number of days, you can ask the software to create
authorization rules for the actions performed on your system. It will then switch to Policy-based mode.
However, it must be used with caution and on a healthy machine!
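
A simplified model of the four evaluation orders above, added here as an illustration and not ESET's own code; the rule fields and the operation and target names are assumptions. It shows why Learning mode needs a healthy machine: whatever runs during the learning period becomes an allow rule that survives the switch to Policy-based mode.

```python
# Simplified model of the evaluation orders described above (added example,
# not ESET's code). Rule fields and operation/target names are assumptions.
from dataclasses import dataclass, field

@dataclass
class Rule:
    operation: str  # e.g. "registry_write", "file_write"
    target: str     # e.g. "startup_settings", "hosts_file"
    action: str     # "allow", "block" or "ask"

@dataclass
class Hips:
    mode: str  # "automatic", "interactive", "policy" or "learning"
    rules: list = field(default_factory=list)

    def evaluate(self, operation, target):
        """Return "allow", "block" or "ask" (prompt the user)."""
        # Every mode checks the explicit rules first.
        for rule in self.rules:
            if (rule.operation, rule.target) == (operation, target):
                return rule.action
        # No rule matched: the mode supplies the fallback.
        if self.mode == "automatic":
            return "allow"
        if self.mode == "interactive":
            return "ask"  # the page adds: allowed if the prompt fails
        if self.mode == "policy":
            return "block"
        if self.mode == "learning":
            # Learning records an allow rule for whatever it observes.
            self.rules.append(Rule(operation, target, "allow"))
            return "allow"
        raise ValueError(f"unknown mode: {self.mode}")

def demo():
    startup = ("registry_write", "startup_settings")
    hosts = ("file_write", "hosts_file")
    ask_startup = Rule(*startup, "ask")
    # Same unmatched action, three different fallbacks.
    out = {m: Hips(m, [ask_startup]).evaluate(*hosts)
           for m in ("automatic", "interactive", "policy")}
    out["automatic_startup"] = Hips("automatic", [ask_startup]).evaluate(*startup)
    # Constructed case: learning runs while something writes to the hosts file.
    learner = Hips("learning")
    learner.evaluate(*hosts)
    learner.mode = "policy"  # learning period over
    out["learned_hosts"] = learner.evaluate(*hosts)      # still allowed
    out["unseen_startup"] = learner.evaluate(*startup)   # blocked
    return out

if __name__ == "__main__":
    print(demo())
```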

Creating custom rules

As you have seen above, there are different modes of operation. We will keep the default mode
(Automatic mode), which allows everything except the actions defined in rules, for which it will ask
permission. Below are some basic rules to secure your system:

Rule 1: Ask for permission to start software at Windows Startup!


Click on "Configure rules":

A rule is already present (registry and drivers); don't touch it. Click "New..." at the bottom left.

Give a name to the rule (Startup) and go to the "Target registry" tab:
Check "Modify startup settings" and click on OK to validate.

For all operations (create, modify, delete ...) made to the registry key related to system
startup, an authorization request will be made.

Rule 2: Deny access to the Hosts file


Read this before proceeding: Edit the hosts file
We will therefore block access to this file, to prevent infection.
Click on "Configure rules":
Give a name to the rule (Hosts) and go to the "Target files" tab:
Check "Write to file" and in the adjacent field, enter the path to the hosts file:

Save your settings.


Original document published on CommentcaMarche.net.

This document entitled Eset - Configure the HIPS (Intrusion Prevention System) from Kioskea (en.kioskea.net) is
made available under the Creative Commons license. You can copy, modify copies of this page, under the conditions
stipulated by the license, as long as this note appears clearly.
