HIPS help
Use this dialog box to create and edit a HIPS setting (configuration file). When creating HIPS settings, you first define the general requirements and actions, and then add specific file certifications. You can create as many HIPS settings as you like and edit them at any time.
If you want to modify the device default HIPS settings without reinstalling the HIPS agent or redeploying a full agent configuration, make your changes to any of the options on the HIPS settings dialog box, assign the new settings to a change settings task, and then deploy the change settings task to targeted devices.
This dialog box contains the following pages:
- About the HIPS: General settings page
- About the HIPS: Mode configuration page
- About the HIPS: File protection rules page
- About the HIPS: Configure file protection rule dialog box
About the HIPS: General settings page
Use this page to configure the general protection settings and actions for HIPS.
This page contains the following options:
- Name: Identifies the HIPS settings with a unique name. This name appears in the HIPS settings list on an install or update security components task dialog box.
- Protection settings: There are two types of protection: HIPS and whitelist. You can select one or both. Both protection types use the same operating mode, which is selected on the Mode configuration page. (NOTE: There is one exception to this general protection enforcement. If you specify the Learn protection mode and have the Whitelist only learning option selected, whitelist applications only are learned and HIPS protection is set to the automatic blocking mode.)
- Enable host intrusion prevention: Turns on HIPS protection. This allows all programs to run (except when the program operation threatens system security) as defined by predefined protection rules. You can grant special rights to program files via trusted file lists by configuring custom file certifications. HIPS protection observes application behavior (whether the application is allowed to modify another executable, modify the registry, and so on) and enforces security rules.
- Use Buffer Overflow Protection: Protects devices from system memory exploits that take advantage of a program or process that is waiting on user input.
NOTE: Buffer Overflow Protection (BOP) can be enabled on a 32-bit Windows device regardless of whether the processor has NX/XD (No eXecute / eXecute Disable) support. If the processor doesn't have NX/XD support, it is emulated. However, if the processor has NX/XD support but it's turned off in either the BIOS or boot configuration, BOP can't be enabled. Note that the Endpoint Security client displays whether BOP is enabled or disabled on the end user device. BOP is not supported on 64-bit Windows devices because the Kernel Patch Protection (KPP) feature prevents patching the kernel.
IMPORTANT: We strongly recommend that you first test Buffer Overflow Protection (BOP) on your specific hardware configurations before doing a wide-scale deployment to the managed devices on your network. Some configurations of older processors (prior to Pentium 4 with HT or HyperThreading) running certain Windows OS versions may not fully support Buffer Overflow Protection.
- Enable whitelist protection: When selected, only those applications that are in a trusted file list, and whose file certification has the allow execution option enabled, are allowed to run.
- Prevent Windows Explorer from modifying or deleting executable files: Enable this option if you don't want Windows Explorer to be able to modify or delete any executable files.
- Action to take: Determines the action taken when a program is added to the device's Startup folder. This option provides a second line of defense for authorizing processes in the system startup folder. HIPS monitors the contents of startup and if it finds a new process, it performs the action you select (Alert and prompt for action; Always allow the program to run; or Remove the program from the Startup without alerting).
- Set as default: Assigns this setting as the default setting for tasks that use HIPS settings.
- ID: Identifies this particular setting. This information is stored in the database and can be used to keep track of each setting.
- Save: Saves your changes and closes the dialog box.
- Cancel: Closes the dialog box without saving your changes.
About the HIPS: Mode configuration page
Use this page to configure the operating mode of HIPS protection.
This page contains the following options:
- Host intrusion prevention mode: Specifies protection behavior when HIPS protection is enabled. When HIPS mode is enabled, you can choose from one of the following operating methods.
- Blocking: Security violations are blocked, and ARE recorded in an action history file on the core server.
- Learning: All application security violations are allowed, but application behavior is observed (or learned) and that information is sent back to the core database in a Trusted File List. Use this mode of operation to discover application behavior on a specific device or set of devices, and then use that information to customize your HIPS policies before deploying them and enforcing HIPS protection throughout the network.
- Log only: Security violations are allowed, and ARE recorded in an action history file on the core server.
- Silent: Security violations are blocked, and are NOT recorded in an action history file on the core server.
- Whitelist mode: Specifies protection behavior when whitelist protection is enabled. Whitelist protection means that only applications in a Trusted File List, and with the whitelist designation (applications whose file certification has the allow execution option enabled), are allowed to run and are learned. When Whitelist mode is enabled, you can choose from one of the following operating methods.
- Blocking: Security violations are blocked, and ARE recorded in an action history file on the core server.
- Learning: All application security violations are allowed, but application behavior is observed (or learned) and that information is sent back to the core database in a Trusted File List. Use this mode of operation to discover application behavior on a specific device or set of devices, and then use that information to customize your HIPS policies before deploying them and enforcing HIPS protection throughout the network.
- Log only: Security violations are allowed, and ARE recorded in an action history file on the core server.
- Silent: Security violations are blocked, and are NOT recorded in an action history file on the core server.
About the HIPS: File protection rules page
Use this page to view, manage, and prioritize file protection rules. File protection rules are a set of restrictions that prevent specified executable programs from performing certain actions on specified files. With file protection rules, you can allow or deny access, modification, creation, and execution by any program on any file.
This dialog box contains the following options:
- Protection rules: Lists all of the predefined (default) file protection rules provided by LANDesk, as well as all of the file protection rules that you've created.
- Rule name: Identifies the file protection rule.
- Restrictions: Displays the specific actions by programs on files that are restricted by the file protection rule.
- Programs: Displays the executable programs that are protected by the protection rule.
- Move Up \ Down: Determines the priority of the file protection rule. A file protection rule higher in the list takes precedence over a rule that is lower in the list. For example, you could create a rule that restricts a program from accessing and modifying a certain file or file type, and then create another rule that allows an exception to that restriction for one or more named programs. As long as the second rule is higher in the list of rules, it will take effect.
- Reset: Restores the predefined (default) file protection rules that are provided by LANDESK.
- Add: Opens the Configure file protection rule dialog box where you can add and remove programs and files and specify the restrictions.
- Edit: Opens the Configure file protection rule dialog box where you can edit an existing file protection rule.
- Delete: Removes the file protection rule from the database.
NOTE: File protection rules are stored in the FILEWALL.XML file, located in: ProgramFiles\Landesk\ManagementSuite\ldlogon\AgentBehaviors\Hips_Behavior.ZIP
About the HIPS: Configure file protection rule dialog box
Use this page to configure file protection rules.
This dialog box contains the following options:
- Rule name: Identifies the file protection rule with a descriptive name.
- Monitored programs
- All programs: Specifies that all executable programs are restricted from performing the actions selected below on the files specified below.
- Programs named: Specifies that only the executable programs in the list have the restrictions selected below applied to them.
- Add: Lets you choose which programs are restricted by the file protection rule. You can use filenames and wildcards.
- Edit: Lets you modify the program name.
- Delete: Removes the program from the list.
- Exceptions
- Allow exceptions for certified programs: Allows any of the executable programs that currently belong to your list of certified files to bypass the restrictions associated with this file protection rule.
- Protect files
- Any file: Specifies that all files are protected from the programs specified above according to their restrictions.
- Files named: Specifies that only the files in the list are protected.
- Add: Lets you choose which file or files are protected by the rule. You can use filenames or wildcards.
- Edit: Lets you modify the file name.
- Delete: Removes the file from the list.
- Apply to sub-directories too: Enforces the file protection rules to any subdirectories of a named directory.
- Restricted actions on protected files
- Read access: Prevents the programs specified above from accessing the protected files.
- Modification: Prevents the programs specified above from making any changes to the protected files.
- Creation: Prevents the programs specified above from creating the protected files.
- Execution: Prevents the programs specified above from running the protected files.
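The following Python script is an added example, not LANDesk code and not a reader of the FILEWALL.XML format, which this page does not describe. It models how the options on the File protection rules page and the Configure file protection rule dialog box fit together: rule order as priority (Move Up \ Down), All programs / Programs named and Any file / Files named with wildcards, Apply to sub-directories too, the certified-program exception, the four restricted actions, and finally the HIPS operating modes from the Mode configuration page, which decide whether a violation is blocked and whether it is recorded. The precedence model (the highest matching rule decides and lower rules are not consulted) and the rule names, programs and paths in SAMPLE_RULES are assumptions constructed for the example.

```python
"""Toy evaluator for HIPS-style file protection rules (added example, not LANDesk code)."""
from __future__ import annotations
from dataclasses import dataclass
from fnmatch import fnmatchcase
import ntpath

# Restricted actions, named as on the Configure file protection rule dialog box.
READ, MODIFY, CREATE, EXECUTE = "read access", "modification", "creation", "execution"

# Operating mode -> (violations blocked?, violations recorded?), per the Mode configuration page.
MODES = {
    "blocking": (True, True),
    "learning": (False, True),   # allowed, but the behaviour is learned (recorded)
    "log only": (False, True),
    "silent": (True, False),
}


@dataclass
class Rule:
    name: str
    programs: list[str] | None     # None = "All programs", else wildcard names or paths
    files: list[str] | None        # None = "Any file", else wildcard paths
    restrictions: set[str]         # empty = exception rule that restricts nothing
    apply_to_subdirs: bool = False
    allow_certified: bool = False


def _match_program(pattern: str, program: str) -> bool:
    # Windows paths are case-insensitive; a bare pattern like "updater.exe" matches the file name.
    pat, prog = ntpath.normcase(pattern), ntpath.normcase(program)
    return fnmatchcase(prog, pat) or fnmatchcase(ntpath.basename(prog), pat)


def _match_file(pattern: str, path: str, subdirs: bool) -> bool:
    pat_dir, pat_name = ntpath.split(ntpath.normcase(pattern))
    f_dir, f_name = ntpath.split(ntpath.normcase(path))
    if not fnmatchcase(f_name, pat_name):
        return False
    if not pat_dir or fnmatchcase(f_dir, pat_dir):
        return True                         # bare name pattern, or same directory
    # "Apply to sub-directories too": anything below the named directory also matches.
    return subdirs and fnmatchcase(f_dir, pat_dir.rstrip("\\") + "\\*")


def evaluate(rules, program, path, action, certified=frozenset()):
    """Return (rule name, violation?) for the first rule in list order that matches.

    Assumed precedence model: the rule highest in the list that matches both the
    program and the file decides, and lower rules are never consulted. That is how
    a higher exception rule (empty restriction set) overrides a broader rule below it.
    """
    certified_norm = {ntpath.normcase(c) for c in certified}
    for rule in rules:
        if rule.programs is not None and not any(_match_program(p, program) for p in rule.programs):
            continue
        if rule.files is not None and not any(_match_file(f, path, rule.apply_to_subdirs) for f in rule.files):
            continue
        if rule.allow_certified and ntpath.normcase(program) in certified_norm:
            continue                        # certified program bypasses this rule's restrictions
        return rule.name, action in rule.restrictions
    return None, False                      # no rule applies: nothing is restricted


def enforce(rules, mode, program, path, action, certified=frozenset()):
    """Combine the rule verdict with the HIPS operating mode (block? record?)."""
    rule, violation = evaluate(rules, program, path, action, certified)
    block, record = MODES[mode]
    return {"rule": rule, "violation": violation,
            "blocked": violation and block, "recorded": violation and record}


# Constructed sample rule list; the rule names, programs and paths are illustrative only.
SAMPLE_RULES = [
    # Exception placed highest so it wins: the updater may change the application DLLs.
    Rule("Updater exception", ["updater.exe"], [r"C:\Program Files\App\*.dll"], set(), apply_to_subdirs=True),
    Rule("Protect App DLLs", None, [r"C:\Program Files\App\*.dll"], {MODIFY, CREATE},
         apply_to_subdirs=True, allow_certified=True),
    Rule("No scripts from Downloads", None,
         [r"C:\Users\*\Downloads\*.js", r"C:\Users\*\Downloads\*.vbs"], {EXECUTE}),
]

if __name__ == "__main__":
    # An unknown program modifying a DLL in a subdirectory of the protected folder, in blocking mode.
    print(enforce(SAMPLE_RULES, "blocking", r"C:\Temp\dropper.exe",
                  r"C:\Program Files\App\plugins\x.dll", MODIFY))
```

Moving "Updater exception" below "Protect App DLLs" in SAMPLE_RULES makes the updater's modification a violation again, which is the behaviour the Move Up \ Down option describes. Switching the mode string between "blocking", "log only" and "silent" changes only the blocked/recorded flags, not which rule matched.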