4 Replies Latest reply on Jan 18, 2014 10:05 AM by petersimmons

    VSE and HIPS 8 Access protection

    Attila Polinger

      Hello all,

       

      I am wondering if it is explicitly recommended to sync Access Protection rules settings in VSE and HIPS 8 (for redundancy or just for security best practice)? For example, if VSE has the "Prevent programs registering to autorun" rule set to "block and report", is it recommended to also have the same rule enabled in HIPS 8?

       

      My second question is that if these rules are synchronised, which product's rule will first be triggered? 

       

      Thanks:

      Attila

        • 1. Re: VSE and HIPS 8 Access protection
          Kary Tankink

          I don't believe this functionality was intended to overlap between products.  If you have both VSE and HIPS, use the rules from only one of the products. 

           

          If you only have one of the products (and use a different product for the other software functionality), then enable the rules for that product you have.

          • 2. Re: VSE and HIPS 8 Access protection
            shakira

            I've heard HIPS was the better of the two because of more options. Is this correct? Anything one offers over the other? I've also heard these products will be combined in the next big release anyways.

            • 3. Re: VSE and HIPS 8 Access protection
              greatscott

              HIPS would be via a signature, and VSE would be via a checkbox in the VSE Access Protection policies. If you are taking the VSE and HIPS events one for one, you would be able to create a more precise HIPS Exception than you would for VSE.

              • 4. Re: VSE and HIPS 8 Access protection
                petersimmons

                In the near future this duplication will probably fade away. Obviously I can't promise a thing but the idea is that you won't have duplications like this among products.

                 

                In the short term, let me give this advice in the strongest possible way: You should ALWAYS leave the self-protection rules for VSE enabled 100% of the time regardless of other settings. If you turn these off you are allowing the worst malware to infect your systems. This was guaranteed even with ancient 2008-era things like Conficker. Self-protection is roughly six check boxes within the AP rules. It isn't the whole thing.

                 

                In five years, I have not run across a single business case ever to disable the self-protection rules. It just doesn't exist. The rest of the rules are irrelevant most of the time. The self-protection ones for VSE are absolutely crucial. Hopefully those will also be pulled out of the AP rules section and made impossible to turn off in the near term, too. It would save my customers a lot of headaches and break precisely nothing.