HIPS vs Behavior blocker

By default HIPS is disabled; why is that? Is it because CIS is in BETA, or is it intended (as in, don’t use HIPS and BB together)?

HIPS is not disabled; it is still working, but applying itself only to unknown files. It was hard for us to understand that too when we first got it.

By “Disabled” I meant this (see screenshot). Is the tickbox supposed to be unchecked? And if so, when or why do we need to check it?

[attachment deleted by admin]

I was lobbying that the GUI needs to make it very clear why the HIPS is disabled by default for just this very reason…

As Languy mentioned, you’re actually still protected by the HIPS when CIS encounters an unrecognized file. Disabling it doesn’t fully turn it off the way it did in previous versions of CIS. The only reason to enable the HIPS would be if you’re not using the BB/Sandbox.

The BB, an upgraded version of the autosandbox, is, I think:
a) an entirely independent set of HIPS rules that use the old HIPS routines
b) a set of OS restrictions (as before)
c) some more complex rules that would be difficult to write using just the HIPS rules format

Think two independent rule sets, one with a somewhat richer syntax, one rules execution engine.

So using the BB, you don’t use installer/updater any more (use BB exemptions, I think), and you don’t need to answer COM or Hook alerts (they are intelligently blocked or allowed).

BB exemptions may operate less swingeingly than installer/updater, which, applied wrongly, was a security risk. Need to work that out.

Best wishes

Mouse