Nono


  1. Yeah, that's right. Actually, on the endpoint, in the log files "Event" section, I was able to see that the errors are coming from the HIPS rules (I wasn't even sure, as the popup didn't specify it).
  2. Description: Having more detail about the "invalid data"

     Detail: Currently, when we apply some "invalid" rules, despite working partially (I guess the "good rules" are working, but not the "invalid" ones), we get the notification popup "User rules file contains invalid data". It's not really helpful to locate which entry may be faulty and which ones are not. Would it be possible to get a log file stating which rule (name?) is faulty and, even better, why? It would also help to locate which "data" it's referring to. For instance, "User rules" could lead to several subsections in the rules admin panel (Antivirus, Update, Firewall, etc.).
  3. Thanks Marcos, I managed to make it work ... somehow ... and without having the issue, but it's not really nice, especially for a multi-language computer park (for instance, C:\Users\ can become C:\Utilisateurs\ or C:\Benutzer\ depending on the system language).

     I used this format: C:\Users\\AppData\Local\Apps.exe => Notice the \\ after Users\ (I basically just removed the *).

     But as "%LOCALAPPDATA%" is indeed a system variable, do you know why it doesn't work at all? (The rule isn't triggered AND there is no error.) Same question: why doesn't the 1st rule work, as it included both variables avail. on https://help.eset.com/ees/6.6/en-US/index.html?idh_exclude_format.htm?

     As you may understand, wildcards are very common for files as well as the registry. Do you know when it would work, or how to check if a system variable will work on ESET or not? (%localappdata% would be very much appreciated.)
  4. Dear Community,

     I can't find anywhere a clear explanation about the environment variables we may use for HIPS rules to specify the path of an application.

     According to https://help.eset.com/ees/6.6/en-US/index.html?idh_exclude_format.htm it seems that this list of var. should work:

       • %ALLUSERSPROFILE%
       • %COMMONPROGRAMFILES%
       • %COMMONPROGRAMFILES(X86)%
       • %COMSPEC%
       • %HOMEDRIVE%
       • %HOMEPATH%
       • %PROGRAMFILES%
       • %PROGRAMFILES(X86)%
       • %SystemDrive%
       • %SystemRoot%
       • %WINDIR%
       • %PUBLIC%

     Then, according to https://help.eset.com/ees/6.6/en-US/index.html?idh_hips_editor_single_rule.htm it seems that we should be able to use the wildcard like this:

     For example HKEY_USERS\*\software can mean HKEY_USER\.default\software <= I guess the missing "S" in HKEY_USERS is a typo? but not HKEY_USERS\S-1-2-21-2928335913-73762274-491795397-7895\.default\software.

     What I want to achieve is to specify this application path (knowing that the username may change among my devices):

       C:\Users\user22\AppData\Local\Apps.exe

     Here are the generic paths I tried to use (but they don't work, and give me the warning "User rules file contains invalid data" without any deeper explanation):

       • %HOMEDRIVE%%HOMEPATH%\AppData\Local\Apps.exe
       • C:%HOMEPATH%\AppData\Local\Apps.exe
       • C:\Users\*\AppData\Local\Apps.exe

     Ideally, I would like to be able to use (any) environment (user OR system) variables like %LOCALAPPDATA%, but it also failed.

     Any suggestion would be very much appreciated! Thanks in advance for your time.