Posts posted by Nono


  1. 56 minutes ago, itman said:

    To begin with, Eset HIPS doesn't officially support "\\" notation in a path name. If it works, it would only apply to the immediate path specified. In other words, in your example, for the C:\Users directory, but not for any subordinate directories specified within the C:\Users directory.

    I'm not sure I fully understand, but I have a working rule which is like:

    C:\Users\\AppData\Local\Temp\\soft.exe (aka with 2 \\) and it still works like a charm.

    So, I agree this is maybe not "officially" supported, but why does it work on SOME machines but not the others? Is there a way to check this?


  2. 1 hour ago, Marcos said:

    I would say that rules with "*" to substitute a folder name should never work since wildcards are supported only in registry paths.

    Hi Marcos, I'm aware that we can't use "*", but "nothing" works on the majority of our endpoints!

    Only some aren't working anymore (they used to work before the agent/security upgrade).


  3. Hi there,

    I'm using ESMC / Eset endpoint security version:

    ESET Security Management Center (Server), Version 7.0 (7.0.451.0)
    ESET Security Management Center (Web Console), Version 7.0 (7.0.413.0)
    ESET Management Agent 7.0.577.0
    ESET Endpoint Security 7.1.2045.5

    When I configure some HIPS rules, I see strange behavior depending on the endpoint (on the same version of both ESET and Windows 10):

    Some "generic" rules like C:\Users\\AppData\app.exe work on the majority of computers (note the empty folder to replace any user).

    But some don't, and I need to enter the specific user account (e.g. C:\Users\dummyUser\AppData\app.exe).

    Is there a way to debug/understand such behavior?


  4. 2 hours ago, MichalJ said:

    @Nono I assume you are talking about rules for HIPS, eventually Firewall. This is not so much a functionality of ERA as a functionality of Endpoint. I will discuss it with the Endpoint team, whether some "rule syntax verification" won't be added in the future.

    Yeah, that's right. Actually, on the endpoint, in the log files' "Event" section, I was able to see that the errors are coming from the HIPS rules (I wasn't even sure, as the popup didn't specify it).


  5. Description: Having more detail about the "invalid data"

    Detail: Currently, when we apply some "invalid" rules, despite working partially (I guess the "good" rules are working, but not the "invalid" ones), we get the notification popup "User rules file contains invalid data". It's not really helpful for locating which entries may be faulty and which ones are not. Would it be possible to get a log file stating which rule (name?) is faulty and, even better, why?

    It would also help to locate which "data" it's referring to. For instance, "User rules" could lead to several subsections in the rules admin panel (Antivirus, Update, Firewall, etc.).
