
toxinon12345

ESET Insiders
  • Posts: 165
  • Days Won: 5

Posts posted by toxinon12345

  1. What I understood is that folders are just some type of null zero-byte files. So, only the first level would be affected.

    Speaking about registry access, keys and values are treated by different functions

    https://msdn.microsoft.com/en-us/library/windows/desktop/ms724875(v=vs.85).aspx

    Edit: another undocumented one: leaving the list of source apps blank and then switching between ["Specific applications" | "All applications"] makes a difference for triggering, related to overriding.

  2. The same applies as Toxinon12345 noted; coding C:\ \ doesn't restrict alerts only to the C:\ root directory but includes all subordinate directories.

    To avoid ambiguities, I set the double backslash because I don't want recursion (I want only the first nested level to trigger).

    But that '\\' doesn't work for the root dir of the volume.

    On the other hand, I triggered a rule when c:\windows\explorer.exe was trying to delete a file in the c:\windows directory, just using the c:\windows\\ notation. So it is working as expected; the exception is the root of the volume.

  3. Drivers could also be loaded at any time after boot; it should make sense when switched to interactive or policy-based mode.

    I, for one, cannot see any important bug in the HIPS.

    Also, Smart rules seem to be dynamic for each HIPS update, maybe adapting to current threat landscape.

    Sometimes I see some notifications stating the HIPS user rule file was sent for analysis, which suggests a community ruleset.

  4. I just noticed Smart mode rules cannot be overridden either, a good thing in my opinion: I can't imagine clicking Allow in a dialog just to notice afterwards that it was logged as Blocked by an explicit user rule. It would lead to confusion.

    EDIT: Smart mode rules can be overridden, too. I noticed that when I enabled notify/logging on the rule.

    Allowed drivers can be overridden; it is explicitly written in the documentation.
    Also, some system processes are allowed access by default (Regedit to registry keys, Explorer to write thumbnails, etc.); they can be overridden as well.

    the block rule is really an ask rule with alert and logging enabled.

    This particular sentence... an ask rule is just that: an interactive rule, but if you manage to disable the GUI alerts globally, that would be just a matter of a !¿temporal hook?!!!
    Just trying in Advanced setup > User Interface > Alerts and notifications

  5. Yes, I know what you are referring to. Self-defense predefined rules are default-deny rules, and they work no matter what filtering mode you are running under. They cannot be overridden (for example, create a rule based on self-defense and change it to default allow; it will be blocked anyway).

    You should understand each filtering mode as doing what it is intended to do, and rules as exceptions to what that filtering mode does.

    Now, between user rules the precedence is first the Block rules and only then the Allow rules.

    I think Smart mode rules and the Allowed drivers rule cannot be overridden; it is something I will evaluate.
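To make the two path notations discussed in post 2 (a single trailing `\` covering a directory recursively, a trailing `\\` covering only the first nested level) and the evaluation order stated in post 5 concrete, here is a small Python model. It is an added example, not ESET code and not something posted in the thread: the rule names and the `c:\protected\` path are constructed, and both the matching semantics and the precedence (self-defense deny, then user Block, then user Allow, then the filtering mode's default) are taken from the posts as assumptions, not from product documentation. The single-level form is applied uniformly here, including to the volume root, which post 2 reports did not work in the product at the time.

```python
"""Toy model of the HIPS path-rule semantics and rule precedence described in the
posts above. Constructed for this page; not ESET code and not a claim about how the
product's real matching engine is implemented."""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Sequence, Tuple


def path_matches(pattern: str, target: str) -> bool:
    r"""Return True if the file `target` is covered by the rule path `pattern`.

    Semantics modelled (taken from post 2 as an assumption):
      - pattern ending in two backslashes, e.g. c:\windows\\ : only files directly
        inside that directory, no deeper nesting;
      - pattern ending in one backslash, e.g. c:\windows\ : that directory and
        every level below it;
      - anything else: an exact file path.
    PureWindowsPath compares case-insensitively, matching Windows semantics.
    """
    t = PureWindowsPath(target)
    if pattern.endswith("\\\\"):
        # Drop one backslash so c:\windows\\ becomes the directory c:\windows\ ;
        # for the volume root, c:\\ becomes c:\ and only its direct children match.
        return t.parent == PureWindowsPath(pattern[:-1])
    if pattern.endswith("\\"):
        base = PureWindowsPath(pattern)
        return t == base or base in t.parents
    return t == PureWindowsPath(pattern)


@dataclass(frozen=True)
class Rule:
    name: str
    origin: str      # "self_defense" (predefined, default deny) or "user"
    action: str      # "block" or "allow"
    operation: str   # e.g. "delete", "write"
    path: str        # rule path pattern, see path_matches


def decide(rules: Sequence[Rule], mode_default: str, operation: str,
           target: str) -> Tuple[str, str]:
    """Return (decision, reason) for one operation on one file.

    Evaluation order as post 5 describes it: self-defense deny rules first (they
    win regardless of filtering mode or user rules), then user Block rules, then
    user Allow rules, and finally the filtering mode's default when nothing matched.
    """
    hits = [r for r in rules
            if r.operation == operation and path_matches(r.path, target)]
    for origin, action in (("self_defense", "block"), ("user", "block"), ("user", "allow")):
        for r in hits:
            if r.origin == origin and r.action == action:
                return action, r.name
    return mode_default, "filtering mode default"


# Constructed sample rule set; the names and the c:\protected\ path are illustrative.
SAMPLE_RULES = [
    Rule("self-defense: product directory", "self_defense", "block", "delete", "c:\\protected\\"),
    Rule("user: allow deletes anywhere on C:", "user", "allow", "delete", "c:\\"),
    Rule("user: block deletes directly in c:\\windows", "user", "block", "delete", "c:\\windows\\\\"),
]

if __name__ == "__main__":
    for target in ("c:\\windows\\explorer.exe",     # direct child: user Block wins over Allow
                   "c:\\windows\\system32\\x.dll",  # deeper level: single-level Block does not apply
                   "c:\\protected\\core.dll",       # self-defense deny beats the user Allow
                   "c:\\pagefile.sys"):             # only the recursive Allow on c:\ matches
        print(target, "->", decide(SAMPLE_RULES, "ask", "delete", target))
```

Running the script walks four constructed targets through the rule set; the interesting case is `c:\protected\core.dll`, where the user Allow rule on `c:\` covers the file but the self-defense rule is evaluated first and wins, which is the behaviour post 5 describes.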
