ERA 6.4 | HIPS - blocking multiple apps as policy

[avielc 48]

Hi everyone

tried to do some digging here, and found some old article about ESET HIPS on version 5.x which isn't really helping on 6.4 version.

 

I'd like to know if i can use a wildcard \ block an entire folder that has a few running executable files (e.g. Hola vpn app, they run 3 files: svc,hola.exe and hola updater)

another option is to define the applicaiton name alone to be able and block the app no matter where it was installed.

are any of these possible?

Thank you for all your help.

Aviel 

[avielc 48]

*bump*

anyone?

Can we block apps properly on ERA6.3+? HIPS doesn't block Hola (for example from starting up)

they have 4 executable files which are getting installed

hola_svc.exe

hola.exe

hola_updater.exe

hola_setup.exe

 

Would like anyone's help on the matter.

[MichalJ 430]

Hello avielc,

You can either block the entire folder, by typing C:\Folder\* and everything that executes from the folder will be blocked. Other solution would be to block each of the files individually. Other forms of wildcards are not supported.

Hope that this helps.

[avielc 48]

Thank you Michal, 

I have tried both ways as you said, but for some reason Hola still runs. Am I choosing the options wrong?

the procedure is adding the folder to block under "source applications" 

but what do i add\choose\configure under "files\applications\registry key" options?

 

Thank you for helping, really appreciate it.

[Marcos 4,720]

If you want to block a specific application so that it cannot be run, it must be added as a target application. In your case you've created a rule that will prevent "Hola" from running other applications.

[avielc 48]

Sorry Marcos,

could you put it in the actual terms in the era console?

there are source application, files, registry files and applications. I assume I should put the  path in source, 

but what do I have to select to make sure this app doesn't open at all. Nor any of its other apps like service/updater/setup

[MichalJ 430]

From ERA:

In first window choose Applications (01)

In second Source applications choose All applications  this will ensure that it won’t matter from Hola is started it will be blocked (02)

In Application operations window choose either All application operations or only start new application (I would choose All application operations) (03)

In Applications choose Specific application and add path to Hola e.g. C:\Hola\* and save (04)

Now if rule is saved and applied on client nothing from Hola folder will run

01:

02:

03:

04:

 

 

Edited February 28, 2017 by MichalJ

[avielc 48]

I was doing it the opposite

and the first time i tried it, I actually got the entire computer stuck being unable to load anything (had to cancel the policy through another computer.)

[avielc 48]

One more question

Could I add a specific name of the app i'd like to block? 

aka "hola-setup.exe" just so if anyone tries to install it, it'll get blocked as well? (with no path)

[MichalJ 430]

Hello, as of now it not possible to set rule just for the executable name, without the path.

Edited March 1, 2017 by MichalJ

[avielc 48]

Thanks for the clarification Michal, appreciate it.

I'll give what you said a test, to see if it works well.

[avielc 48]

Thank you Michal, tested and checked, it works perfectly.

I do however have an issue with applications installed under appdata

How can I specify the appdata folder for multiple users?

Thank you.

*update*

example for this matter: utorrent - common torrent download application, i'd like to make sure no one runs it on company owned computers.

Edited March 1, 2017 by avielc
adding example of an application under %appdata%

[avielc 48]

*bump*

any update please?

[Marcos 4,720]

Currently wildcards are not supported in HIPS rules so substituting a folder name with * is not currently possible.

[avielc 48]

Thanks Marcos, any idea if it will be implanted or a solution for such case would be available in the near future(perhaps era 6.5?)

[avielc 48]

*bump*
any comment?

[MichalJ 430]

We are planning bigger changes related to use of wildcards to Endpoint 7 / ERA 7 (Q4/2017). But I can really confirm, that it will be done the way you have requested for HIPS. But no change planned for ERA 6.5 / Endpoint 6.5 

[avielc 48]

Thanks Michal, 

appreciate it.