avielc (Posted February 27, 2017)
Hi everyone, tried to do some digging here, and found some old article about ESET HIPS on version 5.x which isn't really helping on the 6.4 version. I'd like to know if I can use a wildcard \ block an entire folder that has a few running executable files (e.g. Hola VPN app, they run 3 files: svc, hola.exe and hola updater). Another option is to define the application name alone, to be able to block the app no matter where it was installed. Are any of these possible? Thank you for all your help. Aviel

avielc (Author, posted February 28, 2017)
*bump* anyone? Can we block apps properly on ERA 6.3+? HIPS doesn't block Hola (for example from starting up). They have 4 executable files which are getting installed: hola_svc.exe, hola.exe, hola_updater.exe, hola_setup.exe. Would like anyone's help on the matter.

MichalJ (ESET Staff, posted February 28, 2017)
Hello avielc, You can either block the entire folder, by typing C:\Folder\* and everything that executes from the folder will be blocked. Other solution would be to block each of the files individually. Other forms of wildcards are not supported. Hope that this helps.

avielc (Author, posted February 28, 2017)
Thank you Michal, I have tried both ways as you said, but for some reason Hola still runs. Am I choosing the options wrong? The procedure is adding the folder to block under "source applications", but what do I add\choose\configure under the "files\applications\registry key" options? Thank you for helping, really appreciate it.

Marcos (Administrators, posted February 28, 2017)
If you want to block a specific application so that it cannot be run, it must be added as a target application. In your case you've created a rule that will prevent "Hola" from running other applications.

avielc (Author, posted February 28, 2017)
Sorry Marcos, could you put it in the actual terms in the ERA console? There are source application, files, registry files and applications. I assume I should put the path in source, but what do I have to select to make sure this app doesn't open at all, nor any of its other apps like service/updater/setup?

MichalJ (ESET Staff, posted February 28, 2017, edited)
From ERA:
In the first window choose Applications (01)
In the second window, Source applications, choose All applications; this will ensure that it won't matter from where Hola is started, it will be blocked (02)
In the Application operations window choose either All application operations or only Start new application (I would choose All application operations) (03)
In Applications choose Specific application and add the path to Hola, e.g. C:\Hola\*, and save (04)
Now if the rule is saved and applied on the client, nothing from the Hola folder will run.
Edited February 28, 2017 by MichalJ

avielc (Author, posted February 28, 2017)
I was doing it the opposite, and the first time I tried it, I actually got the entire computer stuck, being unable to load anything (had to cancel the policy through another computer).

avielc (Author, posted February 28, 2017)
One more question: could I add a specific name of the app I'd like to block? Aka "hola-setup.exe", just so if anyone tries to install it, it'll get blocked as well? (with no path)

MichalJ (ESET Staff, posted March 1, 2017, edited)
Hello, as of now it is not possible to set a rule just for the executable name, without the path.
Edited March 1, 2017 by MichalJ

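The source/target distinction and the path rules from the replies above, as a simplified model added for illustration; it is not part of any post and is not ESET's code. The `BlockRule` class, the matching function and the sample process-start events are constructed assumptions; only the `C:\Folder\*` form and the lack of name-only matching come from the thread.

```python
from dataclasses import dataclass

ALL = "*"  # assumed stand-in for the console's "All applications" choice


def path_matches(pattern: str, path: str) -> bool:
    # Toy matcher: "All applications", an exact full path, or a folder
    # pattern ending in a backslash and an asterisk (the only wildcard
    # form the thread says is supported).
    pattern, path = pattern.lower(), path.lower()
    if pattern == ALL:
        return True
    if pattern.endswith("\\*"):
        return path.startswith(pattern[:-1])  # keep the trailing backslash
    return path == pattern


@dataclass
class BlockRule:
    source: str  # application performing the operation
    target: str  # application being started

    def blocks_start(self, parent: str, child: str) -> bool:
        return path_matches(self.source, parent) and path_matches(self.target, child)


# Constructed sample events: (parent process, process being started)
EVENTS = [
    (r"C:\Windows\explorer.exe", r"C:\Hola\hola.exe"),
    (r"C:\Windows\System32\services.exe", r"C:\Hola\hola_svc.exe"),
    (r"C:\Hola\hola.exe", r"C:\Hola\hola_updater.exe"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe"),
]


def blocked(rule: BlockRule) -> list:
    return [child for parent, child in EVENTS if rule.blocks_start(parent, child)]


# Folder placed under "Source applications": only stops Hola starting others.
swapped = BlockRule(source=r"C:\Hola\*", target=ALL)
# Folder placed as the target application: stops anything starting from it.
correct = BlockRule(source=ALL, target=r"C:\Hola\*")
# Bare executable name with no path: never equals a full path.
name_only = BlockRule(source=ALL, target="hola.exe")

if __name__ == "__main__":
    for label, rule in (("swapped", swapped), ("correct", correct), ("name_only", name_only)):
        print(label, blocked(rule))
```
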
avielc (Author, posted March 1, 2017)
Thanks for the clarification Michal, appreciate it. I'll give what you said a test, to see if it works well.

avielc (Author, posted March 1, 2017, edited)
Thank you Michal, tested and checked, it works perfectly. I do however have an issue with applications installed under appdata. How can I specify the appdata folder for multiple users? Thank you.
*update* Example for this matter: uTorrent, a common torrent download application. I'd like to make sure no one runs it on company-owned computers.
Edited March 1, 2017 by avielc: adding example of an application under %appdata%

avielc (Author, posted March 5, 2017)
*bump* any update please?

Marcos (Administrators, posted March 5, 2017)
Currently wildcards are not supported in HIPS rules so substituting a folder name with * is not currently possible.

avielc (Author, posted March 5, 2017)
Thanks Marcos, any idea if it will be implemented, or if a solution for such a case would be available in the near future (perhaps ERA 6.5?)

avielc (Author, posted March 9, 2017)
*bump* any comment?

MichalJ (ESET Staff, posted March 9, 2017)
We are planning bigger changes related to use of wildcards to Endpoint 7 / ERA 7 (Q4/2017). But I can really confirm, that it will be done the way you have requested for HIPS. But no change planned for ERA 6.5 / Endpoint 6.5

avielc (Author, posted March 9, 2017)
Thanks Michal, appreciate it.