avielc, posted February 27, 2017:
Hi everyone, I tried to do some digging here and found some old article about ESET HIPS on version 5.x, which isn't really helping on version 6.4. I'd like to know if I can use a wildcard to block an entire folder that has a few running executable files (e.g. the Hola VPN app, which runs 3 files: svc, hola.exe and hola updater). Another option is to define the application name alone to be able to block the app no matter where it was installed. Are any of these possible? Thank you for all your help. Aviel
avielc (author), posted February 28, 2017:
*bump* Anyone? Can we block apps properly on ERA 6.3+? HIPS doesn't block Hola (for example, from starting up). They have 4 executable files which get installed: hola_svc.exe, hola.exe, hola_updater.exe, hola_setup.exe. Would like anyone's help on the matter.
MichalJ (ESET Staff), posted February 28, 2017:
Hello avielc, you can either block the entire folder by typing C:\Folder\* and everything that executes from the folder will be blocked. The other solution would be to block each of the files individually. Other forms of wildcards are not supported. Hope that this helps.
avielc (author), posted February 28, 2017:
Thank you Michal. I have tried both ways as you said, but for some reason Hola still runs. Am I choosing the options wrong? The procedure is adding the folder to block under "Source applications", but what do I add/choose/configure under the "Files/Applications/Registry key" options? Thank you for helping, really appreciate it.
Marcos (Administrator), posted February 28, 2017:
If you want to block a specific application so that it cannot be run, it must be added as a target application. In your case you've created a rule that will prevent "Hola" from running other applications.
avielc (author), posted February 28, 2017:
Sorry Marcos, could you put it in the actual terms in the ERA console? There are source application, files, registry files and applications. I assume I should put the path in source, but what do I have to select to make sure this app doesn't open at all, nor any of its other apps like service/updater/setup?
MichalJ (ESET Staff), posted February 28, 2017 (edited February 28, 2017 by MichalJ):
From ERA:
1. In the first window choose Applications.
2. In the second window, Source applications, choose All applications; this will ensure that it won't matter from where Hola is started, it will be blocked.
3. In the Application operations window choose either All application operations or only Start new application (I would choose All application operations).
4. In Applications choose Specific application, add the path to Hola, e.g. C:\Hola\*, and save.
Now if the rule is saved and applied on the client, nothing from the Hola folder will run.
(Screenshots 01-04 of these four steps not reproduced.)
avielc (author), posted February 28, 2017:
I was doing it the opposite way, and the first time I tried it I actually got the entire computer stuck, being unable to load anything (had to cancel the policy through another computer).
avielc (author), posted February 28, 2017:
One more question: could I add a specific name of the app I'd like to block, aka "hola-setup.exe", just so if anyone tries to install it, it'll get blocked as well? (With no path.)
MichalJ (ESET Staff), posted March 1, 2017 (edited March 1, 2017 by MichalJ):
Hello, as of now it is not possible to set a rule just for the executable name, without the path.
avielc (author), posted March 1, 2017:
Thanks for the clarification Michal, appreciate it. I'll give what you said a test to see if it works well.
avielc (author), posted March 1, 2017 (edited March 1, 2017 by avielc, adding an example of an application under %appdata%):
Thank you Michal, tested and checked, it works perfectly. I do however have an issue with applications installed under AppData. How can I specify the AppData folder for multiple users? Thank you.
*update* Example for this matter: uTorrent, a common torrent download application; I'd like to make sure no one runs it on company-owned computers.
Marcos (Administrator), posted March 5, 2017:
Currently wildcards are not supported in HIPS rules, so substituting a folder name with * is not currently possible.
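A small model of the rule-matching behaviour described in this thread, added here as an example and not ESET's own code or rule format. It assumes the semantics the staff replies state: a target ending in \* matches everything under that folder, any other target must match the full path exactly, and a bare executable name with no path is not a valid rule. It shows why a rule written for one user's AppData path does not cover another user on the same machine.

```python
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class HipsRule:
    """Target-application rule (constructed model, not ESET's format)."""
    target: str            # e.g. r"C:\Hola\*" or r"C:\Hola\hola.exe"
    action: str = "block"


def _norm(path: str) -> str:
    # Windows paths are case-insensitive; normalise separators and case.
    return ntpath.normpath(path).lower()


def rule_is_valid(target: str) -> bool:
    # Assumption from the thread: a name without a directory is rejected.
    return ntpath.dirname(target) != ""


def rule_matches(rule: HipsRule, exe_path: str) -> bool:
    """Assumed semantics: 'folder\\*' matches anything under folder,
    otherwise the full path must match exactly."""
    if not rule_is_valid(rule.target):
        raise ValueError(f"bare executable name not supported: {rule.target}")
    if rule.target.endswith("\\*"):
        folder = _norm(rule.target[:-2])
        return _norm(exe_path).startswith(folder + "\\")
    return _norm(exe_path) == _norm(rule.target)


def blocked_by(rules, exe_path):
    """Targets of every block rule that would fire for exe_path."""
    return [r.target for r in rules
            if r.action == "block" and rule_matches(r, exe_path)]


# Constructed sample rule set for the scenario in the thread: a folder rule
# for Hola and a per-user AppData rule for uTorrent written for user alice.
RULES = [
    HipsRule(r"C:\Hola\*"),
    HipsRule(r"C:\Users\alice\AppData\Roaming\uTorrent\uTorrent.exe"),
]


def coverage(rules, exe_paths):
    """Map each path to the rules that block it; empty lists are gaps."""
    return {p: blocked_by(rules, p) for p in exe_paths}
```

Running coverage() over the same uTorrent path for alice and bob makes the gap visible: only alice's entry is non-empty, which is the limitation Marcos describes.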
avielc (author), posted March 5, 2017:
Thanks Marcos, any idea if it will be implemented, or if a solution for such a case would be available in the near future (perhaps ERA 6.5)?
MichalJ (ESET Staff), posted March 9, 2017:
We are planning bigger changes related to the use of wildcards for Endpoint 7 / ERA 7 (Q4/2017). But I can really confirm that it will be done the way you have requested for HIPS. But no change is planned for ERA 6.5 / Endpoint 6.5.