
ERA 6.4 | HIPS - blocking multiple apps as policy


avielc

Hi everyone

Tried to do some digging here, and found an old article about ESET HIPS on version 5.x, which isn't really helping on version 6.4.

I'd like to know if I can use a wildcard \ block an entire folder that has a few running executable files (e.g. Hola VPN app, they run 3 files: svc, hola.exe and hola updater)

Another option is to define the application name alone, to be able to block the app no matter where it was installed.

Are any of these possible?

Thank you for all your help.

Aviel 


*bump*

Anyone?

Can we block apps properly on ERA 6.3+? HIPS doesn't block Hola (for example, from starting up).

They have 4 executable files which are getting installed:

hola_svc.exe

hola.exe

hola_updater.exe

hola_setup.exe

 

Would like anyone's help on the matter.


  • ESET Staff

Hello avielc,

You can either block the entire folder by typing C:\Folder\*, and everything that executes from the folder will be blocked. Another solution would be to block each of the files individually. Other forms of wildcards are not supported.

Hope that this helps.


Thank you Michal, 

I have tried both ways as you said, but for some reason Hola still runs. Am I choosing the options wrong?

The procedure is adding the folder to block under "source applications",

but what do I add\choose\configure under the "files\applications\registry key" options?

 

Thank you for helping, really appreciate it.


  • Administrators

If you want to block a specific application so that it cannot be run, it must be added as a target application. In your case you've created a rule that will prevent "Hola" from running other applications.


Sorry Marcos,

Could you put it in the actual terms used in the ERA console?

There are source applications, files, registry files and applications. I assume I should put the path in source,

but what do I have to select to make sure this app doesn't open at all? Nor any of its other apps, like service/updater/setup.


  • ESET Staff

From ERA:

In the first window, choose Applications (01).

In the second window, Source applications, choose All applications; this will ensure that it won't matter where Hola is started from, it will be blocked (02).

In the Application operations window, choose either All application operations or only Start new application (I would choose All application operations) (03).

In Applications, choose Specific application, add the path to Hola, e.g. C:\Hola\*, and save (04).

Now, if the rule is saved and applied on the client, nothing from the Hola folder will run.

[Screenshots 01 to 04: 01.jpg, 02.png, 03.png, 04.png]

Edited by MichalJ

I was doing it the opposite way,

and the first time I tried it, I actually got the entire computer stuck, unable to load anything (had to cancel the policy through another computer).


One more question

Could I add a specific name of the app I'd like to block?

aka "hola-setup.exe" just so if anyone tries to install it, it'll get blocked as well? (with no path)


  • ESET Staff

Hello, as of now it is not possible to set a rule just for the executable name, without the path.

Edited by MichalJ

Thanks for the clarification Michal, appreciate it.

I'll give what you said a test, to see if it works well.


Thank you Michal, tested and checked, it works perfectly.

I do, however, have an issue with applications installed under appdata.

How can I specify the appdata folder for multiple users?

Thank you.

*update*

Example for this matter: uTorrent, a common torrent download application. I'd like to make sure no one runs it on company-owned computers.

Edited by avielc
adding example of an application under %appdata%

  • Administrators

Currently wildcards are not supported in HIPS rules so substituting a folder name with * is not currently possible.
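
The per-user AppData case asked about above, as an added example that is not part of the original thread and is not ESET code: since a wildcard cannot stand in for the user folder name, this PowerShell script lists one explicit `<profile>\...\*` path per user profile on a machine, each of which can be entered as a separate target in the `C:\Folder\*` form described earlier in the thread. The relative path `AppData\Roaming\uTorrent` is an assumed install location.

```powershell
# Added example (not from the thread, not ESET code).
# Builds one explicit "<profile>\<relative path>\*" entry per user profile,
# because a wildcard cannot replace the user folder name in a HIPS rule.
param(
    # Assumption: where the application is installed inside each profile.
    [string]$RelativePath = 'AppData\Roaming\uTorrent'
)

# Windows records every local profile folder under this registry key.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# Well-known service accounts (SYSTEM, LOCAL SERVICE, NETWORK SERVICE).
$serviceSids = 'S-1-5-18', 'S-1-5-19', 'S-1-5-20'

Get-ChildItem -Path $profileList |
    Where-Object { $serviceSids -notcontains $_.PSChildName } |
    ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        $root  = $props.ProfileImagePath          # e.g. C:\Users\alice
        if ($root) {
            $root   = [Environment]::ExpandEnvironmentVariables($root).TrimEnd('\')
            $folder = '{0}\{1}' -f $root, $RelativePath.Trim('\')
            [pscustomobject]@{
                Sid        = $_.PSChildName
                TargetPath = "$folder\*"                      # folder-level entry
                Present    = (Test-Path -LiteralPath $folder) # installed today?
            }
        }
    } |
    Sort-Object TargetPath |
    Format-Table -AutoSize
```

Profiles created after the list is generated are not covered until the script is run again and the rule is updated.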


Thanks Marcos, any idea if it will be implemented, or if a solution for such a case would be available in the near future (perhaps ERA 6.5)?


  • ESET Staff

We are planning bigger changes related to use of wildcards to Endpoint 7 / ERA 7 (Q4/2017). But I can really confirm, that it will be done the way you have requested for HIPS. But no change planned for ERA 6.5 / Endpoint 6.5 
