itman, posted November 6, 2017 (edited):

This question is a bit of a "brain twister", so please bear with me. I have vendor-app-provided .bat scripts that can be run at boot time. The scripts are for app recovery purposes and are triggered by previously setting a registry key, which in turn runs a service that starts the script via cmd.exe. I have a HIPS rule that monitors cmd.exe startup. I have created a HIPS exception rule to allow cmd.exe to run these scripts. This works fine. The .bat scripts in turn run net.exe and regedit.exe. My specific question is: if I have HIPS rules that also monitor net.exe and regedit.exe startup, would these processes run unimpeded within the scripts by virtue of the previous HIPS rule that allowed cmd.exe to run the batch scripts? In other words, by allowing the scripts to run, are any separately HIPS-monitored processes within them automatically allowed to run?

-EDIT- A bit more info. The HIPS in ver. 11 will by default block any user "ask" HIPS rules that are triggered at boot time. This is as it should be, since the Eset GUI startup is delayed in ver. 11 under Win 10 1703+. Anything else would probably "bork" the boot process. Hence my concern, since the above noted regedit.exe and net.exe startup rules are "ask."

Edited November 6, 2017 by itman
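The practical way to answer the question in the post above is to look at what the allowed cmd.exe instance actually spawns and check each descendant against its own HIPS rule, rather than assuming the cmd.exe exception carries over. The following Python script is an added example, not code from the poster or from ESET; it does not reproduce ESET's real rule-evaluation logic. It assumes process-creation events with Sysmon-style fields (pid, ppid, image, command line), uses a constructed sample event set (including the net.exe to net1.exe hop that net.exe normally performs), and a hypothetical rule table in which cmd.exe has an "allow" exception while net.exe and regedit.exe are "ask" rules. The boot-time handling is modelled as the post describes it: an "ask" rule that fires at boot is treated as blocked.

```python
"""Audit the child processes a boot-time recovery .bat spawns under cmd.exe
and report which of them would still hit an 'ask' HIPS rule of their own.
Added example; the events, paths and rule table below are constructed."""
from collections import defaultdict

# Constructed process-creation events (Sysmon Event ID 1 style fields).
# Not real log lines from any system; pids and paths are illustrative.
SAMPLE_EVENTS = [
    {"pid": 612,  "ppid": 4,    "image": r"C:\Windows\System32\services.exe",
     "cmdline": "services.exe"},
    {"pid": 1980, "ppid": 612,  "image": r"C:\Program Files\VendorApp\recoverysvc.exe",
     "cmdline": "recoverysvc.exe"},
    {"pid": 2044, "ppid": 1980, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Program Files\VendorApp\recover.bat"'},
    {"pid": 2100, "ppid": 2044, "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net stop VendorSvc"},
    {"pid": 2112, "ppid": 2100, "image": r"C:\Windows\System32\net1.exe",
     "cmdline": "net1 stop VendorSvc"},
    {"pid": 2130, "ppid": 2044, "image": r"C:\Windows\System32\regedit.exe",
     "cmdline": r'regedit.exe /s "C:\Program Files\VendorApp\restore.reg"'},
    # An unrelated interactive shell, to show it is not attributed to the script.
    {"pid": 2200, "ppid": 1000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe"},
]

# Hypothetical HIPS rule table keyed on image basename. The "allow" entry stands
# in for the exception rule that lets cmd.exe run the recovery script.
HIPS_RULES = {
    "cmd.exe": "allow",
    "net.exe": "ask",
    "regedit.exe": "ask",
}


def basename(path):
    """Image basename, lower-cased, so rules match regardless of install path."""
    return path.rsplit("\\", 1)[-1].lower()


def build_children(events):
    """Map each parent pid to the list of events it directly spawned."""
    children = defaultdict(list)
    for ev in events:
        children[ev["ppid"]].append(ev)
    return children


def descendants(events, root_pid):
    """Return events for every process descended from root_pid (depth-first)."""
    children = build_children(events)
    out, stack = [], [root_pid]
    while stack:
        pid = stack.pop()
        for ev in children.get(pid, []):
            out.append(ev)
            stack.append(ev["pid"])
    return out


def find_script_launchers(events, script_name):
    """cmd.exe instances whose command line names the recovery script."""
    return [ev for ev in events
            if basename(ev["image"]) == "cmd.exe"
            and script_name.lower() in ev["cmdline"].lower()]


def audit(events, script_name, rules, at_boot=True):
    """For each cmd.exe instance running script_name, classify every descendant by
    the rule its own image triggers. At boot, 'ask' rules are treated as blocked
    (the behaviour the post describes), so those are the images that need their
    own explicit allow rules rather than relying on the cmd.exe exception."""
    report = {}
    for launcher in find_script_launchers(events, script_name):
        for ev in descendants(events, launcher["pid"]):
            name = basename(ev["image"])
            mode = rules.get(name, "unmonitored")
            if mode == "ask" and at_boot:
                mode = "ask (blocked at boot)"
            report[name] = mode
    return report


if __name__ == "__main__":
    for image, mode in sorted(audit(SAMPLE_EVENTS, "recover.bat", HIPS_RULES).items()):
        print(f"{image:14s} -> {mode}")
```

Run against real Sysmon or Windows Security 4688 events (with command-line auditing enabled) captured during a test of the recovery path, the report lists exactly the images that need their own allow rules before the script is relied on at boot; anything reported as "unmonitored" (here net1.exe) is a child the rule table never considered.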
itman (author), posted November 7, 2017 (edited):

I think I reasoned this one out by myself. Since explicit permission was given to the HIPS rule to allow the instance of cmd.exe to run the script, the same applies to any child processes spawned by the cmd.exe instance for anything run from the script. In other words, will this activity override any existing ask rules for the child processes?

Edited November 7, 2017 by itman
itman (author), posted November 7, 2017 (edited):

I should add that running the HIPS in Interactive mode will cause problems in this .bat scenario. The script is only run in the instance of a failure situation. Assuming these are infrequent, it is also assumed that the script has not been run as the result of a previous HIPS training session. So when a failure situation occurs and the script runs at boot time, it will be blocked from executing.

Edited November 7, 2017 by itman