HIPS and Win 2K3: User rules file contains invalid data

[Lockbits 10]

Hello guys,

We've a customer that have some servers running Windows 2003. They have EFS 6.5 installed and until yesterday they had HIPS in learning mode. Due to this problem we asked them to change back filtering mode to automatic however problem still persists. 

In logs there're many entries related to the HIPS and errors about "User rules files contains invalid data". Indeed the error and its alerts are persistent through the time. We had searched forum for the same problem but none of the threads helped us.

Customer is not sure but on those servers remote communications sometimes are blocked and they think it could be related to HIPS.

What can be? Restarting OS doesn't solve this problem nor automatic or learning filtering mode.

I'm attaching some screenshots and also ELC from one of those systems.

Thank you.

 

efsw_logs (Indexa).zip

[Marcos 4,935]

Please check process exclusions. The full path to executables must be entered, not just process names, otherwise HIPS won't be able to process the exclusions.

[Lockbits 10]

17 minutes ago, Marcos said:

Please check process exclusions. The full path to executables must be entered, not just process names, otherwise HIPS won't be able to process the exclusions.

I Marcos,

Thanks once more for the help. So process exclusion works only if you specify the complete path? I thought it excluded any process whose process name were X.

Tahnk you.

[Marcos 4,935]

Yes. Exclusions without a path just based on the process name would be dangerous. We will be improving the value validator which will prevent invalid values from being entered in the process exclusion list.