
Archived

This topic is now archived and is closed to further replies.

Lockbits

HIPS and Win 2K3: User rules file contains invalid data


Hello guys,

We have a customer that has some servers running Windows 2003. They have EFS 6.5 installed, and until yesterday they had HIPS in learning mode. Due to this problem we asked them to change the filtering mode back to automatic; however, the problem still persists.

In the logs there are many entries related to HIPS and errors about "User rules files contains invalid data". Indeed, the error and its alerts are persistent over time. We searched the forum for the same problem, but none of the threads helped us.

The customer is not sure, but on those servers remote communications are sometimes blocked and they think it could be related to HIPS.

What could it be? Restarting the OS doesn't solve this problem, nor does automatic or learning filtering mode.

I'm attaching some screenshots and also ELC from one of those systems.

Thank you.

 

efsw_logs (Indexa).zip

EFS Settings.png

Errors.png


Please check process exclusions. The full path to executables must be entered, not just process names, otherwise HIPS won't be able to process the exclusions.

17 minutes ago, Marcos said:

Please check process exclusions. The full path to executables must be entered, not just process names, otherwise HIPS won't be able to process the exclusions.

Hi Marcos,

Thanks once more for the help. So process exclusion works only if you specify the complete path? I thought it excluded any process whose process name was X.

Thank you.


Yes. Exclusions without a path just based on the process name would be dangerous. We will be improving the value validator which will prevent invalid values from being entered in the process exclusion list.

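The check discussed in this thread, as an added example that is not part of the original posts and is not ESET's validator: a Python audit of a list of process exclusion entries that rejects anything other than a full path to an executable. The sample entries and the names `classify_exclusion` and `audit_exclusions` are constructed for illustration, and the rule for what counts as a full path (drive letter or UNC share followed by a rooted path to a file) is an assumption.

```python
import ntpath  # Windows path rules, usable on any OS

# Constructed sample entries, not taken from the customer's configuration.
SAMPLE_EXCLUSIONS = [
    r"C:\Program Files\Backup\agent.exe",  # full path
    "agent.exe",                           # process name only
    r"Backup\agent.exe",                   # relative path
    r"\\fileserver\tools\sync.exe",        # UNC full path
    r"C:agent.exe",                        # drive-relative, not rooted
    "",                                    # blank line in the list
]

def classify_exclusion(entry):
    """Return 'ok' for a full path, otherwise a short rejection reason.

    Assumed rule (not the product's own): a full path has a drive letter
    or UNC share, is rooted at that drive, and names a file.
    """
    value = entry.strip().strip('"')
    if not value:
        return "empty"
    drive, rest = ntpath.splitdrive(value)
    if not drive:
        # No drive or share: either a bare name or a relative path.
        return "name-only" if ntpath.basename(value) == value else "relative-path"
    if not rest.startswith(("\\", "/")):
        return "drive-relative"
    if not ntpath.basename(rest):
        return "no-executable"
    return "ok"

def audit_exclusions(entries):
    """Split entries into accepted full paths and (entry, reason) rejections."""
    accepted, rejected = [], []
    for entry in entries:
        reason = classify_exclusion(entry)
        if reason == "ok":
            accepted.append(ntpath.normpath(entry.strip().strip('"')))
        else:
            rejected.append((entry, reason))
    return accepted, rejected

if __name__ == "__main__":
    ok, bad = audit_exclusions(SAMPLE_EXCLUSIONS)
    for path in ok:
        print("accept:", path)
    for entry, reason in bad:
        print("reject: %r (%s)" % (entry, reason))
```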
