Nono, posted June 11, 2018 (edited)

Dear Community,

I can't find anywhere a clear explanation about the Environment Variables we may use for HIPS rules to specify the path of an application.

According to https://help.eset.com/ees/6.6/en-US/index.html?idh_exclude_format.htm it seems that this list of variables should work:

%ALLUSERSPROFILE%
%COMMONPROGRAMFILES%
%COMMONPROGRAMFILES(X86)%
%COMSPEC%
%HOMEDRIVE%
%HOMEPATH%
%PROGRAMFILES%
%PROGRAMFILES(X86)%
%SystemDrive%
%SystemRoot%
%WINDIR%
%PUBLIC%

Then, according to https://help.eset.com/ees/6.6/en-US/index.html?idh_hips_editor_single_rule.htm it seems that we should be able to use the wildcard like this:

For example HKEY_USERS\*\software can mean HKEY_USER\.default\software <= I guess the missing "S" in HKEY_USERS is a typo? but not HKEY_USERS\S-1-2-21-2928335913-73762274-491795397-7895\.default\software.

What I want to achieve is to specify this application path (knowing that the username may change among my devices):

C:\Users\user22\AppData\Local\Apps.exe

Here are the generic paths I tried to use (but they don't work, and give me the warning "User rules file contains invalid data" without any deeper explanation):

%HOMEDRIVE%%HOMEPATH%\AppData\Local\Apps.exe
C:%HOMEPATH%\AppData\Local\Apps.exe
C:\Users\*\AppData\Local\Apps.exe

Ideally, I would like to be able to use (any) environment (user OR system) variables like %LOCALAPPDATA%, but it also failed.

Any suggestion would be very much appreciated!

Thanks in advance for your time.

Edited June 11, 2018 by Nono

Marcos (Administrators), posted June 11, 2018

Thanks for the heads-up. I assume the author of the help meant "HKEY_CURRENT_USER" instead of "HKEY_USER". We'll rewrite that part of the help.

Currently wildcards (asterisk) can only be used in registry paths, e.g. HKEY_USERS\*\Software\Policies.

As for using variables, only system variables will work since ekrn.exe runs in the local system account and therefore has no visibility into user variables.
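
The point in the reply above about ekrn.exe running in the local system account, as an added example that is not part of the thread and is not ESET code: it expands two %VAR% paths (the first one tried in the opening post, and a %LOCALAPPDATA% form) against a logged-on user's environment and against a Local System environment. All environment values are constructed, assumed-typical Windows values, and the expansion is a plain %VAR% substitution, not ESET's own parser.

```python
import re

# Constructed, assumed-typical values (not from the thread or from ESET).
USER_ENV = {  # interactive session of user22
    "SYSTEMDRIVE": "C:",
    "HOMEDRIVE": "C:",
    "HOMEPATH": r"\Users\user22",
    "LOCALAPPDATA": r"C:\Users\user22\AppData\Local",
}
SYSTEM_ENV = {  # service running as Local System: assumed to have no HOMEDRIVE/HOMEPATH
    "SYSTEMDRIVE": "C:",
    "LOCALAPPDATA": r"C:\Windows\system32\config\systemprofile\AppData\Local",
}
TARGET = r"C:\Users\user22\AppData\Local\Apps.exe"
RULES = [r"%HOMEDRIVE%%HOMEPATH%\AppData\Local\Apps.exe", r"%LOCALAPPDATA%\Apps.exe"]
_VAR = re.compile(r"%([^%\\]+)%")


def expand(path, env):
    """Expand %VAR% case-insensitively; undefined variables stay as written."""
    missing = []

    def sub(match):
        name = match.group(1).upper()
        if name in env:
            return env[name]
        missing.append(match.group(1))
        return match.group(0)

    return _VAR.sub(sub, path), missing


def diagnose(rule_path, env, target=TARGET):
    """Say whether a rule path, expanded in `env`, would point at `target`."""
    expanded, missing = expand(rule_path, env)
    if missing:
        return "unresolved: " + ", ".join(missing)
    if expanded.lower() == target.lower():  # Windows paths compare case-insensitively
        return "matches target"
    return "resolves elsewhere: " + expanded


if __name__ == "__main__":
    for rule in RULES:
        print(rule)
        print("  as user22      :", diagnose(rule, USER_ENV))
        print("  as Local System:", diagnose(rule, SYSTEM_ENV))
```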

Nono (Author), posted June 12, 2018

Thanks Marcos,

I managed to make it work ... somehow ... and without having the issue, but it's not really nice, especially for a multi-language computer park (for instance, C:\Users\ can become C:\Utilisateurs\ or C:\Benutzer\ depending on the system language).

I used this format:

C:\Users\\AppData\Local\Apps.exe => Notice the \\ after Users\ (I basically just removed the *)

But as "%LOCALAPPDATA%" is indeed a system variable, do you know why it doesn't work at all? (The rule isn't triggered AND there is no error.)

Same question: why doesn't the 1st rule work, as it included both variables available on https://help.eset.com/ees/6.6/en-US/index.html?idh_exclude_format.htm ?

As you may understand, wildcards are very common for files as well as the registry. Do you know when it would work, or how to check if a system variable will work on ESET or not? (%localappdata% would be very much appreciated.)