
Nono

Environment variables for HIPS Rules


Dear Community,

I can't find a clear explanation anywhere about the environment variables we may use in HIPS rules to specify the path of an application.

According to https://help.eset.com/ees/6.6/en-US/index.html?idh_exclude_format.htm it seems that this list of variables should work:

%ALLUSERSPROFILE%
%COMMONPROGRAMFILES%
%COMMONPROGRAMFILES(X86)%
%COMSPEC%
%HOMEDRIVE%
%HOMEPATH%
%PROGRAMFILES%
%PROGRAMFILES(X86)%
%SystemDrive%
%SystemRoot%
%WINDIR%
%PUBLIC%

Then, according to https://help.eset.com/ees/6.6/en-US/index.html?idh_hips_editor_single_rule.htm it seems that we should be able to use the wildcard like this:

For example HKEY_USERS\*\software can mean
HKEY_USER\.default\software <= I guess the missing "S" in HKEY_USER is a typo?
but not HKEY_USERS\S-1-2-21-2928335913-73762274-491795397-7895\.default\software.

What I want to achieve is to specify this application path (knowing that the username may change among my devices):

C:\Users\user22\AppData\Local\Apps.exe

Here are the generic paths I tried to use (they don't work, and give me the warning "User rules file contains invalid data" without any deeper explanation):

  1. %HOMEDRIVE%%HOMEPATH%\AppData\Local\Apps.exe
  2. C:%HOMEPATH%\AppData\Local\Apps.exe
  3. C:\Users\*\AppData\Local\Apps.exe 

Ideally, I would like to be able to use (any) environment variable (user OR system) like %LOCALAPPDATA%, but it also failed.

Any suggestion would be very much appreciated!

Thanks in advance for your time.


Thanks for the heads-up. I assume the author of the help meant "HKEY_CURRENT_USER" instead of "HKEY_USER". We'll rewrite that part of the help.

Currently wildcards (asterisk) can only be used in registry paths, e.g. HKEY_USERS\*\Software\Policies. As for using variables, only system variables will work since ekrn.exe runs in the local system account and therefore has no visibility into user variables.



Thanks Marcos,

I managed to make it work ... somehow ... and without the issue, but it's not really nice, especially for a multi-language computer park (for instance, C:\Users\ can become C:\Utilisateurs\ or C:\Benutzer\ depending on the system language).

I used this format: C:\Users\\AppData\Local\Apps.exe => notice the \\ after Users\ (I basically just removed the *).

But as "%LOCALAPPDATA%" is indeed a system variable, do you know why it doesn't work at all? (The rule isn't triggered AND there is no error.)

Same question: why doesn't the 1st rule work, as it includes both variables available on https://help.eset.com/ees/6.6/en-US/index.html?idh_exclude_format.htm ?


As you may understand, wildcards are very common for files as well as the registry. Do you know when it would work, or how to check whether a system variable will work on ESET or not (%localappdata% would be very much appreciated)?


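The open question above is how to check which variables ekrn.exe can expand, given that it runs as LocalSystem. This added PowerShell script (not from the thread and not ESET's own tooling) runs a helper as SYSTEM through a temporary scheduled task, dumps the environment block that account actually sees, and compares it with the current user's values for the variables listed in the help page plus the ones tried in the thread. The task name, the two files under ProgramData and the candidate list are assumptions; it needs an elevated session.

```powershell
# Added example: dump the environment a LocalSystem process sees (what ekrn.exe
# expands HIPS rule paths from) and compare it with the logged-on user's values.
# Assumed names: task 'HipsSystemEnvDump', files under $env:ProgramData.
$dumpPath   = Join-Path $env:ProgramData 'hips-system-env.txt'
$scriptPath = Join-Path $env:ProgramData 'hips-system-env.ps1'
$taskName   = 'HipsSystemEnvDump'

# Helper that runs as SYSTEM and writes one NAME=VALUE line per variable.
@"
Get-ChildItem Env: | ForEach-Object { '{0}={1}' -f `$_.Name, `$_.Value } |
    Set-Content -LiteralPath '$dumpPath' -Encoding UTF8
"@ | Set-Content -LiteralPath $scriptPath -Encoding UTF8

$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
               -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$scriptPath`""
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName $taskName -Action $action -Principal $principal -Force | Out-Null
Start-ScheduledTask -TaskName $taskName

# Wait until the helper has written its file (or give up after 30 s), then clean up.
$deadline = (Get-Date).AddSeconds(30)
while (((Get-ScheduledTask -TaskName $taskName).State -eq 'Running' -or
        -not (Test-Path -LiteralPath $dumpPath)) -and (Get-Date) -lt $deadline) {
    Start-Sleep -Milliseconds 500
}
Unregister-ScheduledTask -TaskName $taskName -Confirm:$false
Remove-Item -LiteralPath $scriptPath -Force

# Parse NAME=VALUE lines; a value may itself contain '=', so split on the first one only.
$systemEnv = @{}   # hashtable keys are case-insensitive, matching Windows variable names
foreach ($line in Get-Content -LiteralPath $dumpPath) {
    $name, $value = $line -split '=', 2
    if ($name) { $systemEnv[$name] = $value }
}
Remove-Item -LiteralPath $dumpPath -Force

# Variables from the ESET help list plus the user-profile ones tried in the thread.
$candidates = 'ALLUSERSPROFILE','COMMONPROGRAMFILES','COMMONPROGRAMFILES(X86)','COMSPEC',
              'HOMEDRIVE','HOMEPATH','PROGRAMFILES','PROGRAMFILES(X86)','SystemDrive',
              'SystemRoot','WINDIR','PUBLIC','LOCALAPPDATA','APPDATA','USERPROFILE'
foreach ($name in $candidates) {
    $asSystem = $systemEnv[$name]
    $asUser   = [Environment]::GetEnvironmentVariable($name, 'Process')
    $verdict  = if (-not $asSystem) { 'not visible to SYSTEM: cannot be expanded in a rule' }
                elseif ($asSystem -ne $asUser) { 'expands differently for SYSTEM: will not match the user path' }
                else { 'usable: same value for SYSTEM and the user' }
    '{0,-26} SYSTEM={1,-50} {2}' -f "%$name%", $asSystem, $verdict
}
```

A variable absent from the SYSTEM block is one ekrn.exe cannot expand; one that is present but points into the SYSTEM account's own profile (the systemprofile directory) will never match a path inside a logged-on user's profile, which is the silent non-match described above.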
