Internet Security 12.0.27

First up is the block action as it pertains to monitoring of registry key changes. An Eset alert is generated to block or allow even if the Notify User option is disabled. In other words, the block action behaves identically to an ask action with the exception that thankfully, the action will be blocked after the alert display times out. Such is not the case if the monitoring action is for an application. This works as expected with no Eset alert generated.

Next is the HIPS action pertaining to Debug another application. I assumed this rule would monitor the following type of activity:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe
"debugger"="c:\windows\system32\cmd.exe"

That is, when sethc.exe is started, what actually runs is cmd.exe. I created a HIPS rule with cmd.exe as the source application, the action Debug another application, and the target application as sethc.exe, and the activity was not detected by the HIPS.

Edited by itman


Your assumption is wrong. It's not sethc.exe which starts cmd.exe.

In the example below I launched notepad.exe from the start menu, i.e. from the explorer.exe process:


As for the first reported issue, please use Problem Steps Recorder (psr.exe) to generate a package with a mht and other files that will show what you exactly did step by step.


44 minutes ago, Marcos said:

In the example below I launched notepad.exe from the start menu, i.e. from the explorer.exe process

Yes, I knew that. The question is just what does the Debug another application monitor for? Most likely windbg.exe use I assume.

44 minutes ago, Marcos said:

As for the first reported issue, please use Problem Steps Recorder (psr.exe) to generate a package with a mht and other files that will show what you exactly did step by step.

Too much work. Below are screenshots of the rule in question:

[Screenshots: Eset_Rule_1.png, Eset_Rule_2.png, Eset_Rule_3.png, Eset_Rule_4.png]


@Marcos, chalk this up to "sometimes you post dumb things."

What I was using for testing via admin level command window was:

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v debugger /d "c:\windows\system32\cmd.exe"

The alert I was getting was from reg.exe trying to start. I monitor all reg.exe execution with an Ask HIPS rule.
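As an added example (not part of this thread or of ESET's product): a small Python audit that parses a `reg export` dump of the Image File Execution Options key and reports every image whose subkey carries a Debugger value, which is the condition the HIPS rule discussed above was meant to catch. The .reg text below is constructed sample input, not output from a real system.

```python
import re
from typing import Dict, Optional

# Registry path the thread is about; compared case-insensitively.
IFEO_PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Constructed sample of a `reg export` (.reg) dump. In .reg files backslashes
# inside string values are escaped as "\\"; the value name is "debugger" in
# lowercase because that is what the `reg add ... /v debugger` command creates
# (registry value names are case-insensitive, so the loader still honours it).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"DisableExceptionChainValidation"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"debugger"="c:\\windows\\system32\\cmd.exe"
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
_STRING_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def _image_from_key(key: str) -> Optional[str]:
    """Return the image name if `key` is a direct child of the IFEO key, else None."""
    prefix = IFEO_PREFIX.lower() + "\\"
    if not key.lower().startswith(prefix):
        return None
    image = key[len(prefix):]
    # Nested keys (e.g. <image>\PerfOptions) are not where a Debugger value is read from.
    return None if "\\" in image else image.lower()


def find_ifeo_debuggers(reg_text: str) -> Dict[str, str]:
    """Map image name -> debugger command for every IFEO subkey that sets a Debugger value."""
    findings: Dict[str, str] = {}
    current_image: Optional[str] = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            current_image = _image_from_key(key_match.group(1))
            continue
        if current_image is None:
            continue
        value_match = _STRING_VALUE_RE.match(line)
        if value_match and value_match.group(1).lower() == "debugger":
            findings[current_image] = value_match.group(2).replace("\\\\", "\\")
    return findings
```

Run it against the text of `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg`; any image listed that is not a developer tool you installed deserves a look.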
