Jump to content
Martin Ba

Oh my, I nearly bricked my laptop with a HIPS rule.

Recommended Posts

I am writing this mainly in the hopes it may be useful info/warning for others. (after all these forums seem to be Google indexed). Also questions at the end.

I was looking into Windows Controlled Folder Access on my Windows 10 Home laptop, and found a thread https://forum.eset.com/topic/13514-controlled-access-folders-with-defender-in-1709/ that mentioned that there are HIPS rules/filters "ask" where I can protect access to certain folders.

Well. I tried. I created a rule "for all apps" with "file operations" and at the end specified a specific folder containing some PDFs.

It seems I did something wrong: ESET started blocking *every* file access by *every* program on the system, essentially making the system unusable, and essentially making me unable to revert the changes, as even the ESET Gui wasn't reacting properly anymore. I could continue to click some operations, but was unable to make any changes persist in ESET, and after a while the system would basically hang in a "Please wait ..." windows screen.

After fiddling around, I managed to get into a recovery console of Win10 (*a) and was able to rename the ESET program folder from "ESET" to "ESET_disabled" thereby preventing the ESET service from starting on next reboot.

I took a quick peek into the registry to see if the options would be changeable there, but no luck so far. Too much, too cryptic in regedit.

Anyways, I will now try to remove ESET and probably reinstall it, keeping my fingers away from these stupid HIPS rules.

A few questions though:

* Is there any supported way to change ESET settings via registry keys (or maybe via the command line) while the ESET service is stopped?
* Something like having the ESET service start fully disabled next time it's started, so that it cannot interfere and I can revert messed up settings.

Fun. Fun. Fun. :-(

(*a): The Windows Login Screen isn't affected by the ask rules, so I was able to reboot, press SHIFT+reboot there and go into the recovery console and rename the folder from the command line there.

Share this post


Link to post
Share on other sites

"The moral of this story" is if you don't understand how something works, you run the risk of severe damage if you fool around with it.

As a rule, I don't create block rules with the HIPS but only ask rules. Also one should experiment with a few non-critical files/directories/etc. prior to attempting restrictive activities against critical system and an app executables and files.

Also, Eset did not create the HIPS for user interaction with it.  Its primary purpose is self-protection use and protection for a few critical system and registry areas. As such, you will not receive any official guidance in the creation of HIPS rules other than a few Eset KB articles on ransomware rules directed to users of the Endpoint product. 

Share this post


Link to post
Share on other sites

@itman - well yeah, I was a bit careless. I will note a few things however:

* I DID specify an "ask" rule, but in such a catch all scenario it really stops mattering.

* I wanted to experiment with a non-critical folder - in fact the setting only contained such a non-critical folder -- or so it seemed to me at the time of creation.

If I had been more cautions and restricted the affected applications to, say, Firefox, then maybe I would have noticed in a non-fatal way that something didn't work with the directories I specified.

 

Share this post


Link to post
Share on other sites

Let me give you an example of the problems one can run into if they don't have in depth OS operational knowledge.

There are hidden OS used files in AppData directories. Desktop.ini is an example of one and it is constantly being updated. So as far as doing monitoring of controlled folders goes if you would have stuck to My Documents, Downloads, Photos, etc. folders, you probably wouldn't have run into issues.

Share this post


Link to post
Share on other sites

Ask rules have a fail-safe mechanism; there is a timeout after which the operation will be allowed. This is exactly to prevent the system from freezing when you are prompted for an action but gui is not running yet or cannot pop up.

Share this post


Link to post
Share on other sites

This publication: https://euroscug.org/wp-content/uploads/2017/11/Windows-10-Controlled-Folder-Access_1_3.pdf is worth a read in noting that WD's Controlled Folders feature is far from without out issues. These range from minimally missing desktop icons upon program installation processing completion to apps not being able to run subsequently.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

×