red pill 0 Posted January 26, 2019 Share Posted January 26, 2019 (edited) I get notification from eset that ask me if to allow or deny cleanmgr from starting DismHost.exe and I keep allow and save as a rule permanently but i keep getting those notifications and got like 5 or six of them by now. I see in the HIPS rules 4 rules with cleanmgr(which is in the system32 directory) and allow applications and I see in the details things like "applications: C:\Users\ZX\AppData\Local\Temp\19AC00DD-0460-4E2C-9551-807A069672A2\dismhost.exe" and "applications: C:\Users\ZX\AppData\Local\Temp\879EF6C8-A4F7-4250-B29E-4054B20FE451\dismhost.exe". there is something wrong here? or its just an inevitable outcome of using the "interactive mode" in the filtering mode? Edited January 26, 2019 by red pill Link to comment Share on other sites More sharing options...
Administrators Marcos 5,074 Posted January 26, 2019 Administrators Share Posted January 26, 2019 Interactive mode is not suitable for normal use since it will prompt you for an action very frequently. In your case you probably create a rule for a file with the full path but the path was different next time so the previous rule wasn't applied. I'd recommend using smart mode with custom rules, if needed. Link to comment Share on other sites More sharing options...
itman 1,659 Posted January 26, 2019 Share Posted January 26, 2019 Create a HIPS rule to allow cleanmgr.exe to write to and delete files in C:\Users\xxxxxx\AppData\Local\Temp\*. It worked for me in allowing DISM to run w/o issue since I also monitor any process startup activity in AppData directories. Link to comment Share on other sites More sharing options...
red pill 0 Posted January 26, 2019 Author Share Posted January 26, 2019 1 hour ago, itman said: Create a HIPS rule to allow cleanmgr.exe to write to and delete files in C:\Users\xxxxxx\AppData\Local\Temp\*. It worked for me in allowing DISM to run w/o issue since I also monitor any process startup activity in AppData directories. so in the HIPS rules i should make a rule with files enabled at the "operations affecting" section, then at the "source application" section adding "C:\Windows\System32\cleanmgr.exe", and then at the "file operations" section enabling "delete file" and "write to file", and then at the "files" section choosing specific file and then adding "C:\Users\ZX\AppData\Local\Temp\*" ? . the * in the "C:\Users\ZX\AppData\Local\Temp\*" will mean that the rule will affect any file at the C:\Users\ZX\AppData\Local\Temp\ directory?. Link to comment Share on other sites More sharing options...
itman 1,659 Posted January 26, 2019 Share Posted January 26, 2019 4 minutes ago, red pill said: so in the HIPS rules i should make a rule with files enabled at the "operations affecting" section, then at the "source application" section adding "C:\Windows\System32\cleanmgr.exe", and then at the "file operations" section enabling "delete file" and "write to file", and then at the "files" section choosing specific file and then adding "C:\Users\ZX\AppData\Local\Temp\*" ? . the * in the "C:\Users\ZX\AppData\Local\Temp\*" will mean that the rule will affect any file at the C:\Users\ZX\AppData\Local\Temp\ directory?. Yes. Link to comment Share on other sites More sharing options...
red pill 0 Posted January 27, 2019 Author Share Posted January 27, 2019 On 1/26/2019 at 4:57 PM, itman said: Create a HIPS rule to allow cleanmgr.exe to write to and delete files in C:\Users\xxxxxx\AppData\Local\Temp\*. It worked for me in allowing DISM to run w/o issue since I also monitor any process startup activity in AppData directories. the cleanmgr also want to start applications in that directory, is this normal?, should I create a similar rule about starting application from this directory? Link to comment Share on other sites More sharing options...
itman 1,659 Posted January 27, 2019 Share Posted January 27, 2019 (edited) 22 hours ago, red pill said: the cleanmgr also want to start applications in that directory, is this normal?, should I create a similar rule about starting application from this directory? Correct. Forgot to mention that. For example, it starts DISMhost.exe. Edited January 28, 2019 by itman Link to comment Share on other sites More sharing options...
red pill 0 Posted January 28, 2019 Author Share Posted January 28, 2019 (edited) On 1/26/2019 at 4:57 PM, itman said: Create a HIPS rule to allow cleanmgr.exe to write to and delete files in C:\Users\xxxxxx\AppData\Local\Temp\*. It worked for me in allowing DISM to run w/o issue since I also monitor any process startup activity in AppData directories. I also started to get some notifications from ESET about the dismhost.exe . i clicked allow and the rule have "write to file" and "files: all files" and there are two rules like this now with different sources in the " C:\Users\ZX\AppData\Local\Temp\" directory. what should i do? create a rule for " C:\Users\ZX\AppData\Local\Temp\* " in the source application and enable "files" and "write to file" and then choosing "all files" in the "file" section?. I done it and i get notification about a rule with invalid data.. I can't put "C:\Users\ZX\AppData\Local\Temp\* " in the source application section?. Edited January 28, 2019 by red pill Link to comment Share on other sites More sharing options...
itman 1,659 Posted January 28, 2019 Share Posted January 28, 2019 (edited) I have a HIPS rule that monitors all process startups in %Appdata% directories. The only process that I allow via specific HIPS rule to do so is cleanmgr.exe. Windows has a scheduled task that runs cleanmgr.exe periodically; i.e. SilentCleanup. Cleanmgr.exe in turn runs dismhost.exe. I have no specific HIPS rules for dismhost.exe. To my best knowledge, the HIPS by default allows all child processes if the parent process is allowed. If you are receiving alerts on dismhost.exe, you must have created a HIPS rule previously to do so. Note that if you are going to create user HIPS rules, it is up to you to monitor that they are being correctly applied and functioning as you expect. Eset doesn't encourage users to create HIPS rules. As such, you will only receive minimal support in this regard from Eset. -EDIT- If you see dismhost.exe running frequently, it is indicative of possible Win OS issues. You can Google on "dismhost.exe" about this. Edited January 29, 2019 by itman Link to comment Share on other sites More sharing options...
itman 1,659 Posted January 29, 2019 Share Posted January 29, 2019 My "memory returned" in regards to cleamgr.exe use of dismhost.exe. As I recollect, cleanmger.exe actual runs dismhost.exe as a shell process from dism.exe. It is therefore imperative when creating user HIPS rules to pay attention to what is shown on the command line shown in the Eset alert. As I stated previous, I don't have any rules created specifically for dismhost.exe. Additionally it can be run under certain situations in regards to "sfc.exe /scannow" command line and compattelrunner.exe execution to name a few legit Windows processes. Unfortunately dismhost.exe running in the context of cleanmgr.exe has been used maliciously in the past: https://threatpost.com/windows-uac-bypass-leaves-systems-open-to-malicious-dlls/119468/ and https://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup/ . The same is true for other legit Windows processes. It is therefore imperative that one always runs UAC at its highest level which will thwart most of these UAC bypasses. Unfortunately, this dismhost.exe UAC bypass was not one them. Link to comment Share on other sites More sharing options...
Recommended Posts