Jump to content
Nono

HIPS Rules - Generic path doesn't always work

Recommended Posts

Hi there,

I'm using ESMC / Eset endpoint security version:

ESET Security Management Center (Server), Version 7.0 (7.0.451.0)
ESET Security Management Center (Web Console), Version 7.0 (7.0.413.0)
ESET Management Agent 7.0.577.0
ESET Endpoint Security 7.1.2045.5

When I configure some HIPS rules, I've a strange behavior depending of the endpoint (on same version of either ESET and Windows 10) :

Some "generic" rules like C:\Users\\AppData\app.exe works on majority of computer (note the empty folder to replace any users)

But some doesn't and need to enter the specific user account (eg. C:\Users\dummyUser\AppData\app.exe)

Is there a way to debug/understand why such behavior ?

 

Share this post


Link to post
Share on other sites

I would say that rules with "*" to substitute a folder name should never work since wildcards are supported only in registry paths.

Share this post


Link to post
Share on other sites
1 hour ago, Marcos said:

I would say that rules with "*" to substitute a folder name should never work since wildcards are supported only in registry paths.

Hi MArcos, I'm aware that we can't use "*" but "nothing" works on the majority of our endpoint !

Only some aren't working anymore (they use to work before agent/security upgrade).

Share this post


Link to post
Share on other sites
Posted (edited)
3 hours ago, Nono said:

Some "generic" rules like C:\Users\\AppData\app.exe works on majority of computer (note the empty folder to replace any users)

But some doesn't and need to enter the specific user account (eg. C:\Users\dummyUser\AppData\app.exe)

To begin with, Eset HIPS doesn't official support "\\" notation in a path name. If it works, it would only apply to the immediate path specified. In other words in your example for the C:\Users directory, but not for any subordinate directories specified within the C:\Users directory.

Edited by itman

Share this post


Link to post
Share on other sites
56 minutes ago, itman said:

To begin with, Eset HIPS doesn't official support "\\" notation in a path name. If it works, it would only apply to the immediate path specified. In other words in your example for the C:\Users directory, but not for any subordinate directories specified within the C:\Users directory.

I'm not sure I fully understand, but I have a working rule which is like :

C:\Users\\AppData\Local\Temp\\soft.exe (aka with 2 \\) and still work like a charm.

 

So, I agree this is maybe not "officially" supported, but why it works on SOME machines, but not the others ? Is there a way to check this ?

Share this post


Link to post
Share on other sites

Is there an "officially supported" way to do this for HIPS rules ?

Share this post


Link to post
Share on other sites

It's not officially supported but it works, however.

Share this post


Link to post
Share on other sites

Thanks Marcos,

So, going back to my original question : What could make it works on one computer and not another ?

Share this post


Link to post
Share on other sites
Posted (edited)
On 6/7/2019 at 6:47 AM, Nono said:

Some "generic" rules like C:\Users\\AppData\app.exe works on majority of computer (note the empty folder to replace any users)

But some doesn't and need to enter the specific user account (eg. C:\Users\dummyUser\AppData\app.exe)

It might have something to do with the status of the specific user account.

For example, the "All Users" account is considered an operating system directory and is not shown by default in Windows Explorer. I suspect that "\\" use as far as the Eset HIPS goes might only work for directories that are not hidden by default.

It also might not work based on user account status. For example if the user logs in as standard user, versus a local admin.

Edited by itman

Share this post


Link to post
Share on other sites
10 hours ago, Nono said:

So, going back to my original question : What could make it works on one computer and not another ?

You can provide me with ELC logs from the machine where it doesn't work and describe what you would like to achieve.

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...