
HIPS Deny Child Processes from Office...


SimonC


Hi, we have implemented the policy recommended here to block child processes from Office processes. We are running Endpoint Antivirus 7.1.2053.0.

https://support.eset.com/kb6119/

We are finding mixed results across our Windows machines. We have only one policy with the setting as described, but some devices are being blocked from opening .jpg files while others are not. We have changed the default .jpg viewer without success. We have tested on various versions of Office and Windows 10 and can find nothing in common among the devices that fail to open .jpgs. PDFs are not blocked on any device, which I would expect them to be.

Does anyone else have experience of this issue?  Any solutions?

Thanks

Simon


  • Administrators

You can temporarily enable logging of blocked operations in the advanced HIPS setup and reproduce the issue. Then disable logging, check the HIPS log for details about blocked operations and adjust the blocking HIPS rule accordingly or create a new permissive rule.


2 hours ago, SimonC said:

By default, this policy only monitors the following child processes:

  • C:\Windows\System32\cmd.exe
  • C:\Windows\SysWOW64\cmd.exe
  • C:\Windows\System32\wscript.exe
  • C:\Windows\SysWOW64\wscript.exe
  • C:\Windows\System32\cscript.exe
  • C:\Windows\SysWOW64\cscript.exe
  • C:\Windows\System32\ntvdm.exe
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  • C:\Windows\System32\regsvr32.exe
  • C:\Windows\SysWOW64\regsvr32.exe
  • C:\Windows\System32\rundll32.exe
  • C:\Windows\SysWOW64\rundll32.exe

In Win 10, the default opening app for .jpg files is the Windows Photos app, i.e. C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.17920.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe. Note that the name of this app changes with every update to it.

If the .jpg file is embedded in an Office file, the above app will open it by default.

Edited by itman
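A triage helper for the approach in the administrator's reply (enable HIPS logging of blocked operations, then tune the rule) combined with the default list quoted above: an added example, not ESET's code or anything from this thread. It assumes a constructed CSV export with host, parent, child and action columns (not ESET's real HIPS log format) and uses the Office and Photos paths from the thread as sample values; a blocked child that is not on the default list shows that the device's rule is broader than the KB default.

```python
import csv
import io
import re
from collections import defaultdict

# Child processes the thread says the KB6119 rule monitors by default (paths from the post).
DEFAULT_MONITORED = {p.lower() for p in [
    r"C:\Windows\System32\cmd.exe", r"C:\Windows\SysWOW64\cmd.exe",
    r"C:\Windows\System32\wscript.exe", r"C:\Windows\SysWOW64\wscript.exe",
    r"C:\Windows\System32\cscript.exe", r"C:\Windows\SysWOW64\cscript.exe",
    r"C:\Windows\System32\ntvdm.exe",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
    r"C:\Windows\System32\regsvr32.exe", r"C:\Windows\SysWOW64\regsvr32.exe",
    r"C:\Windows\System32\rundll32.exe", r"C:\Windows\SysWOW64\rundll32.exe",
]}

# A WindowsApps package folder embeds the app version (..._2019.19071.17920.0_x64__...), which
# changes with every update of the app; this pattern isolates that version segment.
_PKG_VERSION = re.compile(r"(\\WindowsApps\\[^\\_]+)_[\d.]+_", re.IGNORECASE)
def normalize(path):
    """Lower-case a path and swap the package version for a placeholder, so every update
    of the same Store app (e.g. Microsoft.Photos.exe) yields one key."""
    return _PKG_VERSION.sub(r"\1_<version>_", path).lower()

# Constructed sample export, NOT ESET's real HIPS log format (an assumption): one row per
# child-process launch recorded while HIPS logging of blocked operations was enabled.
SAMPLE_LOG = r"""host,parent,child,action
PC-01,C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE,C:\Windows\System32\cmd.exe,Blocked
PC-01,C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE,C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.17920.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe,Blocked
PC-02,C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE,C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2020.20090.1002.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe,Allowed
PC-02,C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE,C:\Windows\SysWOW64\wscript.exe,Blocked
"""
def parse_log(text):
    """Parse the CSV export into row dicts with keys host, parent, child, action."""
    return list(csv.DictReader(io.StringIO(text)))

def classify(rows):
    """Per host, count blocked launches per normalized child path and flag whether that child
    is on the default list. A blocked child NOT on the list (here the Photos app on PC-01)
    shows that device's rule is broader than the KB default and needs a permissive rule."""
    out = defaultdict(dict)
    for r in rows:
        if r["action"].strip().lower() != "blocked":
            continue  # only blocked operations matter for tuning the rule
        key = normalize(r["child"])
        count, _ = out[r["host"]].get(key, (0, False))
        out[r["host"]][key] = (count + 1, key in DEFAULT_MONITORED)
    return dict(out)
```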

12 hours ago, itman said:

By default, this policy only monitors the following child processes:

  • C:\Windows\System32\cmd.exe
  • C:\Windows\SysWOW64\cmd.exe
  • C:\Windows\System32\wscript.exe
  • C:\Windows\SysWOW64\wscript.exe
  • C:\Windows\System32\cscript.exe
  • C:\Windows\SysWOW64\cscript.exe
  • C:\Windows\System32\ntvdm.exe
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  • C:\Windows\System32\regsvr32.exe
  • C:\Windows\SysWOW64\regsvr32.exe
  • C:\Windows\System32\rundll32.exe
  • C:\Windows\SysWOW64\rundll32.exe

In Win 10, the default opening app for .jpg files is the Windows Photos app, i.e. C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.17920.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe. Note that the name of this app changes with every update to it.

If the .jpg file is embedded in an Office file, the above app will open it by default.

Thanks, that explains it.

Simon

