Jump to content

HIPS Deny Child Processes from Office...


SimonC
 Share

Recommended Posts

Hi we have implemented the policy recommended here to block child processes from Office processes.  We are running Endpoint Antivirus 7.1.2053.0

https://support.eset.com/kb6119/

We are finding mixed results across our windows machines, we have only one policy with the setting as described but some devices are being blocked from opening jpg files but others are not. We have changed the default jpg viewer without success.  We have tested on various versions of Office and Windows 10 and can find nothing in common in devices which fail to open jpgs.  PDFS are not blocked on any device which I would expect to be. 

Does anyone else have experience of this issue?  Any solutions?

Thanks

Simon

Link to comment
Share on other sites

  • Administrators

You can temporarily enable logging of blocked operations in the advanced HIPS setup and reproduce the issue. Then disable logging, check the HIPS log for details about blocked operations and adjust the blocking HIPS rule accordingly or create a new permissive rule.

Link to comment
Share on other sites

2 hours ago, SimonC said:

By default, this policy only monitors the following child processes:

  • C:\Windows\System32\cmd.exe
  • C:\Windows\SysWOW64\cmd.exe
  • C:\Windows\System32\wscript.exe
  • C:\Windows\SysWOW64\wscript.exe
  • C:\Windows\System32\cscript.exe
  • C:\Windows\SysWOW64\cscript.exe
  • C:\Windows\System32\ntvdm.exe
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  • C:\Windows\System32\regsvr32.exe
  • C:\Windows\SysWOW64\regsvr32.exe
  • C:\Windows\System32\rundll32.exe
  • C:\Windows\SysWOW64\rundll32.exe

In Win 10, the default opening app for .jpg files is the Windows Photos app; i.e.C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.17920.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe. Note that the name of this app changes with every update to it.

If the .jpg file is embedded in an Office file, the above app will open it by default.

Edited by itman
Link to comment
Share on other sites

12 hours ago, itman said:

By default, this policy only monitors the following child processes:

  • C:\Windows\System32\cmd.exe
  • C:\Windows\SysWOW64\cmd.exe
  • C:\Windows\System32\wscript.exe
  • C:\Windows\SysWOW64\wscript.exe
  • C:\Windows\System32\cscript.exe
  • C:\Windows\SysWOW64\cscript.exe
  • C:\Windows\System32\ntvdm.exe
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  • C:\Windows\System32\regsvr32.exe
  • C:\Windows\SysWOW64\regsvr32.exe
  • C:\Windows\System32\rundll32.exe
  • C:\Windows\SysWOW64\rundll32.exe

In Win 10, the default opening app for .jpg files is the Windows Photos app; i.e.C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.17920.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe. Note that the name of this app changes with every update to it.

If the .jpg file is embedded in an Office file, the above app will open it by default.

Thanks, that explains it.

Simon

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...