SimonC 2
Posted November 4, 2019

Hi, we have implemented the policy recommended here to block child processes from Office processes. We are running Endpoint Antivirus 7.1.2053.0.

https://support.eset.com/kb6119/

We are finding mixed results across our Windows machines. We have only one policy with the setting as described, but some devices are being blocked from opening jpg files but others are not. We have changed the default jpg viewer without success. We have tested on various versions of Office and Windows 10 and can find nothing in common in devices which fail to open jpgs. PDFs are not blocked on any device, which I would expect them to be.

Does anyone else have experience of this issue? Any solutions?

Thanks
Simon

Marcos 5,235 (Administrators)
Posted November 4, 2019

You can temporarily enable logging of blocked operations in the advanced HIPS setup and reproduce the issue. Then disable logging, check the HIPS log for details about blocked operations and adjust the blocking HIPS rule accordingly or create a new permissive rule.

itman 1,742
Posted November 4, 2019

2 hours ago, SimonC said:
> https://support.eset.com/kb6119/

By default, this policy only monitors the following child processes:

C:\Windows\System32\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\wscript.exe
C:\Windows\SysWOW64\wscript.exe
C:\Windows\System32\cscript.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\System32\ntvdm.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\regsvr32.exe
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe

In Win 10, the default opening app for .jpg files is the Windows Photos app; i.e. C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.17920.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe. Note that the name of this app changes with every update to it.

If the .jpg file is embedded in an Office file, the above app will open it by default.

Edited November 4, 2019 by itman

SimonC 2 (Author)
Posted November 5, 2019

12 hours ago, itman said:
> By default, this policy only monitors the following child processes:
>
> C:\Windows\System32\cmd.exe
> C:\Windows\SysWOW64\cmd.exe
> C:\Windows\System32\wscript.exe
> C:\Windows\SysWOW64\wscript.exe
> C:\Windows\System32\cscript.exe
> C:\Windows\SysWOW64\cscript.exe
> C:\Windows\System32\ntvdm.exe
> C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
> C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
> C:\Windows\System32\regsvr32.exe
> C:\Windows\SysWOW64\regsvr32.exe
> C:\Windows\System32\rundll32.exe
> C:\Windows\SysWOW64\rundll32.exe
>
> In Win 10, the default opening app for .jpg files is the Windows Photos app; i.e. C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.17920.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe. Note that the name of this app changes with every update to it.
>
> If the .jpg file is embedded in an Office file, the above app will open it by default.

Thanks, that explains it.

Simon

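An added example, not part of any post above and not ESET code: a Python check that takes child-process paths (for instance, ones read out of the HIPS log) and reports whether each is on the default list quoted in the thread, reducing a WindowsApps path to its version-independent package family so the same app compares equal across updates. PHOTOS_UPDATED is a constructed path, and the function names are illustrative assumptions.

```python
from pathlib import PureWindowsPath  # Windows path rules (case-insensitive) on any OS

# Default monitored child processes, as listed in the thread for the KB6119 policy.
MONITORED = {
    PureWindowsPath(d, rel)
    for d in (r"C:\Windows\System32", r"C:\Windows\SysWOW64")
    for rel in ("cmd.exe", "wscript.exe", "cscript.exe", "regsvr32.exe",
                "rundll32.exe", r"WindowsPowerShell\v1.0\powershell.exe")
} | {PureWindowsPath(r"C:\Windows\System32\ntvdm.exe")}

WINDOWSAPPS = PureWindowsPath(r"C:\Program Files\WindowsApps")

# Path quoted in the thread, and a CONSTRUCTED path for a later app version.
PHOTOS = (r"C:\Program Files\WindowsApps\Microsoft.Windows.Photos_"
          r"2019.19071.17920.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe")
PHOTOS_UPDATED = PHOTOS.replace("2019.19071.17920.0", "2019.99999.1.0")


def package_family(path):
    """Return (family_name, version) for a file under WindowsApps, else None."""
    try:
        rel = PureWindowsPath(path).relative_to(WINDOWSAPPS)
    except ValueError:
        return None
    # Folder is the package full name: Name_Version_Arch_ResourceId_PublisherId
    fields = rel.parts[0].split("_") if len(rel.parts) > 1 else []
    if len(fields) != 5:
        return None
    name, version, _arch, _resource, publisher = fields
    return f"{name}_{publisher}", version


def classify(path):
    """Say whether a child process is on the listed defaults or a versioned app."""
    if PureWindowsPath(path) in MONITORED:
        return "listed"
    family = package_family(path)
    return f"not listed; versioned package {family[0]}" if family else "not listed"


def same_app(path_a, path_b):
    """True when both paths belong to the same package family, whatever the version."""
    a, b = package_family(path_a), package_family(path_b)
    return a is not None and b is not None and a[0] == b[0]


if __name__ == "__main__":
    for child in (r"c:\windows\system32\CMD.EXE", PHOTOS, PHOTOS_UPDATED):
        print(f"{classify(child):60} {child}")
```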