SimonC

HIPS Deny Child Processes from Office...


Hi, we have implemented the policy recommended here to block child processes from Office processes. We are running Endpoint Antivirus 7.1.2053.0.

https://support.eset.com/kb6119/

We are finding mixed results across our Windows machines. We have only one policy with the setting as described, but some devices are being blocked from opening .jpg files while others are not. We have changed the default .jpg viewer without success. We have tested on various versions of Office and Windows 10 and can find nothing in common in the devices which fail to open .jpgs. PDFs are not blocked on any device, which I would expect them to be.

Does anyone else have experience of this issue?  Any solutions?

Thanks

Simon


You can temporarily enable logging of blocked operations in the advanced HIPS setup and reproduce the issue. Then disable logging, check the HIPS log for details about blocked operations and adjust the blocking HIPS rule accordingly or create a new permissive rule.

By default, this policy only monitors the following child processes:

  • C:\Windows\System32\cmd.exe
  • C:\Windows\SysWOW64\cmd.exe
  • C:\Windows\System32\wscript.exe
  • C:\Windows\SysWOW64\wscript.exe
  • C:\Windows\System32\cscript.exe
  • C:\Windows\SysWOW64\cscript.exe
  • C:\Windows\System32\ntvdm.exe
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  • C:\Windows\System32\regsvr32.exe
  • C:\Windows\SysWOW64\regsvr32.exe
  • C:\Windows\System32\rundll32.exe
  • C:\Windows\SysWOW64\rundll32.exe

In Win 10, the default opening app for .jpg files is the Windows Photos app, i.e. C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.17920.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe. Note that the name of this app's folder changes with every update to it.

If the .jpg file is embedded in an Office file, the above app will open it by default.

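As an added example (not part of this thread, ESET's KB article, or ESET's own tooling), the PowerShell script below checks three things on a given machine that the post above makes relevant: which of the child-process paths the KB rule names actually exist there, which ProgId is currently registered as the user's .jpg handler, and the current on-disk path of Microsoft.Photos.exe, since the versioned WindowsApps folder name changes with every Photos update. The child-process list is copied from the post; the registry locations and the Get-AppxPackage lookup are standard Windows, and the HKCR `\<ProgId>\Application` key used to map an AppX ProgId back to its AppUserModelID is assumed here as the place Windows records that association.

```powershell
# Added example: inventory the paths that matter for the "deny child processes
# from Office" HIPS rule on this machine. Run as the logged-on user.

# Child-process paths listed in the post (copied verbatim).
$hipsChildren = @(
    'C:\Windows\System32\cmd.exe',
    'C:\Windows\SysWOW64\cmd.exe',
    'C:\Windows\System32\wscript.exe',
    'C:\Windows\SysWOW64\wscript.exe',
    'C:\Windows\System32\cscript.exe',
    'C:\Windows\SysWOW64\cscript.exe',
    'C:\Windows\System32\ntvdm.exe',
    'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
    'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe',
    'C:\Windows\System32\regsvr32.exe',
    'C:\Windows\SysWOW64\regsvr32.exe',
    'C:\Windows\System32\rundll32.exe',
    'C:\Windows\SysWOW64\rundll32.exe'
)

Write-Host '== Child-process paths named by the HIPS rule =='
foreach ($p in $hipsChildren) {
    # Paths that do not exist (e.g. ntvdm.exe on 64-bit Windows) can never match.
    $state = if (Test-Path -LiteralPath $p) { 'present' } else { 'missing' }
    Write-Host ('{0,-8} {1}' -f $state, $p)
}

# The per-user .jpg handler. UserChoice, when set, takes precedence over the
# HKCR default, so this is the value that decides what Office hands the file to.
$userChoiceKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\UserChoice'
$userChoice = Get-ItemProperty -Path $userChoiceKey -ErrorAction SilentlyContinue
$progId = $userChoice.ProgId
Write-Host "== .jpg UserChoice ProgId: $progId"

if ($progId -and $progId.StartsWith('AppX')) {
    # Assumption: a Store-app ProgId maps to its AppUserModelID under
    # HKCR\<ProgId>\Application (this is how the handler is resolved to a package).
    $appKey = "Registry::HKEY_CLASSES_ROOT\$progId\Application"
    $app = Get-ItemProperty -Path $appKey -ErrorAction SilentlyContinue
    if ($app) { Write-Host "   AppUserModelID: $($app.AppUserModelID)" }
}

# Current install location of the Photos app. The folder name carries the
# package version, so any HIPS rule that hard-codes it breaks on the next update.
$photos = Get-AppxPackage -Name Microsoft.Windows.Photos |
    Sort-Object { [version]$_.Version } -Descending |
    Select-Object -First 1
if ($photos) {
    $exe = Join-Path $photos.InstallLocation 'Microsoft.Photos.exe'
    Write-Host "== Photos package: $($photos.PackageFullName)"
    Write-Host "   executable:     $exe"
    Write-Host "   exists on disk: $(Test-Path -LiteralPath $exe)"
} else {
    Write-Host '== Photos app is not installed for this user'
}
```

Running this on a machine that blocks .jpg and on one that does not, and comparing the ProgId and Photos package lines, shows directly whether the two machines are launching different handlers (or different Photos versions) from Office, which is the cheapest way to confirm what the HIPS log will report once logging of blocked operations is turned on.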
Thanks, that explains it.

Simon
