Jump to content

HIPS problem


BALTAGY
 Share

Recommended Posts

  • ESET Insiders

Hi,

I tried to prevent any program from editing files on desktop as a test, so created HIPS rule to prevent any app to write or delete files on desktop location

I get the warning and i choose block but still the file get renamed and i can edit it and save it even if i tell HIPS to auto block any changes

Not sure if it's HIPS problem or something i did wrong ? i did test it in Vmware as a clean install

Thanks

Snap1.png

Snap2.png

Snap3.png

Snap5.png

Link to comment
Share on other sites

Appears you are not aware that not all shortcuts; i.e. .lnk files, are stored in the user\desktop directory. Most program installers will create their associated desktop .lnk file in this directory, C:\Users\Public\Desktop, in Win 10.

Link to comment
Share on other sites

  • ESET Insiders

Tested it in E drive it's working when i add E:\*.* or choosing the file

But using E:\ only don't work even ESET say it's blocked but it's not same on Desktop

That was the problem, using ESET to choose a drive or folder don't add *.* and you will be asked or you will see in logs that it's auto blocked but it's not

Link to comment
Share on other sites

  • ESET Insiders

Also it will be great to have an option to add a folder that contain exe files

For example i like to add all exe files in temp folder and prevent it from writing to files in other drives, i think it can be a good protection for Ransomware ?

Link to comment
Share on other sites

46 minutes ago, BALTAGY said:

But using E:\ only don't work even ESET say it's blocked but it's not same on Desktop

Yeah, it's a bit "flaky" what Eset is doing. Whereas modification to the directory is blocked, modification to anything within the directory is not. I have always made it a point to code *.* to cover anything within the directory:

Eset_Blocked.thumb.png.c8c5ce673210f297ed1f11765f052fce.png

Link to comment
Share on other sites

  • ESET Insiders
6 hours ago, itman said:

Yeah, it's a bit "flaky" what Eset is doing. Whereas modification to the directory is blocked, modification to anything within the directory is not. I have always made it a point to code *.* to cover anything within the directory:

Eset_Blocked.thumb.png.c8c5ce673210f297ed1f11765f052fce.png

While choosing a folder with ESET it should add *.* by default

Also if they added ability to choose a folder that contain some exe files to be used in HIPS like if i add temp folder and any exe will be created inside can't do any changes to files, that will be great to stop ransomware

Link to comment
Share on other sites

40 minutes ago, BALTAGY said:

Also if they added ability to choose a folder that contain some exe files to be used in HIPS like if i add temp folder and any exe will be created inside can't do any changes to files, that will be great to stop ransomware

I already coded such a HIPS rule. That is to detect any program startup in Users\XXXX\AppData\*.*. Note that you will receive alerts for legit processes such as installers that love to run temp files from there and Win system processes like DISM. So you have to have the "smarts" to differentiate legit from malicious activity.

Link to comment
Share on other sites

  • ESET Insiders
4 minutes ago, itman said:

I already coded such a HIPS rule. That is to detect any program startup in Users\XXXX\AppData\*.*. Note that you will receive alerts for legit processes such as installers that love to run temp files from there and Win system processes like DISM. So you have to have the "smarts" to differentiate legit from malicious activity.

Can you let me know how this rule can be created, i tried to use Users\XXXX\AppData\*.* but i got error since i must choose an app exe or all applications

Link to comment
Share on other sites

13 hours ago, BALTAGY said:

i tried to use Users\XXXX\AppData\*.*

Use Users\XXXX\AppData\* instead. That is how I coded my rule. Also the Applications section specification must indicate "Specific Applications."

Edited by itman
Link to comment
Share on other sites

  • ESET Insiders

Using Users\XXXX\AppData\* or Users\XXXX\\AppData\* gives error "User rules file contains invalid data"

 

Link to comment
Share on other sites

  • ESET Insiders
3 minutes ago, Marcos said:

For me this worked:

image.png

This one means any exe in appdata in all users ?

Edit got the same error

I think you did understand us wrong, i want ESET to detect any exe in a location like appdata folder then prevent them from editing any files in other drives

Edited by BALTAGY
Link to comment
Share on other sites

7 minutes ago, BALTAGY said:

gives error "User rules file contains invalid data"

Ignore that message and just cancel out of whatever you are doing. I have been receiving it lately in other Eset GUI areas also. The change is saved in any case. Must be a new Eset bug.

Link to comment
Share on other sites

  • ESET Insiders
1 minute ago, itman said:

Ignore that message and just cancel out of whatever you are doing. I have been receiving it lately in other Eset GUI areas also. The change is saved in any case. Must be a new Eset bug.

I think this message is right since i must choose an app exe, i just tested and i can run an app from appdata and edit files in other drives

Link to comment
Share on other sites

  • Administrators
7 minutes ago, BALTAGY said:

This one means any exe in appdata in all users ?

It means any file in appdata in all users. Only "\*" and "\*.*" is supported; it's not currently possible to use "\*.exe" to restrict the rule to exe files only.

Link to comment
Share on other sites

  • ESET Insiders
Just now, itman said:

On the first HIPS rules screen, did you specify "Applications" and not "Files?"

I did choose the files since i want to protect other files in other drives

Link to comment
Share on other sites

  • ESET Insiders

Here's what i want to do in the pic's, i want ESET to detect any exe in appdata and any folder inside for example then prevent them from writing to any files in other drives

Snap2.jpg

Snap3.jpg

Snap4.jpg

Snap5.jpg

Link to comment
Share on other sites

Just now, BALTAGY said:

I did choose the files since i want to protect other files in other drives

It doesn't work that way. To monitor program startup you must specify "Applications."

You can additional specify "Files" is you want to monitor file modification activities. I do not not recommend this for user AppData directories other than My Documents, etc. since files are constantly being created in the Temp directory for example by legit apps.

Link to comment
Share on other sites

1 minute ago, BALTAGY said:

Here's what i want to do in the pic's, i want ESET to detect any exe in appdata and any folder inside for example then prevent them from writing to any files in other drives

Eset doesn't support wildcards in file names. Hence "*.exe" is the source of your issue.

Link to comment
Share on other sites

  • ESET Insiders
Just now, itman said:

Eset doesn't support wildcards in file names. Hence "*.exe" is the source of your issue.

Well that's what i'm asking why HIPS don't allow me to make a rule for any exe in a location like appdata ? i will never know the ransomware name but if i can choose any exe in TEMP folder for example i can get a warning to accept or deny the changes

Link to comment
Share on other sites

1 minute ago, BALTAGY said:

Well that's what i'm asking why HIPS don't allow me to make a rule for any exe in a location like appdata ?

Join the club. I and many others have been asking for file wildcard capability for years.

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...