BALTAGY (ESET Insiders) posted November 10, 2019:
Hi, I tried to prevent any program from editing files on the desktop as a test, so I created a HIPS rule to prevent any app from writing or deleting files in the desktop location. I get the warning and I choose block, but the file still gets renamed and I can edit it and save it, even if I tell HIPS to auto-block any changes. Not sure if it's a HIPS problem or something I did wrong? I tested it in VMware as a clean install. Thanks
stackz (ESET Insiders) posted November 10, 2019:
It should work if you change your specific files path to C:\Users\BALTAGY\Desktop\*.*
itman posted November 10, 2019:
It appears you are not aware that not all shortcuts, i.e. .lnk files, are stored in the user\desktop directory. Most program installers will create their associated desktop .lnk file in this directory, C:\Users\Public\Desktop, in Win 10.
BALTAGY (ESET Insiders, author) posted November 10, 2019:
Tested it on the E drive: it's working when I add E:\*.* or choose the file. But using E:\ only doesn't work; even though ESET says it's blocked, it's not. Same on the desktop. That was the problem: using ESET to choose a drive or folder doesn't add *.*, and you will be asked, or you will see in the logs that it's auto-blocked, but it's not.
BALTAGY (ESET Insiders, author) posted November 10, 2019:
Also, it would be great to have an option to add a folder that contains exe files. For example, I would like to add all exe files in the temp folder and prevent them from writing to files in other drives; I think it can be a good protection against ransomware?
itman posted November 10, 2019:
46 minutes ago, BALTAGY said: "But using E:\ only doesn't work; even though ESET says it's blocked, it's not. Same on the desktop."
Yeah, it's a bit "flaky" what Eset is doing. Whereas modification to the directory is blocked, modification to anything within the directory is not. I have always made it a point to code *.* to cover anything within the directory.
BALTAGY (ESET Insiders, author) posted November 10, 2019:
6 hours ago, itman said: "Yeah, it's a bit "flaky" what Eset is doing. Whereas modification to the directory is blocked, modification to anything within the directory is not. I have always made it a point to code *.* to cover anything within the directory."
When choosing a folder with ESET, it should add *.* by default. Also, if they added the ability to choose a folder that contains some exe files to be used in HIPS, like if I add the temp folder and any exe created inside can't make any changes to files, that would be great to stop ransomware.
itman posted November 11, 2019:
40 minutes ago, BALTAGY said: "Also, if they added the ability to choose a folder that contains some exe files to be used in HIPS, like if I add the temp folder and any exe created inside can't make any changes to files, that would be great to stop ransomware."
I already coded such a HIPS rule. That is, to detect any program startup in Users\XXXX\AppData\*.*. Note that you will receive alerts for legit processes such as installers that love to run temp files from there, and Win system processes like DISM. So you have to have the "smarts" to differentiate legit from malicious activity.
BALTAGY (ESET Insiders, author) posted November 11, 2019:
4 minutes ago, itman said: "I already coded such a HIPS rule. That is, to detect any program startup in Users\XXXX\AppData\*.*. Note that you will receive alerts for legit processes such as installers that love to run temp files from there, and Win system processes like DISM. So you have to have the "smarts" to differentiate legit from malicious activity."
Can you let me know how this rule can be created? I tried to use Users\XXXX\AppData\*.* but I got an error, since I must choose an app exe or all applications.
itman posted November 11, 2019 (edited):
13 hours ago, BALTAGY said: "I tried to use Users\XXXX\AppData\*.*"
Use Users\XXXX\AppData\* instead. That is how I coded my rule. Also, the Applications section specification must indicate "Specific Applications."
Edited November 11, 2019 by itman
Marcos (Administrators) posted November 11, 2019:
You can use double backslashes to substitute any folder in the users folder, i.e. c:\Users\\AppData\*
BALTAGY (ESET Insiders, author) posted November 11, 2019:
Using Users\XXXX\AppData\* or Users\XXXX\\AppData\* gives the error "User rules file contains invalid data".
Marcos (Administrators) posted November 11, 2019:
For me this worked:
BALTAGY (ESET Insiders, author) posted November 11, 2019 (edited):
3 minutes ago, Marcos said: "For me this worked:"
This one means any exe in appdata for all users?
Edit: got the same error. I think you understood us wrong; I want ESET to detect any exe in a location like the appdata folder and then prevent them from editing any files in other drives.
Edited November 11, 2019 by BALTAGY
itman posted November 11, 2019:
7 minutes ago, BALTAGY said: "gives the error "User rules file contains invalid data""
Ignore that message and just cancel out of whatever you are doing. I have been receiving it lately in other Eset GUI areas also. The change is saved in any case. Must be a new Eset bug.
BALTAGY (ESET Insiders, author) posted November 11, 2019:
1 minute ago, itman said: "Ignore that message and just cancel out of whatever you are doing. I have been receiving it lately in other Eset GUI areas also. The change is saved in any case. Must be a new Eset bug."
I think this message is right, since I must choose an app exe; I just tested and I can run an app from appdata and edit files in other drives.
itman posted November 11, 2019:
On the first HIPS rules screen, did you specify "Applications" and not "Files"?
Marcos (Administrators) posted November 11, 2019:
7 minutes ago, BALTAGY said: "This one means any exe in appdata for all users?"
It means any file in appdata for all users. Only "\*" and "\*.*" are supported; it's not currently possible to use "\*.exe" to restrict the rule to exe files only.
BALTAGY (ESET Insiders, author) posted November 11, 2019:
Just now, itman said: "On the first HIPS rules screen, did you specify "Applications" and not "Files"?"
I chose the files, since I want to protect other files in other drives.
BALTAGY (ESET Insiders, author) posted November 11, 2019:
Here's what I want to do in the pics: I want ESET to detect any exe in appdata and any folder inside, for example, and then prevent them from writing to any files in other drives.
itman posted November 11, 2019:
Just now, BALTAGY said: "I chose the files, since I want to protect other files in other drives."
It doesn't work that way. To monitor program startup you must specify "Applications." You can additionally specify "Files" if you want to monitor file modification activities. I do not recommend this for user AppData directories other than My Documents, etc., since files are constantly being created in the Temp directory, for example, by legit apps.
itman posted November 11, 2019:
1 minute ago, BALTAGY said: "Here's what I want to do in the pics: I want ESET to detect any exe in appdata and any folder inside, for example, and then prevent them from writing to any files in other drives."
Eset doesn't support wildcards in file names. Hence "*.exe" is the source of your issue.
BALTAGY (ESET Insiders, author) posted November 11, 2019:
Just now, itman said: "Eset doesn't support wildcards in file names. Hence "*.exe" is the source of your issue."
Well, that's what I'm asking: why doesn't HIPS allow me to make a rule for any exe in a location like appdata? I will never know the ransomware name, but if I can choose any exe in the TEMP folder, for example, I can get a warning to accept or deny the changes.
itman posted November 11, 2019:
Also, "Source Applications" must be a specific program name reference, although multiple names can be entered.
itman posted November 11, 2019:
1 minute ago, BALTAGY said: "Well, that's what I'm asking: why doesn't HIPS allow me to make a rule for any exe in a location like appdata?"
Join the club. I and many others have been asking for file wildcard capability for years.
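The thread above turns on three path-pattern details: a bare directory such as E:\ covers only the directory object, a trailing \* or \*.* is needed to cover the files inside it, a doubled backslash stands in for any one folder name, and file-name wildcards like *.exe are rejected. The following is an added example, not ESET code, that models those stated behaviours so a candidate HIPS rule set can be checked against sample paths before relying on it; whether the \* forms recurse into subfolders is an assumption noted in the comments.

```python
# Added example (not ESET code): a model of the HIPS path-pattern behaviour
# described in this thread, used to check which rule paths in a candidate
# rule set actually cover a given file. Rules modelled from the posts:
#   - a bare directory such as E:\ matches the directory object only;
#   - a trailing \* or \*.* matches anything inside it (assumed recursive);
#   - a doubled backslash (c:\Users\\AppData\*) stands for any one folder;
#   - file-name wildcards such as *.exe are rejected as invalid.
import re

def compile_hips_path(pattern):
    """Translate a HIPS rule path into a regex; ValueError if unsupported."""
    p = pattern.lower()
    recursive = p.endswith("\\*") or p.endswith("\\*.*")
    if recursive:
        p = p[: p.rfind("\\")]          # drop the trailing \* or \*.*
    if "*" in p or "?" in p:
        raise ValueError(f"file-name wildcards are not supported: {pattern}")
    # A "\\" in the pattern yields an empty component: match any one folder.
    parts = p.strip("\\").split("\\")
    body = r"\\".join(r"[^\\]+" if part == "" else re.escape(part)
                      for part in parts)
    tail = r"\\.+$" if recursive else r"\\?$"
    return re.compile("^" + body + tail)

def is_valid_hips_path(pattern):
    """True if the model accepts the pattern, False for e.g. C:\...\*.exe."""
    try:
        compile_hips_path(pattern)
        return True
    except ValueError:
        return False

def matching_rules(rule_paths, file_path):
    """Return the rule paths whose pattern covers file_path (case-insensitive)."""
    target = file_path.lower()
    return [r for r in rule_paths
            if is_valid_hips_path(r) and compile_hips_path(r).match(target)]

if __name__ == "__main__":
    # Constructed sample rules and paths, not taken from a real system.
    rules = ["E:\\", r"E:\*.*", r"C:\Users\\AppData\*",
             r"C:\Users\X\AppData\*.exe"]
    samples = ["E:\\", r"E:\report.docx",
               r"C:\Users\BALTAGY\AppData\Local\Temp\setup.exe"]
    for path in samples:
        print(path, "->", matching_rules(rules, path) or "NOT COVERED")
    print("rejected rules:", [r for r in rules if not is_valid_hips_path(r)])
```

Running it shows the pitfall from the first posts directly: E:\report.docx is covered by E:\*.* but not by E:\ alone, and the *.exe rule is dropped as invalid.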