
HIPS problem


BALTAGY


  • ESET Insiders

Hi,

I tried to prevent any program from editing files on the desktop as a test, so I created a HIPS rule to prevent any app from writing to or deleting files in the desktop location.

I get the warning and I choose block, but the file still gets renamed and I can edit it and save it even if I tell HIPS to auto-block any changes.

Not sure if it's a HIPS problem or something I did wrong? I tested it in VMware as a clean install.

Thanks

[attached screenshots: Snap1.png, Snap2.png, Snap3.png, Snap5.png]


Appears you are not aware that not all shortcuts, i.e. .lnk files, are stored in the user\desktop directory. Most program installers will create their associated desktop .lnk file in this directory, C:\Users\Public\Desktop, in Win 10.


  • ESET Insiders

Tested it on the E drive; it's working when I add E:\*.* or choose the file.

But using E:\ only doesn't work, even though ESET says it's blocked, but it's not. Same on the Desktop.

That was the problem: choosing a drive or folder in ESET doesn't add *.*, and you will be asked or you will see in the logs that it's auto-blocked, but it isn't.


  • ESET Insiders

Also it would be great to have an option to add a folder that contains exe files.

For example, I'd like to add all exe files in the temp folder and prevent them from writing to files on other drives; I think it can be good protection against ransomware?


46 minutes ago, BALTAGY said:

But using E:\ only doesn't work, even though ESET says it's blocked, but it's not. Same on the Desktop.

Yeah, it's a bit "flaky" what Eset is doing. Whereas modification to the directory is blocked, modification to anything within the directory is not. I have always made it a point to code *.* to cover anything within the directory:

[screenshot: Eset_Blocked.png]


  • ESET Insiders
6 hours ago, itman said:

Yeah, it's a bit "flaky" what Eset is doing. Whereas modification to the directory is blocked, modification to anything within the directory is not. I have always made it a point to code *.* to cover anything within the directory:

[screenshot: Eset_Blocked.png]

When choosing a folder in ESET, it should add *.* by default.

Also, if they added the ability to choose a folder that contains some exe files to be used in HIPS, e.g. if I add the temp folder and any exe that gets created inside can't make any changes to files, that would be great to stop ransomware.


40 minutes ago, BALTAGY said:

Also, if they added the ability to choose a folder that contains some exe files to be used in HIPS, e.g. if I add the temp folder and any exe that gets created inside can't make any changes to files, that would be great to stop ransomware.

I already coded such a HIPS rule. That is to detect any program startup in Users\XXXX\AppData\*.*. Note that you will receive alerts for legit processes such as installers that love to run temp files from there and Win system processes like DISM. So you have to have the "smarts" to differentiate legit from malicious activity.


  • ESET Insiders
4 minutes ago, itman said:

I already coded such a HIPS rule. That is to detect any program startup in Users\XXXX\AppData\*.*. Note that you will receive alerts for legit processes such as installers that love to run temp files from there and Win system processes like DISM. So you have to have the "smarts" to differentiate legit from malicious activity.

Can you let me know how this rule can be created? I tried to use Users\XXXX\AppData\*.* but I got an error since I must choose an app exe or all applications.


13 hours ago, BALTAGY said:

I tried to use Users\XXXX\AppData\*.*

Use Users\XXXX\AppData\* instead. That is how I coded my rule. Also the Applications section specification must indicate "Specific Applications."


  • ESET Insiders

Using Users\XXXX\AppData\* or Users\XXXX\\AppData\* gives the error "User rules file contains invalid data".


  • ESET Insiders
3 minutes ago, Marcos said:

For me this worked:

[screenshot]

Does this one mean any exe in appdata for all users?

Edit: got the same error.

I think you understood us wrong; I want ESET to detect any exe in a location like the appdata folder and then prevent them from editing any files on other drives.


7 minutes ago, BALTAGY said:

gives the error "User rules file contains invalid data"

Ignore that message and just cancel out of whatever you are doing. I have been receiving it lately in other Eset GUI areas also. The change is saved in any case. Must be a new Eset bug.


  • ESET Insiders
1 minute ago, itman said:

Ignore that message and just cancel out of whatever you are doing. I have been receiving it lately in other Eset GUI areas also. The change is saved in any case. Must be a new Eset bug.

I think this message is right since I must choose an app exe; I just tested and I can run an app from appdata and edit files on other drives.


  • Administrators
7 minutes ago, BALTAGY said:

Does this one mean any exe in appdata for all users?

It means any file in appdata in all users. Only "\*" and "\*.*" is supported; it's not currently possible to use "\*.exe" to restrict the rule to exe files only.


  • ESET Insiders
Just now, itman said:

On the first HIPS rules screen, did you specify "Applications" and not "Files?"

I chose Files since I want to protect other files on other drives.


  • ESET Insiders

Here's what I want to do in the pics: I want ESET to detect any exe in appdata and any folder inside, for example, and then prevent them from writing to any files on other drives.

[attached screenshots: Snap2.jpg, Snap3.jpg, Snap4.jpg, Snap5.jpg]


Just now, BALTAGY said:

I chose Files since I want to protect other files on other drives.

It doesn't work that way. To monitor program startup you must specify "Applications."

You can additionally specify "Files" if you want to monitor file modification activities. I do not recommend this for user AppData directories other than My Documents, etc., since files are constantly being created in the Temp directory, for example, by legit apps.


1 minute ago, BALTAGY said:

Here's what I want to do in the pics: I want ESET to detect any exe in appdata and any folder inside, for example, and then prevent them from writing to any files on other drives.

Eset doesn't support wildcards in file names. Hence "*.exe" is the source of your issue.


  • ESET Insiders
Just now, itman said:

Eset doesn't support wildcards in file names. Hence "*.exe" is the source of your issue.

Well, that's what I'm asking: why doesn't HIPS allow me to make a rule for any exe in a location like appdata? I will never know the ransomware name, but if I can choose any exe in the TEMP folder, for example, I can get a warning to accept or deny the changes.


1 minute ago, BALTAGY said:

Well, that's what I'm asking: why doesn't HIPS allow me to make a rule for any exe in a location like appdata?

Join the club. I and many others have been asking for file wildcard capability for years.
