BALTAGY

HIPS problem


Hi,

I tried to prevent any program from editing files on the desktop as a test, so I created a HIPS rule to prevent any app from writing to or deleting files in the desktop location.

I get the warning and I choose block, but the file still gets renamed and I can edit it and save it, even if I tell HIPS to auto-block any changes.

Not sure if it's a HIPS problem or something I did wrong? I did test it in VMware as a clean install.

Thanks

[Attachments: Snap1.png, Snap2.png, Snap3.png, Snap5.png]


Appears you are not aware that not all shortcuts, i.e. .lnk files, are stored in the user\Desktop directory. Most program installers will create their associated desktop .lnk file in this directory, C:\Users\Public\Desktop, in Win 10.


Tested it on the E drive; it's working when I add E:\*.* or choose the file.

But using E:\ only doesn't work, even though ESET says it's blocked. It's the same on the Desktop.

That was the problem: using ESET to choose a drive or folder doesn't add *.*, and you will be asked, or you will see in the logs that it's auto-blocked, but it's not.


Also, it would be great to have an option to add a folder that contains exe files.

For example, I'd like to add all exe files in the temp folder and prevent them from writing to files on other drives. I think it can be good protection against ransomware?

46 minutes ago, BALTAGY said:

But using E:\ only doesn't work, even though ESET says it's blocked. It's the same on the Desktop.

Yeah, it's a bit "flaky" what Eset is doing. Whereas modification to the directory is blocked, modification to anything within the directory is not. I have always made it a point to code *.* to cover anything within the directory:

[Attachment: Eset_Blocked.png]

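The safest way to find out what a file rule really covers is to try the operations yourself and see which ones the OS refuses, instead of trusting the "blocked" line in the HIPS log. The script below is an added example for that purpose; it is not code from this thread or from ESET. The folder path on the command line, the file names it creates (hips_probe.txt and so on) and the outcome labels are its own assumptions. Run it once with no rule to get the "all allowed" baseline, then again with the rule enabled: a rule written as a bare folder path typically reports only create_in_dir as blocked, while write_existing, rename_existing and delete_existing still go through, which is the gap described above; with *.* appended, all five should come back blocked.

```python
"""hips_probe.py: check what a HIPS *file* rule actually blocks in a folder.

Added example, not from the forum thread or from ESET. Assumed usage:
    python hips_probe.py "C:\\Users\\<you>\\Desktop"
With no argument it probes an unprotected temp folder (baseline).
"""
import os
import sys
import tempfile

OPERATIONS = ("create_in_dir", "write_existing", "rename_existing",
              "delete_existing", "create_in_subdir")


def _attempt(fn):
    """Run one filesystem operation and classify the outcome."""
    try:
        fn()
        return "allowed"
    except FileNotFoundError:
        # an earlier probe was blocked, so the fixture this one needs is absent
        return "skipped (fixture missing)"
    except OSError as exc:
        # HIPS denials surface as PermissionError / "Access is denied"
        return "blocked ({})".format(type(exc).__name__)


def probe_folder(folder):
    """Try every operation in OPERATIONS under `folder`; return {op: outcome}."""
    folder = os.path.abspath(folder)
    fixture = os.path.join(folder, "hips_probe.txt")       # assumed file names
    renamed = os.path.join(folder, "hips_probe_renamed.txt")
    subdir = os.path.join(folder, "hips_probe_sub")
    nested = os.path.join(subdir, "nested.txt")

    def create_in_dir():            # new directory entry in the folder itself
        with open(fixture, "w") as fh:
            fh.write("probe\n")

    def write_existing():           # modify the content of an existing file
        with open(fixture, "a") as fh:
            fh.write("modified\n")

    def rename_existing():          # the rename that went through in the post
        os.replace(fixture, renamed)

    def delete_existing():
        os.remove(renamed)

    def create_in_subdir():         # does the rule reach one level down?
        os.makedirs(subdir, exist_ok=True)
        with open(nested, "w") as fh:
            fh.write("probe\n")

    probes = (create_in_dir, write_existing, rename_existing,
              delete_existing, create_in_subdir)
    results = {name: _attempt(fn) for name, fn in zip(OPERATIONS, probes)}

    # best-effort cleanup so repeated runs start from a clean folder
    for path in (fixture, renamed, nested):
        try:
            os.remove(path)
        except OSError:
            pass
    try:
        os.rmdir(subdir)
    except OSError:
        pass
    return results


def probe_scratch():
    """Run the probes in an unprotected temp folder; expect every op allowed."""
    scratch = tempfile.mkdtemp(prefix="hips_probe_")
    try:
        return probe_folder(scratch)
    finally:
        try:
            os.rmdir(scratch)
        except OSError:
            pass


if __name__ == "__main__":
    outcome = probe_folder(sys.argv[1]) if len(sys.argv) > 1 else probe_scratch()
    for name in OPERATIONS:
        print("{:<18} {}".format(name, outcome[name]))
```

Compare the two runs side by side; any operation that reads "allowed" under the rule is a hole in it, whatever the log says.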
6 hours ago, itman said:

Yeah, it's a bit "flaky" what Eset is doing. Whereas modification to the directory is blocked, modification to anything within the directory is not. I have always made it a point to code *.* to cover anything within the directory:

[Attachment: Eset_Blocked.png]

When choosing a folder with ESET, it should add *.* by default.

Also, if they added the ability to choose a folder that contains some exe files to be used in HIPS, e.g. if I add the temp folder, any exe created inside can't make any changes to files, that would be great to stop ransomware.

40 minutes ago, BALTAGY said:

Also, if they added the ability to choose a folder that contains some exe files to be used in HIPS, e.g. if I add the temp folder, any exe created inside can't make any changes to files, that would be great to stop ransomware.

I already coded such a HIPS rule. That is to detect any program startup in Users\XXXX\AppData\*.*. Note that you will receive alerts for legit processes such as installers that love to run temp files from there and Win system processes like DISM. So you have to have the "smarts" to differentiate legit from malicious activity.

4 minutes ago, itman said:

I already coded such a HIPS rule. That is to detect any program startup in Users\XXXX\AppData\*.*. Note that you will receive alerts for legit processes such as installers that love to run temp files from there and Win system processes like DISM. So you have to have the "smarts" to differentiate legit from malicious activity.

Can you let me know how this rule can be created? I tried to use Users\XXXX\AppData\*.* but I got an error, since I must choose an app exe or all applications.

13 hours ago, BALTAGY said:

i tried to use Users\XXXX\AppData\*.*

Use Users\XXXX\AppData\* instead. That is how I coded my rule. Also the Applications section specification must indicate "Specific Applications."

Edited by itman


You can use double backslashes to substitute any folder in the users folder, i.e. c:\Users\\AppData\*


Using Users\XXXX\AppData\* or Users\XXXX\\AppData\* gives the error "User rules file contains invalid data".

3 minutes ago, Marcos said:

For me this worked:

[Attachment: image.png]

Does this one mean any exe in appdata for all users?

Edit: got the same error.

I think you understood us wrong; I want ESET to detect any exe in a location like the appdata folder, then prevent them from editing any files on other drives.

Edited by BALTAGY

7 minutes ago, BALTAGY said:

gives error "User rules file contains invalid data"

Ignore that message and just cancel out of whatever you are doing. I have been receiving it lately in other Eset GUI areas also. The change is saved in any case. Must be a new Eset bug.

1 minute ago, itman said:

Ignore that message and just cancel out of whatever you are doing. I have been receiving it lately in other Eset GUI areas also. The change is saved in any case. Must be a new Eset bug.

I think this message is right, since I must choose an app exe; I just tested and I can run an app from appdata and edit files on other drives.


On the first HIPS rules screen, did you specify "Applications" and not "Files?"

7 minutes ago, BALTAGY said:

This one means any exe in appdata in all users ?

It means any file in appdata in all users. Only "\*" and "\*.*" is supported; it's not currently possible to use "\*.exe" to restrict the rule to exe files only.

Just now, itman said:

On the first HIPS rules screen, did you specify "Applications" and not "Files?"

I did choose the files, since I want to protect other files on other drives.


Here's what I want to do in the pics: I want ESET to detect any exe in appdata and any folder inside, for example, then prevent them from writing to any files on other drives.

[Attachments: Snap2.jpg, Snap3.jpg, Snap4.jpg, Snap5.jpg]

Just now, BALTAGY said:

I did choose the files, since I want to protect other files on other drives.

It doesn't work that way. To monitor program startup you must specify "Applications."

You can additionally specify "Files" if you want to monitor file modification activities. I do not recommend this for user AppData directories, other than My Documents, etc., since files are constantly being created in the Temp directory, for example by legit apps.

1 minute ago, BALTAGY said:

Here's what I want to do in the pics: I want ESET to detect any exe in appdata and any folder inside, for example, then prevent them from writing to any files on other drives.

Eset doesn't support wildcards in file names. Hence "*.exe" is the source of your issue.

Just now, itman said:

Eset doesn't support wildcards in file names. Hence "*.exe" is the source of your issue.

Well, that's what I'm asking: why doesn't HIPS allow me to make a rule for any exe in a location like appdata? I will never know the ransomware name, but if I can choose any exe in the TEMP folder, for example, I can get a warning to accept or deny the changes.


Also, "Source Applications" must be a specific program name reference, although multiple names can be entered.

1 minute ago, BALTAGY said:

Well that's what i'm asking why HIPS don't allow me to make a rule for any exe in a location like appdata ?

Join the club. I and many others have been asking for file wildcard capability for years.

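The application-based rule discussed above (Applications section set to "Specific Applications" with a path like Users\XXXX\AppData\*, Files section blocking writes to a folder on another drive) can be validated the same way as a file rule: drop an executable under AppData, launch it, and see whether it can still create a file on the other drive. The script below is an added example, not code from this thread or from ESET. Its assumptions are that the target file path is given on the command line, that a copy of cmd.exe staged under %LOCALAPPDATA%\Temp falls under the AppData\* pattern of the rule, and that the host's ESET does not quarantine the copy; off Windows it stages a copy of sh into a temp directory so the script still runs as a baseline.

```python
"""appdata_probe.py: check whether a HIPS *application* rule stops a binary
launched from under AppData from writing a file elsewhere.

Added example, not from the forum thread or from ESET. Assumed usage:
    python appdata_probe.py "E:\\hips_target.txt"
With no argument it writes into an unprotected temp folder (baseline:
exit_code 0 and target_written True). If the rule works, the child exits
non-zero and target_written is False.
"""
import os
import shutil
import subprocess
import sys
import tempfile


def stage_dir():
    """A folder an AppData\\* rule would cover (assumed: %LOCALAPPDATA%\\Temp)."""
    if os.name == "nt":
        base = os.path.join(os.environ["LOCALAPPDATA"], "Temp")
    else:
        base = tempfile.gettempdir()   # off Windows: just somewhere runnable
    return tempfile.mkdtemp(prefix="hips_probe_", dir=base)


def stage_copy(folder):
    """Copy a system shell into `folder`, like a dropped payload's image path."""
    src = shutil.which("cmd") if os.name == "nt" else shutil.which("sh")
    if src is None:
        raise RuntimeError("no shell binary found to stage")
    # keep the name "sh" off Windows: a busybox copy picks its applet from argv[0]
    dst = os.path.join(folder, "hips_probe.exe" if os.name == "nt" else "sh")
    shutil.copy2(src, dst)  # follows /bin/sh -> dash symlinks, keeps mode bits
    return dst


def run_from_staged(exe, target):
    """Launch the staged copy and make it create `target`; report the outcome."""
    if os.name == "nt":
        # a single string so cmd.exe sees the redirection unescaped
        cmd = '"{}" /d /c echo probe> "{}"'.format(exe, target)
    else:
        cmd = [exe, "-c", 'echo probe > "{}"'.format(target)]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return {
        "exe": exe,
        "exit_code": proc.returncode,
        "target_written": os.path.isfile(target),
        "stderr": proc.stderr.strip(),
    }


def probe(target):
    """Stage the copy, run it against `target`, clean up; return the result dict."""
    folder = stage_dir()
    exe = stage_copy(folder)
    try:
        return run_from_staged(exe, target)
    finally:
        for path in (exe, target):
            try:
                os.remove(path)
            except OSError:
                pass
        try:
            os.rmdir(folder)
        except OSError:
            pass


def probe_scratch():
    """Baseline on an unprotected host: the copy should write the target."""
    out_dir = tempfile.mkdtemp(prefix="hips_target_")
    try:
        return probe(os.path.join(out_dir, "hips_target.txt"))
    finally:
        try:
            os.rmdir(out_dir)
        except OSError:
            pass


if __name__ == "__main__":
    result = probe(sys.argv[1]) if len(sys.argv) > 1 else probe_scratch()
    for key in ("exe", "exit_code", "target_written", "stderr"):
        print("{:<15} {}".format(key, result[key]))
```

Because the rule matches on the process image path rather than a file-name wildcard, the staged copy is what makes the test meaningful: running a program that already lives in Program Files against the same target says nothing about the AppData rule.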
