Cody

ESET Endpoint Security 7.1 locking folder and preventing changes

Good afternoon,

 

We're having a problem here at our office where ESET is preventing a folder from being deleted or otherwise modified, with no logging or alerting that we're aware of. We're deploying alpha versions of some internal software to certain users in our office for testing, but the folder which contains the alpha executables is being locked from modification by ekrn.exe.

 

This folder which we automatically delete and re-create is C:\Program Files (x86)\CompanyName\SoftwareAlpha. We have Real-Time File System Protection enabled, with the following paths excluded from our ESET Security Management Center's settings in Detection Engine > Performance Exclusions: C:\Program Files (x86)\CompanyName\SoftwareAlpha\*.*, C:\Program Files (x86)\CompanyName\SoftwareAlpha\*, C:\Program Files (x86)\CompanyName\*.*, and C:\Program Files (x86)\CompanyName*

 

When I completely disable HIPS for these users, this automated alpha software deployment works fine. Is it HIPS that is locking this folder from being modified? How do I make sure that HIPS is not locking this folder?

 

I've attached a screenshot from the program Process Explorer. When I search for "SoftwareAlpha" (the name of the folder which we want to delete), it shows that the process ekrn.exe is currently using this folder and keeping it from being modified.

ekrn.png

Edited by Cody


Try adding the directories you want to exclude, using the path name only and also with the \* option at the end of the path name, to the Deep Behavior Inspection exclusions section of the HIPS settings.

Edited by itman


When I enable HIPS but have Deep Behavioral Inspection disabled, this issue still occurs.

Additionally, I've already added those exceptions there, in the same format as above (C:\Program Files (x86)\CompanyName\SoftwareAlpha\*.*, C:\Program Files (x86)\CompanyName\SoftwareAlpha\*, C:\Program Files (x86)\CompanyName\*.*, and C:\Program Files (x86)\CompanyName*)


It appears ESET must have a default built-in HIPS rule to prevent modification of sub-directories in both of the Win program directories. Does make some sense since only trusted installers and the like should be creating/deleting directories there.

Have you tried creating CompanyName\SoftwareAlpha\ directory under the Win C:\ root directory? I have created and deleted directories from there w/o issue.
