ESET Endpoint Security 7.1 locking folder and preventing changes


Cody

Good afternoon,

 

We're having a problem here at our office where ESET is preventing a folder from being deleted or otherwise modified, with no logging or alerting that we're aware of. We're deploying alpha versions of some internal software to certain users in our office for testing, but the folder which contains the alpha executables is being locked from modification by ekrn.exe.

 

This folder which we automatically delete and re-create is C:\Program Files (x86)\CompanyName\SoftwareAlpha. We have Real-Time File System Protection enabled, with the following paths excluded from our ESET Security Management Center's settings in Detection Engine > Performance Exclusions: C:\Program Files (x86)\CompanyName\SoftwareAlpha\*.*, C:\Program Files (x86)\CompanyName\SoftwareAlpha\*, C:\Program Files (x86)\CompanyName\*.*, and C:\Program Files (x86)\CompanyName*

 

When I completely disable HIPS for these users, this automated alpha software deployment works fine. Is it HIPS that is locking this folder from being modified? How do I make sure that HIPS is not locking this folder?

 

I've attached a screenshot from the program Process Explorer. When I search for "SoftwareAlpha" (the name of the folder which we want to delete), it shows that the process ekrn.exe is currently using this folder and keeping it from being modified.

ekrn.png

Edited by Cody

Try adding the directories you want to exclude, using the path name only and also with the \* option at the end of the path name, to the Deep Behavior Inspection exclusions section of the HIPS settings.

Edited by itman

When I enable HIPS but have Deep Behavioral Inspection disabled, this issue still occurs.

Additionally, I've already added those exceptions there, in the same format as above (C:\Program Files (x86)\CompanyName\SoftwareAlpha\*.*, C:\Program Files (x86)\CompanyName\SoftwareAlpha\*, C:\Program Files (x86)\CompanyName\*.*, and C:\Program Files (x86)\CompanyName*)

It appears ESET must have a default built-in HIPS rule to prevent modification of sub-directories in both of the Win program directories. Does make some sense since only trusted installers and the like should be creating/deleting directories there.

Have you tried creating CompanyName\SoftwareAlpha\ directory under the Win C:\ root directory? I have created and deleted directories from there w/o issue.
