
Creating HIPS rules for Explorer.exe



A few months ago, when I was last using HIPS in interactive mode, I usually got a prompt when an application was run for the first time. If I used Learning mode, an appropriate rule was created automatically. Now things have changed.

If Explorer.exe runs an application, I get no prompt. No rule is created in Learning mode either.

If I run a new application from, let's say, Total Commander, I get a prompt, and a rule is also created if in Learning mode.

So my question is this: is this the normal way HIPS works now? Why is explorer.exe exempt from being monitored when executing other applications? If an undetected virus executable was run by Explorer.exe, HIPS wouldn't ask for my permission and would let the virus run. Might there be something wrong with my rules that would enable explorer.exe to launch new apps without a prompt?

 

My specs:

Windows Pro 8.1.u.1 x64

ESET Smart Security 7.0.302.26

HIPS module: 1124 (20140331)


Hello,

I would delete all the rules you have applied for explorer or any other apps in question, then switch to learning and let the software re-create your rules again.

I have seen this occur with application modification detection of the firewall rules; I'm unsure whether HIPS has the same. If so, it would be a good idea to set exclusions for application modification detection on the apps in question where the rules may get corrupt or not work appropriately.


I already deleted all rules but it's still the same. I also checked HipsRules.xml and there is no explorer.exe entry in it. So I guess this is a built-in rule that can't be changed.


If you are still having issues with the dialogue prompts or feel the rules are messed up, I would suggest a reinstall; it will clear it all out and allow you to jump back on track correctly.

I'm not at home, so I can't attest to the HIPS for home in regards to application modification and rules etc. I only have Endpoint at the office right now.

Will check at home and play around with it to see if I can reproduce.


I don't think that my rules are messed up. The "problem" started right after a fresh install, when I enabled HIPS learning mode. I think that there is an integrated (hidden) rule that allows explorer.exe to launch other applications without a prompt. But that is just a guess, and somebody from ESET has to confirm or deny it.
