vs2018sv
Posted December 28, 2021

Has anyone had success blocking OneDrive with ESET EES? Thanks

itman
Posted December 28, 2021

Just uninstall it: https://support.microsoft.com/en-us/office/turn-off-disable-or-uninstall-onedrive-f32a17ce-3336-40fe-9c38-6efb09f944b0?ui=en-us&rs=en-us&ad=us

vs2018sv (Author)
Posted December 29, 2021

Is it possible to use the application blocking to do this? If someone was to install OneDrive at a later time, I would like to make sure it is blocked and they cannot log in.

rekun (ESET Insiders)
Posted December 29, 2021

I guess you can either create a HIPS rule blocking execution of the OneDrive application. Otherwise you can create a dynamic group of computers with OneDrive installed, and simply send them an uninstall job on group join. This way OneDrive would be uninstalled automatically if someone reinstalled it.

A third option would be to block network traffic to the domains/IPs hosting the OneDrive services; however, that may also block access to other O365 services, so I would go with option one or two.

The better option would be to create a GPO to block the usage of OneDrive; however, that requires a domain/Intune or other management system.

vs2018sv (Author)
Posted December 30, 2021

Rekun, I appreciate your feedback! I created a HIPS rule that blocks C:\Users\*\AppData\Local\Microsoft\OneDrive.exe, but I was still able to open the program. I don't want to block the IPs for the reasons you indicated. I believe most of these IPs will be used by other MS services.

Ufoto
Posted December 31, 2021 (edited December 31, 2021 by Ufoto)

Could you share your rule? You should create a block HIPS rule which affects applications and under 'Source Applications' you should set 'All Applications'. Then for application actions you should enable 'Start new application' and on the next screen you should specify the application you would like to block. The field supports multiple entries so you can have all possible locations.

As far as I am aware you are missing one folder from your path. The OneDrive folders should be:

C:\Users\<USERNAME>\AppData\Local\Microsoft\OneDrive\OneDrive.exe
or
C:\Users\<USERNAME>\AppData\Local\OneDrive\bin\OneDrive.exe

I hope this helps, let us know if you manage to sort it out.

vs2018sv (Author)
Posted January 11, 2022

On 12/31/2021 at 10:39 AM, Ufoto said:

> Could you share your rule? You should create a block HIPS rule which affects applications and under 'Source Applications' you should set 'All Applications'. Then for application actions you should enable 'Start new application' and on the next screen you should specify the application you would like to block. The field supports multiple entries so you can have all possible locations.
>
> As far as I am aware you are missing one folder from your path. The OneDrive folders should be:
>
> C:\Users\<USERNAME>\AppData\Local\Microsoft\OneDrive\OneDrive.exe
> or
> C:\Users\<USERNAME>\AppData\Local\OneDrive\bin\OneDrive.exe
>
> I hope this helps, let us know if you manage to sort it out.

Can I use a wildcard for the <USERNAME>? I want it to be blocked for all users on a given machine?

Thanks

kapela86
Posted February 7, 2022

Instead of "C:\Users\<USERNAME>\AppData\Local" can you try using "%localappdata%"? I don't know if this will work in ESET, but it's a standard Windows variable that points to the user's AppData\Local. You can also use "%userprofile%" instead of "C:\Users\<USERNAME>".

Marcos (Administrators)
Posted February 7, 2022

21 minutes ago, kapela86 said:

> Instead of "C:\Users\<USERNAME>\AppData\Local" can you try using "%localappdata%"? I don't know if this will work in ESET, but it's a standard Windows variable that points to the user's AppData\Local. You can also use "%userprofile%" instead of "C:\Users\<USERNAME>".

I don't think so, since ekrn runs in the local system account and user variables do not resolve in the system account.

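
The per-user OneDrive paths discussed in this thread, built without user environment variables, as an added example that is not part of any post and is not ESET code. It assumes the HIPS rule's application field is given one literal path per user profile; the function names and the sample profile folders are hypothetical.

```powershell
# Added example. Builds literal per-profile OneDrive.exe paths without using
# %LOCALAPPDATA% or %USERPROFILE%, so the result is the same whether the
# script runs as a logged-on user or as SYSTEM.

# Relative locations taken from the two paths given in the thread.
$RelativePaths = @(
    'AppData\Local\Microsoft\OneDrive\OneDrive.exe',
    'AppData\Local\OneDrive\bin\OneDrive.exe'
)

function Get-LocalProfilePath {
    # ProfileList has one subkey per profile SID. S-1-5-21-* covers local and
    # domain user accounts and skips SYSTEM and the built-in service accounts.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    Get-ChildItem -Path $key |
        Where-Object { $_.PSChildName -like 'S-1-5-21-*' } |
        ForEach-Object { (Get-ItemProperty -Path $_.PSPath).ProfileImagePath }
}

function Get-OneDriveRulePath {
    # Defaults to the profiles found in the registry; pass -ProfilePath to
    # supply folders explicitly (used below with constructed sample input).
    param([string[]]$ProfilePath = (Get-LocalProfilePath))

    foreach ($dir in $ProfilePath) {
        foreach ($rel in $RelativePaths) {
            $full = Join-Path -Path $dir -ChildPath $rel
            [pscustomobject]@{
                Path    = $full   # literal entry for the rule's application list
                Present = Test-Path -LiteralPath $full -PathType Leaf
            }
        }
    }
}

# What the variable resolves to in the current security context. Run as SYSTEM,
# this is the system profile's folder, not any user's.
"LOCALAPPDATA in this context: $env:LOCALAPPDATA"

# Constructed sample input, so the output shape is visible on any machine.
Get-OneDriveRulePath -ProfilePath 'C:\Users\alice', 'C:\Users\bob' |
    Format-Table -AutoSize

# On a real endpoint, enumerate the profiles from the registry instead:
# Get-OneDriveRulePath | Format-Table -AutoSize
```

A profile created after the list is generated is not covered until the script is run again and the rule updated.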