Wildcards and paths



Hello, are wildcards or paths allowed in rules or not? It seemed like they were in the past. If they aren't, why are they accepted as valid inputs? Thanks.


Wildcards are allowed in HIPS rules with the following restrictions:

[Screenshot: Eset_Registry_Wildcard]

Note that the last three above sentences are the only way a wildcard can be used within a file path specification.


Is there a way to modify the OPP Protected processes rule? Like exclude msedge.exe as a protected process without having to disable the whole Self-Defense?


  • Solution
2 minutes ago, j_mo said:

Is there a way to modify the OPP Protected processes rule?

Are you referring to Banking and Payment protection? It will use whatever the Win 10 default browser assignment is.


10 minutes ago, itman said:

Are you referring to Banking and Payment protection? It will use whatever the Win 10 default browser assignment is.

No, when you look in the HIPS log you can see that Self-Defense protects other processes than just ESET's. Edge is one. It's under a separate rule called OPP Protected Process.

I'm trying to let some programs access Edge. Windows Error Reporting can't even get access for pete's sake:

Time;Application;Operation;Target;Action;Rule;Additional information
2022-01-29 9:00:09 PM;C:\Windows\System32\WerFault.exe;Get access to another application;C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe;Blocked;OPP protected process;Modify state of another application,Terminate/suspend another application

I have HIPS on Automatic currently. I only have two manual rules and they have nothing to do with this.
 

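HIPS log lines in the semicolon-delimited format quoted in the post above can be triaged in bulk to see which rule blocked which application from touching which target. The following is an added example, not part of the thread and not ESET tooling; it assumes an export with the same header row as shown, and the second and third sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# First data row is the line quoted in the post; rows 2 and 3 are constructed.
SAMPLE_LOG = r"""Time;Application;Operation;Target;Action;Rule;Additional information
2022-01-29 9:00:09 PM;C:\Windows\System32\WerFault.exe;Get access to another application;C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe;Blocked;OPP protected process;Modify state of another application,Terminate/suspend another application
2022-01-29 9:05:41 PM;C:\Windows\System32\WerFault.exe;Get access to another application;C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe;Blocked;OPP protected process;Modify state of another application
2022-01-29 9:07:02 PM;C:\Example\tool.exe;Get access to another application;C:\Example\other.exe;Allowed;Example user rule;
"""


def parse_hips_log(text):
    """Yield one dict per log row, keyed by the header names."""
    reader = csv.DictReader(io.StringIO(text), delimiter=";",
                            quoting=csv.QUOTE_NONE)
    for row in reader:
        # "Additional information" holds the denied access rights, comma-separated.
        extra = row.get("Additional information") or ""
        row["Denied"] = [p.strip() for p in extra.split(",") if p.strip()]
        yield row


def summarize_blocks(text, rule=None):
    """Group blocked events by (rule, source app, target).

    Paths are lower-cased because Windows paths are case-insensitive.
    Pass rule="OPP protected process" to look at one rule only.
    """
    groups = defaultdict(lambda: {"count": 0, "denied": set()})
    for row in parse_hips_log(text):
        if (row.get("Action") or "").lower() != "blocked":
            continue
        row_rule = row.get("Rule") or ""
        if rule and row_rule.lower() != rule.lower():
            continue
        key = (row_rule,
               (row.get("Application") or "").lower(),
               (row.get("Target") or "").lower())
        groups[key]["count"] += 1
        groups[key]["denied"].update(row["Denied"])
    return dict(groups)


if __name__ == "__main__":
    for (rule, app, target), info in summarize_blocks(SAMPLE_LOG).items():
        print(f"{info['count']}x [{rule}] {app} -> {target}")
        for right in sorted(info["denied"]):
            print(f"    denied: {right}")
```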

27 minutes ago, itman said:

Wildcards are allowed in HIPS rules with the following restrictions:

Note that the last three above sentences are the only way a wildcard can be used within a file path specification.

So just to confirm, in all the rules of the entire application, the only ones that accept wildcards are registry HIPS rules? What about paths?


I don't think it's very good behavior to have processes like Edge blocked from system applications by default. I don't see any way I can override that OPP protected process rule, it's a hidden rule basically. I will have to turn Self-Defense off which is a shame.


Actually, I just had a thought that the Edge browser being set to secured may be causing that. Glad you mentioned the banking protection. I'll turn the always secure thing off and see if that helps.


32 minutes ago, j_mo said:

What about paths?

Yes. But as I referenced previously, only by path name\*; for example, C:\Users\XXXXX\AppData\Local\Temp\*.

Edited by itman

6 minutes ago, j_mo said:

Actually, I just had a thought that the Edge browser being set to secured may be causing that. Glad you mentioned the banking protection. I'll turn the always secure thing off and see if that helps.

It's an internal Eset HIPS rule and cannot be disabled or modified.

Turning off self-protection setting in HIPS would enable a hacker to disable Eset at will. This is a no-no.


1 minute ago, itman said:

Yes. But as I referenced previously, only by path name /*; for example, C:\Users\XXXXX\AppData\Local\Temp\*.

Judging from the documentation it looks like some features require exact processes and some don't; I'm just having trouble figuring out which will allow paths. It looks like performance exclusions will, but HIPS Deep Behavioral Inspection only says "processes." It would be helpful to be able to make firewall rules with paths/wildcards as well but I don't see an answer for that.


4 minutes ago, itman said:

It's an internal Eset HIPS rule and cannot be disabled or modified.

Turning off self-protection setting in HIPS would enable a hacker to disable Eset at will. This is a no-no.

I fixed that problem by turning off the secured browser. That's what was generating those blocks. They're gone now. I guess "OPP" is Online Payment Protection or something like that would be my guess.


For example, Windows UWP apps change their paths every time they update. It would be very helpful to wildcard part of the path. It seemed to work in the past but I don't think my rules where I do that are working anymore.


1 hour ago, j_mo said:

I fixed that problem by turning off the secured browser. That's what was generating those blocks. They're gone now. I guess "OPP" is Online Payment Protection or something like that would be my guess.

To allow use of Eset Banking and Payment Protection, you could try to disable the below highlighted setting. Of course, this will also allow for malware to inject malicious code into a protected B&PP browser instance.

[Screenshot: Eset_BPP]

 


1 hour ago, j_mo said:

It would be helpful to be able to make firewall rules with paths/wildcards as well but I don't see an answer for that.

Quote

For example, Windows UWP apps change their paths every time they update. It would be very helpful to wildcard part of the path. It seemed to work in the past but I don't think my rules where I do that are working anymore.

Discussed in another recently posted thread. Don't plan on seeing it implemented in the foreseeable future.

Edited by itman

On 1/31/2022 at 12:06 AM, itman said:

Discussed in another recently posted thread. Don't plan on seeing it implemented in the foreseeable future.

Well, thanks for assisting me in locating the source of the issue. I do not use Edge except on very rare occasions where I need a Chromium browser and it's already there. My main browser is a Firefox fork so unfortunately not supported by ESET. I'll try to look into the technical workings of the secured browser to see what benefit if any it provides to what I already have.

Do you know if ESET plans to incorporate any virtualization technology into their software, akin to what Kaspersky and some others have now? That should essentially secure the memory, keyboard, etc. of many programs on the system, rather than only a few supported popular browsers. 


This topic is now closed to further replies.