Nono, posted September 22, 2022

We have been using HIPS Rules filtering for a few years now and I'm facing a new challenge.

I usually use the following for generic cases:

Real path: C:\Users\Admin\AppData\Local\Temp\AeaeAE\setup.exe
Filtered path (without "Admin" and "AeaeAE" to make it generic): C:\Users\\AppData\Local\Temp\\setup.exe

But what shall I do to replace a dynamic name (in bold) within the application like so:

C:\Users\Admin\AppData\Local\Temp\vscode-update-user-x64\CodeSetup-stable-74b1f979648cc44d385a2286793c226e611f59e7.exe

I think *.exe isn't valid, is there something else I can use?

Version:
ESET PROTECT (Server), Version 9.0 (9.0.2141.0)
ESET PROTECT (Web Console), Version 9.0 (9.0.138.0)

Marcos (Administrators), posted September 22, 2022

To my best knowledge you can specify only the exact file name at the end of the path for source application. As for target path, there is currently a bug which allows to enter a valid path only via import from file, otherwise redundant characters would be appended to the path. This will be fixed in the next version of the product.

Nono (Author), posted September 22, 2022

> 11 minutes ago, Marcos said:
> To my best knowledge you can specify only the exact file name at the end of the path for source application. As for target path, there is currently a bug which allows to enter a valid path only via import from file, otherwise redundant characters would be appended to the path. This will be fixed in the next version of the product.

Thanks @Marcos,

This seems quite insecure, especially for a folder like "temp".

Would it be possible to suggest a modification on this for a future release?

It would be really nice to have something like:

* (single wildcard) permits any sequence of characters between directory terminators. Single wildcards are NOT recursive. For example:
    c:\example\* allows anything to run in c:\example.
    c:\example*\temp.exe allows a file called temp.exe to run within a single subdirectory of c:\example
    c:\example*\system*.exe allows any file with the extension .exe to run, within two subdirectories of c:\example (with the latter subdirectory called system)

** (double wildcard) permits any sequence of characters for the remainder of a path. Double wildcards ARE recursive. For example:
    c:\example** allows any file to run in c:\example and all subdirectories
    c:\example**.dll allows any file with the extension .dll to run in c:\example and all subdirectories

? (question mark) permits the replacement of a single character in a path. For example:
    c:\example\explore?.exe would allow c:\example\explorer.exe to run but not c:\example\explorer2.exe
    c:\??ample\explorer.??? would allow c:\example\explorer.exe, c:\example\explorer.dll and c:\trample\explorer.exe to run
    ?:\test.exe would allow the file test.exe to run on any drive letter.
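
Added example, not part of the thread and not ESET HIPS syntax: a small Python matcher for the wildcard semantics proposed in the post above (`*` within one directory level, `**` recursive, `?` one character), run against the paths quoted in this thread to compare how much each rule allows. The rule strings, the "nested" and "short" paths, case-insensitive matching and `?` not matching a backslash are assumptions of this example.

```python
import re

def compile_rule(rule: str) -> re.Pattern:
    """Translate a wildcard rule into an anchored, case-insensitive regex."""
    parts, i = [], 0
    while i < len(rule):
        if rule.startswith("**", i):
            parts.append(".*")        # recursive: may cross '\' separators
            i += 2
        elif rule[i] == "*":
            parts.append(r"[^\\]*")   # any run of characters inside one path component
            i += 1
        elif rule[i] == "?":
            parts.append(r"[^\\]")    # one character; not a separator (assumption)
            i += 1
        else:
            parts.append(re.escape(rule[i]))
            i += 1
    return re.compile("".join(parts), re.IGNORECASE)

def allowed(rule: str, path: str) -> bool:
    # fullmatch: the rule must cover the whole path, not just a prefix
    return compile_rule(rule).fullmatch(path) is not None

TEMP = r"C:\Users\*\AppData\Local\Temp"
# Hypothetical rules written for this example, from widest to narrowest
RULES = {
    "broad":  TEMP + r"\**.exe",
    "star":   TEMP + r"\vscode-update-user-x64\CodeSetup-stable-*.exe",
    "pinned": TEMP + r"\vscode-update-user-x64\CodeSetup-stable-" + "?" * 40 + ".exe",
}
USER_TEMP = r"C:\Users\Admin\AppData\Local\Temp"
PATHS = {
    # the two paths quoted in the first post
    "vscode": USER_TEMP + r"\vscode-update-user-x64\CodeSetup-stable-74b1f979648cc44d385a2286793c226e611f59e7.exe",
    "setup": USER_TEMP + r"\AeaeAE\setup.exe",
    # constructed: right prefix, but wrong depth / wrong suffix length
    "nested": USER_TEMP + r"\vscode-update-user-x64\CodeSetup-stable-a\b.exe",
    "short": USER_TEMP + r"\vscode-update-user-x64\CodeSetup-stable-x.exe",
}

def matrix() -> dict:
    """Map each rule name to the sorted list of path names it would allow."""
    return {r: sorted(p for p, path in PATHS.items() if allowed(rule, path))
            for r, rule in RULES.items()}

if __name__ == "__main__":
    for name, hits in matrix().items():
        print(f"{name:7} allows {hits}")
```

The "broad" rule allows every .exe anywhere under Temp, while the "pinned" rule accepts only a 40-character suffix in the one update directory, which is the narrowest of the three.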

Nono (Author), posted October 5, 2022

This is particularly annoying for VSCode with the Python Plugin, as we can't whitelist such files as they always have a new name.

Or, is there a workaround that I can't think of?

Marcos (Administrators, marked as Solution), posted October 5, 2022

> 1 minute ago, Nono said:
> Or, is there a workaround that I can't think of?

To my best knowledge there is currently no workaround.