How to create generic HIPS Rules for application name


Nono
Go to solution Solved by Marcos,

We've been using HIPS rule filtering for a few years now and I'm facing a new challenge.

I usually use the following for generic cases:

Real path: C:\Users\Admin\AppData\Local\Temp\AeaeAE\setup.exe

Filtered path (without "Admin" and "AeaeAE" to make it generic): C:\Users\\AppData\Local\Temp\\setup.exe

 

But what should I do to replace a dynamic name (in bold) within the application name, like so:

C:\Users\Admin\AppData\Local\Temp\vscode-update-user-x64\CodeSetup-stable-74b1f979648cc44d385a2286793c226e611f59e7.exe

I think *.exe isn't valid; is there something else I can use?

Version:

ESET PROTECT (Server), Version 9.0 (9.0.2141.0)
ESET PROTECT (Web Console), Version 9.0 (9.0.138.0)


  • Administrators

To my best knowledge you can specify only the exact file name at the end of the path for the source application. As for the target path, there is currently a bug which allows a valid path to be entered only via import from file; otherwise redundant characters would be appended to the path. This will be fixed in the next version of the product.


11 minutes ago, Marcos said:

To my best knowledge you can specify only the exact file name at the end of the path for the source application. As for the target path, there is currently a bug which allows a valid path to be entered only via import from file; otherwise redundant characters would be appended to the path. This will be fixed in the next version of the product.

Thanks @Marcos,

This seems quite insecure, especially for folders like "temp".

Would it be possible to suggest a modification on this for a future release?

It would be really nice to have something like:

* (single wildcard) permits any sequence of characters between directory terminators. Single wildcards are NOT recursive. For example:
c:\example\* allows anything to run in c:\example.
c:\example*\temp.exe allows a file called temp.exe to run within a single subdirectory of c:\example.
c:\example*\system*.exe allows any file with the extension .exe to run within two subdirectories of c:\example (with the latter subdirectory called system).

** (double wildcard) permits any sequence of characters for the remainder of a path. Double wildcards ARE recursive. For example:
c:\example** allows any file to run in c:\example and all subdirectories.
c:\example**.dll allows any file with the extension .dll to run in c:\example and all subdirectories.

? (question mark) permits the replacement of a single character in a path. For example:
c:\example\explore?.exe would allow c:\example\explorer.exe to run but not c:\example\explorer2.exe.
c:\??ample\explorer.??? would allow c:\example\explorer.exe, c:\example\explorer.dll and c:\trample\explorer.exe to run.
?:\test.exe would allow the file test.exe to run on any drive letter.

 

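The wildcard semantics proposed in the post above, as an added example that is not code from the original thread, from ESET or from any product: a small Python matcher that turns a path rule into an anchored, case-insensitive regular expression, plus a check that flags rules whose file-name part is pure wildcard. The function names (hips_pattern_to_regex, path_matches, is_overly_broad), the sample paths and the VS Code rule are my own constructions. One interpretation choice is mine and stricter than the post's shorthand: a single * never crosses a backslash, so a rule that should span one subdirectory writes the separator explicitly (c:\example\*\temp.exe rather than c:\example*\temp.exe).

```python
import re

SEP = "\\"


def hips_pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a wildcard path rule into an anchored, case-insensitive regex.

    Assumed wildcard meaning (modelled on the proposal in the thread):
      *   any run of characters that stays inside one path component (no '\\')
      **  any run of characters, backslashes included (recursive)
      ?   exactly one character other than '\\'
    Every other character is matched literally.
    """
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")          # recursive: may span directories
            i += 2
            continue
        c = pattern[i]
        if c == "*":
            parts.append(r"[^\\]*")     # non-recursive: stops at a separator
        elif c == "?":
            parts.append(r"[^\\]")      # exactly one non-separator character
        else:
            parts.append(re.escape(c))  # literal (re.escape handles the backslash)
        i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def path_matches(pattern: str, path: str) -> bool:
    """True if the full path is accepted by the rule (Windows paths are case-insensitive)."""
    return hips_pattern_to_regex(pattern).match(path) is not None


def is_overly_broad(pattern: str) -> bool:
    """Flag rules that accept any binary name in the directory they point at.

    A recursive '**', or a file-name part made only of wildcards ('*', '*.exe',
    '?????.exe'), matches whatever file happens to be written there. Under a
    user-writable location such as %TEMP% that is a much wider allow-list than
    the single installer the rule was written for, so it deserves a second look.
    """
    if "**" in pattern:
        return True
    filename = pattern.rsplit(SEP, 1)[-1]
    stem = filename.rsplit(".", 1)[0]
    return stem.strip("*?") == ""


# Constructed rule for the VS Code updater discussed in the thread: the user name
# and the hash-like suffix vary, the directory and the fixed prefix do not.
VSCODE_RULE = (
    r"C:\Users\*\AppData\Local\Temp\vscode-update-user-x64\CodeSetup-stable-*.exe"
)

# Constructed sample paths: the first is the shape the thread shows, the others
# are files that a generic rule must NOT accept.
SAMPLE_PATHS = [
    r"C:\Users\Admin\AppData\Local\Temp\vscode-update-user-x64\CodeSetup-stable-74b1f979648cc44d385a2286793c226e611f59e7.exe",
    r"C:\Users\Admin\AppData\Local\Temp\vscode-update-user-x64\unrelated.exe",
    r"C:\Users\Admin\AppData\Local\Temp\other-dir\CodeSetup-stable-abc.exe",
    r"C:\Users\Admin\AppData\Local\Temp\vscode-update-user-x64\sub\CodeSetup-stable-abc.exe",
]


def evaluate_rule(pattern: str, paths: list) -> dict:
    """Return {path: matched?} so the rule can be reviewed against known samples."""
    return {p: path_matches(pattern, p) for p in paths}


if __name__ == "__main__":
    print("rule:", VSCODE_RULE, "| overly broad:", is_overly_broad(VSCODE_RULE))
    for path, ok in evaluate_rule(VSCODE_RULE, SAMPLE_PATHS).items():
        print("  ", "ALLOW " if ok else "reject", path)
    print("broad rule:", is_overly_broad(r"C:\Users\*\AppData\Local\Temp\*.exe"))
```

Running the script shows the VS Code rule accepting only the first sample path and is_overly_broad returning True for the catch-all Temp\*.exe rule; the matcher also reproduces the single-character and drive-letter cases from the proposal (c:\example\explore?.exe accepts explorer.exe but not explorer2.exe, ?:\test.exe accepts any drive letter).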

  • 2 weeks later...

This is particularly annoying for VSCode with the Python plugin, as we can't whitelist such files because they always have a new name.

Or is there a workaround that I can't think of?


  • Administrators
  • Solution
1 minute ago, Nono said:

Or is there a workaround that I can't think of?

To my best knowledge there is currently no workaround.

This topic is now closed to further replies.