How to create generic HIPS Rules for application name


Nono

We've been using HIPS rules filtering for a few years now, and I'm facing a new challenge.

I usually use the following for generic cases:

Real path: C:\Users\Admin\AppData\Local\Temp\AeaeAE\setup.exe

Filtered path (without "Admin" and "AeaeAE" to make it generic): C:\Users\*\AppData\Local\Temp\*\setup.exe

But what should I do to replace a dynamic name (in bold) within the application name, like so:

C:\Users\Admin\AppData\Local\Temp\vscode-update-user-x64\CodeSetup-stable-74b1f979648cc44d385a2286793c226e611f59e7.exe

I think *.exe isn't valid; is there something else I can use?

Version:

ESET PROTECT (Server), Version 9.0 (9.0.2141.0)
ESET PROTECT (Web Console), Version 9.0 (9.0.138.0)


Marcos (Administrators)

To the best of my knowledge, you can specify only the exact file name at the end of the path for the source application. As for the target path, there is currently a bug which allows a valid path to be entered only via import from a file; otherwise, redundant characters are appended to the path. This will be fixed in the next version of the product.


11 minutes ago, Marcos said:

To the best of my knowledge, you can specify only the exact file name at the end of the path for the source application. As for the target path, there is currently a bug which allows a valid path to be entered only via import from a file; otherwise, redundant characters are appended to the path. This will be fixed in the next version of the product.

Thanks @Marcos,

This seems quite insecure, especially for folders like "temp".

Would it be possible to suggest a modification to this for a future release?

It would be really nice to have something like:

* (single wildcard) permits any sequence of characters between directory terminators. Single wildcards are NOT recursive. For example:
c:\example\* allows anything to run in c:\example.
c:\example\*\temp.exe allows a file called temp.exe to run within a single subdirectory of c:\example
c:\example\*\system\*.exe allows any file with the extension .exe to run within two subdirectories of c:\example (with the latter subdirectory called system)

** (double wildcard) permits any sequence of characters for the remainder of a path. Double wildcards ARE recursive. For example:
c:\example\** allows any file to run in c:\example and all subdirectories
c:\example\**.dll allows any file with the extension .dll to run in c:\example and all subdirectories

? (question mark) permits the replacement of a single character in a path. For example:
c:\example\explore?.exe would allow c:\example\explorer.exe to run but not c:\example\explorer2.exe
c:\??ample\explorer.??? would allow c:\example\explorer.exe, c:\example\explorer.dll and c:\trample\explorer.exe to run
?:\test.exe would allow the file test.exe to run on any drive letter.
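The wildcard semantics proposed above can be checked against concrete paths with a small matcher. The following is an added example, not code from ESET or from anyone in this thread, and it does not reflect what ESET HIPS currently accepts (per the reply above, only an exact file name is supported). It assumes a backslash before each wildcard in the quoted rules (the forum rendering appears to have dropped them), treats `*` and `?` as never crossing a backslash, and treats `**` as crossing any number of directory terminators. The sample paths other than the two from the thread, and the two rules `NARROW_RULE` and `BROAD_RULE`, are constructed for illustration.

```python
import re

# Added example (not ESET's syntax or code): a matcher for the wildcard
# semantics quoted in the thread, so the listed rules can be tried against
# concrete paths.  Assumes a backslash precedes each wildcard in the rules.
#
#   **  any run of characters, including backslashes (recursive)
#   *   any run of characters except a backslash (stays within one component)
#   ?   exactly one character other than a backslash
# Everything else is literal; Windows paths are compared case-insensitively.


def hips_glob_to_regex(pattern):
    """Translate one path pattern into an anchored, compiled regex."""
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(r".*")        # recursive: may cross directory terminators
            i += 2
        elif pattern[i] == "*":
            parts.append(r"[^\\]*")    # non-recursive: stops at a backslash
            i += 1
        elif pattern[i] == "?":
            parts.append(r"[^\\]")     # one character, never a separator
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(parts), re.IGNORECASE)


def path_matches(pattern, path):
    """True when the whole path is covered by the pattern (fullmatch, not search)."""
    return hips_glob_to_regex(pattern).fullmatch(path) is not None


def matching_paths(pattern, paths):
    """Return, in order, the paths a rule written with this pattern would cover."""
    return [p for p in paths if path_matches(pattern, p)]


# Constructed sample set: the two paths from the thread plus invented
# neighbours that an over-broad rule in %TEMP% would also cover.
SAMPLE_PATHS = [
    r"C:\Users\Admin\AppData\Local\Temp\vscode-update-user-x64\CodeSetup-stable-74b1f979648cc44d385a2286793c226e611f59e7.exe",
    r"C:\Users\alice\AppData\Local\Temp\vscode-update-user-x64\CodeSetup-stable-0123456789abcdef0123456789abcdef01234567.exe",
    r"C:\Users\Admin\AppData\Local\Temp\AeaeAE\setup.exe",
    r"C:\Users\Admin\AppData\Local\Temp\unrelated\installer.exe",
]

# Hypothetical rule scoped to the updater's folder and file-name prefix.
NARROW_RULE = r"C:\Users\*\AppData\Local\Temp\vscode-update-user-x64\CodeSetup-stable-*.exe"
# Hypothetical rule that covers every executable under any user's Temp.
BROAD_RULE = r"C:\Users\*\AppData\Local\Temp\**.exe"

if __name__ == "__main__":
    for rule in (NARROW_RULE, BROAD_RULE):
        print(rule)
        for p in matching_paths(rule, SAMPLE_PATHS):
            print("   covers", p)
```

Run as a script, it lists which sample paths each rule covers: the narrow rule only the two VS Code updater binaries, the broad rule every `.exe` anywhere under Temp. That difference is the point raised above about Temp being a risky place for generic rules: a single-component `*` on the hash keeps the exemption tied to one product folder and file-name prefix, whereas `**` under Temp covers whatever lands there.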
