MrZork 0 Posted October 17 Share Posted October 17 Created HIPS rule to block all applications from all registry access to key HKEY_CURRENT_USER\SOFTWARE\7-Zip\FM Quote Registry operations: All registry operations Registry entries: HKEY_CURRENT_USER\SOFTWARE\7-Zip\FM And I also marked it for logging and notification. The rule doesn't work. 7zip is able to read and write that registry key. Tried it in both HIPS "automatic mode" and "interactive mode". Note that, in interactive mode I do see the rules created by interacting with the dialogs, below my hand-created rule. ESET Internet Security version 15.2.17.0 Quote Link to comment Share on other sites More sharing options...
Administrators Marcos 4,486 Posted October 17 Administrators Share Posted October 17 You must use HKEY_USERS\%SID% instead of HKEY_CURRENT_USER where %SID% is the SID of the current user. Quote Link to comment Share on other sites More sharing options...
MrZork 0 Posted October 24 Author Share Posted October 24 That was not the only issue. It looks like ESET doesn't apply a rule to more deeply nested keys, unlike Kaspersky and a few other HIPS programs I've used. So I had to extend the registry path to the exact key under that path that I was trying to protect. Quote Link to comment Share on other sites More sharing options...
Administrators Marcos 4,486 Posted October 24 Administrators Share Posted October 24 Instead of HKEY_CURRENT_USER you must use the actual path HKEY_USERS\%SID%. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.