MrZork 3 Posted October 17, 2022 Posted October 17, 2022 Created HIPS rule to block all applications from all registry access to key HKEY_CURRENT_USER\SOFTWARE\7-Zip\FM Quote Registry operations: All registry operations Registry entries: HKEY_CURRENT_USER\SOFTWARE\7-Zip\FM And I also marked it for logging and notification. The rule doesn't work. 7zip is able to read and write that registry key. Tried it in both HIPS "automatic mode" and "interactive mode". Note that, in interactive mode I do see the rules created by interacting with the dialogs, below my hand-created rule. ESET Internet Security version 15.2.17.0
Administrators Marcos 5,733 Posted October 17, 2022 Administrators Posted October 17, 2022 You must use HKEY_USERS\%SID% instead of HKEY_CURRENT_USER where %SID% is the SID of the current user.
MrZork 3 Posted October 24, 2022 Author Posted October 24, 2022 That was not the only issue. It looks like ESET doesn't apply a rule to more deeply nested keys, unlike Kaspersky and a few other HIPS programs I've used. So I had to extend the registry path to the exact key under that path that I was trying to protect.
Administrators Marcos 5,733 Posted October 24, 2022 Administrators Posted October 24, 2022 Instead of HKEY_CURRENT_USER you must use the actual path HKEY_USERS\%SID%.
Recommended Posts