MrZork 3 Posted October 17, 2022 Share Posted October 17, 2022 Created HIPS rule to block all applications from all registry access to key HKEY_CURRENT_USER\SOFTWARE\7-Zip\FM Quote Registry operations: All registry operations Registry entries: HKEY_CURRENT_USER\SOFTWARE\7-Zip\FM And I also marked it for logging and notification. The rule doesn't work. 7zip is able to read and write that registry key. Tried it in both HIPS "automatic mode" and "interactive mode". Note that, in interactive mode I do see the rules created by interacting with the dialogs, below my hand-created rule. ESET Internet Security version 15.2.17.0 Link to comment Share on other sites More sharing options...
Administrators Marcos 4,909 Posted October 17, 2022 Administrators Share Posted October 17, 2022 You must use HKEY_USERS\%SID% instead of HKEY_CURRENT_USER where %SID% is the SID of the current user. Link to comment Share on other sites More sharing options...
MrZork 3 Posted October 24, 2022 Author Share Posted October 24, 2022 That was not the only issue. It looks like ESET doesn't apply a rule to more deeply nested keys, unlike Kaspersky and a few other HIPS programs I've used. So I had to extend the registry path to the exact key under that path that I was trying to protect. Link to comment Share on other sites More sharing options...
Administrators Marcos 4,909 Posted October 24, 2022 Administrators Share Posted October 24, 2022 Instead of HKEY_CURRENT_USER you must use the actual path HKEY_USERS\%SID%. Link to comment Share on other sites More sharing options...
Recommended Posts