
Can't create a HIPS Rule to deny to open an app



Hello,

I'm trying to create a HIPS rule to deny a few apps on some computers in my company, but I can't make it work.

Here are the settings:

 

Filtering mode: automatic

Inside the rule..
Action: Deny



Source application: mspaint.exe


 

Operations: All


 

Application: mspaint.exe


 

I tried all the possible combinations:

Source application: Any and Application: mspaint.exe
Source application: mspaint.exe and Application: Any

Source application: mspaint.exe and Application: mspaint.exe

 

But I still can't make it work.

Any thoughts?

 

 


Hi @Marcos, thanks for your response.

 

I tried using the following settings:

 


 

And it didn't work either. I even tried changing the mode to "Iterative mode" to see if the rule is working, and notifications immediately started popping up asking to allow or deny the operations.


Is there something that I'm missing?


  • Administrators

For me it works. Please export the configuration and search for the corresponding HIPS rule. It should look like that:

 

      <ITEM NAME="1">
       <NODE NAME="enabled" TYPE="number" VALUE="1" />
       <NODE NAME="name" TYPE="string" VALUE="Block notepad" />
       <NODE NAME="priority" TYPE="number" VALUE="80" />
       <NODE NAME="action" TYPE="number" VALUE="2" />
       <NODE NAME="notify" TYPE="number" VALUE="0" />
       <NODE NAME="allAppSources" TYPE="number" VALUE="1" />
       <ITEM NAME="appSources" DELETE="1" />
       <NODE NAME="hasFileTargets" TYPE="number" VALUE="0" />
       <NODE NAME="hasRegTargets" TYPE="number" VALUE="0" />
       <NODE NAME="hasPeTargets" TYPE="number" VALUE="1" />
       <ITEM NAME="fileOperations">
        <NODE NAME="File_AllOperations" TYPE="number" VALUE="0" />
        <NODE NAME="File_Delete" TYPE="number" VALUE="0" />
        <NODE NAME="File_Modify" TYPE="number" VALUE="0" />
        <NODE NAME="File_DirectDiskAccess" TYPE="number" VALUE="0" />
        <NODE NAME="Image_GlobalHook" TYPE="number" VALUE="0" />
        <NODE NAME="Image_LoadDriver" TYPE="number" VALUE="0" />
       </ITEM>
       <ITEM NAME="regOperations">
        <NODE NAME="Registry_AllOperations" TYPE="number" VALUE="0" />
        <NODE NAME="Registry_ModifyStartup" TYPE="number" VALUE="0" />
        <NODE NAME="Registry_Delete" TYPE="number" VALUE="0" />
        <NODE NAME="Registry_Rename" TYPE="number" VALUE="0" />
        <NODE NAME="Registry_Modify" TYPE="number" VALUE="0" />
       </ITEM>
       <ITEM NAME="peOperations">
        <NODE NAME="Process_AllOperations" TYPE="number" VALUE="0" />
        <NODE NAME="Application_Debug" TYPE="number" VALUE="0" />
        <NODE NAME="Application_Hook" TYPE="number" VALUE="0" />
        <NODE NAME="Application_Stop" TYPE="number" VALUE="0" />
        <NODE NAME="Application_Create" TYPE="number" VALUE="1" />
        <NODE NAME="Application_Modify" TYPE="number" VALUE="0" />
       </ITEM>
       <NODE NAME="allFileTargets" TYPE="number" VALUE="0" />
       <ITEM NAME="fileTargets" DELETE="1" />
       <NODE NAME="allRegTargets" TYPE="number" VALUE="0" />
       <ITEM NAME="regTargets" DELETE="1" />
       <NODE NAME="allPeTargets" TYPE="number" VALUE="0" />
       <ITEM NAME="peTargets" DELETE="1">
        <NODE NAME="1" TYPE="string" VALUE="C:\Windows\System32\notepad.exe" />
       </ITEM>
       <NODE NAME="severity" TYPE="number" VALUE="0" />
      </ITEM>


Verify that no HIPS allow rules exist for the processes you are trying to block via HIPS rule. The Eset HIPS processes all allow rules prior to processing block rules.

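The check suggested in the two replies above (export the configuration, find the rule, then look for allow rules covering the same process), written out as an added example that is not part of the thread or of ESET's tooling. It assumes rules appear in the export as `ITEM` elements shaped like the one posted above; the sample XML, its `rules` wrapper, the second rule and its action value are constructed.

```python
import xml.etree.ElementTree as ET

DENY = "2"  # "action" value of the thread's working block rule; other values assumed non-blocking

# Constructed sample: rule 1 is the thread's rule cut down to the fields checked here; rule 2,
# its action value 1 and the wrapping "rules" element are invented for this demonstration.
SAMPLE = r"""<ITEM NAME="rules">
 <ITEM NAME="1"><NODE NAME="enabled" VALUE="1" /><NODE NAME="name" VALUE="Block notepad" />
  <NODE NAME="action" VALUE="2" /><NODE NAME="allPeTargets" VALUE="0" />
  <ITEM NAME="peOperations"><NODE NAME="Application_Create" VALUE="1" /></ITEM>
  <ITEM NAME="peTargets"><NODE NAME="1" VALUE="C:\Windows\System32\notepad.exe" /></ITEM></ITEM>
 <ITEM NAME="2"><NODE NAME="enabled" VALUE="1" /><NODE NAME="name" VALUE="Allow all" />
  <NODE NAME="action" VALUE="1" /><NODE NAME="allPeTargets" VALUE="1" /></ITEM>
</ITEM>"""

def parse_rules(xml_text):
    """Return one dict per ITEM that has a direct NODE child named "action"."""
    rules = []
    for item in ET.fromstring(xml_text).iter("ITEM"):
        rule = {n.get("NAME"): n.get("VALUE") for n in item.findall("NODE")}
        if "action" in rule:
            for sub in item.findall("ITEM"):  # nested groups: peOperations, peTargets, ...
                rule[sub.get("NAME")] = {n.get("NAME"): n.get("VALUE") for n in sub.findall("NODE")}
            rules.append(rule)
    return rules

def covers(rule, exe):
    """True if the rule targets exe; Windows paths compare case-insensitively."""
    targets = [v.lower() for v in rule.get("peTargets", {}).values()]
    return rule.get("allPeTargets") == "1" or exe.lower() in targets

def block_problems(rule, exe):
    """Ways the rule differs from the thread's working rule for blocking the start of exe."""
    ops = rule.get("peOperations", {})
    # Assumption: Process_AllOperations=1 also covers starting the application.
    starts = "1" in (ops.get("Application_Create"), ops.get("Process_AllOperations"))
    checks = [(rule.get("enabled") == "1", "rule is disabled"),
              (rule.get("action") == DENY, "action is not 2"),
              (starts, "Application_Create is not selected"),
              (covers(rule, exe), "exe is not listed under peTargets")]
    return [msg for ok, msg in checks if not ok]

def overriding_rules(rules, exe):
    """Names of enabled rules with another action that also cover exe."""
    return [r["name"] for r in rules
            if r.get("enabled") == "1" and r.get("action") != DENY and covers(r, exe)]

if __name__ == "__main__":
    rules, exe = parse_rules(SAMPLE), r"C:\Windows\System32\notepad.exe"
    print(block_problems(rules[0], exe), overriding_rules(rules, exe))
```

An empty list from `block_problems` together with an empty list from `overriding_rules` means the exported rule matches the working one and nothing else in the export competes with it.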

Hi!

I could make it work, thanks for your help. After waiting for a few hours, it works.

 

Now I'm trying to block Control Panel. Do you guys have any idea how? Using registry entries?


1 hour ago, Mateus Gabriel said:

Now I'm trying to block Control Panel. Do you guys have any idea how? Using registry entries?

The executable file for the Control Panel is control.exe. Both in Windows 11 and Windows 10, you can find it in the Windows folder in the System32 subfolder.
