Mateus Gabriel | Posted October 18, 2022

Hello, I'm trying to create a HIPS rule to deny a few apps on some computers in my company, but I can't make it work. Here are the settings:

Filtering mode: automatic

Inside the rule:
- Action: Deny
- Source application: mspaint.exe
- Operations: All
- Application: mspaint.exe

I tried all the possible combinations:
- Source application: Any and Application: mspaint.exe
- Source application: mspaint.exe and Application: Any
- Source application: mspaint.exe and Application: mspaint.exe

But I still can't make it work. Any thoughts?

Marcos (Administrators) | Posted October 18, 2022

Selecting any application as the source app should do the trick.

Mateus Gabriel (Author) | Posted October 18, 2022

Hi @Marcos, thanks for your response. I tried using the following settings:

And it didn't work either. I even tried to change the mode to "Iterative mode" to see if the rule is working, and it immediately started popping up notifications to allow or deny the operations. Is there something that I'm missing?

Marcos (Administrators) | Posted October 18, 2022

For me it works. Please export the configuration and search for the corresponding HIPS rule. It should look like that:

```xml
<ITEM NAME="1">
  <NODE NAME="enabled" TYPE="number" VALUE="1" />
  <NODE NAME="name" TYPE="string" VALUE="Block notepad" />
  <NODE NAME="priority" TYPE="number" VALUE="80" />
  <NODE NAME="action" TYPE="number" VALUE="2" />
  <NODE NAME="notify" TYPE="number" VALUE="0" />
  <NODE NAME="allAppSources" TYPE="number" VALUE="1" />
  <ITEM NAME="appSources" DELETE="1" />
  <NODE NAME="hasFileTargets" TYPE="number" VALUE="0" />
  <NODE NAME="hasRegTargets" TYPE="number" VALUE="0" />
  <NODE NAME="hasPeTargets" TYPE="number" VALUE="1" />
  <ITEM NAME="fileOperations">
    <NODE NAME="File_AllOperations" TYPE="number" VALUE="0" />
    <NODE NAME="File_Delete" TYPE="number" VALUE="0" />
    <NODE NAME="File_Modify" TYPE="number" VALUE="0" />
    <NODE NAME="File_DirectDiskAccess" TYPE="number" VALUE="0" />
    <NODE NAME="Image_GlobalHook" TYPE="number" VALUE="0" />
    <NODE NAME="Image_LoadDriver" TYPE="number" VALUE="0" />
  </ITEM>
  <ITEM NAME="regOperations">
    <NODE NAME="Registry_AllOperations" TYPE="number" VALUE="0" />
    <NODE NAME="Registry_ModifyStartup" TYPE="number" VALUE="0" />
    <NODE NAME="Registry_Delete" TYPE="number" VALUE="0" />
    <NODE NAME="Registry_Rename" TYPE="number" VALUE="0" />
    <NODE NAME="Registry_Modify" TYPE="number" VALUE="0" />
  </ITEM>
  <ITEM NAME="peOperations">
    <NODE NAME="Process_AllOperations" TYPE="number" VALUE="0" />
    <NODE NAME="Application_Debug" TYPE="number" VALUE="0" />
    <NODE NAME="Application_Hook" TYPE="number" VALUE="0" />
    <NODE NAME="Application_Stop" TYPE="number" VALUE="0" />
    <NODE NAME="Application_Create" TYPE="number" VALUE="1" />
    <NODE NAME="Application_Modify" TYPE="number" VALUE="0" />
  </ITEM>
  <NODE NAME="allFileTargets" TYPE="number" VALUE="0" />
  <ITEM NAME="fileTargets" DELETE="1" />
  <NODE NAME="allRegTargets" TYPE="number" VALUE="0" />
  <ITEM NAME="regTargets" DELETE="1" />
  <NODE NAME="allPeTargets" TYPE="number" VALUE="0" />
  <ITEM NAME="peTargets" DELETE="1">
    <NODE NAME="1" TYPE="string" VALUE="C:\Windows\System32\notepad.exe" />
  </ITEM>
  <NODE NAME="severity" TYPE="number" VALUE="0" />
</ITEM>
```

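One way to compare an exported rule with the one posted above, as an added example that is not part of the thread and not ESET tooling. It assumes the export is well-formed XML in the ITEM/NODE layout shown, that `2` is the block action as in the posted rule, and the two points marked as assumptions in the comments; `SAMPLE` is constructed from the posted rule.

```python
import xml.etree.ElementTree as ET
# Constructed sample: a trimmed copy of the rule layout posted above.
SAMPLE = r'''<ITEM NAME="1">
 <NODE NAME="enabled" TYPE="number" VALUE="1" />
 <NODE NAME="name" TYPE="string" VALUE="Block notepad" />
 <NODE NAME="action" TYPE="number" VALUE="2" />
 <NODE NAME="allAppSources" TYPE="number" VALUE="1" />
 <ITEM NAME="peOperations">
  <NODE NAME="Process_AllOperations" TYPE="number" VALUE="0" />
  <NODE NAME="Application_Create" TYPE="number" VALUE="1" />
 </ITEM>
 <NODE NAME="allPeTargets" TYPE="number" VALUE="0" />
 <ITEM NAME="peTargets" DELETE="1">
  <NODE NAME="1" TYPE="string" VALUE="C:\Windows\System32\notepad.exe" />
 </ITEM>
</ITEM>'''

BLOCK = "2"  # "action" value of the posted blocking rule

def node(item, name):
    """VALUE of the direct child NODE called name, or '' if absent."""
    return next((n.get("VALUE", "") for n in item.findall("NODE") if n.get("NAME") == name), "")

def sub_values(item, name):
    """NAME -> VALUE for the NODEs inside the direct child ITEM called name."""
    return {n.get("NAME"): n.get("VALUE") for s in item.findall("ITEM")
            if s.get("NAME") == name for n in s.findall("NODE")}

def find_rules(xml_text):
    """Every ITEM shaped like a rule: it has an 'action' NODE and a 'peOperations' ITEM."""
    return [i for i in ET.fromstring(xml_text).iter("ITEM")
            if node(i, "action") and sub_values(i, "peOperations")]

def check_rule(item, exe_path):
    """List how a rule differs from the posted working rule for exe_path."""
    ops = sub_values(item, "peOperations")
    targets = [(v or "").lower() for v in sub_values(item, "peTargets").values()]
    checks = [
        (node(item, "enabled") == "1", "rule is disabled"),
        (node(item, "action") == BLOCK, "action is not the block value"),
        (node(item, "allAppSources") == "1", "source is not 'all applications'"),
        # Assumption: Process_AllOperations=1 also covers starting an application.
        ("1" in (ops.get("Application_Create"), ops.get("Process_AllOperations")),
         "starting an application is not a selected operation"),
        # Assumption: allPeTargets=1 means every application is a target.
        (node(item, "allPeTargets") == "1" or exe_path.lower() in targets,
         "executable is not a target application"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Pass the text of the exported configuration to `find_rules`, then call `check_rule` on each result with the full path of the executable the rule is meant to block; an empty list means the rule matches the posted one on every checked field.
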
itman | Posted October 18, 2022

Verify that no HIPS allow rules exist for the processes you are trying to block via a HIPS rule. The Eset HIPS processes all allow rules prior to processing block rules.

Mateus Gabriel (Author) | Posted October 19, 2022

Hi! I could make it work, thanks for your help. After waiting for a few hours, it works. Now I'm trying to block Control Panel. Do you guys have any idea how? Using registry entries?

itman | Posted October 19, 2022

> 1 hour ago, Mateus Gabriel said:
> Now I'm trying to block Control Panel. Do you guys have any idea how? Using registry entries?

The executable file for the Control Panel is control.exe. Both in Windows 11 and Windows 10, you can find it in the Windows folder in the System32 subfolder.