Can't create a HIPS Rule to deny to open an app

[Mateus Gabriel 0]

Hello,

I'm trying to create a HIPS rule to deny a few apps in some computers in my company, but i can't make it work.

Heres the settings:

 

Filtering mode: automatic

Inside the rule..
Action: Deny

Source application: mspaint.exe

 

Operations: All

 

Application: mspaint.exe

 

 

I tried all the possible combinations:

Source application: Any and Application: mspaint.exe
Source application: mspaint.exe and Application: Any

Source application: mspaint.exe and Application: mspaint.exe

 

But i still cant make it work.

Any thoughts?

 

 

[Marcos 5,074]

Selecting any application as the source app should do the trick.

[Mateus Gabriel 0]

HI @Marcos, thanks for your response.

 

I tried using the following settings:

 

 

And it didnt work as well. I even tried to change the mode to "Iterative mode" to see if the rules is working, and immediately starting poping-up notifications to allow or deny the operations.

Is there something that i'm missing?

[Marcos 5,074]

For me it works. Please export the configuration and search for the corresponding HIPS rule. It should look like that:

 

      <ITEM NAME="1">
       <NODE NAME="enabled" TYPE="number" VALUE="1" />
       <NODE NAME="name" TYPE="string" VALUE="Block notepad" />
       <NODE NAME="priority" TYPE="number" VALUE="80" />
       <NODE NAME="action" TYPE="number" VALUE="2" />
       <NODE NAME="notify" TYPE="number" VALUE="0" />
       <NODE NAME="allAppSources" TYPE="number" VALUE="1" />
       <ITEM NAME="appSources" DELETE="1" />
       <NODE NAME="hasFileTargets" TYPE="number" VALUE="0" />
       <NODE NAME="hasRegTargets" TYPE="number" VALUE="0" />
       <NODE NAME="hasPeTargets" TYPE="number" VALUE="1" />
       <ITEM NAME="fileOperations">
        <NODE NAME="File_AllOperations" TYPE="number" VALUE="0" />
        <NODE NAME="File_Delete" TYPE="number" VALUE="0" />
        <NODE NAME="File_Modify" TYPE="number" VALUE="0" />
        <NODE NAME="File_DirectDiskAccess" TYPE="number" VALUE="0" />
        <NODE NAME="Image_GlobalHook" TYPE="number" VALUE="0" />
        <NODE NAME="Image_LoadDriver" TYPE="number" VALUE="0" />
       </ITEM>
       <ITEM NAME="regOperations">
        <NODE NAME="Registry_AllOperations" TYPE="number" VALUE="0" />
        <NODE NAME="Registry_ModifyStartup" TYPE="number" VALUE="0" />
        <NODE NAME="Registry_Delete" TYPE="number" VALUE="0" />
        <NODE NAME="Registry_Rename" TYPE="number" VALUE="0" />
        <NODE NAME="Registry_Modify" TYPE="number" VALUE="0" />
       </ITEM>
       <ITEM NAME="peOperations">
        <NODE NAME="Process_AllOperations" TYPE="number" VALUE="0" />
        <NODE NAME="Application_Debug" TYPE="number" VALUE="0" />
        <NODE NAME="Application_Hook" TYPE="number" VALUE="0" />
        <NODE NAME="Application_Stop" TYPE="number" VALUE="0" />
        <NODE NAME="Application_Create" TYPE="number" VALUE="1" />
        <NODE NAME="Application_Modify" TYPE="number" VALUE="0" />
       </ITEM>
       <NODE NAME="allFileTargets" TYPE="number" VALUE="0" />
       <ITEM NAME="fileTargets" DELETE="1" />
       <NODE NAME="allRegTargets" TYPE="number" VALUE="0" />
       <ITEM NAME="regTargets" DELETE="1" />
       <NODE NAME="allPeTargets" TYPE="number" VALUE="0" />
       <ITEM NAME="peTargets" DELETE="1">
        <NODE NAME="1" TYPE="string" VALUE="C:\Windows\System32\notepad.exe" />
       </ITEM>
       <NODE NAME="severity" TYPE="number" VALUE="0" />
      </ITEM>

[itman 1,659]

Verify that no HIPS allow rules exist for the processes you are trying to block via HIPS rule. The Eset HIPS processes all allow rules prior to processing block rules.

[Mateus Gabriel 0]

Hi!

I could make it work, thanks for your help. After waiting for a few hours, it works.

 

Now i'm triny got block Control Panel. Do you guys have any idea how? Using registry entries?

[itman 1,659]

1 hour ago, Mateus Gabriel said:

Now i'm triny got block Control Panel. Do you guys have any idea how? Using registry entries?

The executable file for the Control Panel is control.exe. Both in Windows 11 and Windows 10, you can find it in the Windows folder in the System32 subfolder.