Dex98, posted June 5:

Hello, could you help me with enabling this feature in ESET PROTECT? Block Adobe Reader from creating child processes

Marcos (Administrators, Solution), posted June 5:

You can create the appropriate HIPS rule by following the KB https://support.eset.com/en/kb6119; just replace the app with the path to Adobe Reader's executable.

itman, posted June 5 (edited June 5 by itman):

Before creating a HIPS rule to block Adobe Reader from starting child processes, realize that it does spawn legit child processes including itself per the below Process Explorer screenshot:

Dex98 (Author), posted July 5:

Thank you for all the answers, but I have a problem. Namely, I have done everything according to the guidelines and I am accumulating a huge number of logs (currently 726017 records, in 7 days of inclusion). I've tried putting exclusions in HIPS itself and more generally, but it doesn't do anything. Could you help me?

Dex98 (Author), posted July 10:

@Marcos @itman Could you please check this out?

itman, posted July 10:

On 7/5/2023 at 9:21 AM, Dex98 said:
> Namely, I have done everything according to the guidelines and I am accumulating a huge number of logs (currently 726017 records, in 7 days of inclusion).

What logs are you referring to? Do these logs originate from Acrobat.exe?

Dex98 (Author), posted July 11:

@itman It's not just Acrobat.exe. I have all the rules set up. And unfortunately I can't exclude individual processes. The exclusions look like this, but it still doesn't work. The report continues to generate these logs despite the exclusion.

Marcos (Administrators), posted July 11:

Please provide ELC logs from the machine so that I can check your HIPS rules.

itman, posted July 11:

1 hour ago, Marcos said:
> Please provide ELC logs from the machine so that I can check your HIPS rules.

For starters, all his HIPS deny rules have an Action of Allow versus Ask or Deny. It appears these rules correspond to ESET's recommended anti-ransomware HIPS rules except for the Adobe rule. If this is the basis for these rules, the Action should be Deny.

ludolf, posted August 9:

I found only one "Exclusions" box in the "HIPS\Deep behavioral Inspection" section. Staying with the above example, when creating a HIPS rule where the source app is the adobereader executable and the child app is "All applications", will the above excluded applications be excluded? Or is there no way to apply a HIPS rule to all child processes with some exceptions?

ludolf, posted August 9:

Just checked this: https://help.eset.com/ees/10.1/en-US/idh_hips_editor_main.html

Maybe this works with 2 rules:

1. Allow rule, source: adobereader.exe, child: the allowed specific apps
2. Deny rule, source: adobereader.exe, child: all apps (lower priority, since this is less specific)

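Added example, not part of any post in this thread and not ESET code: a way to inventory which child processes Adobe Reader actually starts before enforcing a deny rule, so that the allow rule in the two-rule idea above lists only routinely observed children. It assumes process-creation records exported with the Sysmon Event ID 1 field names `ParentImage` and `Image`; the install path, the sample records, the `REVIEW` list and the `min_seen` threshold are all constructed assumptions.

```python
from collections import Counter
from ntpath import basename  # parses Windows paths on any OS

# Assumed install path of the rule's source application.
ACROBAT = r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe"
# Assumed review list: interpreters a PDF reader has no routine reason to start.
REVIEW = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def _ev(parent, child):
    return {"ParentImage": parent, "Image": child}


# Constructed sample records; field names follow Sysmon Event ID 1.
SAMPLE_EVENTS = (
    [_ev(ACROBAT, ACROBAT)] * 3
    + [_ev(ACROBAT, r"C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF.exe")] * 2
    + [_ev(ACROBAT, r"C:\Windows\System32\cmd.exe")]
    + [_ev(ACROBAT, r"C:\Users\alice\AppData\Local\Temp\update.exe")] * 2
    + [_ev(r"C:\Windows\explorer.exe", ACROBAT)]
)


def child_inventory(events, parent=ACROBAT):
    """Count child image paths started by the exact parent path."""
    counts = Counter()
    for ev in events:
        if ev["ParentImage"].lower() == parent.lower():
            counts[ev["Image"].lower()] += 1
    return counts


def split_candidates(counts, min_seen=2):
    """Separate allow-rule candidates from children that need manual review."""
    allow, review = [], []
    for path, seen in sorted(counts.items()):
        risky = basename(path) in REVIEW
        user_writable = "\\users\\" in path  # runs from a user profile
        rare = seen < min_seen  # too few sightings to call routine
        (review if risky or user_writable or rare else allow).append(path)
    return allow, review


if __name__ == "__main__":
    allow, review = split_candidates(child_inventory(SAMPLE_EVENTS))
    print("allow-rule candidates:", *allow, sep="\n  ")
    print("review before allowing:", *review, sep="\n  ")
```
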