Dex98 (Posted June 5, 2023):
Hello, could you help me with enabling this feature in ESET PROTECT? Block Adobe Reader from creating child processes
Marcos, Administrators (Posted June 5, 2023, marked as Solution):
You can create the appropriate HIPS rule by following the KB https://support.eset.com/en/kb6119, just replace the app with the path to Adobe Reader's executable.
itman (Posted June 5, 2023, edited June 5, 2023 by itman):
Before creating a HIPS rule to block Adobe Reader from starting child processes, realize that it does spawn legit child processes including itself per the below Process Explorer screenshot:
Dex98, Author (Posted July 5, 2023):
Thank you for all the answers, but I have a problem. Namely, I have done everything according to the guidelines and I am accumulating a huge number of logs (currently 726017 records, in 7 days of inclusion). I've tried putting exclusions in HIPS itself and more generally, but it doesn't do anything. Could you help me?
Dex98, Author (Posted July 10, 2023):
@Marcos @itman Could you please check this out?
itman (Posted July 10, 2023):
Quoting Dex98 (7/5/2023 at 9:21 AM): Namely, I have done everything according to the guidelines and I am accumulating a huge number of logs (currently 726017 records, in 7 days of inclusion).
What logs are you referring to? Do these logs originate from Acrobat.exe?
Dex98, Author (Posted July 11, 2023):
@itman It's not just Acrobat.exe. I have all the rules set up. And unfortunately I can't exclude individual processes. The exclusions look like this, but it still doesn't work. The report continues to generate these logs despite the exclusion.
Marcos, Administrators (Posted July 11, 2023):
Please provide ELC logs from the machine so that I can check your HIPS rules.
itman (Posted July 11, 2023):
Quoting Marcos (1 hour ago): Please provide ELC logs from the machine so that I can check your HIPS rules.
For starters, all his HIPS deny rules have an Action of Allow versus Ask or Deny. It appears these rules correspond to ESET's recommended anti-ransomware HIPS rules except for the Adobe rule. If this is the basis for these rules, the Action should be Deny.
ludolf (Posted August 9, 2023):
I found only one "Exclusions" box in the "HIPS\Deep Behavioral Inspection" section. Staying with the above example, creating a HIPS rule where the source app is the adobereader executable and the child app is "All applications", will the above excluded applications be excluded? Or is there no way to apply a HIPS rule to all child processes with some exceptions?
ludolf (Posted August 9, 2023):
Just checked this: https://help.eset.com/ees/10.1/en-US/idh_hips_editor_main.html
Maybe this works with 2 rules:
1. Allow rule, source: adobereader.exe, child: the allowed specific apps
2. Deny rule, source: adobereader.exe, child: all apps (lower priority, since this is less specific)
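Both itman's point (Adobe Reader legitimately spawns child processes, including itself) and ludolf's two-rule layout (a specific Allow rule above a general Deny rule) depend on knowing which child executables are legitimate before the Deny rule is switched on. The script below is an added example, not code from the thread, from ESET or from Adobe: it polls the process list for a while and records every child of the Reader/Acrobat process, giving a candidate list for the Allow rule. It assumes the parent executables are named Acrobat.exe and AcroRd32.exe (adjust to the path you put in the HIPS rule) and that it is run on a machine where Reader is actually in use during the sampling window.

```powershell
# Added example (not from the thread, ESET or Adobe): sample the child processes that
# Adobe Reader/Acrobat spawns over a short window, so the exception list for a
# "block child processes" HIPS rule is based on observed behaviour rather than guesswork.
# Assumption: the parent executables are Acrobat.exe and AcroRd32.exe.

param(
    [int]$Minutes = 10,          # how long to sample
    [int]$IntervalSeconds = 2    # how often to poll the process list
)

$parentNames = @('Acrobat.exe', 'AcroRd32.exe')
$seen = @{}   # key: child executable path (or name), value: details of first sighting
$deadline = (Get-Date).AddMinutes($Minutes)

while ((Get-Date) -lt $deadline) {
    # One snapshot of all processes; ParentProcessId links a child to its parent.
    $all = Get-CimInstance -ClassName Win32_Process
    $parentPids = @($all | Where-Object { $parentNames -contains $_.Name } |
                         ForEach-Object { $_.ProcessId })

    foreach ($proc in $all) {
        if ($parentPids -contains $proc.ParentProcessId) {
            # ExecutablePath is null for some protected/system processes; fall back to the name.
            $key = if ($proc.ExecutablePath) { $proc.ExecutablePath } else { $proc.Name }
            if (-not $seen.ContainsKey($key)) {
                $seen[$key] = [pscustomobject]@{
                    Child       = $proc.Name
                    Path        = $proc.ExecutablePath
                    ParentPid   = $proc.ParentProcessId
                    CommandLine = $proc.CommandLine
                    FirstSeen   = Get-Date
                }
            }
        }
    }
    Start-Sleep -Seconds $IntervalSeconds
}

# Unique child executables observed during the window. These are the candidates for the
# specific "Allow" rule; anything not on the list falls through to the general "Deny" rule.
$seen.Values | Sort-Object Path | Format-Table Child, Path, FirstSeen -AutoSize
$seen.Values | Export-Csv -Path "$env:TEMP\acrobat-children.csv" -NoTypeInformation
```

Run it as an administrator so that CommandLine and ExecutablePath are readable for all processes. Two caveats apply to the result: a child that starts and exits between two polls is missed, so for a complete record over a longer period use process-creation auditing (Security event 4688 with command-line logging enabled, or Sysmon event ID 1) instead of polling; and a PID can be reused after a parent exits, so treat an unexpected entry as something to verify rather than as proof of a parent-child relationship. Expect to see Acrobat.exe itself in the output, as itman's screenshot showed.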