
Block Adobe Reader from creating child processes - ESET PROTECT


Go to solution Solved by Marcos,


Posted

Hello,

Could you help me with enabling this feature in ESET PROTECT?
Block Adobe Reader from creating child processes

Posted (edited)

Before creating a HIPS rule to block Adobe Reader from starting child processes, realize that it does spawn legit child processes including itself per the below Process Explorer screenshot:

[Attached screenshot: Eset_Adobe.png]

Edited by itman
  • 5 weeks later...
Posted

Thank you for all the answers, but I have a problem. Namely, I have done everything according to the guidelines and I am accumulating a huge number of logs (currently 726017 records, in 7 days of inclusion). I've tried putting exclusions in HIPS itself and more generally, but it doesn't do anything. Could you help me?


Posted
On 7/5/2023 at 9:21 AM, Dex98 said:

Namely, I have done everything according to the guidelines and I am accumulating a huge number of logs (currently 726017 records, in 7 days of inclusion).

What logs are you referring to? Do these logs originate from Acrobat.exe?

Posted

@itman It's not just Acrobat.exe. I have all the rules set up. And unfortunately I can't exclude individual processes.
[Attached screenshot]

The exclusions look like this, but it still doesn't work. The report continues to generate these logs despite the exclusion.
[Attached screenshot]

  • Administrators
Posted

Please provide ELC logs from the machine so that I can check your HIPS rules.

Posted
1 hour ago, Marcos said:

Please provide ELC logs from the machine so that I can check your HIPS rules.

For starters, all his HIPS deny rules have an Action of Allow versus Ask or Deny.

It appears these rules correspond to Eset's recommended anti-ransomware HIPS rules except for the Adobe rule. If this is the basis for these rules, the Action should be Deny.

  • 5 weeks later...
Posted

I found only one "Exclusions" box in the "HIPS\Deep behavioral Inspection" section.

Staying with the above example, when creating a HIPS rule where the source app is the adobereader executable and the child app is "All applications", will the above excluded applications be excluded?

Or is there no way to apply a HIPS rule to all child processes with some exceptions?

 
