Dex98, posted June 5, 2023:

Hello, Could you help me with enabling this feature in ESET PROTECT? Block Adobe Reader from creating child processes

Marcos (Administrators), posted June 5, 2023 (Solution):

You can create the appropriate HIPS rule by following the KB https://support.eset.com/en/kb6119; just replace the app with the path to Adobe Reader's executable.

itman, posted June 5, 2023 (edited June 5, 2023 by itman):

Before creating a HIPS rule to block Adobe Reader from starting child processes, realize that it does spawn legit child processes including itself per the below Process Explorer screenshot:

Dex98 (Author), posted July 5, 2023:

Thank you for all the answers, but I have a problem. Namely, I have done everything according to the guidelines and I am accumulating a huge number of logs (currently 726017 records, in 7 days of inclusion). I've tried putting exclusions in HIPS itself and more generally, but it doesn't do anything. Could you help me?

Dex98 (Author), posted July 10, 2023:

@Marcos @itman Could you please check this out?

itman, posted July 10, 2023:

On 7/5/2023 at 9:21 AM, Dex98 said:
> Namely, I have done everything according to the guidelines and I am accumulating a huge number of logs (currently 726017 records, in 7 days of inclusion).

What logs are you referring to? Do these logs originate from Acrobat.exe?

Dex98 (Author), posted July 11, 2023:

@itman It's not just Acrobat.exe. I have all the rules set up. And unfortunately I can't exclude individual processes. The exclusions look like this, but it still doesn't work. The report continues to generate these logs despite the exclusion.

Marcos (Administrators), posted July 11, 2023:

Please provide ELC logs from the machine so that I can check your HIPS rules.

itman, posted July 11, 2023:

1 hour ago, Marcos said:
> Please provide ELC logs from the machine so that I can check your HIPS rules.

For starters, all his HIPS deny rules have an Action of Allow versus Ask or Deny. It appears these rules correspond to ESET's recommended anti-ransomware HIPS rules except for the Adobe rule. If this is the basis for these rules, the Action should be Deny.

ludolf, posted August 9, 2023:

I found only one "Exclusions" box in the "HIPS\Deep behavioral Inspection" section. Staying with the above example, when creating a HIPS rule where the source app is the adobereader executable and the child app is "All applications", will the above excluded applications be excluded? Or is there no way to apply a HIPS rule to all child processes with some exceptions?

ludolf, posted August 9, 2023:

Just checked this: https://help.eset.com/ees/10.1/en-US/idh_hips_editor_main.html

Maybe this works with 2 rules:
1. Allow rule, source: adobereader.exe, child: the allowed specific apps
2. Deny rule, source: adobereader.exe, child: all apps (lower priority, since this is less specific)