Jump to content

VS Code and HIPS issue


Nono

Recommended Posts

Since many years now, I'm using HIPS to protect our endpoints, and for most of it, it works really well, the main issue is and always was, the filtering options to catch random folder/name of the application.

This become quite difficult since we use VS Code, which trigger 2 alerts everytime we open it.

The logs of those errors looks like this :

Time;Application;Operation;Target;Action;Rule;Additional information
2023-05-10 1:43:33 PM;C:\Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe;Start new application;C:\Users\User\AppData\Local\Temp\vscode-update-user-x64\CodeSetup-stable-6a995c4f4cc2ced6e3237749973982e751cb0bf9.exe;Allowed;Executables ExecAsk;
2023-05-10 1:43:36 PM;C:\Users\User\AppData\Local\Temp\vscode-update-user-x64\CodeSetup-stable-6a995c4f4cc2ced6e3237749973982e751cb0bf9.exe;Start new application;C:\Users\User\AppData\Local\Temp\is-BVE93.tmp\CodeSetup-stable-6a995c4f4cc2ced6e3237749973982e751cb0bf9.tmp;Allowed;Executables ExecAsk;

The issue here, relies on the fact that the filename (and not the path) are random char, when the HIPS rules can only afford a "wildcard" for folder, aka :

to catch all

Quote

C:\Users\*<USERNAME>*\folder

you can use as filter:

Quote

C:\Users\\folder

But you cannot catch any "*.exe" within this same folder.

(see proposal here : 

 )

Link to comment
Share on other sites

  • 3 weeks later...
On 6/15/2023 at 5:27 AM, Marcos said:

Currently this is not possible but we have added your suggestion to our backlog.

Could you also (or instead?) consider using the rules based on codesigning ? That would be even more secured IMO.

Link to comment
Share on other sites

On 6/14/2023 at 3:35 AM, Nono said:

But you cannot catch any "*.exe" within this same folder

You can detect any .exe startup in a directory/folder and subordinate folders by creating a HIPS rule to Ask or Deny any application startup in C:\Users\folder and C:\Users\folder\* .

Example of one of my HIPS rules shown below;

Eset_HIPS.png.63849ed7abebc98d523b1a5944395ed2.png

 

 

Link to comment
Share on other sites

16 hours ago, itman said:

You can detect any .exe startup in a directory/folder and subordinate folders by creating a HIPS rule to Ask or Deny any application startup in C:\Users\folder and C:\Users\folder\* .

Hi itman,

If I agree with your statement (and use it too on some occasion), it's not as secure as: 

  • Fine filtering as suggested
  • Signed code check


If you have something on a TEMP folder, this is something you clearly don't want to do (allowing EVERYTHING).

 

For instance, you rule

Quote

C:\Users\\AppData\Local\*

all softwares and scripts in any subfolder (including on the very untrusted C:\Users\\AppData\Local\TEMP\xxxxxxx\badscript.ps1)

This is clearly a no-go for us and I can only highly suggest the same for anyone else.

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...