Nono, posted June 14:

For many years now I've been using HIPS to protect our endpoints, and for the most part it works really well. The main issue is, and always was, the filtering options to catch a random folder/name of the application. This has become quite difficult since we use VS Code, which triggers 2 alerts every time we open it. The logs of those errors look like this:

Time;Application;Operation;Target;Action;Rule;Additional information
2023-05-10 1:43:33 PM;C:\Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe;Start new application;C:\Users\User\AppData\Local\Temp\vscode-update-user-x64\CodeSetup-stable-6a995c4f4cc2ced6e3237749973982e751cb0bf9.exe;Allowed;Executables ExecAsk;
2023-05-10 1:43:36 PM;C:\Users\User\AppData\Local\Temp\vscode-update-user-x64\CodeSetup-stable-6a995c4f4cc2ced6e3237749973982e751cb0bf9.exe;Start new application;C:\Users\User\AppData\Local\Temp\is-BVE93.tmp\CodeSetup-stable-6a995c4f4cc2ced6e3237749973982e751cb0bf9.tmp;Allowed;Executables ExecAsk;

The issue here lies in the fact that the filename (and not the path) is random characters, whereas the HIPS rules only allow a "wildcard" for folders, i.e. to catch all

C:\Users\*<USERNAME>*\folder

you can use as filter:

C:\Users\*\folder

But you cannot catch any "*.exe" within this same folder. (see proposal here: )
Marcos (Administrator), posted June 15:

Currently this is not possible but we have added your suggestion to our backlog.
Nono (Author), posted July 4:

On 6/15/2023 at 5:27 AM, Marcos said: Currently this is not possible but we have added your suggestion to our backlog.

Could you also (or instead?) consider using rules based on code signing? That would be even more secure IMO.
itman, posted July 4:

On 6/14/2023 at 3:35 AM, Nono said: But you cannot catch any "*.exe" within this same folder

You can detect any .exe startup in a directory/folder and its subordinate folders by creating a HIPS rule to Ask or Deny any application startup in C:\Users\folder and C:\Users\folder\* . Example of one of my HIPS rules shown below:
Nono (Author), posted July 5:

16 hours ago, itman said: You can detect any .exe startup in a directory/folder and subordinate folders by creating a HIPS rule to Ask or Deny any application startup in C:\Users\folder and C:\Users\folder\* .

Hi itman,

While I agree with your statement (and use it too on occasion), it's not as secure as:
- Fine filtering as suggested
- Signed code check

If you have something in a TEMP folder, this is something you clearly don't want to do (allowing EVERYTHING). For instance, your rule

C:\Users\*\AppData\Local\*

allows all software and scripts in any subfolder (including in the very untrusted C:\Users\*\AppData\Local\TEMP\xxxxxxx\badscript.ps1).

This is clearly a no-go for us and I can only highly suggest the same for anyone else.
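To make the trade-off in this thread concrete, here is an added Python example (not code from the thread, and not ESET's code) that replays the three candidate rules against the semicolon-separated log layout Nono quoted. The wildcard semantics are an assumption drawn from the posts: a `*` standing alone as a path component matches exactly one folder name, and a trailing `\*` matches everything beneath that folder, as itman's rule implies. A `*` inside a file name is modelled by the `filename_wildcard` flag, which represents the feature Nono requested rather than an option the product offers; the third log record is constructed to mirror Nono's badscript.ps1 example.

```python
"""Check candidate HIPS-style path rules against an exported HIPS log.

Added example for this thread, not ESET code. Assumptions: '*' as a whole
path component matches exactly one folder name, and a trailing '\\*'
matches everything below that folder; a '*' inside a file name is the
capability requested in the thread, modelled by filename_wildcard.
"""
import re

# Constructed sample in the same layout as the export quoted in the thread:
# the first two records are the VS Code lines from the post, the third is a
# made-up record mirroring the badscript.ps1 example (not a real event).
SAMPLE_LOG = r"""Time;Application;Operation;Target;Action;Rule;Additional information
2023-05-10 1:43:33 PM;C:\Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe;Start new application;C:\Users\User\AppData\Local\Temp\vscode-update-user-x64\CodeSetup-stable-6a995c4f4cc2ced6e3237749973982e751cb0bf9.exe;Allowed;Executables ExecAsk;
2023-05-10 1:43:36 PM;C:\Users\User\AppData\Local\Temp\vscode-update-user-x64\CodeSetup-stable-6a995c4f4cc2ced6e3237749973982e751cb0bf9.exe;Start new application;C:\Users\User\AppData\Local\Temp\is-BVE93.tmp\CodeSetup-stable-6a995c4f4cc2ced6e3237749973982e751cb0bf9.tmp;Allowed;Executables ExecAsk;
2023-05-10 2:01:12 PM;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe;Start new application;C:\Users\User\AppData\Local\Temp\xxxxxxx\badscript.ps1;Allowed;Executables ExecAsk;
"""


def parse_hips_log(text):
    """Split the export into dicts keyed by the header row's column names."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split(";")
    return [dict(zip(header, ln.split(";"))) for ln in lines[1:]]


def compile_rule(pattern, filename_wildcard=False):
    """Translate a HIPS-style path pattern into a compiled regex.

    Raises ValueError when the pattern uses a partial wildcard such as
    'CodeSetup-stable-*.exe' and filename_wildcard is False, mirroring the
    "currently not possible" answer in the thread.
    """
    parts = pattern.split("\\")
    pieces = []
    for index, part in enumerate(parts):
        is_last = index == len(parts) - 1
        if part == "*":
            # whole-component wildcard: one folder name, or everything below
            pieces.append(".*" if is_last else r"[^\\]+")
        elif "*" in part:
            if not (is_last and filename_wildcard):
                raise ValueError(f"partial wildcard not expressible: {part!r}")
            pieces.append(r"[^\\]*".join(re.escape(p) for p in part.split("*")))
        else:
            pieces.append(re.escape(part))
    return re.compile("^" + r"\\".join(pieces) + "$", re.IGNORECASE)


def rule_is_expressible(pattern, filename_wildcard=False):
    """True if the pattern can be written under the assumed wildcard rules."""
    try:
        compile_rule(pattern, filename_wildcard)
        return True
    except ValueError:
        return False


def match_targets(rule, records):
    """Return the Target paths of application starts the rule would catch."""
    return [r["Target"] for r in records
            if r["Operation"] == "Start new application" and rule.match(r["Target"])]


def compare_rules(text=SAMPLE_LOG):
    """Map each candidate rule name to the targets it catches in the log."""
    records = parse_hips_log(text)
    candidates = {
        # whole Local folder tree: catches the installer, but also the script
        "folder_tree": (r"C:\Users\*\AppData\Local\*", False),
        # pin the installer's folder: misses the random is-XXXX.tmp stage
        "installer_folder": (r"C:\Users\*\AppData\Local\Temp\vscode-update-user-x64\*", False),
        # requested feature: wildcard inside the file name, scoped to the installer
        "filename_wildcard": (r"C:\Users\*\AppData\Local\Temp\*\CodeSetup-stable-*.*", True),
    }
    return {name: match_targets(compile_rule(p, fw), records)
            for name, (p, fw) in candidates.items()}


if __name__ == "__main__":
    for name, hits in compare_rules().items():
        print(f"{name}: {len(hits)} hit(s)")
        for hit in hits:
            print("   ", hit)
```

Run as-is, the broad folder-tree rule matches all three starts (including the constructed badscript.ps1), the installer-folder rule catches only the first stage because the second runs from a random is-XXXX.tmp folder, and the filename-wildcard rule catches both installer stages and nothing else. This is the gap the thread describes: without a filename wildcard (or a code-signing check), the only rule that covers the random stage also covers everything else under Local.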