Nono, Posted June 14, 2023

For many years now I've been using HIPS to protect our endpoints, and for the most part it works really well. The main issue is, and always was, the filtering options to catch a random folder/name of the application. This has become quite difficult since we use VS Code, which triggers 2 alerts every time we open it. The logs of those alerts look like this:

Time;Application;Operation;Target;Action;Rule;Additional information
2023-05-10 1:43:33 PM;C:\Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe;Start new application;C:\Users\User\AppData\Local\Temp\vscode-update-user-x64\CodeSetup-stable-6a995c4f4cc2ced6e3237749973982e751cb0bf9.exe;Allowed;Executables ExecAsk;
2023-05-10 1:43:36 PM;C:\Users\User\AppData\Local\Temp\vscode-update-user-x64\CodeSetup-stable-6a995c4f4cc2ced6e3237749973982e751cb0bf9.exe;Start new application;C:\Users\User\AppData\Local\Temp\is-BVE93.tmp\CodeSetup-stable-6a995c4f4cc2ced6e3237749973982e751cb0bf9.tmp;Allowed;Executables ExecAsk;

The issue here relies on the fact that the filename (and not the path) is random characters, while the HIPS rules can only afford a "wildcard" for folders, i.e. to catch all

C:\Users\*<USERNAME>*\folder

you can use as filter:

C:\Users\*\folder

But you cannot catch any "*.exe" within this same folder. (see proposal here: )
Marcos (Administrators), Posted June 15, 2023

Currently this is not possible but we have added your suggestion to our backlog.
Nono (Author), Posted July 4, 2023

On 6/15/2023 at 5:27 AM, Marcos said:
> Currently this is not possible but we have added your suggestion to our backlog.

Could you also (or instead?) consider rules based on code signing? That would be even more secure IMO.
itman, Posted July 4, 2023

On 6/14/2023 at 3:35 AM, Nono said:
> But you cannot catch any "*.exe" within this same folder

You can detect any .exe startup in a directory/folder and its subordinate folders by creating a HIPS rule to Ask or Deny any application startup in C:\Users\folder and C:\Users\folder\* . Example of one of my HIPS rules shown below;
Nono (Author), Posted July 5, 2023

16 hours ago, itman said:
> You can detect any .exe startup in a directory/folder and its subordinate folders by creating a HIPS rule to Ask or Deny any application startup in C:\Users\folder and C:\Users\folder\* .

Hi itman,

While I agree with your statement (and use it too on some occasions), it's not as secure as:
- fine filtering as suggested
- a signed-code check

If you have something in a TEMP folder, this is something you clearly don't want to do (allowing EVERYTHING). For instance, your rule

C:\Users\*\AppData\Local\*

allows all software and scripts in any subfolder (including in the very untrusted C:\Users\*\AppData\Local\TEMP\xxxxxxx\badscript.ps1). This is clearly a no-go for us and I can only highly suggest the same for anyone else.
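The two points the thread turns on, that the VS Code updater's target file names are random but sit under a fixed folder, and that a blanket folder wildcard under AppData\Local also waves through untrusted TEMP content, can be seen concretely by replaying the exported HIPS log against candidate rules. The script below is an added example and is not code from the thread or from ESET; it post-processes a log export offline rather than being a HIPS rule. Assumptions: the pattern syntax (`*` matches within one path component, `**` spans components, matching is case-insensitive) is this example's own convention, and the third log line (powershell.exe launching badscript.ps1) is constructed to stand in for the untrusted TEMP script the last post mentions.

```python
import csv
import io
import re

# Constructed sample of a HIPS log export in the semicolon-delimited layout
# quoted in the thread. The first two events are the thread's own VS Code
# updater lines; the third (powershell.exe launching badscript.ps1) is invented
# here to represent the untrusted TEMP content the last post warns about.
SAMPLE_LOG = r"""Time;Application;Operation;Target;Action;Rule;Additional information
2023-05-10 1:43:33 PM;C:\Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe;Start new application;C:\Users\User\AppData\Local\Temp\vscode-update-user-x64\CodeSetup-stable-6a995c4f4cc2ced6e3237749973982e751cb0bf9.exe;Allowed;Executables ExecAsk;
2023-05-10 1:43:36 PM;C:\Users\User\AppData\Local\Temp\vscode-update-user-x64\CodeSetup-stable-6a995c4f4cc2ced6e3237749973982e751cb0bf9.exe;Start new application;C:\Users\User\AppData\Local\Temp\is-BVE93.tmp\CodeSetup-stable-6a995c4f4cc2ced6e3237749973982e751cb0bf9.tmp;Allowed;Executables ExecAsk;
2023-05-10 2:10:02 PM;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe;Start new application;C:\Users\User\AppData\Local\Temp\xxxxxxx\badscript.ps1;Allowed;Executables ExecAsk;
"""

# Rules written the way the thread wishes HIPS allowed them: a wildcard in the
# file name, not only in the folder. Pattern syntax is this example's own
# convention (assumption): '*' matches within one path component, '**' spans
# components, and matching ignores case as NTFS does.
VSCODE_UPDATER = r"C:\Users\*\AppData\Local\Temp\vscode-update-user-x64\CodeSetup-stable-*.exe"
VSCODE_UPDATER_TMP = r"C:\Users\*\AppData\Local\Temp\is-*.tmp\CodeSetup-stable-*.tmp"
# The blanket rule the last post argues against.
BROAD_LOCAL = r"C:\Users\*\AppData\Local\**"


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a path pattern into an anchored, case-insensitive regex."""
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")           # spans backslashes
            i += 2
        elif pattern[i] == "*":
            parts.append(r"[^\\]*")      # stays inside one component
            i += 1
        elif pattern[i] == "?":
            parts.append(r"[^\\]")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def path_matches(path: str, pattern: str) -> bool:
    return pattern_to_regex(pattern).match(path) is not None


def parse_hips_log(text: str) -> list:
    """Parse the export into one dict per event, keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text), delimiter=";"))


def apply_allow_list(events: list, allow_patterns: list) -> tuple:
    """Split 'Start new application' events into (allowed, review).

    An event is allowed only if its Target matches one of the patterns;
    everything else is what an Ask rule would still prompt for.
    """
    compiled = [pattern_to_regex(p) for p in allow_patterns]
    allowed, review = [], []
    for ev in events:
        if ev["Operation"] != "Start new application":
            continue
        hit = any(rx.match(ev["Target"]) for rx in compiled)
        (allowed if hit else review).append(ev)
    return allowed, review


if __name__ == "__main__":
    events = parse_hips_log(SAMPLE_LOG)
    rule_sets = (("narrow", [VSCODE_UPDATER, VSCODE_UPDATER_TMP]),
                 ("broad", [BROAD_LOCAL]))
    for label, rules in rule_sets:
        allowed, review = apply_allow_list(events, rules)
        print(f"{label}: allowed={len(allowed)}, still prompting for "
              f"{[e['Target'] for e in review]}")
```

Run against the sample, the two narrow rules allow exactly the two VS Code updater events and leave badscript.ps1 to prompt, while the broad AppData\Local rule allows all three, which is the over-permission the post above describes. The same translation can be pointed at a real export to see which events a proposed rule would silence before it is created.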