Panayiotis Zezos, posted September 12 (edited):
Hello to all the community here. We have a policy in ESET Protect Cloud to disable "rundll32.exe". Users are complaining because they are getting the notification several times a day that the specific executable file tried to open but it's blocked due to ESET policies. We disabled the notify button on the policy but users still get it. Can anyone please assist with what the actual case is here? Rule is on prepend, FYI. Thank you, Panayiotis
Marcos (Administrators), posted September 12:
Please provide logs collected with ESET Log Collector from such a machine, ideally along with a screenshot of the notification.
Marcos (Administrators), posted September 12:
I couldn't find the HIPS rule from the first screenshot. There's only one rule "Allow powershell" on the machine from which you have provided the ELC logs.
itman, posted September 12 (edited):
I find it odd that the rundll32.exe HIPS rule is being triggered at all. I have the same HIPS rule and it has never been triggered. I advise determining what is triggering the HIPS rule rather than how to disable notification of it being applied. If it turns out to be legitimate activity, you can create a HIPS rule to allow that activity.