Panayiotis Zezos 0 Posted September 12, 2023 (edited)
Hello to all the community here. We have a policy in ESET Protect Cloud to disable "rundll32.exe". Users are complaining because they are getting, several times a day, the notification that the specific executable file tried to open but it's blocked due to ESET Policies. We disabled the notify button on the policy but users still get it. Can anyone please assist with what the actual case is here? Rule is on prepend, FYI. Thank you, Panayiotis
Edited September 12, 2023 by Panayiotis Zezos (vocabulary)
Administrators Marcos 5,234 Posted September 12, 2023
Please provide logs collected with ESET Log Collector from such a machine, ideally along with a screenshot of the notification.
Administrators Marcos 5,234 Posted September 12, 2023
I couldn't find the HIPS rule from the first screenshot. There's only one rule "Allow powershell" on the machine from which you have provided the ELC logs.
itman 1,741 Posted September 12, 2023 (edited)
I find it odd that the rundll32.exe HIPS rule is being triggered at all. I have the same HIPS rule and it has never been triggered. I advise determining what is triggering the HIPS rule rather than how to disable notification of it being applied. If it turns out to be legitimate activity, you can create a HIPS rule to allow that activity.
Edited September 12, 2023 by itman