pcuser64 0 Posted April 7, 2015 Share Posted April 7, 2015 Hi, runnning windows 7 x64bit & ESET trial I'm testing ESEt because I was hoping ESET offered windows task scheduler protection I basically need protection from google, opera and any app ftm enabling task without my permission. the ESET HIPS rule editor seems promising as a way to be prompted. but I'm not sure how to make this work do I prevent apps writing to the %SystemRoot%\Tasks folder or what? and if so how? has ESET vets played with this? or can offer assistance / solution ? tia Link to comment Share on other sites More sharing options...
Administrators Marcos 5,074 Posted April 7, 2015 Administrators Share Posted April 7, 2015 Try creating a blocking rule with "Write to file" selected in the "Target files" tab and "C:\WINDOWS\Tasks\*.*" selected in the "Over these files" section. Link to comment Share on other sites More sharing options...
rugk 397 Posted April 7, 2015 Share Posted April 7, 2015 (edited) AFAIK in Windows Vista and above Windows doesn't use C:\WINDOWS\Tasks anymore. You could try blocking the access to "C:\Windows\System32\schtasks.exe" (so that it can't be run), however this would only block the commando line tool and this wouldn't help very much as there are other ways to modify tasks. Edit: No they are still stored in the file system but mostly under C:\Windows\System32\Tasks in Windows 7. Source: hxxp://stackoverflow.com/questions/2913816/how-to-discover-the-location-of-the-scheduled-tasks-folder So this way if you block access to both directories C:\Windows\Tasks and C:\Windows\System32\Tasks you should be able to protect the tasks from changes. Edit2: If you're running a 64bit version of Windows then you may also block access to C:\Windows\SysWOW64\Tasks. Edited April 7, 2015 by rugk Link to comment Share on other sites More sharing options...
pcuser64 0 Posted April 7, 2015 Author Share Posted April 7, 2015 Thanks for the info guys! I'll try that cause the task scheduler service uses "C:\Windows\system32\svchost.exe -k netsvcs" could'nt figure how to make that would work in a rule set I'll post back the results Thanks again Link to comment Share on other sites More sharing options...
rugk 397 Posted April 7, 2015 Share Posted April 7, 2015 (edited) Well... you're right the "Schedule" running as "C:\Windows\system32\svchost.exe -k netsvcs". However I highly assume this service must run otherwise scheduled tasks can't run.So I don't understand what you want to make. As we said you must block access to some directories.E.g. create a rule this way: So I have done this and tested it by trying to create a new rule in the schedule manager: As you can see it doesn't work and was blocked by ESS. So finally I exported the configuration and trimmed it a bit so you can easily import it into ESS and you'll have this rule.Here you can download it: Block ruleDownload(alternative download link) Ask ruleDownload(alternative download link)I configured it to notify the user and to log all tries of all programs.I hope this will fit your needs. But keep one thing in mind: If you want to edit the tasks by yourself you of course need to disable the rule temporarily. Edit: Updated XML files, added ask rule. Edited April 10, 2015 by rugk Link to comment Share on other sites More sharing options...
pcuser64 0 Posted April 8, 2015 Author Share Posted April 8, 2015 (edited) @rugk Thanks I hadn't had a chance to try the approaches mentioned and was only trying to relay how I was thinking before posting to this fine forum but what you have done is exactly what I had in mind I will change block to ask so I can control the rule enforcement on a case by case but you nailed it. "There's a long line forming to sing your praises!" Thanks again! Edited April 8, 2015 by pcuser64 Link to comment Share on other sites More sharing options...
rugk 397 Posted April 10, 2015 Share Posted April 10, 2015 (edited) Yeah, useful idea to set it to "Ask". I did it too and added the corresponding rule. I also made some small changes to the other rule file, but this were only some cosmetic changes. Edited April 10, 2015 by rugk Link to comment Share on other sites More sharing options...
pcuser64 0 Posted April 11, 2015 Author Share Posted April 11, 2015 @rugk can't get new rules, address blocked my eset "The web page is on the list of websites with potentially dangerous content." no worries original works great cheers! Link to comment Share on other sites More sharing options...
rugk 397 Posted April 12, 2015 Share Posted April 12, 2015 (edited) @pcuser64 Ahh yeah. It seems someone has uploaded malicious files on workupload.com. As it's a free filehoster anyone can upload anything. So just try the bug green download link. It links to mega.co.nz and it should work. But besides this I think you don't need to import the new rules file as you already adapted the rule like I did in a similar way. Only some other cosmetic changes. @all However I noticed that in some situation you might see many block or ask messages at startup. This is because of some triggers in some tasks which e.g. ran at startup or specific times and update itself. If you don't always want to allow the update every startup you can create permanent allow rules for these specific tasks. Edited April 12, 2015 by rugk Link to comment Share on other sites More sharing options...
Recommended Posts