how can i add a folder in the source application?

[mantra 1]

 

 

Hi

 

i have some problem with source in the hips

and i can't find an answer

 

i want to create a rule for all files inside  a folder

 

in the help or manual it's not very clear

 

well i click new , i give a name , set the action for example ask or block

in the source application i click only add

 

but only the button select file.. is available

select folder and registry are gray i don't know why

 

well i want to add the folder Z:\my utility

i tried to add Z:\my utility\*.*     Z:\my utility\* but nod doesn't accept it told me "the path is invalid"

 

i can have only Z:\my utility\ but when i run a program inside this folder doens't pop up

 

the others tab are all "use for all operation" and the action is Ask

 

but when i run a program inside this folder nod doesn't pop up !

 

what's wrong?

 

 

thanks

 

 

 

 

 

 

 

 

[0strodamus 5]

I would like the same feature to be added to the HIPS. I don't think you'll find an answer until ESET decides to add this ability. I've found some clever ways around other limitations in the HIPS, but not this one!

[Marcos 5,074]

It'd be dangerous to create general rules for any source application, hence it's not supported. You could try exporting your configuration, duplicating the HIPS rules and changing the application names to cover all the tools you use to accomplish this quicker.

[0strodamus 5]

I agree that these types of rules can be dangerous, however, they can also cut down greatly on the size of a ruleset. I don't know how much of an effect this has on performance, but it can't hurt.

 

For example, on my system I have a bunch of applications that try to write to "C:\Windows\Rescache\rc0005\rescache.hit" and "C:\Windows\CSC\v2.0.6\namespace\localhost". It would be nice to just allow these file accesses under a rule with source applications "C:\Program Files\*.*" and "C:\Program Files (x86)\*.*" instead of having to add each application one by one.

 

I also use many NirSoft applications and they all write to separate configuration (.cfg) and report (.html) files in the Nirsoft folder that I have them all in. Again, it would be nice to be able to add as the source application "C:\Program Files\NirSoft\*", instead of adding them all individually.

 

Another, example is that I use SuRun and run in a limited account. Many applications need to launch SuRun and it is the only HIPS allowed access that they need. In my opinion, it would be better to create a rule allowing "C:\Program Files\*.*" and "C:\Program Files (x86)\*.*" to launch Surun.exe instead of adding them all individually.

 

And honestly, when the behavior of ESET's HIPS module in, for example, interactive mode is Rules > Ask > Allow on Failure, what is so dangerous? The HIPS will allow anything without a rule anyway. Am I wrong in this conclusion? I can only see the merit of it being too dangerous if a user is running in Policy-based mode as it is the only mode of the 4 available that will block by default.

 

Thanks for the tip regarding quicker editing of the rules. That will come in handy.

Edited July 22, 2013 by 0strodamus