New Build Available! (349)


I've tried to reproduce this with v8. When prompted for an action upon an attempt to delete a subordinate key, I expanded Advanced options, as the rule would otherwise be created for operations not limited only to that registry key, and checked the appropriate check-box. It worked as expected - I was not prompted again when deleting the very same key repeatedly, but I was asked for an action when attempting to delete a different subordinate key.

[Attached image: v8_hips_ask_rule.png]

I'm going to test the same scenario with v9 and will post my findings shortly.

Update: It works the same way in v9 too:

[Attached image: v9_hips_ask_rule.png]

Sounds good so far. However, a couple more details are needed.

When I was testing the initial release of ver. 9, all my ver. 8 rules became jumbled, i.e. an allow rule followed by a block rule, in some random order it appeared to me. I also noticed that all new rules were always added at the bottom of existing rules, regardless of allow or block/ask specification.

So I need more info on how you created your rules. From your example, you created the "ask" rule before the "allow" rule. As such, the physical ordering of rules in the ver. 9 GUI appears to have nothing to do with their actual execution. All user "allow" rules are executed prior to any "block/ask" user rules in ver. 9 just as done in ver. 8?

 

-EDIT-

 

After reviewing again what you did, it isn't what I was specifically referring to. Please perform the following:

1. Create an ask rule for delete for HKEY_LOCAL_MACHINE\Software\fefeewf\fefewr\*. Note the wildcard specification at the end of the registry key.

2. Try to delete a subordinate registry key, e.g. HKEY_LOCAL_MACHINE\Software\fefeewf\fefewr\somekey. When alerted, create an allow rule for that registry key delete.

3. Recreate HKEY_LOCAL_MACHINE\Software\fefeewf\fefewr\somekey in the registry.

4. Then again try to delete the subordinate registry key, HKEY_LOCAL_MACHINE\Software\fefeewf\fefewr\somekey. ESET ver. 8 will allow the subordinate key delete w/o alert.

5. Test the same procedure above in ver. 9. The result should be the same as in ver. 8.

 

The above testing will prove that in ver. 9, allow rules are executed before block rules regardless of how rules are positioned in the HIPS GUI. Please post result ASAP.

Edited by itman
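
A toy model of the five-step test above, added here as an illustration (it is not ESET's HIPS engine and not code from the thread). It encodes the two rules the procedure creates and compares three hypothetical evaluation strategies, `gui_order`, `allow_first` and `most_specific`, all of which are assumptions made for the example.

```python
from fnmatch import fnmatchcase

BASE = r"HKEY_LOCAL_MACHINE\Software\fefeewf\fefewr"

# Constructed rule list, in creation order (steps 1 and 2 of the procedure).
RULES = [
    {"action": "ask", "op": "delete", "target": BASE + "\\*"},
    {"action": "allow", "op": "delete", "target": BASE + "\\somekey"},
]

def matching(rules, op, key):
    """Rules that apply to this operation; registry paths compare case-insensitively."""
    return [r for r in rules
            if r["op"] == op and fnmatchcase(key.lower(), r["target"].lower())]

def gui_order(rules, op, key):
    """Hypothesis A: the first matching rule in list order wins."""
    hits = matching(rules, op, key)
    return hits[0]["action"] if hits else None

def allow_first(rules, op, key):
    """Hypothesis B: any matching allow rule wins over block/ask rules."""
    hits = matching(rules, op, key)
    allows = [r for r in hits if r["action"] == "allow"]
    return (allows or hits)[0]["action"] if hits else None

def most_specific(rules, op, key):
    """Hypothesis C: the matching rule with the fewest wildcards wins."""
    hits = matching(rules, op, key)
    return min(hits, key=lambda r: r["target"].count("*"))["action"] if hits else None

MODELS = {"gui_order": gui_order, "allow_first": allow_first,
          "most_specific": most_specific}

def consistent_models(observed, key=BASE + "\\somekey"):
    """Models whose prediction for step 4 equals what the tester observed."""
    return sorted(n for n, f in MODELS.items() if f(RULES, "delete", key) == observed)

if __name__ == "__main__":
    for name, model in MODELS.items():
        print(name, model(RULES, "delete", BASE + "\\somekey"),
              model(RULES, "delete", BASE + "\\otherkey"))
    print("no alert at step 4 fits:", consistent_models("allow"))
    print("alert at step 4 fits:", consistent_models("ask"))
```

In this model a silent delete at step 4 rules out plain list-order evaluation, while an allow-first engine and a most-specific-match engine predict the same outcome for these two rules.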