
ESS9 HIPS Rule to ask about launching apps from a folder



Hi,

I had a simple HIPS rule on ESS8 that would prompt me for confirmation when launching an executable from my downloads folder. It was something like: application started from downloads folder > ask. It wouldn't ask on file properties inspection or for anything aside from executing an application from that folder. With ESS9, I'm having a hard time getting the HIPS to not spam me when Windows subsystems access files for properties dialogs, or any other trivial operation. Am I missing something?


  • ESET Insiders

Make a new rule with Action = Ask and Operations affecting Applications.

At the next screen select All Applications.

Next, Select the Application operations you wish to potentially block.

Next, Select Specific Applications, Click on Add and browse to your Download folder.

You should end up with a path that looks like:

C:\Users\<username>\Downloads\*.*

Click on Finish and test your rule. :)


Yeah, that's how I had defined my rule and was receiving way more prompts than just on-exe (which is what I selected in my application operations) - Seems like the behavior is a little different than it was with ESS8. Guess I'll just live without the extra ruleset as I despise being prompted repeatedly. Thanks for the feedback though!


In the target applications section, just checkmark "Start a new application." That will just give you an alert when an executable runs in your Download folder.


Yeah, problem is that it's also prompting Windows subsystems running when I engage properties dialogs and stuff as well.


Are you running the HIPS in "Interactive Mode?" If so, you will be getting numerous alerts for any process that starts for which no existing HIPS rule exists. If you don't want that, switch to either "Default" or "Smart" mode. I personally use Smart mode.


  • Administrators

Personally I use Smart mode with a custom rule to ask if an application with no rule created attempts to run. If trusted, I choose to create a rule so that I'm not prompted again.
