Jump to content

ESS9 HIPS Rule to ask about launching apps from a folder


Recommended Posts

Hi,

 

I had a simple HIPS rule on ESS8 that would prompt me for confirmation when launching an executable from my downloads folder. It was something like: application started from downloads folder  > ask. It wouldn't ask on file properties inspection or for anything aside from executing an application from that folder. With ESS9, I'm having a hard time getting the HIPS to not spam me when Windows subsystems access files for properties dialogs, or any other trivial operation. Am I missing something?

Link to comment
Share on other sites

  • ESET Insiders

Make a new rule with Action = Ask and Operations affecting Applications.

At the next screen select All Applications.

Next, Select the Application operations you wish to potentially block.

Next, Select Specific Applications, Click on Add and browse to your Download folder.

You should end up with a path that looks like:

C:\Users\<username>\Downloads\*.*

Click on Finish and test your rule. :)

Link to comment
Share on other sites

Make a new rule with Action = Ask and Operations affecting Applications.

At the next screen select All Applications.

Next, Select the Application operations you wish to potentially block.

Next, Select Specific Applications, Click on Add and browse to your Download folder.

You should end up with a path that looks like:

C:\Users\<username>\Downloads\*.*

Click on Finish and test your rule. :)

 

Yeah, that's how I had defined my rule and was receiving way more prompts than just on-exe (which is what I selected in my application operations) - Seems like the behavior is a little different than it was with ESS8. Guess I'll just live without the extra ruleset as I despise being prompted repeatedly. Thanks for the feedback though!

Link to comment
Share on other sites

In the target applications section, just checkmark "Start a new application." That will just give you an alert when an executable runs in your Download folder.

Link to comment
Share on other sites

In the target applications section, just checkmark "Start a new application." That will just give you an alert when an executable runs in your Download folder.

 

yeah, problem is that it's also prompting windows subsystems running when i engage properties dialogs and stuff as well

Link to comment
Share on other sites

 

In the target applications section, just checkmark "Start a new application." That will just give you an alert when an executable runs in your Download folder.

 

yeah, problem is that it's also prompting windows subsystems running when i engage properties dialogs and stuff as well

 

Are you running the HIPS in "Interactive Mode?" If so, you will be getting numerous alerts for any process that starts for which no existing HIPS rule exists. If you don't want that, switch to either "Default" or "Smart" mode. I personally use Smart mode.

Link to comment
Share on other sites

  • Administrators

Personally I use Smart mode with a custom rule to ask if an application with no rule created attempts to run. If trusted, I choose to create a rule so that I'm not prompted again.

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...