For a very long time, I have been trying to create a registry HIPS rule to monitor the creation of new services. I originally created this rule, for example:




However, the HIPS would ignore the "\" following the "*" and alert at all levels subordinate to services. After much experimenting, I found that the following will accomplish alerting for only the first level subordinate to services:




So Eset should update their documentation to include this fact.


Next, through testing, I found that the HIPS will not block any new key creation, but will block any new values created subordinate to the new key. I verified this by running in interactive mode. For example, the HIPS allows the following key to be created:




but will alert on the creation of:


HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\xyzservice\some dword field value; and only for xyzservice. If I create a new key subordinate to xyzservice, the HIPS will not alert for any new field values created for that key!


So I am still at my wits' end on how to block key creation with this HIPS immediately subordinate to services.




I did one last test. This coding:




will alert on renaming or deletion of HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\xyzservice key. However, it will not alert on its creation. So as far as I am concerned, this is a bug.
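The poster's goal is to be told when a new first-level subkey appears under the services key, independent of whether any values are written beneath it. The following PowerShell script is an added example, not ESET code and not the HIPS rules quoted in the post; it achieves that detection outside the HIPS by snapshotting the immediate subkeys of the services key and diffing a later snapshot against the baseline. It assumes read access to HKLM:\SYSTEM\CurrentControlSet\Services (the post uses ControlSet001; the key path and the baseline file location are parameters, and both defaults are my assumptions).

```powershell
# Added example, not part of the original post or of ESET's product.
# Detects creation (or removal) of first-level subkeys under the Services key
# by comparing a saved baseline with the current list of immediate children.
# Assumptions: the account can read the services key and write the baseline file.
param(
    [string]$ServicesKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services',
    [string]$BaselinePath = (Join-Path $env:ProgramData 'services-baseline.txt'),
    [switch]$ResetBaseline
)

function Get-ServiceSubkeyNames {
    param([string]$Key)
    # Get-ChildItem without -Recurse returns only the immediate subkeys,
    # i.e. exactly the "first level subordinate to services" the post is after.
    # Nested keys such as ...\xyzservice\Parameters are deliberately not included.
    Get-ChildItem -Path $Key -ErrorAction Stop |
        ForEach-Object { $_.PSChildName } |
        Sort-Object -Unique
}

function Save-ServiceBaseline {
    param([string]$Key, [string]$Path)
    Get-ServiceSubkeyNames -Key $Key | Set-Content -Path $Path -Encoding UTF8
    Write-Host "Baseline written to $Path"
}

function Get-ServiceKeyDetails {
    param([string]$Key, [string]$Name)
    # Pull the values an analyst wants first when a new service key appears.
    # A key created without values (the case the HIPS let through) still shows up,
    # just with empty fields.
    $props = Get-ItemProperty -Path (Join-Path $Key $Name) -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Name      = $Name
        ImagePath = $props.ImagePath
        Start     = $props.Start
        Type      = $props.Type
    }
}

function Compare-ServiceBaseline {
    param([string]$Key, [string]$Path)
    if (-not (Test-Path $Path)) {
        throw "No baseline at $Path; run with -ResetBaseline first."
    }
    $baseline = @(Get-Content -Path $Path | Where-Object { $_ -ne '' })
    $current  = @(Get-ServiceSubkeyNames -Key $Key)

    # Compare-Object reports names present on only one side:
    # '=>' means present now but not in the baseline (new key),
    # '<=' means present in the baseline but gone now (deleted or renamed key).
    $diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $current
    $added   = @($diff | Where-Object SideIndicator -eq '=>' | ForEach-Object InputObject)
    $removed = @($diff | Where-Object SideIndicator -eq '<=' | ForEach-Object InputObject)

    foreach ($name in $added) {
        Write-Warning "New service key created: $Key\$name"
        Get-ServiceKeyDetails -Key $Key -Name $name | Format-List | Out-String | Write-Host
    }
    foreach ($name in $removed) {
        Write-Warning "Service key removed or renamed: $Key\$name"
    }
    if (-not $added -and -not $removed) {
        Write-Host "No change to first-level keys under $Key"
    }
    # Return the diff so the script can be used from a scheduled task or a wrapper.
    [pscustomobject]@{ Added = $added; Removed = $removed }
}

if ($ResetBaseline) {
    Save-ServiceBaseline -Key $ServicesKey -Path $BaselinePath
} else {
    Compare-ServiceBaseline -Key $ServicesKey -Path $BaselinePath
}
```

Run it once with -ResetBaseline on a known-good machine, then on a schedule without the switch; any key that appears directly under the services key is reported at creation time, even if, as the post describes for the HIPS, nothing has yet been written beneath it. Because a subkey can be created and populated between two runs, this is a periodic check, not a real-time block, so it complements rather than replaces the HIPS rule the post is trying to build.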

