itman Posted February 7, 2016 (edited)

For a very long time, I have been trying to create a registry HIPS rule to monitor creation of new services. I originally created this rule, for example:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\*\

However, the HIPS would ignore the "\" following the "*" and alert at all levels subordinate to services. After much experimenting, I found that the following will accomplish alerting for only the first level subordinate to services:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\*\\

So Eset should update their documentation to include this fact.

Next, through testing, I found that the HIPS will not block any new key creation, but will block any new value keys subordinate to the new key. I verified this by running in interactive mode. For example, the HIPS allows the following key to be created:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\xyzservice

but will alert on the creation of:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\xyzservice\some dword field value

and only for xyzservice. If I create a new key subordinate to xyzservice, the HIPS will not alert for any new field values created for that key! So I am still at wits' end on how to block key creation with this HIPS immediately subordinate to services.

-EDIT- I did one last test. This coding:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\\

will alert on renaming or deletion of the HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\xyzservice key. However, it will not alert on its creation. So as far as I am concerned, this is a bug.

Edited February 7, 2016 by itman
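The test sequence described in the post, written up as a repeatable script so each rule variant can be checked against the same steps in interactive mode. This is an added example, not code from the post or from ESET; it assumes an elevated PowerShell session, the HIPS already in interactive mode with the rule under test loaded, and uses the post's throwaway key name "xyzservice" plus a constructed subkey name "Parameters".

```powershell
# Added example: replays the registry operations from the post one at a time,
# pausing after each so the tester can record whether the HIPS prompted.
# Assumptions: run as Administrator; HIPS rule under test already active;
# "xyzservice" comes from the post, "Parameters" is a constructed subkey name.
#Requires -RunAsAdministrator

$servicesRoot = 'HKLM:\SYSTEM\ControlSet001\services'
$testKey      = Join-Path $servicesRoot 'xyzservice'
$renamedKey   = Join-Path $servicesRoot 'xyzservice_renamed'
$subKey       = Join-Path $testKey 'Parameters'

function Invoke-Step {
    param([string]$Description, [scriptblock]$Action)
    Write-Host "`n== $Description"
    & $Action
    # Pause so the tester can note whether the HIPS alerted on this step.
    Read-Host 'Did the HIPS alert? Note the result and press Enter'
}

try {
    Invoke-Step 'Create key services\xyzservice (post: no alert)' {
        New-Item -Path $testKey -Force | Out-Null
    }
    Invoke-Step 'Create DWORD value under xyzservice (post: alert)' {
        New-ItemProperty -Path $testKey -Name 'TestValue' -PropertyType DWord -Value 1 | Out-Null
    }
    Invoke-Step 'Create subkey xyzservice\Parameters (post: no alert)' {
        New-Item -Path $subKey -Force | Out-Null
    }
    Invoke-Step 'Create value under xyzservice\Parameters (post: no alert)' {
        New-ItemProperty -Path $subKey -Name 'SubValue' -PropertyType DWord -Value 1 | Out-Null
    }
    Invoke-Step 'Rename xyzservice (post: alerts with the services\\ rule)' {
        Rename-Item -Path $testKey -NewName 'xyzservice_renamed'
    }
}
finally {
    # Remove whichever key name survived so no stray entries remain under services.
    foreach ($k in @($testKey, $renamedKey)) {
        if (Test-Path $k) { Remove-Item -Path $k -Recurse -Force }
    }
}
```

The final Remove-Item in the cleanup doubles as the deletion test the post mentions, so watch for a prompt there as well.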