
Posted (edited)

My config: Windows 10 Pro version 1607 x64

 

I have done settings to protect files in D: drive from being accessed by applications running on the computer.

 

 

You can see the details of the HIPS rule here:

post-7526-0-20223000-1471057929_thumb.jpg

 

post-7526-0-85985100-1471057930_thumb.jpg

 

post-7526-0-45598400-1471057932_thumb.jpg

 

post-7526-0-88991600-1471057936_thumb.jpg

 

Still, Aimp audio player is able to access an audio file in D: drive.

As you can see in the pics below, there is no HIPS rule for Aimp.exe.

 

post-7526-0-54744700-1471057942_thumb.jpg

 

So Aimp is basically bypassing the ESET HIPS rule.

It means ESET HIPS does not know that Aimp is accessing a file in D: drive.

 

I am aware that this type of file access exists. What I understand about it is that Aimp.exe doesn't directly access files on the hard disk. It actually asks the Windows OS to access files for it. From what I have noticed, ntoskrnl.exe (NT Kernel & System) accesses the files for Aimp.

 

 

Similarly, many other applications also access files on the hard disk in this way and are potentially bypassing the HIPS rule.

 

Interestingly, ntoskrnl.exe is also not in the HIPS rule. Then why is it allowed to access D: drive without asking the user?

Edited by Slithereen Guard
  • 1 month later...
  • Administrators
Posted

1, It's not possible to block access to files using HIPS. You can prevent applications from deleting them but not from reading them. Also you've confined the rule to files in the root of drives.
