Hips rule: syntax problem

Hi,

I use HIPS in Interactive mode.
Often programs like Macromedia Flashplayer come with different .exe names, for example

FlashPlayerPlugin_11_03_300_265.exe

It's fastidious if you must make a rule everytime this name slightly changes, but the HIPS rule Editor doesn't seem to accept wildcard names like

C:\Windows\SysWOW64\Macromed\Flash\FlashPlayer*.exe

Also, when I enter a more generic one like this: C:\Windows\SysWOW64\Macromed\Flash\*.* , I only get a "Path error". Also, the "Select Folder" or "Add Group" always remain blank, not selectable. Why?

Can I define specific exe files in the Editor that begin with e.g. "Flash", or define any .exe files in a directory? What syntax must I use in order not to get the error message "Invalid Path" ?

Thanks for any tips,
XenonS

 

Re: Fundamental problem...

Hi,

I'm just thinking further about my question above, and I see a fundamental problem which gets me in trouble (as far as the ESET comfort for Interactive Mode is concerned):

If an expert would reply "Do this and that to get the syntax right", then this could easily be exploited by a Hacker or other people who spread malware, in the example above he would try to infiltrate my system with a fake Flashplayer Plugin (which in reality is a malware or virus).

But then, I wonder:
What's the difference in the security leak in these 2 cases:

a)
I define a rule to block any changes for the file in C:\aaaa\bbbb\FileName.exe
A Hacker trying to enter with a fake FileName.exe will be blocked.

b)
I define a rule to block any changes for the file in C:\aaaa\bbbb\*.exe
A Hacker trying to enter with *any* fake exe file should still be blocked. Or not ?!

So, I don't really see the security leak described in another post just below which roughly treats the same topic:
https://www.wilderssecurity.com/showthread.php?t=328492

My scenario for the Flashplayer Plugin would be to BLOCK any changes in the files in the specific directory, while still allowing operations on other files starting from this directory. This should be safe, or is there any big open door ?

Thanks for a feedback,
XenonS

 

I also use the hips from Eset. I'm using Eset NOD32 v5.2.9.1 and not the ESS, but in this case it doesn't matter. the hips is also present in the AV product.

Yes, I think I understand what you mean, I also use another program to block/allow executables, that program has also MD5 checksum imbedded and you can see it within the program.
Because of the md5 it doesn't matter if filename is different. I tested it myself with cmd.exe .
First I blocked cmd.exe completely and it worked, I wasn't able to start it.
Then I moved the cmd.exe to a different location and renamed it with a random name and still it wouldn't execute, because the MD5 checksum was still the same.
Anyway, program I use for blocking/allow or custom rules is NoVirusThanks exe radar pro. but there are many more programs like Appguard and the likes.

Sorry if I was a bit offtopic at some point, but it would be nice if ESET would implement MD5 checksums and make it work/visible in the HIPS.

Anyway, sorry if I wasn't of any help, but I hope someone will answer you directly about the use of Eset's HIPS.

Edit: To be perfectly honest I'm starting to use Eset's own hips less and less. I use a program from another company to do the blocking of a single individual file, while still allowing the rest of the folder to be used. the key is in the MD5 or other hash checksums if filenames should be completely irrelevant when you want to block a certain file. So, I hope ESET will eventually pick up on HASH checksums, md5 or better.
Or maybe it already does !!! in that case, I'm sorry for my ignorance. I just do not have enough experience with ESET's own HIPS within ESS/EAV.

 

Hi Jna99,

I understand what you mean: A checksum feature would be very helpful, because Windows (or any other OS) has to make file changes / registry changes which are not malware-related but just behave like that.

So, by simply blocking files I won't go very far for protecting my computer, but instead a checksum feature would make the important difference and allow such blockings to be successful while not interfering with Windows operations.
I think the best way is to run ESET in Learning mode, and then only switch to Interactive mode.

Mike

 

Checksums have some disadvantages against pattern signatures such as performance problems, identifying unique samples, etc.