HIPS/VSE

Hello Guys,

I have created a custom signature in HIPS which blocks reading/writing executable files on removable storage media. Now I have a question: say I have an executable on my USB drive which is a known malware to VSE. When I open the USB drive in Explorer and double-click the file, will VSE OAS scan the executable and delete it, or will my HIPS rule to block executables take priority and give me an access denied error?

3 Replies
alex.hawke
Level 9

Re: HIPS/VSE

I believe the most restrictive takes priority. So in your case, since the file would not be allowed to run, OAS will not be scanning it, which would mean the HIPS rule would be taking priority, based on events occurring.

There is overlap between VSE and HIPS - I would recommend tuning VSE down to eliminate such overlap. That recommendation is with the assumption that HIPS and VSE are deployed synonymously throughout your environment. I find that HIPS is sometimes only deployed to nodes with regulatory compliance mandates or high priority data to the organization - in which case you most definitely would not want to tune your VSE.


Re: HIPS/VSE

Thanks for the reply. I believe VSE will delete the file if it has the signature to delete it. I placed an EICAR file on a USB drive, and as soon as I open the USB drive the file is deleted by VSE. Below are some of the scenarios we tested; we found that VSE takes precedence over HIPS.

Scenarios:

  • The EICAR file was placed directly in the root of the USB drive, not inside any folder.
  • VSE takes precedence and deletes the file as soon as we open the drive (removable media) connected to the machine (the actual file is not opened).
  • If the EICAR file is placed inside a folder, it is not detected unless we open the folder.
  • OAS logs say explorer.exe is the process accessing the EICAR file.
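An added example, not from either poster, that reproduces the scenarios above on every removable drive and records which product acted first: the write being denied, the file disappearing, or the read being denied. The file names, the subfolder name and the wait time are assumptions; because the accesses come from powershell.exe rather than explorer.exe, the OAS log will name a different process than the one reported above.

```powershell
# Added example: probe removable media with the harmless EICAR test string
# and report whether a HIPS rule or VSE OAS acts on it. The string is
# assembled from two halves so this script file is not itself quarantined.
$eicarHead = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$'
$eicarTail = 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

function Test-RemovableMediaScan {
    param([int]$WaitSeconds = 5)   # assumed time allowed for OAS to react

    # DriveType 2 = removable media (USB sticks and similar)
    $drives = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2'
    foreach ($d in $drives) {
        # The two placements tested in the thread: drive root vs. inside a folder
        $targets = @(
            @{ Location = 'root';   Path = Join-Path $d.DeviceID 'eicar.com' }
            @{ Location = 'folder'; Path = Join-Path $d.DeviceID 'sub\eicar.com' }
        )
        foreach ($t in $targets) {
            $outcome = $null
            try {
                # .NET calls throw terminating exceptions, so catch blocks match cleanly
                [System.IO.Directory]::CreateDirectory((Split-Path $t.Path -Parent)) | Out-Null
                [System.IO.File]::WriteAllText($t.Path, $eicarHead + $eicarTail,
                                               [System.Text.Encoding]::ASCII)
            } catch [System.UnauthorizedAccessException] {
                $outcome = 'write denied (expected from the HIPS executable rule)'
            } catch {
                $outcome = "write failed: $($_.Exception.Message)"
            }
            if (-not $outcome) {
                Start-Sleep -Seconds $WaitSeconds
                if (-not (Test-Path $t.Path)) {
                    $outcome = 'file removed (VSE OAS deleted it)'
                } else {
                    try {
                        [void][System.IO.File]::ReadAllBytes($t.Path)
                        $outcome = 'file readable (neither product acted)'
                    } catch [System.UnauthorizedAccessException] {
                        $outcome = 'read denied (expected from the HIPS executable rule)'
                    }
                }
            }
            [pscustomobject]@{ Drive = $d.DeviceID; Location = $t.Location; Outcome = $outcome }
        }
    }
}

Test-RemovableMediaScan | Format-Table -AutoSize
```

Compare the Outcome column with the OAS activity log and the HIPS event log for the same timestamps to confirm which product produced each result.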
alex.hawke
Level 9

Re: HIPS/VSE

I read your initial HIPS rule wrong, sorry about that. I was thinking device access not .exe access for whatever reason.

The overlap comment still holds true though.
