I have created a custom signature in HIPS which blocks reading/writing executable files on removable storage media. Now I have a question: suppose I have an executable on my USB drive which is known malware to VSE. When I open the USB drive in Explorer and double-click the file, will VSE OAS scan the executable and delete it, or will my HIPS rule to block executables take priority and give me an access denied error?
I believe the most restrictive takes priority. So in your case, since the file would not be allowed to run, OAS will not be scanning it, which would mean the HIPS rule would be taking priority, based on events occurring.
There is overlap between VSE and HIPS - I would recommend tuning VSE down to eliminate such overlap. That recommendation is with the assumption that HIPS and VSE are deployed synonymously throughout your environment. I find that HIPS is sometimes only deployed to nodes with regulatory compliance mandates or high priority data to the organization - in which case you most definitely would not want to tune your VSE.
Thanks for the reply. I believe VSE will delete the file if it has the signature to delete it. I placed an EICAR file on the USB drive, and as soon as I open the USB drive the file is deleted by VSE. Below are some of the scenarios that we tested, and we found that VSE will take precedence over HIPS.