
Syntax of HIPs Event-log

Hi,

I have problems allowing some programming tools to be used.

In the Event.log of the HIPs on the affected workstation I found some entries:

...

8 1271932882 0.0.0.0  0 C:\CYGWIN\BIN\BASH.EXE riOn4syHPOkujW2j68qUYA== 1 22
7 1271932928 0.0.0.0  -1 17 255.255.255.255 17152 0.0.0.0 17408 1 0 -1  0
8 1271932945 0.0.0.0  1256 C:\MSYS\BIN\SH.EXE gT20gFxu8diobq9TBZfqtw== 1 22
8 1271932991 0.0.0.0  0 C:\MSYS\BIN\SH.EXE ktOY8JCXbmLRaWrCGz0cWQ== 1 22
8 1271938545 0.0.0.0  1452 C:\WINDOWS\SYSTEM32\CSRSS.EXE myKq41Zq7+4zzkmNvg0v0g== 1 23
...

What is the meaning of these entries?

To allow access on the programming tools I modified the HIPs rules.

In "Host Intrusion Prevention 7.0.4: Application Blocking" - "Application Blocking Rules (Windows)" I added the following entries:

     Rule name: BASH.EXE

     Application path: BASH.EXE

     Application options:    "activate" - general 

                                         "activate" - create application

                                         "activate" - allow hooking

     Matching options: "activate" - path only

In "Host Intrusion Prevention 7.0.4: General" - "Trusted Applications (All Platforms)" I added the entries:

     Name: Tools

     Status:  "activate" - general

                 "activate" - mark as trusted for IPS (all platforms)

                 "activate" - mark as trusted for firewall (Windows)

                 "activate" - mark as trusted for creating application hooks (Windows)

     Processes: C:\CYGWIN\BIN\*

                     C:\MSYS\BIN\*

                     C:\WINDOWS\SYSTEM32\CSRSS.EXE

But the programming application didn't work with the firewall activated (including HIP). What can I do to allow the programming tools?

Tests with PINBALL.EXE on the affected PC are positive. If I allow PINBALL.EXE, the program can be used. If I block PINBALL.EXE, using the rules above, PINBALL.EXE can't be used. HIPs is working properly for PINBALL.

How can I configure the HIPs rule to grant access for using the programming tools?

Thank you for your help.

Greetings from Germany

Janni

2 Replies

Re: Syntax of HIPs Event-log

Hi,

I can't move this question unfortunately, but it looks like it would be better asked on the system Security - Hips forum than ePO.

Re: Syntax of HIPs Event-log

Hi,

You are right. I posted this question in "Security - HIP" again.

So this thread can be closed.

Greetings from Germany

Janni