11 Replies Latest reply on Sep 16, 2010 4:27 PM by Sig

    Problems using HIP and HIP-Event.log

    EPO-Janni

      Hi,

       

      I have problems allowing some programming tools to be used.

      In the Event.log of the HIPs on the affected workstation I found some entries:

       

      ...

      8 1271932882 0.0.0.0  0 C:\CYGWIN\BIN\BASH.EXE riOn4syHPOkujW2j68qUYA== 1 22
      7 1271932928 0.0.0.0  -1 17 255.255.255.255 17152 0.0.0.0 17408 1 0 -1  0
      8 1271932945 0.0.0.0  1256 C:\MSYS\BIN\SH.EXE gT20gFxu8diobq9TBZfqtw== 1 22
      8 1271932991 0.0.0.0  0 C:\MSYS\BIN\SH.EXE ktOY8JCXbmLRaWrCGz0cWQ== 1 22
      8 1271938545 0.0.0.0  1452 C:\WINDOWS\SYSTEM32\CSRSS.EXE myKq41Zq7+4zzkmNvg0v0g== 1 23
      ...

       

      What is the meaning of these entries?

       

      To allow access to the programming tools, I modified the HIPs rules.

      In "Host Intrusion Prevention 7.0.4: Application Blocking" - "Application Blocking Rules (Windows)" I added the following entries:

           Rule name: BASH.EXE

           Application path: BASH.EXE

           Application options:    "activate" - general

                                               "activate" - create application

                                               "activate" - allow hooking

           Match options: "activate" - path only

       

      In "Host Intrusion Prevention 7.0.4: General" - "Trusted Applications (all platforms)" I added the entries:

           Name: Tools

           Status:  "activate" - general

                       "activate" - mark as trusted for IPS (all platforms)

                       "activate" - mark as trusted for firewall (Windows)

                       "activate" - mark as trusted for creating application hooks (Windows)

           Processes: C:\CYGWIN\BIN\*

                           C:\MSYS\BIN\*

                           C:\WINDOWS\SYSTEM32\CSRSS.EXE

       

      But the programming application didn't work with the firewall activated (including HIP). What can I do to allow the programming tools?

      Tests with PINBALL.EXE on the affected PC are positive. If I allow PINBALL.EXE, the program can be used. And if I block PINBALL.EXE, using the rules above, PINBALL.EXE can't be used. The HIPs for PINBALL is working properly.

       

      How can I configure the HIPs rule to grant access for using the programming tools?

       

      Thank you for your help.

       

      Greetings from Germany

       

      Janni
