2 Replies Latest reply on Jan 6, 2015 11:39 AM by Kary Tankink

    Creating exceptions on mapped drives.

    abevan

      Hi, I'm brand new to HIPS and am in the process of running a test group in adaptive mode and creating Exceptions and a Trusted Application list. It is pretty straightforward, except I am not sure how to handle executables that are called from mapped drives. When an event is triggered from a mapped drive, the path to the .exe is not just the mapped drive path, but includes a lot of junk I don't understand. For example, if the mapped path is H:\wfx32\tax13.exe where H:\ is mapped to a Share called PROGRAMS on a Server called RM-FILE3, the path that the event reports is:

       

      H:\;LANMANREDIRECTOR\;H:000000000002AA1B\RM-FILE3\PROGRAMS\WFX32\TAX14.EXE

       

      The problem this presents is that the hexadecimal portion (000000000002AA1B) seems to be a unique number that the client that triggered the event refers to, but is different for every client. The result is that the Exceptions and Trusted Applications only work for the client that originally reported it.

       

      A few questions I have are:

      1. Is this normal, or is there something on my server that is causing HIPS to report the path in this cryptic way?

      2. If it's normal, how does one normally create system-wide Exceptions and Trusted Apps for .exe files on mapped drives?

      3. Is it legal to use wildcards to specify the path of Exceptions and Trusted Apps? Could I just replace the Hex portion with a wildcard?

      4. Is all that junk necessary for HIPS to properly identify the .exe, or could I replace the entire path with the familiar path of H:\wfx32\tax13.exe?


      Similarly, I have a problem with .exe files that run from user profiles.  Again, can I just substitute the profile name with a wildcard?  (e.g. c:\users\**\mydocuments...)

       

      Any further words of wisdom on common pitfalls I may need to look out for would be appreciated as well.

       

      Thanks,

       

      Andy
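
For reviewing adaptive-mode events collected from several clients, the sketch below splits the redirector-style path quoted in the post into its parts and groups events by the share target, ignoring the per-client hexadecimal portion. It is an added example, not part of the original post and not McAfee code; the path layout is inferred from the single sample in the post, and the host names, the second hex value and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Layout inferred from the one sample path in the post (an assumption):
#   <drive>:\;LANMANREDIRECTOR\;<drive>:<hex id>\<server>\<share>\<rest>
REDIR_RE = re.compile(
    r"^(?P<drive>[A-Z]):\\;LANMANREDIRECTOR\\;(?P=drive):(?P<client_id>[0-9A-F]+)"
    r"\\(?P<server>[^\\]+)\\(?P<share>[^\\]+)\\(?P<rest>.+)$",
    re.IGNORECASE,
)

def parse_event_path(path):
    """Return the parts of a redirector-style event path, or None if it is
    an ordinary path that does not follow the layout above."""
    m = REDIR_RE.match(path.strip())
    if not m:
        return None
    parts = {k: v.upper() for k, v in m.groupdict().items()}
    # Client-independent form: \\server\share\rest
    parts["unc"] = "\\\\{server}\\{share}\\{rest}".format(**parts)
    return parts

def group_by_target(events):
    """Map each executable (UNC form when parseable) to the hosts that
    reported it, so one file seen with different hex ids is listed once."""
    groups = defaultdict(set)
    for host, path in events:
        parsed = parse_event_path(path)
        key = parsed["unc"] if parsed else path.strip().upper()
        groups[key].add(host)
    return {target: sorted(hosts) for target, hosts in groups.items()}

# Constructed sample events: the first path is the one quoted in the post,
# the second differs only in a made-up hex id, the third is a local path.
SAMPLE_EVENTS = [
    ("PC-01", r"H:\;LANMANREDIRECTOR\;H:000000000002AA1B\RM-FILE3\PROGRAMS\WFX32\TAX14.EXE"),
    ("PC-02", r"H:\;LANMANREDIRECTOR\;H:000000000003BC2D\RM-FILE3\PROGRAMS\WFX32\TAX14.EXE"),
    ("PC-02", r"C:\Program Files\App\app.exe"),
]

if __name__ == "__main__":
    for target, hosts in group_by_target(SAMPLE_EVENTS).items():
        print(target, "<-", ", ".join(hosts))
```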