1 Reply Latest reply on Aug 26, 2015 10:19 AM by Kary Tankink

    execution in removable drives

    takie

      How do I create a HIPS rule to monitor execution of *.exe, *.scr, *.pif, *.lnk files in removable drives (USB)?

       

      Should I use "Program" or "Files" from rule type?

       

      What do I use to make a reference to a removable drive device (e.g. e:\*.exe or f:\*.exe)?

       

      Thank you so much for your help

        • 1. Re: execution in removable drives
          Kary Tankink

          You can use either Rule type.  PROGRAM is the better type to use in HIPS 8, but you can't define Drive Type like you can with the FILES type.

           

          1. PROGRAM type; use drive letters to tag USB devices; specify Target Executables by filename (wildcarded if desired; *.exe, *.scr, etc.).  Use RUN TARGET EXECUTABLE operation.

          KB71329 - How to blacklist applications using a Host Intrusion Prevention 8.0 custom signature

           

          2. FILES type; specify the DRIVE TYPE parameter with value OtherRemovable.  Specify EXECUTE operation with FILES parameter of the files you want to monitor.  The Files parameter needs to include a path (e.g., **\*.exe, **\*.scr, etc.).  Files can only be specified by filename path; no hashes, file description, or signer (use the PROGRAM type for this, if needed).
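The two rule shapes described in the reply above, modelled in plain Python as an added example (this is not McAfee code and not part of the original thread). It assumes the HIPS wildcard conventions where `*` does not cross a path separator and `**` does, which is why a FILES pattern needs a path prefix such as `**\*.exe`. The drive type label `OtherRemovable` comes from the reply; the rule patterns, the drive letters and every execution event are constructed for the illustration. The example goes slightly beyond the thread by showing the practical difference between the two approaches: a PROGRAM rule keyed on drive letters misses a USB device that mounts under a letter the rule does not list, while a FILES rule keyed on Drive Type catches it regardless of letter.

```python
"""Model of two HIPS 8 custom-signature styles for removable-drive execution.
Added illustration only: not McAfee's matching engine, not expert-rule syntax.
"""
import re
from dataclasses import dataclass


def hips_pattern(pattern: str) -> "re.Pattern[str]":
    """Translate a HIPS-style file pattern into a regex.

    Assumed semantics: '**' matches any characters including '\\' and '/',
    '*' matches any run of characters that contains no separator, '?' matches
    one non-separator character. Windows paths are case-insensitive.
    """
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append(r"[^\\/]*")
            i += 1
        elif pattern[i] == "?":
            parts.append(r"[^\\/]")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def pattern_matches(pattern: str, path: str) -> bool:
    return hips_pattern(pattern).match(path) is not None


@dataclass(frozen=True)
class ExecEvent:
    path: str        # full path of the file being executed (constructed)
    drive_type: str  # volume class as the rule would see it, e.g. "OtherRemovable"


@dataclass(frozen=True)
class FilesRule:
    """FILES type: Drive Type parameter + Files patterns, EXECUTE operation."""
    drive_type: str
    files: tuple

    def matches(self, ev: ExecEvent) -> bool:
        if ev.drive_type != self.drive_type:
            return False
        return any(pattern_matches(p, ev.path) for p in self.files)


@dataclass(frozen=True)
class ProgramRule:
    """PROGRAM type: drive letters tag the USB devices, Target Executables by filename."""
    drive_letters: tuple
    targets: tuple

    def matches(self, ev: ExecEvent) -> bool:
        letter = ev.path[:1].upper()
        filename = ev.path.replace("/", "\\").rsplit("\\", 1)[-1]
        return letter in self.drive_letters and any(
            pattern_matches(t, filename) for t in self.targets
        )


# Constructed rules mirroring the two options in the reply.
FILES_RULE = FilesRule(
    drive_type="OtherRemovable",
    files=("**\\*.exe", "**\\*.scr", "**\\*.pif", "**\\*.lnk"),
)
PROGRAM_RULE = ProgramRule(
    drive_letters=("E", "F"),
    targets=("*.exe", "*.scr", "*.pif", "*.lnk"),
)

# Constructed execution events, not real telemetry.
SAMPLE_EVENTS = (
    ExecEvent("E:\\tools\\run.exe", "OtherRemovable"),
    ExecEvent("E:\\photo.scr", "OtherRemovable"),
    ExecEvent("C:\\Windows\\notepad.exe", "Fixed"),
    ExecEvent("G:\\apps\\setup.exe", "OtherRemovable"),  # USB mounted on an unlisted letter
    ExecEvent("E:\\readme.txt", "OtherRemovable"),
)


def evaluate(events=SAMPLE_EVENTS, files_rule=FILES_RULE, program_rule=PROGRAM_RULE):
    """Return (path, files_rule_hit, program_rule_hit) for each event."""
    return [(ev.path, files_rule.matches(ev), program_rule.matches(ev)) for ev in events]


if __name__ == "__main__":
    for path, files_hit, program_hit in evaluate():
        print(f"{path:28} FILES={'hit' if files_hit else '-':4} PROGRAM={'hit' if program_hit else '-'}")
```

Running it shows `E:\tools\run.exe` and `E:\photo.scr` caught by both rules, `G:\apps\setup.exe` caught only by the FILES rule, and `pattern_matches("*.exe", "E:\\tools\\run.exe")` returning False, which is the reason the reply insists on a path prefix in the Files parameter.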