I believe the most restrictive takes priority. So in your case, since the file would not be allowed to run, OAS will not be scanning it. Which would mean the HIPS rule would be taking priority, based on events occurring.
There is overlap between VSE and HIPS - I would recommend tuning VSE down to eliminate such overlap. That recommendation is with the assumption that HIPS and VSE are deployed synonymously throughout your environment. I find that HIPS is sometimes only deployed to nodes with regulatory compliance mandates or high priority data to the organization - in which case you most definitely would not want to tune your VSE.
Thanks for the reply. I believe VSE will delete the file if it has the signature to delete it. I placed an EICAR file on a USB drive, and as soon as I open the USB drive the file is deleted by VSE. Below are some of the scenarios we tested, in which we found that VSE will take precedence over HIPS.
- The EICAR file was placed just inside the USB drive not inside any folder.
- VSE takes precedence and deletes the file as soon as we open the drive (removable media) connected to the machine (the actual file is not opened).
- If the EICAR file is placed inside any folder, it is not detected unless we open the folder.
- The OAS logs say explorer.exe is the process accessing the EICAR file.
I read your initial HIPS rule wrong, sorry about that. I was thinking device access not .exe access for whatever reason.
The overlap comment still holds true though.