HIPS - Custom rule blocked file folders not blocking wildcards

V12.2.2.8012 (Firewall only) Windows 7 Ultimate 64-bit (clean install with all MS-updates)

Assigned a custom HIPS rule to notepad.exe and set the custom rule access name “Protected files/folders → BLOCKED FILES/FOLDERS” to the following entries:

C:\test*
C:\test*
C:\test*.*
C:\test*.txt
C:\test\hello.txt

The C:\test directory contains many random txt files including the “hello.txt” file.

Notepad.exe is blocked by HIPS when notepad.exe tries to write to the “hello.txt” file, which is expected and correct.
However, notepad.exe isn’t blocked by HIPS when notepad.exe writes to any other txt files in the C:\test directory.
Also, notepad.exe isn’t blocked when it creates a new file in the C:\test directory.

To clarify things please see attached image.
Only one HIPS rule works, the others don’t.

Just tried it again but I can’t get it to work as it should.

Hi CISfan,

Thank you for reporting. We are checking this.

I’m not sure why you have redundant entries, but the first entry will cover every file and folder with a file path starting with C:\test. Also, it goes without saying that the test folder must be added to protected files. Finally, if any matching file/folder paths are defined under the allowed files/folder exclusions, then those will override the blocked exclusions, because allowed is checked first before block. With that said, I see blocks for any modification within the test folder when I set the rule to block for that directory.

Thank you for the additional information, very welcome.

At first I had only this “C:\test\hello.txt” entry added (and nothing added to protected files) which worked.
Then I checked if I could block any txt file with “C:\test*.txt” but that didn’t work.
In the next steps I added all other possible wildcard combinations to see if that would block access to any file inside “C:\test”, but that didn’t work either.

Is it expected that only the “C:\test\hello.txt” entry does work without having it added to protected files?

I’ll add the entries to protected files too and see how it behaves then.

The only bug is it should not block write access when you define a specific file to blocked files/folder exclusions when that file or file type is not set in protected files. It may be an unintended side effect when they fixed icon in groups and rules, or it may have been like that forever and no one noticed it until now. Do note that if you didn’t have any rule in place, had set HIPS to paranoid mode, and then tried modifying the file, you wouldn’t get alerted for the application trying to modify the file.

I’m pondering about this mechanism between custom ruleset setting “Protected files/folders → BLOCKED FILES/FOLDERS” and the general setting “Protected Objects → PROTECTED FILES” and having to add the entries at those two places...
Wouldn’t it be a good idea and also more logical to make the manually added (with or without using wildcards) entries in “Protected files/folders → BLOCKED FILES/FOLDERS” work so that these entries can be applied per application (or in other words, on application level)?

To take it a step further, let HIPS check all manually added entries in a custom ruleset per application.

I think checking the manually added entries in a custom ruleset per application can be done without changing the current HIPS functionality, but maybe I have overlooked something…

No, because HIPS is not supposed to protect what it does not know about; you must add what you want protected to make HIPS rules for those protected files. The rules define what HIPS should do when an application comes across a protected file; if it is not set to be monitored, then the rule should not matter, as HIPS won’t know that it is a protected file.
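
Added note (not part of the thread, and not Comodo's code): a small Python model of the evaluation order the replies describe, where a path must first be in the protected list, allowed entries are then checked before blocked ones. The function names, the `fnmatch`-style wildcard semantics, the result labels and the sample paths are assumptions constructed for illustration.

```python
from fnmatch import fnmatchcase


def matches(path, patterns):
    """True if path matches any wildcard pattern.

    Assumption: '*' spans any characters (including backslashes) and
    matching is case-insensitive, as file paths are on Windows.
    """
    p = path.lower()
    return any(fnmatchcase(p, pat.lower()) for pat in patterns)


def decide(path, protected, allowed, blocked):
    """Model of the order described in the thread for one application's rule."""
    # 1. A path that is not in the protected list is not monitored at all,
    #    so the per-application allowed/blocked entries never get consulted.
    if not matches(path, protected):
        return "not-monitored"
    # 2. Allowed entries are checked first and override blocked entries.
    if matches(path, allowed):
        return "allow"
    # 3. Only then are the blocked entries evaluated.
    if matches(path, blocked):
        return "block"
    # Hypothetical label for "protected, but no entry of this rule matched".
    return "no-match"


def demo():
    """Constructed sample: a block rule for every .txt file under C:\\test."""
    blocked = [r"C:\test\*.txt"]
    target = r"C:\test\random.txt"
    return {
        # Blocked entry alone, folder missing from the protected list.
        "unprotected": decide(target, [], [], blocked),
        # Same entry once the folder is also listed as protected.
        "protected": decide(target, [r"C:\test\*"], [], blocked),
        # An overlapping allowed entry wins over the blocked entry.
        "allow_overlap": decide(target, [r"C:\test\*"], [target], blocked),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The model does not reproduce the behaviour reported above in which a single specific file was blocked without being in protected files, which the reply describes as a bug.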