I have HIPS set to Paranoid level and I’d like to get an alert when, let’s say, Chromium and uTorrent try to run an executable.
So I made a ruleset for each one, where “Run an executable” is set to Ask. Yet I get no alert when the aforementioned software successfully tries to run new processes - Chromium can open new tabs and uTorrent can preview/load downloaded files.
What am I doing wrong?
PS: notice how file rating doesn’t seem to affect the result - Chromium is set as Unrecognised, uTorrent as Trusted.
Can you show the HIPS rules that are set for Chromium and uTorrent? Make sure process execution is set in the monitoring settings in the HIPS settings section.
[attachment deleted by admin]
Try disabling “Create Rules for Safe Applications” and see if that makes a difference.
No difference (I already tried that some days ago).
When you set HIPS to Paranoid mode it will ignore all forms of file rating; the only thing it will check is your custom rules.
How are you testing your rules? What application is chromium launching?
In order to make Chromium launch another process, I simply open a new tab in it (because Chromium architecture is one tab = one process).
If in the ruleset I set “Run an executable” to “Ask”, no alert is shown, and I can open a new tab without any warning.
If in the ruleset I set “Block” instead, no alert is shown, and I cannot open a new tab (actually, the browser won’t work at all, because an “idle” Chromium requires at least four processes).
You wouldn’t happen to have any other security software installed? That might be causing the issue. I can’t replicate your issue, so there’s something specific about your system that’s causing the problem.
Can you check the All Applications rule, and any other non-custom rules.
The Default rules should not cause this problem.
@futuretech: nope, CIS is the only security software on my system
@Dennis2: kind of Bingo!!! I had one second-to-bottom (and custom) ruleset for Executables, which had “Run an executable” set to “Ask”, with Executables whitelisted. A catch-all to let me focus only on Chromium and some other software. I un-whitelisted those Executables and now I get the alerts I was expecting.
This brings another question though: why is that lower ruleset evaluated/taken into account, even if the Chromium one is the top-most?
It may start at the top of the rule list, but it does search all rules top to bottom before you receive an alert.
The only time it will stop at a particular rule is if the required action, block or start, is there.
Oh, I see. Thanks for the explanation!
By the way, another (hopefully final) question comes to my mind.
If I wanted to have:
- a ruleset for Chromium so that I’m alerted every time it tries to launch another process
- and a ruleset for all executables so that they are allowed to do anything
keeping the HIPS level at Paranoid, what should I do? Is it even possible, in an elegant way? Basically, I want Chromium to be an exception to a general policy on my system in which executables can do almost anything.
Sorry, no, you cannot do that as far as I am concerned; you would need to alter all other rules rather than just one for executables.
Unless someone can suggest a way.
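The evaluation order described earlier in the thread (rules are walked top to bottom, an Allow or Block ends the walk, an Ask only gets remembered) explains both the original puzzle (the lower Executables ruleset with whitelisted Executables silently allowing Chromium's child processes) and why the final request (Chromium as an Ask exception above an allow-everything Executables rule) cannot be expressed by rule order alone. The following is an added toy model of that stated behaviour, not Comodo's code and not a description of CIS internals; the rule names, the glob-based matching, the sample paths and the assumed contents of the Executables file group (`*.exe`, `*.dll`, `*.sys`) are all constructed for the example.

```python
"""Toy model of the HIPS rule walk as described in the thread (not Comodo's code).

Assumptions made for this example:
- a ruleset applies to a process when its subject glob matches the process path;
- an exclusion (whitelist) on "Run an executable" is treated as Allow for that target;
- in Paranoid mode an action with no matching rule produces an alert (Ask).
"""
from dataclasses import dataclass
from fnmatch import fnmatch

ALLOW, ASK, BLOCK = "Allow", "Ask", "Block"


@dataclass(frozen=True)
class Rule:
    name: str
    subject: str             # glob for the process the ruleset applies to
    run_executable: str      # the ruleset's "Run an executable" setting
    exclusions: tuple = ()   # target globs whitelisted for that setting


def _match(pattern, path):
    return fnmatch(path.lower(), pattern.lower())


def decide(rules, subject, target):
    """Return (verdict, deciding rule) for `subject` launching `target`.

    Rules are walked top to bottom. An Allow (explicit or via exclusion) or a
    Block that applies ends the walk at once; an Ask is only remembered, so a
    lower rule can still settle the decision before any alert would be shown.
    """
    pending_ask = None
    for rule in rules:
        if not _match(rule.subject, subject):
            continue
        if any(_match(x, target) for x in rule.exclusions):
            return ALLOW, f"{rule.name} (exclusion)"
        if rule.run_executable in (ALLOW, BLOCK):
            return rule.run_executable, rule.name
        if rule.run_executable == ASK and pending_ask is None:
            pending_ask = rule.name
    if pending_ask is not None:
        return ASK, pending_ask
    return ASK, "no matching rule (Paranoid mode alerts)"


# Constructed sample paths and file group (assumed, not taken from the thread).
CHROME = "C:/Program Files/Chromium/chrome.exe"
UTORRENT = "C:/Program Files/uTorrent/uTorrent.exe"
NOTEPAD = "C:/Windows/notepad.exe"
EXECUTABLES = ("*.exe", "*.dll", "*.sys")


def original_setup():
    """Chromium on top set to Ask; a catch-all Executables ruleset lower down,
    also Ask, but with the Executables group whitelisted."""
    return [
        Rule("Chromium", "*/chrome.exe", ASK),
        Rule("Executables", "*.exe", ASK, exclusions=EXECUTABLES),
    ]


def fixed_setup():
    """Same list with the whitelist removed, as the poster did."""
    return [
        Rule("Chromium", "*/chrome.exe", ASK),
        Rule("Executables", "*.exe", ASK),
    ]


def exception_attempt():
    """The final question: Chromium asks, every other executable is allowed."""
    return [
        Rule("Chromium", "*/chrome.exe", ASK),
        Rule("Executables", "*.exe", ALLOW),
    ]


if __name__ == "__main__":
    # Chromium opening a tab spawns another chrome.exe.
    print("original:", decide(original_setup(), CHROME, CHROME))   # Allow via the whitelist
    print("fixed:   ", decide(fixed_setup(), CHROME, CHROME))      # Ask from the Chromium rule
    print("uTorrent:", decide(fixed_setup(), UTORRENT, NOTEPAD))   # Ask from the Executables rule
    # The lower Allow still wins, so the "Chromium as exception" layout cannot alert.
    print("exception:", decide(exception_attempt(), CHROME, CHROME))
```

Under these semantics the only way to keep the Chromium alert is for no rule matching chrome.exe to carry an explicit Allow for the target, which is why the answer above says the other rules would have to be altered rather than a single allow-everything rule placed below.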