Want to create a HIPS group under which to add programs

CIS 8.2
Windows 7 x64 Home Premium

Just installed CIS and am trying to figure out how to create an application rule in HIPS to block a program from loading. I have the Home edition of Windows 7 which means I don’t get the group policy editor to help me define Software Restriction Policies (SRPs) that let me specify a Path rule to a particular executable to keep it from loading. So I thought I could use CIS since it advertises support of application rules.

In the settings under Security Settings → Defense+ → HIPS → Rulesets, the “Isolated Application” ruleset seems to be appropriate to preventing a program from loading. I’m assuming the “Run an executable = Blocked” means the program is not allowed to load.

Security Settings → Defense+ → HIPS → HIPS Rules looks to be where I define an application rule. I would right-click in the empty space, select Add, and use Browse to select the .exe file and then select “Use ruleset = Isolated application” to keep that program from loading. Okay, but that defines just 1 rule for 1 program.

I noticed that under there that some rules are actually a group of rules. There is a rightward chevron you can click to see that rule identifies multiple executable targets that can be included under one rule. That’s what I would like to do for some rules. If a program has multiple executables that I want to prevent from loading, management and recognition would be easier if I could create 1 rule that would apply to multiple files. I have not found out how to define a rule with multiple targets like those that come pre-installed with CIS.

Instead of defining a rule with multiple targets, are we users forced to define a separate HIPS rule for each separate target?
Well, using HIPS rules doesn’t do what I expected. Instead of preventing the executable from loading, apparently “Isolated Application” with its “Run an executable = Blocked” setting really means that program itself can load but it cannot load other executables. Okay, understood (maybe).

I tested after defining the HIPS rule (which points at the file and the rule specifies to run isolated) and the program loaded. So that’s not where in CIS that I can block programs from loading. Now I have a process running that I cannot kill using Task Manager. I’ll have to reboot to kill it.

So how do I use CIS to prevent a program from even loading? Is that under:

Security Settings → Defense+ → Protected Objects → Blocked files tab

What you're looking for is called ‘File Groups’, located under the ‘File Ratings’ tab under ‘Advanced Settings’.

Thanks for the info on how to define file groups. That is handy for organizing actions against a program with rude behavior or a lack of options to eliminate the rude behavior - for where file groups are supported in CIS.

Alas, the “Security Settings → Defense+ → Protected Objects → Blocked files tab”, where you list what to block from loading, doesn’t support file groups. If this list gets long, it will get messy and tedious to wade through the list to review or modify those blocking rules. Even a file group for just 1 file lets you give a name to the group, which allows you to provide a description of why you are blocking an executable from loading. The block list of paths to files isn’t always self-explanatory.

Thanks for helping, anyway.

You can prevent execution by creating/modifying the All Applications rule under HIPS rules. To the right of the Run an executable access right there is a section called Exclusions; clicking that brings up a new window where you can add files, folders, file groups, or running processes to the list on the Blocked files/folders tab. I would also do the same for the explorer.exe rule.