Windows 7 x64 Home Premium
Just installed CIS and am trying to figure out how to create an application rule in HIPS to block a program from loading. I have the Home edition of Windows 7 which means I don’t get the group policy editor to help me define Software Restriction Policies (SRPs) that let me specify a Path rule to a particular executable to keep it from loading. So I thought I could use CIS since it advertises support of application rules.
In the settings under Security Settings → Defense+ → HIPS → Rulesets, the “Isolated Application” ruleset seems to be appropriate to preventing a program from loading. I’m assuming the “Run an executable = Blocked” means the program is not allowed to load.
Security Settings → Defense+ → HIPS → HIPS Rules looks to be where I define an application rule. I would right-click in the empty space, select Add, and use Browse to select the .exe file and then select “Use ruleset = Isolated application” to keep that program from loading. Okay, but that defines just 1 rule for 1 program.
I noticed under there that some rules are actually a group of rules. There is a rightward chevron you can click to see that the rule identifies multiple executable targets that can be included under one rule. That’s what I would like to do for some rules. If a program has multiple executables that I want to prevent from loading, management and recognition would be easier if I could create 1 rule that would apply to multiple files. I have not found out how to define a rule with multiple targets like those that come pre-installed with CIS.
Instead of defining a rule with multiple targets, are we users forced to define a separate HIPS rule for each separate target?
Well, using HIPS rules doesn’t do what I expected. Instead of preventing the executable from loading, apparently “Isolated Application” with its “Run an executable = Blocked” setting really means that program itself can load but it cannot load other executables. Okay, understood (maybe).
I tested after defining the HIPS rule (which points at the file and specifies to run isolated) and the program loaded. So that’s not where in CIS I can block programs from loading. Now I have a process running that I cannot kill using Task Manager. I’ll have to reboot to kill it.
So how do I use CIS to prevent a program from even loading? Is that under:
Security Settings → Defense+ → Protected Objects → Blocked files tab