Whitelisting files in a folder

Curious · August 24, 2023, 3:26pm

I am using a program that is triggering a HIPS alert every time I use certain functions of the program. The program creates uniquely named json files in a specific folder that triggers the alerts. Because the files are uniquely named, even when I “allow” the files through or characterized them as safe application, the alerts continue for each uniquely named file. The moderators of this forum have kindly analyzed some of these files and found that they are safe. However, the files continue to trigger HIPS alerts. I was asked to enable “Create rules for safe applications” under firewall settings, but this setting did not end the HIPS alerts. I tried to place the temporary file folder location under Protected Objects in the HIPS settings, but that did not stop the alerts.

What setting can I create that will stop these alerts? Is there a way to whitelist the contents of a folder?

Thanks for any assistance.

C.O.M.O.D.O_RT · August 25, 2023, 4:50am

Hi Curious,

Thank you for reporting.
Could you please share us the product download link ? so that we will check and update you.

Thanks
C.O.M.O.D.O RT

Curious · August 26, 2023, 11:22pm

Thank you. The product has been checked already. Please see the thread .json triggering firewall - #31 by 1807.

In case you would still like to have the link to the product:

I noted the persistent alerts, but the solutions presented didn’t help. I posted the question to help whitelist the folder in the thread, but there hasn’t been a response. Since I no longer worried about the security of these json files as per the previous thread, I wanted to see if I could whitelist the folder in which the program sends its temporary json files.

Thank you for your assistance.

C.O.M.O.D.O_RT · August 28, 2023, 8:57am

Hi Curious,

Thank you for providing the requested information.
We will check with the related team and update you.

Thanks
C.O.M.O.D.O RT

Curious · August 31, 2023, 11:25pm

Thank you. Hope there is a resolution.

Curious · September 5, 2023, 2:04pm

Hello. I was wondering if there is a resolution? Is there a way to whitelist a folder? Thank you.

C.O.M.O.D.O_RT · September 7, 2023, 2:22am

Hi Curious,

Thank you for reporting.
We have whitelisted the PDF24 creator from our end.
However we are checking on this.
We will keep you posted.

Thanks
C.O.M.O.D.O RT

Curious · September 10, 2023, 11:52pm

Thank you. I believe that the program was whitelisted from my previous post. Despite this effort, the program is still being flagged with its uniquely named json files. This persistence of notification led me to ask the question of whitelisting contents within a specific folder. Does this mean that there is no way to whilelist contents in a specific folder? Does it create too great of a security risk? Thanks.

infosec · September 11, 2023, 5:12pm

Hello @Curious, see if the solution found by @Boris_3 at Grand access to exe in a folder that's changing its name constantly - #8 by Boris_3 will be the fix for your persistant alerts as well.

Curious · September 11, 2023, 8:07pm

Thank you for directing me to that thread.

I tried to add the file type into applications rules, but that didn’t work. I tried to add it to the rulesets, but that didn’t work either. I tried to use the folder and the *.json format to see if that would work. I’m not sure how to set the rule either. Which protocol would I use? Which direction? At this moment, I have Protocol IP (although UTCP or UDP doesn’t stop the alerts either), Direction In or Out. I really don’t have any idea what I am doing when I am trying to create this ruleset, but it doesn’t work anyway.

The post gave me the idea to try to create the ruleset in the HIPS settings (given that the alerts are HIPS alerts. That didn’t work. I tried to put it under protected objects and that didn’t work either.

I have settings on safe mode which is the default setting. Does this setting ignore rulesets created?