Both Behaviour Blocker and HIPS intercept requests for ‘Event Log Online Help’ when querying errors in Windows 7 Event Viewer - is this normal?
If I have HIPS and Behaviour Blocker enabled…
I need to create the two following custom rules for HIPS:
1. ‘C:\Windows\System32\taskeng.exe’ → ‘Run an executable’ → ‘C:\Users\fade2gray\AppData\Local\Temp\tmp*.vbs’.
2. ‘C:\Users\fade2gray\AppData\Local\Temp\tmp*.vbs’ → ‘Run an executable’ → ‘C:\Program Files (x86)\Mozilla Firefox\firefox.exe’.
… and I need to add ‘C:\Users\fade2gray\AppData\Local\Temp\tmp*.vbs’ Behaviour Blocker as an exclusion (just this exclusion if HIPS is not enabled).
Is this the best/correct method?
Thanks for any info.
That’s weird it does that; hey, it’s M$, are ya truly astonished by anything it does? Quite frankly, I didn’t need to know that; I had the highest regard for Win7 - compared to Win8 and in contrast to Vista - but now I know that, and that just can’t be unseen, and no amount of mental showers will ever get me clean now.
- will allow taskeng.exe to execute any arbitrary VBS (Visual Basic Script) in the user temp folder
- will allow any VBS in the user temp folder to launch your browser
I think, all things being equal - nothing has carte blanche resource access to taskeng.exe - option #1 should be o.k. in that an alert is generated when taskeng.exe is launched.
Albeit Firefox is fairly robust with its inherent security protocols - even more so if you’ve implemented Comodo IceDragon (CIS Egghead-derivation based on FF v26) - I’d be averse to temp folder VBS files launching the browser; I’d tolerate the CIS alert on the rare occasions that was about to occur due to deliberate action by the user. If the VBS browser launch is not overtly user deliberate, you’ll get an alert; it’s a means of implementing a backstop for ■■■■ like that.
WRT to exclusions, such preclude CIS AV from detecting specified files as false malware; I wouldn’t want to prevent CIS alerting me that any arbitrary VBS file in any arbitrary directory - temp or otherwise - is malware.
CIS inherent backstop to all this is unrecognized cloud scan; it doesn’t matter where any arbitrary file is being executed: if it fails cloud lookup it’ll get sandboxed. I’m fairly confident that these specific VBS files will pass mustard regardless of their random file-name nomenclature. I keep tabs on trusted files-list and prune out the entries making reference to TEMP files / folders; I delete them all.
OBTW: version upgrades are another thing to keep track of w/in the trusted files-list. After a version upgrade, the latest files will be found at the bottom of the list. Sometimes you’ll know that a file is a duplicate of a previous version. What you need to do is select it, and then sort the list of trusted files by file name. Then you’ll be able to discern all the duplicates easily enough. The checked one is the latest, so you’d want to delete any additional entries and leave the latest one alone; CIS keeps track of file image by hash and knows the difference betwixt the individual trusted files in the trusted files-list. But sometimes CIS gets wonky in that regard and you have to ■■■■ all duplicate entries away for some arbitrary file. It gets re-entered on-the-fly the next time the file gets used.
Sorry 'bout that, I digressed.
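As an added illustration (not from either poster, and not Comodo's own rule engine), the two proposed HIPS rules modelled as parent/child path patterns and run over a few constructed process-launch events, to show which launches they would pass silently and which would still alert. It assumes CIS treats the .vbs path as the "executable" the way the question's rules do, and that `*` behaves as a plain glob wildcard.

```python
import fnmatch

# The two "Run an executable" allow rules from the question, as
# (parent pattern, child pattern). Paths are copied from the question.
HIPS_ALLOW_RULES = [
    (r"C:\Windows\System32\taskeng.exe",
     r"C:\Users\fade2gray\AppData\Local\Temp\tmp*.vbs"),
    (r"C:\Users\fade2gray\AppData\Local\Temp\tmp*.vbs",
     r"C:\Program Files (x86)\Mozilla Firefox\firefox.exe"),
]


def _match(pattern, path):
    # Windows paths are case-insensitive, so compare lower-cased.
    # Note: fnmatch's '*' also crosses backslashes, so 'tmp*.vbs' would
    # match a script in a sub-folder of Temp as well; a real rule engine
    # may or may not behave the same (assumption).
    return fnmatch.fnmatchcase(path.lower(), pattern.lower())


def hips_verdict(parent, child):
    """'allow' if some rule permits parent -> child without an alert, else 'alert'."""
    for parent_pat, child_pat in HIPS_ALLOW_RULES:
        if _match(parent_pat, parent) and _match(child_pat, child):
            return "allow"
    return "alert"


# Constructed sample launch events (parent, child); not real log data.
SAMPLE_EVENTS = [
    # the Event Log Online Help case the question describes
    (r"C:\Windows\System32\taskeng.exe",
     r"C:\Users\fade2gray\AppData\Local\Temp\tmp1a2b.vbs"),
    # that temp script opening the browser (rule 2)
    (r"C:\Users\fade2gray\AppData\Local\Temp\tmpZZZZ.vbs",
     r"C:\Program Files (x86)\Mozilla Firefox\firefox.exe"),
    # a temp script launching something else: no rule covers it, still alerts
    (r"C:\Users\fade2gray\AppData\Local\Temp\tmpdrop.vbs",
     r"C:\Windows\System32\cmd.exe"),
    # a script outside Temp launching Firefox: still alerts
    (r"C:\Users\fade2gray\Downloads\invoice.vbs",
     r"C:\Program Files (x86)\Mozilla Firefox\firefox.exe"),
]


def silently_allowed(events):
    """Launches the proposed rules would pass with no alert (the reply's concern)."""
    return [e for e in events if hips_verdict(*e) == "allow"]


if __name__ == "__main__":
    for parent, child in SAMPLE_EVENTS:
        print(hips_verdict(parent, child), parent, "->", child)
```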