jasonX

Level 9
Block a browser launch from a shell link in Eset HIPS

Hello,

How can I block a link that launches a browser in an application GUI via Eset HIPS? In CIS and OA Premium I can block that in the HIPS portion with "not start an application". I see in ESS that it has this, and I placed a rule like this for CCleaner:

Source application : C:\Program Files\CCleaner\CCleaner.exe
Target Application: Start new application
Over these applications: C:\Program Files\Mozilla Firefox\firefox.exe
Firefox still launches.

The same thing with KMPLayer but instead of FF it's IE. I placed the IE folder there in the "Over these application" but it still launches IE.

I used the same rule for some applications, like a freeware game that launches the default browser upon exit.



The Eset HIPS blocks it. On these two specific applications (CCleaner and KMPlayer) the rule is useless.

In Comodo IS, KMPlayer uses COM so I placed the block in COM Interfaces in D+. I assume that CCleaner is the same. Where can I place that in ESS?

In OA Premium I placed it in the Advanced setup and added the browsers, and it blocks them from launching.

How can I block such "shell links"(correct...?) in ESS HIPS...?

I'd like to be able to restrict links like these in the windows of applications, other than what I need. The kids might use the PC and might accidentally click. You know kids...

I tried to block the URL in KMPLayer but it also launched and connected. So blocking it via the firewall is useless also or the rule is wrong.



Kindly see images attached.





Please help :(
 

jamescv7

Level 61
Verified
Trusted
Did you use interactive mode? Since all operations would prompt, then try to add those rules based on the type of behavior. If you set those rules, you may choose Policy Mode, which blocks any rules created.
 

jasonX

Level 9
jamescv7 said:
Did you use interactive mode? Since all operations would prompt, then try to add those rules based on the type of behavior. If you set those rules, you may choose Policy Mode, which blocks any rules created.

Hello jamescv7 :),

Thank you for the reply and help :)

Kindly see image below. I set it to interactive mode and launched CCleaner > clicked Online Help at the lower-left corner, and it launched a Firefox tab without a pop-up alert from the HIPS.

 

jamescv7

Level 61
Verified
Trusted
Did you try those other modes?

Policy-based mode: All operations are denied automatically.

Learning mode: In Learning mode, operations are enabled and a rule is created after each operation. Rules created in this mode can be viewed in the Rule editor, but their priority is lower than the priority of rules created manually or rules used in automatic mode.

Selecting Learning mode enables the check box next to Notify about learning mode expiration in X days. Once the specific time period passes, Learning mode is disabled. The maximum time period is 14 days. After this time period has passed, you will be prompted to edit the rules and select a different filtering mode.
Rule editor: Click Configure rules to add, modify, or remove HIPS rules.
From KB Article.

Likely test it, and one of the modes may work for the rules.
 

jasonX

Level 9
jamescv7 said:
Did you try those other modes?

Policy-based mode: All operations are denied automatically.

Learning mode: In Learning mode, operations are enabled and a rule is created after each operation. Rules created in this mode can be viewed in the Rule editor, but their priority is lower than the priority of rules created manually or rules used in automatic mode.

Selecting Learning mode enables the check box next to Notify about learning mode expiration in X days. Once the specific time period passes, Learning mode is disabled. The maximum time period is 14 days. After this time period has passed, you will be prompted to edit the rules and select a different filtering mode.
Rule editor: Click Configure rules to add, modify, or remove HIPS rules.
From KB Article.

Likely test it, and one of the modes may work for the rules.
Hi jamescv7,

I tried Policy-based mode and it blocks everything related to the application. It will block even its GUI launch and will not let you use the app. So I did not use that. As to Learning mode, it nearly let me run everything in the first 3 days. Seems to be an ok-to-all.

Well, I'll try again in Learning Mode. I'll just finish some testing and make a backup image of that system partition. Then I'd try it again.

:)

Images again:



 

jasonX

Level 9
Just went to Learning Mode earlier. I deleted the rule I created for KMPlayer and ran it. In the KMPlayer Options > About I clicked the same forum website link. IE launched and there was no pop-up from Eset HIPS!

 

jamescv7

Level 61
Verified
Trusted
On this thread

There are preconfigured rules in a .xml file, so likely try to configure something that can be connected through browsers in a shell link method.
 

jasonX

Level 9
I'll check out the link later and read/try. Thank you.

Incidentally, I made a system image of the partition with Eset Smart Security earlier. I removed ESS and loaded Eset NOD32 AV only. Installed OA Premium and tested if they will work together. The Eset HIPS of NOD32 conflicts with OA Premium when I was making a rule for the said issues I posted. I had to disable it. When it was okay I did the rule and OA Premium blocked all issues at hand. See images. So I think Eset HIPS has problems trying to block applications which start another application.





 

jasonX

Level 9
Tried fiddling with the .xml file and I must have made a wrong entry or something; I had an error and ESS would not start. I will have to reload a system image from when all was well.

Along this line, I did another experiment on a different combination: Outpost Pro and NOD32 ver5. Outpost blocked the shell link launch of both CCleaner and KMPlayer cold. See images.





Kindly see the details of the Outpost block log.

1:27:31 AM Block CCLEANER.EXE OLE automation control \RPC Control\OLED7B946B272704CC093E655064640

1:10:54 AM Block KMPLAYER.EXE OLE automation control \RPC Control\OLE78C3F6C3069540328588B6732929

1:10:44 AM Block KMPLAYER.EXE DNS API request


The behavior of launching the browser is blocked with OLE automation control \ RPC Control. Anyone know how I can place that rule in ESS? That particular block rule was placed in the Outpost Anti-Leak settings located in Application Control.

As to the DNS request, I know that I have placed that already for both applications but ESS did not block it. I believe if I can place that "OLE automation control \ RPC Control" block in the HIPS of ESS I can prevent that particular behavior of browser launch.


Thank you :)
 
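The three Outpost Anti-Leak log lines quoted above carry more structure than they appear to: a timestamp, a verdict, the requesting image, the operation, and (for the OLE events) the RPC endpoint the request went through. The parser below is an added example, not part of the thread or of any ESET or Agnitum tool; it uses the poster's three lines (embedded as a constructed sample) and shows which processes reached the browser through the OLE/RPC path rather than a direct operation. Field names and the two helper functions are this example's own.

```python
"""Parse Outpost Firewall Pro Anti-Leak block-log lines of the kind quoted in
this thread and summarise which processes reached the browser through OLE
automation (the RPC/DCOM path) versus a direct operation.

Added example; not from the thread or from ESET/Agnitum. SAMPLE_LOG holds the
three lines the poster quoted; the record layout and helper names are this
example's own assumptions about the format."""
import re
from dataclasses import dataclass
from typing import Optional

# Matches e.g. "1:27:31 AM Block CCLEANER.EXE OLE automation control \RPC Control\OLE..."
LINE_RE = re.compile(
    r"^(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<verdict>Allow|Block)\s+"
    r"(?P<process>\S+)\s+"
    r"(?P<rest>.+)$"
)


@dataclass(frozen=True)
class LogEvent:
    time: str
    verdict: str
    process: str           # image name as Outpost logs it, upper-cased
    operation: str         # e.g. "OLE automation control", "DNS API request"
    target: Optional[str]  # e.g. "\RPC Control\OLE..." or None when absent


def parse_line(line: str) -> Optional[LogEvent]:
    """Return a LogEvent for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    # An object path, when present, starts with a backslash after the operation text.
    idx = rest.find(" \\")
    if idx >= 0:
        operation, target = rest[:idx], rest[idx + 1:]
    else:
        operation, target = rest, None
    return LogEvent(m.group("time"), m.group("verdict"),
                    m.group("process").upper(), operation, target)


def parse_log(text: str) -> list:
    """Parse every matching line; silently skip blank or unrecognised lines."""
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def ole_brokered_launchers(events) -> list:
    """Processes whose OLE automation call targeted an \\RPC Control\\ endpoint.

    Such launches reach the browser via the RPC/DCOM subsystem, so a HIPS rule
    keyed only on the app as the parent process may not see the browser start."""
    return sorted({
        ev.process for ev in events
        if ev.operation == "OLE automation control"
        and ev.target is not None
        and ev.target.upper().startswith("\\RPC CONTROL\\")
    })


def blocked_operations_by_process(events) -> dict:
    """Map each process to the sorted list of operations Outpost blocked for it."""
    out = {}
    for ev in events:
        if ev.verdict == "Block":
            out.setdefault(ev.process, set()).add(ev.operation)
    return {proc: sorted(ops) for proc, ops in out.items()}


# Constructed sample: the three lines quoted in the post above, verbatim.
SAMPLE_LOG = r"""
1:27:31 AM Block CCLEANER.EXE OLE automation control \RPC Control\OLED7B946B272704CC093E655064640
1:10:54 AM Block KMPLAYER.EXE OLE automation control \RPC Control\OLE78C3F6C3069540328588B6732929
1:10:44 AM Block KMPLAYER.EXE DNS API request
"""

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ev in evs:
        print(ev)
    print("OLE via RPC Control:", ole_brokered_launchers(evs))
    print("Blocked operations:", blocked_operations_by_process(evs))
```

Both CCLEANER.EXE and KMPLAYER.EXE show up as OLE-brokered, which matches the later finding that the actual browser start can appear under a different parent (svchost.exe) than the application the user clicked in.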

jamescv7

Level 61
Verified
Trusted
Just wondering, did you set "automatic mode with rules" in the first place? If yes, ESET will decide on the rules according to it.
 

malbky

New Member
Jason, you are having too much trouble with ESET; just dump it and opt for something like Kaspersky or Bitdefender. It's not worth so many times restoring and toying around, except if you have spare time.
 

jasonX

Level 9
malbky said:
Jason, you are having too much trouble with ESET; just dump it and opt for something like Kaspersky or Bitdefender. It's not worth so many times restoring and toying around, except if you have spare time.
Hi malbky,

Well, I have KIS 2012 on another PC and it's indeed okay. Of the suites around, I am finding KIS 2012 more to my liking. I just wanted to use the license that I got, and the AV component is quite okay. It's the HIPS and firewall which are in question here for me. I was looking towards just using a suite, really, but I am not yet getting there as there are issues like this.

I do not have a license for BitDefender IS; I've been wanting to have one, but with the links to promos or giveaways I am getting some trouble with proxies and stuff. When I tried BitDefender way back in 2009 it made the system slow. I believe the 2012 version is lighter.

On Eset, I'll be deciding if I'll hang on to the suite or just use the AV component without the HIPS feature sometime next week. Still am waiting for some advice and some tweaks that can be done. I am doing this on a spare HDD so it's not a bother to the other HDDs I have in tow in this system.

There were some very interesting discoveries I had when I posted here and that is thanks to you who have convinced me to come here. Kudos to you for that :)

Thanks :)
 

jasonX

Level 9
I interestingly discovered something earlier as I was checking out on another computer how Outpost blocks the launch of the browser in its GUI. In the blocks of CCleaner and KMPlayer it was listed as "Application is trying to control another network enabled application behavior through OLE"; the object service target is the RPC Control.

I checked RPC through the services using Process Hacker and it is Remote Procedure Call - C:\Windows\system32\rpcss.dll. So I took note of it and tried placing it in the HIPS rule on the PC with Eset Smart Security ver5 as:

Source applications:
C:\Program Files\CCleaner\CCleaner.exe

Target files:
C:\Windows\system32\rpcss.dll

Target applications:
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe

The Eset HIPS prevented the launch of the browser. It first tried to launch the default browser which was FF. When blocked it launched IE. So I placed both blocks for IE and FF.

This issue with CCleaner is now solved.

The same rule cannot be said for KMPlayer, although the pop-up was the same from Outpost. I accidentally glanced at the Process monitoring of Outpost when KMPlayer launched the IE browser. The IE launch was under svchost.exe and not under KMPlayer. Took note of it and used it on the PC with Eset Smart Security ver5. Made this rule:

Source applications:
C:\Windows\System32\svchost.exe

Target applications:
C:\Program Files\Internet Explorer\iexplore.exe

The result was that the IE launch was now blocked. So KMPlayer was using svchost.exe to trigger the launch of IE from its GUI. The block did not launch another browser, unlike CCleaner, which tried to launch another when the default was blocked.

Now I saved (exported) the settings in another folder so I can reload them again later. I deleted the block rule and went on to "interactive mode" so I can see whether there will be a pop-up when I try to launch the browser through the CCleaner and KMPlayer GUI. Restarted the PC.

Tried to launch the browser through the shell link in the GUI of both CCleaner and KMPlayer. The browsers launched and there was no pop-up. Well, that should have been prompted at least.

I went and recovered an image where I have NOD32 AV and Outpost Pro on another spare HDD partition. Booted it and disabled AntiLeak in Outpost. Likewise I enabled Eset HIPS. Rebooted. When I was sure that only Eset HIPS was running I set the Eset HIPS filtering mode to "interactive mode".

No rules set for CCleaner and KMPlayer, so when I click the shell link in both GUIs I should be seeing a pop-up or prompt, or nothing, the same as ESS.

There was a pop-up and it seemed to behave like Online Armor and Comodo when you have no rules set for your programs. It nearly did not let me work. Pop-ups here and there.

BUT it blocked the CCleaner and KMPlayer browser launch! Fancy that! This was Eset NOD32 AV with HIPS enabled. And the Eset HIPS was giving me hell! In Eset Smart Security ver5 there were no pop-ups in interactive mode!

The CCleaner pop-ups were asking me to allow or block:

Application: C:\Program Files\CCleaner\CCleaner.exe
Operation: Start New application
Target: C:\Program Files\Mozilla Firefox\firefox.exe

When I clicked "Deny" to that another pop-up showed with "Target: C:\Program Files\Internet Explorer\iexplore.exe"

So the alert messages that I did get from ESS ver5 when I placed the rules for CCleaner were correct after all. (Image is from the PC with Eset Smart Security ver5)



On KMPlayer behavior the pop-up showed: (Image is from the partition with Eset NOD32 with HIPS and Outpost Pro with AntiLeak (Proactive --hips) disabled)




Applications: C:\Windows\System32\svchost.exe
Operation: Start New application
Target: C:\Program Files\Internet Explorer\iexplore.exe

I clicked "Deny" to that and a pop-up showed with a "Access Denied: Class ID etc etc..."

(Image is from the partition with Eset NOD32 with HIPS and Outpost Pro with AntiLeak (Proactive --hips) disabled)



I checked the rules after all the "Deny" and the rule was the same as I placed it in Eset ESSver5.

I saved/exported the settings again in another folder and transferred to "automatic mode with rules" in the Eset HIPS filtering mode. Deleted the rules that resulted from the interactive mode and tried to launch the browser via the CCleaner and KMPlayer GUI. It launched without pop-ups.

So in the Eset NOD32 ver5 AV HIPS, interactive mode is showing pop-ups and intercepts the behavior of CCleaner and KMPlayer, while in Eset Smart Security ver5 the HIPS interactive mode seems not to be functioning even when there are no rules created. No pop-ups given like the ones in Eset NOD32 AV with HIPS "automatic mode with rules".

I wonder why that is? In all HIPS, especially when it's a new install and I am not familiar with it, I always prefer "interactive" or "maximum" (Agnitum) or Safe/Paranoid (Comodo) to see those pop-ups. Surprisingly, with ESS there were none and with Eset NOD32 there was a ton of them!

Anyway, the problem is solved now, and going back to the PC with ESS ver5, the settings stayed and the issue is resolved.


Thanks to jamescv7 and malbky for the assistance and patience :)
 
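The post above works out, by trial and error, two properties of a "Start new application" HIPS rule: it is matched on the process that actually requests the start (svchost.exe for the KMPlayer case, not KMPlayer itself), and it only covers the listed targets (CCleaner fell through to IE when only firefox.exe was blocked). The model below is an added example, not ESET's rule engine; its matching semantics (first matching rule wins, unmatched operations are allowed, case-insensitive path comparison) are assumptions made for illustration, the rule and event records are built from the paths and pop-ups quoted in the thread, and the KMPlayer.exe path is a placeholder since the thread never gives it.

```python
"""Model of how a 'Start new application' HIPS rule is matched against a
process-start event, to show why the rules in this thread behaved as they did.

Added example, not ESET's rule engine. Assumptions: first matching rule wins,
an event with no matching rule is allowed, and Windows paths compare
case-insensitively. KMPLAYER is a placeholder path; the thread does not give it."""
from dataclasses import dataclass

START_APP = "Start new application"

# Paths quoted in the thread.
CCLEANER = r"C:\Program Files\CCleaner\CCleaner.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
IEXPLORE = r"C:\Program Files\Internet Explorer\iexplore.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"
# Assumed install path, used only to show a rule keyed on KMPlayer itself.
KMPLAYER = r"C:\Program Files\KMPlayer\KMPlayer.exe"


@dataclass(frozen=True)
class StartEvent:
    source: str  # full path of the process requesting the start (the parent)
    target: str  # full path of the image being started


@dataclass(frozen=True)
class Rule:
    source: str
    operation: str
    targets: tuple
    action: str  # "Block" or "Allow"


def _same_path(a: str, b: str) -> bool:
    """Windows paths are case-insensitive; normalise separators too."""
    return a.replace("/", "\\").lower() == b.replace("/", "\\").lower()


def evaluate(rules, ev: StartEvent) -> str:
    """Verdict for one start event under an ordered rule list."""
    for r in rules:
        if r.operation != START_APP:
            continue
        if _same_path(r.source, ev.source) and any(_same_path(t, ev.target) for t in r.targets):
            return r.action
    return "Allow"  # assumption: nothing matched -> the start is permitted


def simulate_launch(rules, attempts):
    """Try each candidate browser in order, as CCleaner did (default browser
    first, then IE when that was blocked). Returns [(event, verdict), ...]
    and stops at the first allowed start."""
    trace = []
    for ev in attempts:
        verdict = evaluate(rules, ev)
        trace.append((ev, verdict))
        if verdict == "Allow":
            break
    return trace


def ccleaner_attempts():
    # Default browser first; IE as the fallback the poster observed.
    return [StartEvent(CCLEANER, FIREFOX), StartEvent(CCLEANER, IEXPLORE)]


def kmplayer_launch():
    # What the Eset pop-up actually showed: svchost.exe, not KMPlayer, starts IE.
    return StartEvent(SVCHOST, IEXPLORE)


def first_rule_set():
    """The rules as first posted: block CCleaner->firefox, block KMPlayer->IE."""
    return [
        Rule(CCLEANER, START_APP, (FIREFOX,), "Block"),
        Rule(KMPLAYER, START_APP, (IEXPLORE,), "Block"),
    ]


def fixed_rule_set():
    """The rules that worked: both browsers for CCleaner, and svchost.exe as source for IE."""
    return [
        Rule(CCLEANER, START_APP, (FIREFOX, IEXPLORE), "Block"),
        Rule(SVCHOST, START_APP, (IEXPLORE,), "Block"),
    ]


def browser_launched(rules, attempts) -> bool:
    """True if any attempt in the chain was allowed."""
    return any(v == "Allow" for _, v in simulate_launch(rules, attempts))


if __name__ == "__main__":
    print("first rules, CCleaner:", simulate_launch(first_rule_set(), ccleaner_attempts()))
    print("first rules, KMPlayer:", evaluate(first_rule_set(), kmplayer_launch()))
    print("fixed rules, CCleaner:", simulate_launch(fixed_rule_set(), ccleaner_attempts()))
    print("fixed rules, KMPlayer:", evaluate(fixed_rule_set(), kmplayer_launch()))
```

Two practical consequences follow from the model. A block rule keyed on the application you clicked in cannot see a start that a broker process performs on its behalf, so the source must be whatever the HIPS pop-up names as the requester. And a rule with svchost.exe as source and iexplore.exe as target is broad: svchost.exe hosts many services, so that rule affects any brokered IE launch on the machine, not just KMPlayer's.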

jamescv7

Level 61
Verified
Trusted
You're welcome, and glad you found the solution. It seems good that you tested other firewalls for those capabilities so that you can observe it. As with HIPS, it takes time and knowledge to make rules more specific.
 

jasonX

Level 9
jamescv7 said:
You're welcome, and glad you found the solution. It seems good that you tested other firewalls for those capabilities so that you can observe it. As with HIPS, it takes time and knowledge to make rules more specific.
Spoke too soon about the problem being solved. It seems the rule is only good when a browser IS NOT running. When an instance of a browser is present at the moment, clicking the link launches the site in the browser.

That's again a good question:

How can I block that "web page launch behavior" when an instance of browser is already running?

So for now the remaining thing to do is to block specifically the URL to which the link is tied. The web page tab will launch (when a browser is running) but the URL will be blocked.