hi,
ok so im trying to block several LOLbins by putting them in a "group" to be distributed to all users via the RuleManager but failed to do so, so far, the rules arent being deployed.
i bet i did something wrong somewhere or maybe i just cant do it.
edit1: guess the * wildcards at the beginning is wrong.
edit2: seems if the exe is located on System folder, the rule cant be deployed if set on Windows folder in RuleManager
edit3: default db rules (in RuleManager) take precedence over custom one, so they must be deleted for the custom rule to be applied.
my question: there is a way to write, in RuleManager, a single rule for a process that will take precedence over default one and be both in system32 and syswow64 at same time?
for now, what i have to do to create a block rule (i.e: powershell.exe) in my custom group (Block LOLbins):
in RuleManager:
1- delete the default group (i.e: powershell)
2- create 2 new powershell.exe rules in my custom group (Block LOLbins) one for System32 , one for SysWOW64
in REHIPS rules:
3- delete installed powershell.exe rules
all this is a bit a hassle to be honest.
Here is a blogpost as a small reminder of how wildcards work https://forum.rehips.com/index.php?topic=9647.0 In short words:
1. Keep in mind that wildcards don't include path separators (\ or /). That's why it's quite useless to put * in the beginning. But ** will be introduced in upcoming build.
2. First exact match is searched. It's used, if found. If not, ReHIPS tries to match wildcards. So wildcarding already existing exact rules does nothing. This was done to make exceptions from wildcards, but wildcards can't be exceptions from exact rules.
So no, wildcarded rule won't take precedence over exact rule. Exact rule should be deleted for the wildcarded to take effect. But having it deleted you can cover files in both System32 and SysWow64 folders with a single wildcarded rule.
Quote from: fixer on August 06, 2019, 08:21:29 AM
Here is a blogpost as a small reminder of how wildcards work https://forum.rehips.com/index.php?topic=9647.0 In short words:
will read thx.
Quote1. Keep in mind that wildcards don't include path separators (\ or /). That's why it's quite useless to put * in the beginning. But ** will be introduced in upcoming build.
great
Quote2. First exact match is searched. It's used, if found. If not, ReHIPS tries to match wildcards. So wildcarding already existing exact rules does nothing. This was done to make exceptions from wildcards, but wildcards can't be exceptions from exact rules.So no, wildcarded rule won't take precedence over exact rule.
found out myself lol
QuoteExact rule should be deleted for the wildcarded to take effect. But having it deleted you can cover files in both System32 and SysWow64 folders with a single wildcarded rule.
In example, for blocking netstat.exe in both System32 and SysWow64 folders , how would i syntax the wildcarded rule in RuleManager?
Thanks by advance.
Quote from: Umbra on August 06, 2019, 08:27:32 AM
In example, for blocking netstat.exe in both System32 and SysWow64 folders , how would i syntax the wildcarded rule in RuleManager?
C:\Windows\*\netstat.exe should work.
Quote from: fixer on August 06, 2019, 09:35:26 AM
Quote from: Umbra on August 06, 2019, 08:27:32 AM
In example, for blocking netstat.exe in both System32 and SysWow64 folders , how would i syntax the wildcarded rule in RuleManager?
C:\Windows\*\netstat.exe should work.
With folderID_Windows?
The whole path is C:\Windows\*\netstat.exe
In terms of RulesManager, predefined folder FOLDERID_Windows and file *\netstat.exe
Quote from: fixer on August 06, 2019, 02:37:35 PM
The whole path is C:\Windows\*\netstat.exe
In terms of RulesManager, predefined folder
FOLDERID_Windows and file *\netstat.exe
Okie thanks, I am making rules for RM :)
Thanks for your help Fixer, i made it, all works well.
1- made the block rules as one group in RuleManager
2- deleted the duplicates that was implemented by default
3- uninstalled ReHIPS
4- reinstalled it but prevent it to start right away
5- copied rdb files in ReHIPS program files folder
6- started ReHIPS
7- let the the rules being installed
A blogpost about little lifehack to make it install with your RDB file instead of the default one https://forum.rehips.com/index.php?topic=9742.0
Quote from: fixer on August 07, 2019, 10:50:12 PM
A blogpost about little lifehack to make it install with your RDB file instead of the default one https://forum.rehips.com/index.php?topic=9742.0
i did try the trick but it didn't work (installer and rdb file were on the desktop), maybe a glitch.
will keep playing with the RuleManager while waiting the new build, i hope it will implement the blocking of all executables in a folder/partition by wildcards (i.e: D:\*)
Syntax is D:\** to distinguish from * wildcard. But yes, it'll be there ;)
Quote from: fixer on August 09, 2019, 07:32:32 AM
Syntax is D:\** to distinguish from * wildcard. But yes, it'll be there ;)
cool thanks