This is the path/program
C:\Users\MrX\AppData\Local\Google\Chrome\User Data\SwReporter\104.289.200\software_reporter_tool.exe
I want to block it.
Google Chrome is currently un-bound.
As a matter of fact there's one more I can't add a block rule, who knows what else...
C:\Users\MrX\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Microsoft.SharePoint.exe
Hello.
What do you mean, you can't add a rule? There is an error when you add it? Or you added it, but it doesn't seem to work? In the latter case try to take a look at logs, most likely parent process is allowed to spawn children without inspection.
Hello fixer,
Perhaps a couple of screenshots might help. Look first post please.
I found today one more I can't add
C:\Users\MrX\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Microsoft.SharePoint.exe
I edited the first post with screenshots.
Found one more.
Curiously this one cannot be added under user MrX, under user SYSTEM it can be added though.
C:\Users\MrX\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileCoAuth.exe
Weirdest thing is even if I add a very tight rule under SYSTEM, ReHIPS is not blocking its execution when I manually double click on FileCoAuth.exe.
Thank you for your report. This one requires some research. What OS version do you have, BTW?
Windows 10 21H2 x64 Education EN
If you need to research in my computer be my guest. I do not store sensitive information on this machine.
Any news on this?
I want to keep exploring and make use of the anti-executable side of ReHIPS.
Should come back until the end of the week. In the meanwhile a couple of questions.
1. Are you adding by clicking "+" button and manually browsing, from Log or somehow else?
2. What does the hint say when you hover your mouse over red path?
Quote from: fixer on November 04, 2022, 10:43:29 AM1. Are you adding by clicking "+" button and manually browsing, from Log or somehow else?
By clicking + button and manually browsing.
Quote from: fixer on November 04, 2022, 10:43:29 AM2. What does the hint say when you hover your mouse over red path?
This file doesn't exist or isn't valid
Since I miserably failed to take a look at it until the end of the week, try a workaround. Add it using a wildcard like
software_reporter_tool.ex?
Yes it is possible to add it using a wildcard to both users MrX and SYSTEM:
*\software_reporter_tool.exe
The block rule still doesn't work though.
Double clicking on the executable effectively launches it again.
Looks like you slightly misused wildcards, take a look at this blogpost https://forum.rehips.com/index.php?topic=9647.0
Your wildcarded path should be something like
C:\Users\MrX\AppData\Local\Google\Chrome\User Data\SwReporter\104.289.200\software_reporter_tool.ex?
It worked. Even adding another wildcard worked
C:\Users\MrX\AppData\Local\Google\Chrome\User Data\SwReporter\*\software_reporter_tool.ex?
I added that extra wildcard '*' cause Google will increase version number and this wildcard covers such change.
What I don't quite understand is why the '?' at the end replacing the 'e' on .exe
My experiences with other security apps adding complete 'exe' extension has never been an issue.
Even more stranger to me is the fact in some cases here on ReHIPS it actually works, this line for example:
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
I think all the lines I worked on now they seem to be blocking the executables correctly, except for one:
C:\Users\MrX\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileCoAuth.exe
I tried several wildcard variations and it keeps running when I double click on it.
Now I got another issue I didn't notice before: ReHIPS is recreating rules I already delete to put mine instead.
I deleted these ones Allowed
C:\Users\MrX\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileCoAuth.exe
C:\Users\MrX\AppData\Local\Microsoft\OneDrive\OneDrive.exe
C:\Users\MrX\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
in favor of these to Block
C:\*\Google\Update\GoogleUpdate.exe
C:\Users\*\AppData\Local\Microsoft\OneDrive\*\Microsoft.SharePoint.exe
C:\Users\*\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe
C:\Users\*\AppData\Local\Microsoft\OneDrive\OneDrive.exe
C:\Users\*\AppData\Local\Microsoft\OneDrive\*\FileCoAuth.exe
The latter were working fine until ReHIPS re-created the Allowed rules above.
Didn't know ReHIPS was able to bypass my Block rules.
How can I stop such behavior?
Quote from: Mr.X on November 09, 2022, 12:17:16 AMWhat I don't quite understand is why the '?' at the end replacing the 'e' on .exe
ReHIPS uses full match on executable file name, ? means one character, * means any number of characters.
Quote from: Mr.X on November 09, 2022, 02:10:31 AMI tried several wildcard variations and it keeps running when I double click on it.
Can you give exact rule that should cover it and a line from Log tab regarding this app running freely?
Quote from: Mr.X on November 16, 2022, 07:41:11 AMHow can I stop such behavior?
Sometimes ReHIPS reinstalls rules, you can take a look here https://forum.rehips.com/index.php?topic=11885.0 That's why it's a good idea to set to Block instead of deleting rules. And specific non-wildcarded rules have more priority than wildcarded ones.
Quote from: fixer on November 16, 2022, 11:08:58 AMSometimes ReHIPS reinstalls rules, you can take a look here https://forum.rehips.com/index.php?topic=11885.0 That's why it's a good idea to set to Block instead of deleting rules. And specific non-wildcarded rules have more priority than wildcarded ones.
I think this is the cause of all my "issues" described in this thread. I hadn't understood how really ReHIPS behaves with respect to the bundles rules with ReHIPS. And I think I still need to observe carefully after software updates how ReHIPS deals with them and how to manage my Block rules. Also I need to play with wildcards to fully understand all of this.
Thanks fixer for your kind help.