[RulesManager] custom block list

Started by Umbra, August 06, 2019, 05:41:00 AM


Umbra

hi,

ok so I'm trying to block several LOLbins by putting them in a "group" to be distributed to all users via the RuleManager, but I failed to do so; so far, the rules aren't being deployed.

I bet I did something wrong somewhere, or maybe I just can't do it.

edit1: guess the * wildcard at the beginning is wrong.
edit2: seems if the exe is located in the System folder, the rule can't be deployed if set on the Windows folder in RuleManager
edit3: default db rules (in RuleManager) take precedence over custom ones, so they must be deleted for the custom rule to be applied.

my question: is there a way to write, in RuleManager, a single rule for a process that will take precedence over the default one and cover both system32 and syswow64 at the same time?

for now, what I have to do to create a block rule (i.e. powershell.exe) in my custom group (Block LOLbins):

in RuleManager:
1- delete the default group (i.e. powershell)
2- create 2 new powershell.exe rules in my custom group (Block LOLbins), one for System32, one for SysWOW64

in REHIPS rules:
3- delete installed powershell.exe rules

all this is a bit of a hassle to be honest.

fixer

Here is a blogpost as a small reminder of how wildcards work: https://forum.rehips.com/index.php?topic=9647.0 In short:
1. Keep in mind that wildcards don't include path separators (\ or /). That's why it's quite useless to put * at the beginning. But ** will be introduced in an upcoming build.
2. First an exact match is searched for. It's used if found. If not, ReHIPS tries to match wildcards. So wildcarding already existing exact rules does nothing. This was done to make exceptions from wildcards, but wildcards can't be exceptions from exact rules.

So no, a wildcarded rule won't take precedence over an exact rule. The exact rule should be deleted for the wildcarded one to take effect. But having deleted it, you can cover files in both System32 and SysWow64 folders with a single wildcarded rule.


Umbra

Quote from: fixer on August 06, 2019, 08:21:29 AM
Here is a blogpost as a small reminder of how wildcards work: https://forum.rehips.com/index.php?topic=9647.0 In short:
will read, thx.

Quote: 1. Keep in mind that wildcards don't include path separators (\ or /). That's why it's quite useless to put * at the beginning. But ** will be introduced in an upcoming build.
great

Quote: 2. First an exact match is searched for. It's used if found. If not, ReHIPS tries to match wildcards. So wildcarding already existing exact rules does nothing. This was done to make exceptions from wildcards, but wildcards can't be exceptions from exact rules. So no, a wildcarded rule won't take precedence over an exact rule.
found out myself lol

Quote: The exact rule should be deleted for the wildcarded one to take effect. But having deleted it, you can cover files in both System32 and SysWow64 folders with a single wildcarded rule.
For example, for blocking netstat.exe in both System32 and SysWow64 folders, how would I write the wildcarded rule in RuleManager?

Thanks in advance.

fixer

Quote from: Umbra on August 06, 2019, 08:27:32 AM
For example, for blocking netstat.exe in both System32 and SysWow64 folders, how would I write the wildcarded rule in RuleManager?
C:\Windows\*\netstat.exe should work.

Umbra

Quote from: fixer on August 06, 2019, 09:35:26 AM
Quote from: Umbra on August 06, 2019, 08:27:32 AM
For example, for blocking netstat.exe in both System32 and SysWow64 folders, how would I write the wildcarded rule in RuleManager?
C:\Windows\*\netstat.exe should work.
With folderID_Windows?

fixer

The whole path is C:\Windows\*\netstat.exe

In terms of RulesManager, predefined folder FOLDERID_Windows and file *\netstat.exe

Umbra

Quote from: fixer on August 06, 2019, 02:37:35 PM
The whole path is C:\Windows\*\netstat.exe

In terms of RulesManager, predefined folder FOLDERID_Windows and file *\netstat.exe
Okay thanks, I am making rules for RM :)

Umbra

Thanks for your help Fixer, I made it, all works well.

1- made the block rules as one group in RuleManager
2- deleted the duplicates that were implemented by default
3- uninstalled ReHIPS
4- reinstalled it but prevented it from starting right away
5- copied the rdb files into the ReHIPS program files folder
6- started ReHIPS
7- let the rules be installed

fixer

A blogpost about a little lifehack to make it install with your RDB file instead of the default one: https://forum.rehips.com/index.php?topic=9742.0

Umbra

Quote from: fixer on August 07, 2019, 10:50:12 PM
A blogpost about a little lifehack to make it install with your RDB file instead of the default one: https://forum.rehips.com/index.php?topic=9742.0
I did try the trick but it didn't work (installer and rdb file were on the desktop), maybe a glitch.

Umbra

Will keep playing with the RuleManager while waiting for the new build; I hope it will implement blocking of all executables in a folder/partition by wildcards (i.e. D:\*)

fixer

Syntax is D:\** to distinguish from * wildcard. But yes, it'll be there ;)
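A small model of the matching order fixer describes earlier in the thread (exact rule first, wildcards only if no exact rule matches, with * stopping at a path separator) together with the D:\** syntax from this post, as an added Python example that is not ReHIPS code; the rule tuples and the "allow"/"block" actions are constructed for illustration and assume nothing about the real RDB format.

```python
import re
from typing import List, Optional, Tuple

def wildcard_to_regex(pattern: str):
    """Compile a pattern: '*' stops at a path separator, '**' spans separators."""
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")          # ** crosses \ and / (D:\** covers a whole drive)
            i += 2
        elif pattern[i] == "*":
            parts.append(r"[^\\/]*")    # * stays inside one path component
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(parts) + r"\Z", re.IGNORECASE)

def match_rule(rules: List[Tuple[str, str]], path: str) -> Optional[str]:
    """Exact rules are checked first; only if none match are wildcard rules tried."""
    for pattern, action in rules:
        if "*" not in pattern and pattern.lower() == path.lower():
            return action
    for pattern, action in rules:
        if "*" in pattern and wildcard_to_regex(pattern).match(path):
            return action
    return None

# Constructed rule set: a default exact rule for netstat.exe in System32,
# the custom wildcarded block rule from the thread, and a whole-drive block.
DEFAULT_NETSTAT = (r"C:\Windows\System32\netstat.exe", "allow")
CUSTOM_BLOCK = (r"C:\Windows\*\netstat.exe", "block")
DRIVE_BLOCK = (r"D:\**", "block")

def demo() -> dict:
    sys32 = r"C:\Windows\System32\netstat.exe"
    wow64 = r"C:\Windows\SysWOW64\netstat.exe"
    return {
        # the exact default rule shadows the wildcard for System32, not for SysWOW64
        "sys32_with_default": match_rule([DEFAULT_NETSTAT, CUSTOM_BLOCK], sys32),
        "wow64_with_default": match_rule([DEFAULT_NETSTAT, CUSTOM_BLOCK], wow64),
        # once the exact rule is deleted, one wildcard rule covers both folders
        "sys32_after_delete": match_rule([CUSTOM_BLOCK], sys32),
        # a single * does not reach across an extra directory level
        "one_star_too_deep": match_rule([(r"C:\*\netstat.exe", "block")], sys32),
        "drive_double_star": match_rule([DRIVE_BLOCK], r"D:\tools\bin\any.exe"),
    }
```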

Umbra

Quote from: fixer on August 09, 2019, 07:32:32 AM
Syntax is D:\** to distinguish from * wildcard. But yes, it'll be there ;)
cool, thanks