Topic: [RulesManager] custom block list

Umbra

  • Active Testers
  • Hero Member
  • *****
  • Posts: 596
  • Beta tester
[RulesManager] custom block list
« on: August 06, 2019, 05:41:00 am »
hi,

ok so I'm trying to block several LOLbins by putting them in a "group" to be distributed to all users via the RuleManager but failed to do so; so far, the rules aren't being deployed.

I bet I did something wrong somewhere or maybe I just can't do it.

edit1: guess the * wildcard at the beginning is wrong.
edit2: seems if the exe is located in the System folder, the rule can't be deployed if set on the Windows folder in RuleManager
edit3: default db rules (in RuleManager) take precedence over custom ones, so they must be deleted for the custom rule to be applied.

my question: is there a way to write, in RuleManager, a single rule for a process that will take precedence over the default one and cover both system32 and syswow64 at the same time?

for now, what I have to do to create a block rule (i.e: powershell.exe) in my custom group (Block LOLbins):

in RuleManager:
1- delete the default group (i.e: powershell)
2- create 2 new powershell.exe rules in my custom group (Block LOLbins), one for System32, one for SysWOW64

in REHIPS rules:
3- delete the installed powershell.exe rules

all this is a bit of a hassle to be honest.
« Last Edit: August 06, 2019, 08:12:09 am by Umbra »

fixer

  • Administrator
  • Hero Member
  • *****
  • Posts: 1461
Re: [RulesManager] custom block list
« Reply #1 on: August 06, 2019, 08:21:29 am »
Here is a blog post as a small reminder of how wildcards work: https://forum.rehips.com/index.php?topic=9647.0 In short:
1. Keep in mind that wildcards don't include path separators (\ or /). That's why it's quite useless to put * at the beginning. But ** will be introduced in an upcoming build.
2. First an exact match is searched. It's used, if found. If not, ReHIPS tries to match wildcards. So wildcarding already existing exact rules does nothing. This was done to make exceptions from wildcards, but wildcards can't be exceptions from exact rules.

So no, a wildcarded rule won't take precedence over an exact rule. The exact rule should be deleted for the wildcarded one to take effect. But having deleted it, you can cover files in both System32 and SysWow64 folders with a single wildcarded rule.


Umbra

Re: [RulesManager] custom block list
« Reply #2 on: August 06, 2019, 08:27:32 am »
Quote
Here is a blog post as a small reminder of how wildcards work: https://forum.rehips.com/index.php?topic=9647.0 In short:
will read, thx.

Quote
1. Keep in mind that wildcards don't include path separators (\ or /). That's why it's quite useless to put * in the beginning. But ** will be introduced in upcoming build.
great

Quote
2. First an exact match is searched. It's used, if found. If not, ReHIPS tries to match wildcards. So wildcarding already existing exact rules does nothing. This was done to make exceptions from wildcards, but wildcards can't be exceptions from exact rules. So no, a wildcarded rule won't take precedence over an exact rule.
found out myself lol

Quote
The exact rule should be deleted for the wildcarded one to take effect. But having deleted it, you can cover files in both System32 and SysWow64 folders with a single wildcarded rule.
For example, for blocking netstat.exe in both System32 and SysWow64 folders, how would I write the wildcarded rule in RuleManager?

Thanks in advance.
« Last Edit: August 06, 2019, 08:39:54 am by Umbra »

fixer

Re: [RulesManager] custom block list
« Reply #3 on: August 06, 2019, 09:35:26 am »
Quote
For example, for blocking netstat.exe in both System32 and SysWow64 folders, how would I write the wildcarded rule in RuleManager?
C:\Windows\*\netstat.exe should work.

Umbra

Re: [RulesManager] custom block list
« Reply #4 on: August 06, 2019, 01:50:23 pm »
Quote
For example, for blocking netstat.exe in both System32 and SysWow64 folders, how would I write the wildcarded rule in RuleManager?
C:\Windows\*\netstat.exe should work.
With FOLDERID_Windows?

fixer

Re: [RulesManager] custom block list
« Reply #5 on: August 06, 2019, 02:37:35 pm »
The whole path is C:\Windows\*\netstat.exe

In terms of RulesManager, predefined folder FOLDERID_Windows and file *\netstat.exe

Umbra

Re: [RulesManager] custom block list
« Reply #6 on: August 06, 2019, 03:00:24 pm »
Quote
The whole path is C:\Windows\*\netstat.exe

In terms of RulesManager, predefined folder FOLDERID_Windows and file *\netstat.exe
Okie thanks, I am making rules for RM :)

Umbra

Re: [RulesManager] custom block list
« Reply #7 on: August 07, 2019, 05:53:29 pm »
Thanks for your help Fixer, I made it, all works well.

1- made the block rules as one group in RuleManager
2- deleted the duplicates that were implemented by default
3- uninstalled ReHIPS
4- reinstalled it but prevented it from starting right away
5- copied the rdb files into the ReHIPS program files folder
6- started ReHIPS
7- let the rules be installed

fixer

Re: [RulesManager] custom block list
« Reply #8 on: August 07, 2019, 10:50:12 pm »
A blog post about a little lifehack to make it install with your RDB file instead of the default one: https://forum.rehips.com/index.php?topic=9742.0

Umbra

Re: [RulesManager] custom block list
« Reply #9 on: August 08, 2019, 06:49:54 am »
Quote
A blog post about a little lifehack to make it install with your RDB file instead of the default one: https://forum.rehips.com/index.php?topic=9742.0
I did try the trick but it didn't work (installer and rdb file were on the desktop), maybe a glitch.

Umbra

Re: [RulesManager] custom block list
« Reply #10 on: August 09, 2019, 07:09:32 am »
will keep playing with the RuleManager while waiting for the new build, I hope it will implement the blocking of all executables in a folder/partition by wildcards (i.e: D:\*)

fixer

Re: [RulesManager] custom block list
« Reply #11 on: August 09, 2019, 07:32:32 am »
Syntax is D:\** to distinguish from * wildcard. But yes, it'll be there ;)
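To make the matching behaviour described in this thread concrete (fixer's two points in Reply #1: an exact rule is looked up first and a wildcard never overrides it, and * stops at a path separator; the C:\Windows\*\netstat.exe rule from Replies #3 and #5; and the D:\** syntax above), here is a small Python matcher. It is an added example written for this page, not ReHIPS code and not from any post in the thread. It assumes a simplified model: rules are an ordered list, paths are compared case-insensitively with / and \ treated alike, the action on a rule is just an illustrative label, and * matches any run of characters without a separator while ** matches anything. Anything about the real ReHIPS matcher beyond what the posts state is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


def normalize(path: str) -> str:
    """Canonical form for comparison: Windows paths are case-insensitive and
    accept either separator, so fold case and use backslash throughout
    (a simplifying assumption for this example)."""
    return path.replace("/", "\\").lower()


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Compile a ReHIPS-style path pattern into a regex (assumed semantics).

    '*'  -> any run of characters that contains no separator, so a pattern
            like '*netstat.exe' cannot reach across directories
            (the reason a leading '*' does nothing useful);
    '**' -> anything, separators included (the 'D:\\**' syntax announced
            for the upcoming build);
    every other character is literal.
    """
    p = normalize(pattern)
    parts: List[str] = []
    i = 0
    while i < len(p):
        if p.startswith("**", i):
            parts.append(".*")
            i += 2
        elif p[i] == "*":
            parts.append(r"[^\\]*")
            i += 1
        else:
            parts.append(re.escape(p[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def matches(pattern: str, path: str) -> bool:
    """True if the (possibly wildcarded) pattern covers the given path."""
    return pattern_to_regex(pattern).match(normalize(path)) is not None


@dataclass
class Rule:
    path: str      # exact path or wildcard pattern
    action: str    # illustrative label, e.g. "block" or "allow"

    @property
    def is_wildcard(self) -> bool:
        return "*" in self.path


def find_rule(rules: List[Rule], path: str) -> Optional[Rule]:
    """Lookup order from the thread: an exact rule for the path wins outright;
    wildcard rules are only consulted when no exact rule exists. That is why
    a wildcarded block never overrides a pre-existing exact rule."""
    target = normalize(path)
    for rule in rules:
        if not rule.is_wildcard and normalize(rule.path) == target:
            return rule
    for rule in rules:
        if rule.is_wildcard and matches(rule.path, path):
            return rule
    return None


def demo() -> dict:
    """Walk through the situations discussed in the thread with constructed
    sample rules and paths; returns the outcomes so they can be checked."""
    sys32 = r"C:\Windows\System32\netstat.exe"
    wow64 = r"C:\Windows\SysWOW64\netstat.exe"
    # Constructed stand-in for a default-DB exact rule plus the custom block rule.
    with_default = [Rule(sys32, "allow"), Rule(r"C:\Windows\*\netstat.exe", "block")]
    custom_only = [Rule(r"C:\Windows\*\netstat.exe", "block")]
    return {
        # A leading '*' never crosses a directory boundary.
        "leading_star_hits_sys32": matches(r"*netstat.exe", sys32),
        # One wildcard rule covers both bitness folders ...
        "star_hits_sys32": matches(r"C:\Windows\*\netstat.exe", sys32),
        "star_hits_wow64": matches(r"C:\Windows\*\netstat.exe", wow64),
        # ... but not a deeper location, because '*' stops at a separator.
        "star_hits_deeper": matches(r"C:\Windows\*\netstat.exe", r"C:\Windows\a\b\netstat.exe"),
        # Exact rule present: it wins for System32, the wildcard still covers SysWOW64.
        "sys32_with_default": find_rule(with_default, sys32).action,
        "wow64_with_default": find_rule(with_default, wow64).action,
        # Exact rule deleted: the single wildcard rule now applies to System32 too.
        "sys32_custom_only": find_rule(custom_only, sys32).action,
        # '**' crosses separators; '*' does not.
        "double_star_whole_drive": matches(r"D:\**", r"D:\tools\sub\x.exe"),
        "single_star_whole_drive": matches(r"D:\*", r"D:\tools\sub\x.exe"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the same ordering Umbra hit in the first post: while the exact System32 rule exists, the wildcard only reaches SysWOW64, and only after the exact rule is removed does C:\Windows\*\netstat.exe cover both folders.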

Umbra

Re: [RulesManager] custom block list
« Reply #12 on: August 09, 2019, 09:11:17 am »
Quote
Syntax is D:\** to distinguish from * wildcard. But yes, it'll be there ;)
cool thanks