Can't add a rule for a program

Started by Mr.X, October 26, 2022, 02:26:48 AM


Mr.X

This is the path/program
C:\Users\MrX\AppData\Local\Google\Chrome\User Data\SwReporter\104.289.200\software_reporter_tool.exe

I want to block it.
Google Chrome is currently un-bound.

As a matter of fact there's one more I can't add a block rule for; who knows what else...
C:\Users\MrX\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Microsoft.SharePoint.exe

fixer

Hello.
What do you mean, you can't add a rule? Is there an error when you add it? Or you added it, but it doesn't seem to work? In the latter case try to take a look at the logs; most likely the parent process is allowed to spawn children without inspection.

Mr.X

#2
Hello fixer,

Perhaps a couple of screenshots might help. Look at the first post please.

Mr.X

I found today one more I can't add
C:\Users\MrX\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Microsoft.SharePoint.exe

I edited the first post with screenshots.

Mr.X

#4
Found one more.

Curiously this one cannot be added under user MrX, under user SYSTEM it can be added though.
C:\Users\MrX\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileCoAuth.exe

The weirdest thing is, even if I add a very tight rule under SYSTEM, ReHIPS is not blocking its execution when I manually double click on FileCoAuth.exe.

fixer

Thank you for your report. This one requires some research. What OS version do you have, BTW?

Mr.X

#6
Windows 10 21H2 x64 Education EN

If you need to research in my computer be my guest. I do not store sensitive information on this machine.

Mr.X

Any news on this?

I want to keep exploring and make use of the anti-executable side of ReHIPS.

fixer

Should come back to it by the end of the week. In the meanwhile, a couple of questions.
1. Are you adding by clicking "+" button and manually browsing, from Log or somehow else?
2. What does the hint say when you hover your mouse over red path?

Mr.X

Quote from: fixer on November 04, 2022, 10:43:29 AM
    1. Are you adding by clicking "+" button and manually browsing, from Log or somehow else?
By clicking + button and manually browsing.

Quote from: fixer on November 04, 2022, 10:43:29 AM
    2. What does the hint say when you hover your mouse over red path?
This file doesn't exist or isn't valid

fixer

Since I miserably failed to take a look at it by the end of the week, try a workaround. Add it using a wildcard like
software_reporter_tool.ex?

Mr.X

Yes, it is possible to add it using a wildcard for both users MrX and SYSTEM:
*\software_reporter_tool.exe
The block rule still doesn't work though.
Double clicking on the executable effectively launches it again.

fixer

Looks like you slightly misused wildcards. Take a look at this blog post: https://forum.rehips.com/index.php?topic=9647.0

Your wildcarded path should be something like
C:\Users\MrX\AppData\Local\Google\Chrome\User Data\SwReporter\104.289.200\software_reporter_tool.ex?

Mr.X

#13
It worked. Even adding another wildcard worked:

C:\Users\MrX\AppData\Local\Google\Chrome\User Data\SwReporter\*\software_reporter_tool.ex?

I added that extra wildcard '*' because Google will increase the version number and this wildcard covers such a change.

What I don't quite understand is why the '?' at the end replaces the 'e' in .exe.
In my experience with other security apps, adding the complete 'exe' extension has never been an issue.
Even stranger to me is the fact that in some cases here on ReHIPS it actually works, this line for example:
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
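Added example (not from the thread or from ReHIPS itself): a small checker that tests candidate path rules against observed executable paths before they are deployed, so that a rule meant to survive a version bump can be verified offline. It assumes conventional glob semantics where '*' matches any run of characters inside a single path component and '?' matches exactly one character, with case-insensitive whole-path matching; ReHIPS's actual matching rules are described in the blog post fixer linked, and the future-version path below is constructed.

```python
import re

def rule_to_regex(rule: str) -> re.Pattern:
    """Compile a path rule into a regex.

    Assumed semantics (not verified against ReHIPS): '*' matches any run of
    characters within one path component (it does not cross a backslash),
    '?' matches exactly one character, everything else is literal, and the
    rule must cover the whole path, case-insensitively.
    """
    parts = []
    for ch in rule:
        if ch == "*":
            parts.append(r"[^\\]*")
        elif ch == "?":
            parts.append(r"[^\\]")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)

def rule_matches(rule: str, path: str) -> bool:
    return rule_to_regex(rule).fullmatch(path) is not None

def coverage(rules, paths):
    """Map each rule to the observed paths it matches, for review before deployment."""
    return {r: [p for p in paths if rule_matches(r, p)] for r in rules}

SWREPORTER = r"C:\Users\MrX\AppData\Local\Google\Chrome\User Data\SwReporter"
# Observed path from the thread, plus a constructed path for a future version.
OBSERVED_PATHS = [
    SWREPORTER + r"\104.289.200\software_reporter_tool.exe",
    SWREPORTER + r"\105.0.0\software_reporter_tool.exe",  # constructed
    r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
]
# The three rule variants discussed in the thread.
CANDIDATE_RULES = [
    r"*\software_reporter_tool.exe",
    SWREPORTER + r"\104.289.200\software_reporter_tool.ex?",
    SWREPORTER + r"\*\software_reporter_tool.ex?",
]

if __name__ == "__main__":
    for rule, hits in coverage(CANDIDATE_RULES, OBSERVED_PATHS).items():
        print(f"{rule}\n  matches {len(hits)} path(s): {hits}")
```

Under the assumed semantics the bare `*\software_reporter_tool.exe` rule matches nothing because '*' cannot span several directories, while the versioned-directory wildcard matches both the current and the future version.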


Mr.X

I think all the lines I worked on now seem to be blocking the executables correctly, except for one:

C:\Users\MrX\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileCoAuth.exe

I tried several wildcard variations and it keeps running when I double click on it.