Topic: Excluding Right Click Run Command Prompt Here As Administrator

cDreamDancer

  • Comodo Member
So I installed the powertoy to be able to open an administrator level command prompt on any folder.

But I cannot isolate just this with Comodo because EVERY TIME I do this, I get a UNIQUE script ID from the action.

I swear this auto-containment system is seriously bugged.

I added an exclusion rule to NOT tamper with powershell, but that just does away with the alerts; the command prompt is still isolated.

This can be proved by the fact that I can run:
dir /b >thisname.txt

And will not be able to find thisname.txt in Explorer; it only exists in the virtual container.

If I disable the auto-containment, I get a zillion new alerts from Comodo about this, that, and the other thing from HIPS!
2018-07-12 14:11:48 
C:\ProgramData\Comodo\Cis\tempscrpt\C_powershell.exe_8AF783CBB222E23876DAA5E91524FFE4E930AC06.ps1 
Create Process 
C:\Windows\System32\conhost.exe 

2018-07-12 14:12:22 
C:\ProgramData\Comodo\Cis\tempscrpt\C_powershell.exe_8AF783CBB222E23876DAA5E91524FFE4E930AC06.ps1 
Access Memory 
C:\Windows\explorer.exe 

2018-07-12 14:12:30 
C:\ProgramData\Comodo\Cis\tempscrpt\C_powershell.exe_8AF783CBB222E23876DAA5E91524FFE4E930AC06.ps1 
Modify Key 
HKUS\S-1-5-21-2169025747-476265085-4070312717-1000\Software\Microsoft\SystemCertificates\CA 

2018-07-12 14:12:37 
C:\ProgramData\Comodo\Cis\tempscrpt\C_powershell.exe_8AF783CBB222E23876DAA5E91524FFE4E930AC06.ps1 
Access COM Interface 
C:\Windows\System32\svchost.exe 

I should not be having to add this many rules to the system for a simple action, ...

And overall, the idea of having a global exclusion to powershell is a tad disturbing.

cDreamDancer

  • Comodo Member
Re: Excluding Right Click Run Command Prompt Here As Administrator
« Reply #1 on: July 12, 2018, 03:49:44 PM »
Just what part of Comodo is creating these temp files?

HIPS is disabled & Auto-Containment is disabled and I watched as ANOTHER unique script was opened.

futuretech

  • Global Moderator
Re: Excluding Right Click Run Command Prompt Here As Administrator
« Reply #2 on: July 12, 2018, 04:06:50 PM »
Embedded code detection for powershell.
