Topic: Office 365 and Comodo HIPS

shmu26 (Comodo's Hero)
Office 365 and Comodo HIPS
« on: September 17, 2018, 01:16:28 PM »
I was running Office 365 Proplus on Windows 10 1803
Comodo Firewall 10, Firewall config
I got a HIPS block for OfficeClickToRun.exe.
This surprised me, because the file is internally signed by Microsoft.
Later, I saw that it is doing something funny with schtasks.exe.
The question is whether this block is expected behavior or not.
I will paste details on 2 logged events that seem related to the block.
(The logs are from different software, at a later time, so some details might be irrelevant.)

Date/Time: 2018-09-17 10:02:54.605

PID: 3416
Process Path: C:\Windows\System32\schtasks.exe
SHA1: 815A050FC4BD12C6CA0B62D38D0FB6F8A95F70A8
Signer:
Command Line: schtasks.exe /change /tn "Microsoft\Office\Office Automatic Updates 2.0" /enable
Parent: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
Parent SHA1: 5A3D059789DF052DC49B358D2B2E7F8ADEBB71B5
Parent Signer: Microsoft Corporation
Expression: -
Category: Alert Dialog
User/Domain: SYSTEM/NT AUTHORITY
Integrity Level: System
System File: True



Date/Time: 2018-09-17 10:02:31.831

PID: 920
Process Path: C:\Windows\System32\schtasks.exe
SHA1: 815A050FC4BD12C6CA0B62D38D0FB6F8A95F70A8
Signer:
Command Line: schtasks.exe /change /tn "Microsoft\Office\Office Automatic Updates" /enable
Parent: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
Parent SHA1: 5A3D059789DF052DC49B358D2B2E7F8ADEBB71B5
Parent Signer: Microsoft Corporation
Expression: -
Category: Alert Dialog
User/Domain: SYSTEM/NT AUTHORITY
Integrity Level: System
System File: True

futuretech (Global Moderator, Comodo's Hero)
Re: Office 365 and Comodo HIPS
« Reply #1 on: September 17, 2018, 01:42:51 PM »
Yes, if you have embedded code detection enabled for cmd.exe.

shmu26 (Comodo's Hero)
Re: Office 365 and Comodo HIPS
« Reply #2 on: September 17, 2018, 01:57:11 PM »
Yes, I did have it enabled, if I remember right.
But where do you see cmd.exe in the command line?

futuretech (Global Moderator, Comodo's Hero)
Re: Office 365 and Comodo HIPS
« Reply #3 on: September 17, 2018, 02:47:17 PM »
You don't need to see any reference to cmd.exe. The way the embedded code detection feature of CIS works is that when an application executes cmd with a command passed on its command line, it turns it into a script. In this case it went something like this: cmd /c schtasks /change /tn "Microsoft\Office\Office Automatic Updates 2.0" /enable
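Added example (Python), not code from this thread, from Comodo or from Microsoft: a small triage routine over the process-creation records shmu26 pasted, plus one constructed negative case, applying the reasoning in the reply above. schtasks.exe is a Windows system binary, so the useful signal is the parent that launched it, whether that parent is Microsoft-signed, and which task it touched. The `cmd /c` unwrapping follows the "something like this" description and is an assumption about how the command line may appear; the third record, its parent path and its SHA1 are constructed, and the field values in the first two are copied from the post.

```python
"""Triage schtasks.exe launches by parent and task, as discussed in the thread.

Added example, not the forum's, Comodo's or Microsoft's code. Records 1 and 2
in SAMPLE_LOG copy fields from shmu26's post; record 3 is constructed.
"""
import re

# Values taken from the logs in the original post.
MS_SIGNER = "Microsoft Corporation"
CLICKTORUN_EXE = (r"C:\Program Files\Common Files\microsoft shared"
                  r"\ClickToRun\OfficeClickToRun.exe")
OFFICE_UPDATE_TASK_PREFIX = r"Microsoft\Office\Office Automatic Updates"

# Assumption from futuretech's reply: the same action may arrive wrapped as
# "cmd /c schtasks ...", which CIS embedded code detection treats as a script.
CMD_WRAP_RE = re.compile(r'^cmd(?:\.exe)?\s+/c\s+', re.IGNORECASE)
TASK_CHANGE_RE = re.compile(
    r'^schtasks(?:\.exe)?\s+/change\s+/tn\s+"(?P<task>[^"]+)"\s+/enable\s*$',
    re.IGNORECASE)

SAMPLE_LOG = r"""
Date/Time: 2018-09-17 10:02:54.605
PID: 3416
Process Path: C:\Windows\System32\schtasks.exe
Signer:
Command Line: schtasks.exe /change /tn "Microsoft\Office\Office Automatic Updates 2.0" /enable
Parent: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
Parent Signer: Microsoft Corporation
System File: True

Date/Time: 2018-09-17 10:02:31.831
PID: 920
Process Path: C:\Windows\System32\schtasks.exe
Signer:
Command Line: schtasks.exe /change /tn "Microsoft\Office\Office Automatic Updates" /enable
Parent: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
Parent Signer: Microsoft Corporation
System File: True

# constructed negative case, not from the thread; same task change from an unsigned parent
Date/Time: 2018-09-17 10:05:00.000
PID: 4711
Process Path: C:\Windows\System32\schtasks.exe
Signer:
Command Line: cmd.exe /c schtasks /change /tn "Microsoft\Office\Office Automatic Updates 2.0" /enable
Parent: C:\Users\Public\updater.exe
Parent Signer:
System File: True
"""


def parse_records(text):
    """Split 'Key: Value' blocks into dicts; a new record starts at Date/Time."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Date/Time":
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records


def unwrap_cmd(cmdline):
    """Strip a leading 'cmd /c' so the wrapped and direct forms triage alike."""
    return CMD_WRAP_RE.sub("", cmdline.strip())


def triage(rec):
    """Return (verdict, reason); verdict is 'expected', 'review' or 'other'.

    The child's own 'Signer' field is empty in the posted log even though
    'System File' is True: Windows system binaries are commonly catalog-signed
    rather than carrying an embedded signature, so that field is not the signal.
    """
    child = rec.get("Process Path", "").lower()
    if not child.endswith("\\schtasks.exe"):
        return ("other", "not a schtasks.exe launch")
    m = TASK_CHANGE_RE.match(unwrap_cmd(rec.get("Command Line", "")))
    if m is None:
        return ("review", "schtasks with arguments outside the known update pattern")
    task = m.group("task")
    parent_is_clicktorun = rec.get("Parent", "").lower() == CLICKTORUN_EXE.lower()
    parent_is_ms_signed = rec.get("Parent Signer", "") == MS_SIGNER
    task_is_office_update = task.lower().startswith(OFFICE_UPDATE_TASK_PREFIX.lower())
    if parent_is_clicktorun and parent_is_ms_signed and task_is_office_update:
        return ("expected", "Office Click-to-Run (re-)enabling its own update task")
    return ("review", f"task {task} changed by unexpected parent {rec.get('Parent', '?')}")


def triage_log(text):
    """Triage every record in a pasted log; returns (pid, verdict, reason) tuples."""
    return [(r.get("PID"), *triage(r)) for r in parse_records(text)]


if __name__ == "__main__":
    for pid, verdict, reason in triage_log(SAMPLE_LOG):
        print(f"PID {pid}: {verdict} ({reason})")
```

The parent path is compared exactly on purpose: a binary with the same name in a different directory is exactly the case the rule should send to review, and a Microsoft signer string alone is not enough without the expected path.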

shmu26 (Comodo's Hero)
Re: Office 365 and Comodo HIPS
« Reply #4 on: September 17, 2018, 03:15:30 PM »
Interesting.
Is this unique to cmd.exe, or are there other processes for which embedded code detection can cause issues like this?

Ploget (Global Moderator, Comodo's Hero) - 'Your best teacher, is your last mistake' - Security & Privacy
Re: Office 365 and Comodo HIPS
« Reply #5 on: September 17, 2018, 04:02:54 PM »
Perfectly normal with Office 365.

Been running it now for 2+ years and get the same warning every time they update in the morning. Treat as Installer or Updater . . . .

Find it quite reassuring really 8)

> This surprised me, because the file is internally signed by Microsoft.
> Later, I saw that it is doing something funny with schtasks.exe.
> The question is whether this block is expected behavior or not.
Ploget -

Win10x64 Pro 1903 (18362.418) x 2  .  .  .  Win7x64 Pro x 1
CIS v.12.1.0.6914 (Pro) & CCAV v.2.0.470195.867
COS for Mozilla
. . . . . . . . . . . . . . . . . . . . . . .

futuretech (Global Moderator, Comodo's Hero)
Re: Office 365 and Comodo HIPS
« Reply #6 on: September 17, 2018, 04:19:58 PM »
> Interesting.
> Is this unique to cmd.exe, or are there other processes for which embedded code detection can cause issues like this?

Depends on what other applications you have enabled embedded code detection for.

shmu26 (Comodo's Hero)
Re: Office 365 and Comodo HIPS
« Reply #7 on: September 18, 2018, 12:19:17 AM »
> Perfectly normal with Office 365.
>
> Been running it now for 2+ years and get the same warning every time they update in the morning. Treat as Installer or Updater . . . .
>
> Find it quite reassuring really 8)

@Ploget, do you have embedded code detection enabled for cmd.exe, or is that not the issue here, in your opinion?

Ploget (Global Moderator, Comodo's Hero)
Re: Office 365 and Comodo HIPS
« Reply #8 on: September 18, 2018, 04:00:26 AM »
No, I don't have that enabled for cmd.exe.

I'm running Proactive with a few tweaks, but have never touched the default settings in those fields, so only Heuristic Command-Line Analysis is checked for that.

When Office Click to Run does its thing every week or so, I get the CIS warning about modifying a Protected Registry Setting . . . treat it as Installer / Updater and that's it.

> @Ploget, do you have embedded code detection enabled for cmd.exe, or is that not the issue here, in your opinion?

futuretech (Global Moderator, Comodo's Hero)
Re: Office 365 and Comodo HIPS
« Reply #9 on: September 18, 2018, 01:55:38 PM »
The question then becomes whether OfficeClickToRun.exe is rated trusted in the file list; if not, that could be why you had HIPS blocking.
