List of current bugs discussion

[safemode]

I've tried out your suggestion. The setting was at default (checked) all the time so I've tried again and now with unchecked setting.
However the issue still persists and also HIPS "Create rules for safe applications" doesn't work when executing a Trusted application elevated as SYSTEM.

So, no change...

Try opening up CIS interface > Tasks > Containment tasks > View Active processes > Under 'Rating' check if the application running as SYSTEM is rated as either Unknown/Installer or Trusted/Installer.

I think the issue maybe lies within the fact that Installer Detection cannot be turned off (even if disabling the suggested setting) but maybe I am mistaken and this has no relation to the issue you are reporting.

[prodex]

HIPS "Create rules for safe applications" doesn't work when executing a Trusted application elevated as SYSTEM.

Seemingly HIPS doesn't monitor Trusted or Unrecognized applications at all when they run elevated as SYSTEM...

I havn't activated  "Create rules for safe applications"

And of course some more settings to protect my PC as shown in the attechments.

Edit: Forgotten, I deactivated "trust files by trusted installers".

[C.O.M.O.D.O RT]

33. HIPS does not monitor access to COM Interfaces that are of InProcServer32 server type, so even when adding a COM object interface by its ProgID or CLSID to protected COM Interfaces, HIPS will not alert on access to that COM object by an unknown application.

Hi all,

Could anyone please elaborate the issue no - 33 as well.
We are checking on issue no -31 & 32.

Thanks
C.O.M.O.D.O RT

[CISfan]

Hello C.O.M.O.D.O RT,

Do you confirm issue no. 30 including not working "Create rules for safe applications" as elaborated in previous posts?

[C.O.M.O.D.O RT]

Hello C.O.M.O.D.O RT,

Do you confirm issue no. 30 including not working "Create rules for safe applications" as elaborated in previous posts?

Hi CISfan,

We have checked and couldn't able to reproduce the issue no - 30.
And for the "Create rules for safe application" issue, we did check the option "create rules for safe application" & HIPS in "safemode" and run some trusted application, the rules does created & listed in the hips rules setting as the "Create rules for safe application" is checked.
Or did we missed something to understand ?
May I know your:
1.Win version & system type(32bit/64bit) ?
2.CIS/CFW  version ?

Thanks
C.O.M.O.D.O RT

[CISfan]

Hi CISfan,

We have checked and couldn't able to reproduce the issue no - 30.
And for the "Create rules for safe application" issue, we did check the option "create rules for safe application" & HIPS in "safemode" and run some trusted application, the rules does created & listed in the hips rules setting as the "Create rules for safe application" is checked.
Or did we missed something to understand ?
May I know your:
1.Win version & system type(32bit/64bit) ?
2.CIS/CFW  version ?

Thanks
C.O.M.O.D.O RT

Hello C.O.M.O.D.O RT,

Answering your question 1 & 2 : V12.2.2.8012 (Firewall only) Windows 7 Ultimate 64-bit (clean install with all MS-updates)

Regarding the not working "Create rules for safe applications", did you run the Trusted applications elevated to SYSTEM ?
Note that when running the same Trusted applications normally (not elevated) "Create rules for safe applications" does work correctly. The issue happens when Trusted applications run elevated to SYSTEM, have you tried that?
Please also make sure to delete the Trusted application HIPS rule(s) before running the Trusted application to have HIPS re-create the rule when running the Trusted application.

Regarding issue no.30 (and the "Create rules for safe applications" issue) did you try to reproduce it on Windows 10, 8 and 7 ?

[C.O.M.O.D.O RT]

Hello C.O.M.O.D.O RT,

Answering your question 1 & 2 : V12.2.2.8012 (Firewall only) Windows 7 Ultimate 64-bit (clean install with all MS-updates)

Regarding the not working "Create rules for safe applications", did you run the Trusted applications elevated to SYSTEM ?
Note that when running the same Trusted applications normally (not elevated) "Create rules for safe applications" does work correctly. The issue happens when Trusted applications run elevated to SYSTEM, have you tried that?
Please also make sure to delete the Trusted application HIPS rule(s) before running the Trusted application to have HIPS re-create the rule when running the Trusted application.

Regarding issue no.30 (and the "Create rules for safe applications" issue) did you try to reproduce it on Windows 10, 8 and 7 ?

Hi CISfan,

We did run trusted application as "administrator" and checked the hips rules setting, the rules are being created for the trusted application which is ran as administrator.
Where the Hips is in "safemode" and the option "create rules for safe application" is checked
We have checked on win 10, 7 & 8 machines
So, we couldn't able to reproduce this issue.
 
Thanks
C.O.M.O.D.O RT

[CISfan]

Hi CISfan,

We did run trusted application as "administrator" and checked the hips rules setting, the rules are being created for the trusted application which is ran as administrator.
Where the Hips is in "safemode" and the option "create rules for safe application" is checked
We have checked on win 10, 7 & 8 machines
So, we couldn't able to reproduce this issue.
 
Thanks
C.O.M.O.D.O RT

Hello C.O.M.O.D.O RT,

Issue no.30 and the issue "Create rules for safe applications" only happen when applications first are elevated from "administrator" to "SYSTEM" before they are run. Please run the applications with SYSTEM credentials (not administrator) and check again.
Thank you.

[C.O.M.O.D.O RT]

Hello C.O.M.O.D.O RT,

Issue no.30 and the issue "Create rules for safe applications" only happen when applications first are elevated from "administrator" to "SYSTEM" before they are run. Please run the applications with SYSTEM credentials (not administrator) and check again.
Thank you.

Hi CISfan,

Could you please check your inbox for pm and respond.
 
Thanks
C.O.M.O.D.O RT

[futuretech]

Hi CISfan,

We have checked and couldn't able to reproduce, whoever added this issue no - 30 in the List of current bugs could please elaborate so that we will check and report this to the team.

Thanks
C.O.M.O.D.O RT

Run any keylogger or any application that can perform direct disk access such as a hex editor and run them as SYSTEM using process hacker run as feature. HIPS will not alert an automatically allow the action for the following HIPS access rights: Direct Disk, Direct Keyboard, Direct Monitor, Direct Physical Memory, Access to protected COM interfaces, DNS/RPC Client service, and Interprocess memory access.

[futuretech]

Hi all,

Could anyone please elaborate the issue no - 33 as well.
We are checking on issue no -31 & 32.

Thanks
C.O.M.O.D.O RT

One easy way to check is to get OleViewDotNet and then click registry menu then select Prog IDs to list all registered COM objects by their Program IDs, then expand the WindowsInstaller.Installer. Once you expand the COM object it should produce an alert for that specific COM object due the default COM interface WindowsInstaller.* being listed under protected COM interfaces. Now if you try to expand the InternetExplorer.Application.1 COM interface, you will get an alert for OLEview.net trying to access the protected COM interface of InternetExplorer.Application.1

[CISfan]

Run any keylogger or any application that can perform direct disk access such as a hex editor and run them as SYSTEM using process hacker run as feature. HIPS will not alert an automatically allow the action for the following HIPS access rights: Direct Disk, Direct Keyboard, Direct Monitor, Direct Physical Memory, Access to protected COM interfaces, DNS/RPC Client service, and Interprocess memory access.

I've provided C.O.M.O.D.O RT another "run as SYSTEM" method that I've used during testing issue no.30. I confirm that the process hacker run as feature yields the same issue result.

Could you replicate also the not working "Create rules for safe applications" issue, related to no.30, as described in my previous posts?

[C.O.M.O.D.O RT]

Run any keylogger or any application that can perform direct disk access such as a hex editor and run them as SYSTEM using process hacker run as feature. HIPS will not alert an automatically allow the action for the following HIPS access rights: Direct Disk, Direct Keyboard, Direct Monitor, Direct Physical Memory, Access to protected COM interfaces, DNS/RPC Client service, and Interprocess memory access.

Hi futuretech,

Could you please check your inbox for pm and respond.

Thanks
C.O.M.O.D.O RT

[ZorKas]

HIPS will not alert an automatically allow the action

Does it depend on the processes already requested ?

[C.O.M.O.D.O RT]

Hi all,

The issue no -30 & 31 has been reported to the team.
Thanks to futuretech for providing the detailed information & video for issue no -30 & 31.

Thanks
C.O.M.O.D.O RT