So if it still contains the powershell scripts then either increase the number of parent process level, or enable HIPS to see which process is attempting to start the script and use that process as the parent process for the ignore rule.
Tried increasing the parent process level. At 2 no change, but at 3 chaos - 122 unrecognised files - 40 blocked and still counting. So I have gone back to 1 parent process level. Just enabled HIPS but not sure what I am looking for, but I will wait and see what happens.
I turned on HIPS and straight away it spat out the unrecognised files. I have had to turn HIPS off again as it is blocking OneDrive updating files.
It seemed to me that it was the AsusSystemAnalysis.exe was the program that created the processes. So I have created five ignore rules that cover any ASUS folders that generate any of the offending scripts.
I have attached an image of the explorer folders that contain the offending program, an image of the rules I set up and a copy of the HIPS log. I would be grateful for your further thoughts on what I have done.
The Ignore Rules didn’t work and I am getting at least 6-8 notifications and blocked files a day. I am tearing my hair out and really considering ditching Comodo as no-one seems to be of help. Really disappointed :-.
Could you do:
- Open “File Rating → File List”
- Select (click on) a file called “C:\Users\ASUS\AppData\Local\Temp<whatever random name>.bat”
- Then click on the “File Details” button in the button bar which opens a “File Details” window of the selected .bat file (double clicking on the .bat file in step 2 does the same).
- Submit a screen capture of “File Details” window here.
The screen capture of the “File Details” window of the selected .bat file may provide some more info to solve the issue…
Hi CISfan
I have looked at the file details of both the .bat and .psi files and included a screenshot of the details of the last few days. I have had 310 unrecognised files generated in the last 6 or 7 days. It is stealing so much time I must get this issue sorted soon. I can’t understand why the ignore rules I set up for the ASUS folder don’t work. I am sure I must be setting them up incorrectly, but the CIS Help doesn’t explain things in terms a numptie like me will understand.
Thanks for providing the screenshot but unfortunately it isn’t the right screenshot (it does provide some extra information though).
Please see the attached “FileList_Windward10.jpg” image which shows you how to open the File Details window of a “.bat” file on the File List.
An example of how the File Details window looks like is attached as “FileDetailsWindow_Example.jpg”.
Please try again to submit a screenshot of the “.bat” File Details window.
Unfortunately it is the .ps1 files that are causing the main problems.
I am not sure if the rule I set up for Onedrive is working but if I look in the logs OneDrive has run today and been ignored.
I have attached a copy of the file details for the last .ps1 when I clicked on it. The original screenshot showed the content of all the last few .ps1 files. Unfortunately whatever updater is causing the scripts to run has tried to run 165 times since 6pm.
Ah I see, my mistake.
Unfortunately the .ps1 File Details don’t reveal any useful information, the “Origin” and “Created by” info are unknown.
I have to give this issue back to the mods or to Staff how to tackle and solve this script problem for you.
I hope they will respond and provide clear information on how to solve script issues in general.
Thanks for the try. I am not sure how to give this back or where to go from here.
You’re welcome.
They do read these posts too, don’t worry. It may just take some time before they respond.
These kind of script issues have to be solved in some way, anyone can get stuck on this.
P.S.
If you happen to have a “.bat” on the File List then provide a screenshot of the File Details as well. Maybe that screenshot reveals information about the “Origin” and “Created by” for those .bat files which may be the same for the .ps1 files, but I don’t know for sure it is just a guess…
Hi Windward10,
Sorry for the trouble. We have asked our back end team to check, we will reach you through Private message to get required logs.
Hi Windward10,
Thanks for providing the requested log. Will forward the log to developer for investigation.
I have had to return the ASUS Laptop as there was an intermittent fault with the WiFi and Bluetooth. I upgraded to a newer ASUS model and the same scripts are being run every day. Probably 50 unrecognised files run virtually over the last 6 days. I assume as they are being run virtually no real ASUS maintenance updates will be being done and I imagine this is an issue for any ASUS user that has installed CIS. I cannot believe that I am the only one who has had problems with two individual machines.
Any news on the developers???
They are not going to be able to do anything about it other than guide you with the same steps to create the rule already explained before. But you are better off disabling embedded-code detection for powershell.
I am not sure why they are not going to be able to do anything about a problem which must affect most ASUS laptops. I cannot believe I have had the only two that CIS has caused this issue with. Surely it is in COMODO’s interest to find a solution.
Re the same steps to set up the rules. I thank you for your earlier guidance, but I either was setting up the rules wrongly or they didn’t sort the issue out. I would appreciate someone looking over the rules and telling me where I am going wrong.
Re disabling embedded-code detection for powershell Is this disabling script analysis?? I thought someone suggested that was a bad idea. If it is not disabling script analysis then I don’t know how to do that?
Have a look at attached image, toggle the indicated switch from Green (= on) to Grey (= off) to switch off the Embedded Code Detection for powershell.
With this you don’t switch off Script Analysis completely but only for powershell.
Hope this is a solution for you.