If application X is allowed certain functions, and it is also allowed to run a child process Y, does that mean Y process inherits all the HIPS settings of application X?
This application is spawned by “Diablo Immortal.exe” and it seems to run without triggering any hips alerts or log entries.
I have removed all certificates in the comodo vendor list and also disabled all the options that trust basically the whole internet thanks to those certificates, so I would have expected a HIPS alert when this application was launched?
Like if I launch something from command prompt (cmd.exe already having HIPS rules), I get a popup pretty much immediately with HIPS alerts, yet this application seems to just coast through everything, why is this?
Your obviously using hips in safe mode and the application is trusted in one of three ways. Either by file lookup service that you still have enabled, it is trusted by being created by a trusted installer, or it is trusted by whitelisted anti-virus file signature database. You need to view the file list and check the file rating tab of the file in question to see why it is given a trusted rating.
@FutureTech:
HIPS is running in Paranoid mode with popup requests disabled (Set to Block Requests).
Verbose Mode for popups (When I enable those, but I had an issue when updating to Win 10 21H2 that Windows would freeze with HIPS popups so now I do everything through the COmodo Log).
File Rating Settings: All Disabled
Vendor List (For certificates): Everything removed except for Comodo/Intel/Microsoft.
VirusScope: Disabled
If the application is detected as an installer/updater type of application and it has a trusted file rating, it won’t get blocked by HIPS even in paranoid mode. Same is true if it is executed by a parent process that is running as a trusted/installer, you can check the active process list of CIS to see if this is the case. Also if the application is running under the SYSTEM level account, some HIPS actions will not be detected and be allowed. It is possible the application doesn’t do anythng that would trigger HIPS alerts/blocking.
What happens if you run the application that is being run as a child process on its own, e.g. browse to the file path to where it is located and execute it from there? Do you get alerts or blocked events from the application after you execute it?
Nothing occurs when I launch the executable by itself, and no messages.
I see the process in ProcessExplorer and it launces with a cmd line argument:
/ipc MLIVECCPLAYERIPC00000D0C62C75D892711 /pid 3340 /videoinfo eyJ2aWRlb3VybCI6IlA6L0dhbWVzL0RpYWJsbyBJbW1vcnRhbC9QYWNrYWdlL01vdmllL3Z4X2RlbmdsdTAxLm1wNCIsImVuYWJsZV9zdHJlYW1fcmVjb3JkIjowLCJzdHJlYW1fUmVjb3JkX2ZpbGVfbWF4X2NvdW50cyI6LTE3NDQ4NDE0MTV9 /initstatus e30=
So it would seem it uses ipc to the parent process (pid 3340 is the parent) to playback video in that application.
It writes to two files in %userprofile%\Appdata\ROaming\CC\Logs\playersdk* which I guess is a folder area that Comodo will not trigger on?