CIS 12.0.0.6882 - Application bypassing HIPS then freezing?

Hi,

I am trying to use this tool to script multimonitor setup and I noticed some weird behaviour from CIS.

Some information:

  • I am running HIPS in Paranoid mode.
  • The application shows up as “Unrecognized” on the Trusted File List
    file hash: F6E09239E3339B281B7DBC5A18C7ECAC88DF8977

The issue:
I am able to launch the application without getting a single HIPS popup. Most often when I launch an application I’d at least get a popup that the application requires access to KsecDD, or a registry key.
For this app - nothing.

I can launch it, and save files to the file system without any prompts. When it launches without any command line parameters it displays monitor information from all attached monitors, so this is either through WMI, Registry or Direct Hardware – how can it do this without triggering anything from HIPS?

When I attempt to change display resolution, everything freezes. This has normally been the case when the app does something with keyboard/monitor at the same time as Comodo pops up a notification requiring user interaction, and since everything is frozen I have to do a hard-reset. When this occurs, nothing is logged in the Comodo log either, so I cannot find the event afterwards and approve/deny it. Nor will Comodo “auto-block” the popup after a time period, so there is no point waiting for the situation to improve.

So: Any ideas?

  • How can it bypass Comodo entirely?
  • Is it possible for the Comodo notifications to auto-select an option after a set time period, or to avoid freezing the computer whenever a prompt appears? (This happens a lot with games when I do not immediately apply a pre-defined rule with some basic settings for directinput/draw and keyboard).

Edit:
I now ran with HIPS set to ‘block’ everything as an automatic rule.
The application ran successfully and was able to poll monitors, registry location and everything. In addition I was able to successfully manipulate the 2nd monitor, adjust resolution and orientation.
All the while, this application was “blocked”.

The HIPS Log shows this: (image) - how can the application work perfectly while HIPS is supposed to be blocking everything?
Is it because the single setting “Monitor Direct Access” isn’t flagged in HIPS I wonder - but surely something else should’ve triggered while running the app and writing files.

In Windows 10 it is not recommended to use HIPS in Paranoid mode unless you are an expert user; even so, you need to configure the permissions of system files in the HIPS module before a reboot or restart.

Sorry for my English…

HIPS enabled in firewall config or internet config is not the same as using HIPS with the proactive configuration, and you need to specify which areas on the file system you want to protect against modification using the protected files section. Finally, not all actions are covered by HIPS, especially if they don’t really pose a security threat, e.g. getting a list of installed monitors.

Shouldn’t the setting “HIPS Settings->Monitoring Settings->Computer Monitor” - which is enabled by default - trigger HIPS when an application tries to access one or more computer monitors?

Surely these configurations are just default options set and the user can configure their “internet security” baseline configuration to work like “Proactive”, or are you saying that, unless the user has picked the ‘Proactive’ setting in the configuration, certain features of CIS will be unavailable?

My HIPS Settings are:

HIPS: Enabled
Paranoid mode.
Verbose
Timeout 360
Monitoring settings: Everything checked.

File Rating Settings: Everything disabled.
Vendor List: Everything but Comodo, Microsoft and Intel is deleted.
File List: Most Windows executables and other files listed as ‘Trusted’, some other drivers and utilities, nothing else.

I fail to see how this application, that triggered so many things can function at all, and especially how it is allowed to write to disk, as so many applications I have made configurations for -do- get a popup from CIS when they try to write to a file, but, perhaps this means that the prompts are meaningless?

Edit:
Just for testing I ran the application with everything on block, it works fine.
I try to save a file with extension .cfg and it goes ok.
I try to save a file with extension .dll and it fails, so I guess this was a misunderstanding on my part and good to have confirmed wrt. the behaviour.

I restart the application, now with no popup:block disabled.
Startup works fine, it is able to poll all the monitors and get their registry information from hklm\system\currentcontrolset\control\class*
Pressing ‘save’ I get a popup with request for access to Explorer in memory, \Device\KsecDD, \Explorer\IconCache_idx.db, \Device\MountPointManager, SvcHost, Direct Keyboard Access (Guessing it allows normal WM events without globally hooking all input), a registry key for fileExt.xml.

The application also (with everything blocked) shows a list of all windows on the screen, their dimensions and state, window class, process path and name.

So;
It seems that applications will work even when all these requests are blocked, which I guess just means Windows is wasting a lot of resources loading stuff it doesn’t need (no surprise there) or it just means that this application is very efficiently coded - which it probably is judging from all the tools the creator has made available.

Guessing also that this registry hive isn’t considered important and thus applications can read/modify it without being triggered by HIPS.

  • Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class{4d36e96e-e325-11ce-bfc…
    It contains basic information about devices connected.

So - learned something new. And it is basically just about the Protected Objects list.
Is this list longer in Proactive mode?

Proactive mode gives a user more access to options; it’s that simple. Like Windows Sockets Interface, for example, which unlocks the power of the Firewall and the HIPS options if you are concerned with traffic control!

A lot of users over the years have claimed to run HIPS in Paranoid mode; only a few can prove it.

Proactive Security config lacks other settings which are only found in the other configs (like Firewall Security) unfortunately.

Which are those settings lacking in Proactive config that do exist in Firewall Security config? By reading Forum posts of mods and devs alike over the years and even CIS help manuals, I’ve always got the impression that Proactive config is the most complete/strongest CIS config regarding Protected Objects, self-protection, overall protection level, etc. Maybe this is not entirely true?

Somewhere last year I compared the default Proactive config against the default Firewall config (both configs were created right after a fresh CIS install) just out of curiosity to see in what settings they differ. No doubt the Proactive config has better (if not the best) protection settings but I found Containment settings in the Firewall config which were not present in the Proactive config. Of course, the opposite is also true, there are settings in the Proactive config which are not present in the Firewall config.
Treating the Proactive config as the most sophisticated config, I would not expect it to have fewer Containment settings. As I don’t have V12 installed I can’t exactly pinpoint the GUI Containment settings which relate to the found differences.

Proactive does not lack anything, especially for auto-containment rules; just because it has fewer rules does not mean it is less effective. Internet and firewall config will only contain applications that meet specific conditions, whereas proactive will contain all unrecognized applications regardless of the condition in which they are introduced to the system.

Which options does it give access to?
What more does it offer under Windows Sockets Interface outside of access to device/nsi? Does Proactive mode offer more ‘default’ settings and options under ‘protected objects’ for example, or under ‘monitoring settings’?

Attached screenshot of running in Paranoid mode and example config.

Both, as all options are checked under monitoring settings, and protected objects lists more file and COM groups, which have additional items in those groups that are not found in the other configurations.

Forest for the trees. That one rule available only in Proactive Mode bricks traffic for any application.

How should we read / interpret the word “bricks” in this context?
Does the rule imply to brick the traffic for any application on purpose?
Is it a wanted or an unwanted effect of the rule to brick the traffic?

Thought the implication would have been clear. If an application is blocked with this rule then it can’t possibly access the internet discounting more sophisticated software that use windows services to back door data.