CIS blocking its own scripts from running?

A. THE BUG/ISSUE (Varies from issue to issue)
Can you reproduce the problem & if so how reliably?:
Yes. Just wait and it periodically pops up

If you can, exact steps to reproduce. If not, exactly what you did & what happened:
1:Enable HIPS
2:Wait
3:Popup eventually shows

One or two sentences explaining what actually happened:
Popup shows CIS blocking itself?

One or two sentences explaining what you expected to happen:

  1. CIS should trust svchost?
  2. CIS should trust its own files/scripts?

Any software except CIS/OS involved? If so - name, & exact version:
Just windows with CIS as only security software

Any other information, eg your guess at the cause, how you tried to fix it etc:
I think this started to happen after a Comodo self-update

B. YOUR SETUP
Exact CIS version & configuration:
10.0.2.6408

Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:
D+/HIPS enabled in “Safe mode” with “Create rules for safe applications” enabled

Have you made any other changes to the default config? (egs here.):
Disabled Website filtering. Enabled “Create rules for safe applications” also for firewall

Have you updated (without uninstall) from CIS 5, 6 or 7?:
No

Have you imported a config from a previous version of CIS:
Just from previous CIS 10 branch

if so, have you tried a standard config - if not please do:
I will after this.

OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
Windows 10 compilation 1709

Other security/s’box software a) currently installed b) installed since OS, including initial trial security software included with system:
No. Just CIS since last windows clean installation.

Hi,
This is not a bug. What you are seeing is CIS’s feature for protection against file-less malware: CIS has created a temporary file out of command line arguments, placed that file under “C:\ProgramData\Comodo\Cis\tempscrpt” and then executed those contents as a temporary file so that the user could decide.

Thanks
-umesh

Very well. But should I allow this with “remember”? Classify svchost as a Windows system application? What is the correct way to handle this?

Yes, we have a little bit of a usability problem there, which we plan to fix down the road.
We should be able to identify exactly which application introduced those commands and notify the user so he can make a better decision.

You shouldn’t use “create rules for safe applications”, as it will cause your rules to be deleted over time when many rules are created automatically and under heavy system use. It will also cause a performance hit due to CIS having to create rules on the fly and parse existing rules whenever any application runs.

Svchost is by default part of the Windows System Applications file group, which uses the Windows System Applications HIPS ruleset, but it was most likely overridden by “create rules for safe applications”, which caused a separate rule for svchost to be created and thus generated the alert to execute the embedded script.

Hi luminoso,
Would you like to try CCAV, available here, and share your opinion about the improved alert?
https://forums.comodo.com/beta-corner-ccav/comodo-cloud-antivirus-v115435004610-beta-t121111.0.html

Thanks
-umesh

Sure. Installing it now :smiley:

Dear experts: I run CIS with Safe mode for HIPS and, starting February 1 (2018), it is periodically asking me to allow cmd.exe to run these scripts from

C:\ProgramData\Comodo\Cis\tempscrpt

C_powershell.exe_3F99604948B59D88C8EF2BE5383269B9A1F7A68A.ps1
C_powershell.exe_70714EA77E35ED0BF673A8514A7CBB4DD5D48879.ps1
C_powershell.exe_F664F4DDED240C3185BAA6B2A89CA0AF6A50A1C5.ps1

Are these (apparently Comodo) 3 scripts safe to run and if so, why does not HIPS auto-recognize them?

Contents of the three scripts (I replaced my username with …):

-executionpolicy bypass -command "Import-Module C:\Users.…\AppData\Local\Temp\CVE\SpeculationControl\SpeculationControl.psm1;Get-SpeculationControlSettings | Out-File C:\Users.…\AppData\Local\Temp\CVE\result.txt"

-executionpolicy bypass -command "Import-Module C:\Users.…\AppData\Local\Temp\CVE\PSWindowsUpdate\PSWindowsUpdate.psm1;$result = Get-WURebootStatus -Silent;$result = 'RebootRequired: ' + $result;$result | Out-File C:\Users.…\AppData\Local\Temp\CVE\result.txt -Append"

-executionpolicy bypass -command "Import-Module C:\Users.…\AppData\Local\Temp\CVE\PSWindowsUpdate\PSWindowsUpdate.psm1;$result = Get-WUInstallerStatus;$result = 'WUInstallerStatus: ' + $result;$result | Out-File C:\Users.…\AppData\Local\Temp\CVE\result.txt -Append"

Hi justin_smith,
When CIS detects that command lines are being passed to some interpreters, in your case cmd.exe, it creates a temporary file, stores it under the “C:\ProgramData\Comodo\Cis\tempscrpt” folder and runs it from that folder, giving you a chance to whitelist.

So these are not Comodo files.

We have made some significant changes to improve the user experience on this part in Comodo Cloud Antivirus, and we will soon be porting those into Comodo Internet Security.

Could you please install Comodo Cloud Antivirus to see what application is executing these commands via cmd.exe?

Thanks
-umesh
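As an added triage aid for the mechanism umesh describes (this is not code from the thread or from Comodo), the PowerShell below inventories the captured files under the tempscrpt folder named above, splits the interpreter name and the 40-hex-character suffix out of the filename pattern shown (C_powershell.exe_<40 hex>.ps1), and flags command-line fragments worth a closer look before answering a HIPS alert. The marker list and the assumption that the hex suffix is a hash are this example's own; it also covers the captured batch file in the later report on this page.

```powershell
# Added triage helper for this thread; not Comodo's code.
# Directory and filename pattern (C_<interpreter>_<40 hex>.<ext>) come from the
# posts above; the marker list is this example's own assumption, not a CIS rule.
$TempScriptDir = 'C:\ProgramData\Comodo\Cis\tempscrpt'
$Markers = @('-executionpolicy bypass', '-EncodedCommand', 'Invoke-Expression',
             'DownloadString', 'FromBase64String', '-WindowStyle Hidden')

function Get-CisCapturedScript {
    param([string]$Path = $TempScriptDir)

    Get-ChildItem -Path $Path -File -ErrorAction Stop | ForEach-Object {
        # Example name from the thread: C_powershell.exe_3F99604948B59D88C8EF2BE5383269B9A1F7A68A.ps1
        $m = [regex]::Match($_.Name, '^C_(?<interp>.+?)_(?<hash>[0-9A-Fa-f]{40})\.(?<ext>\w+)$')
        $interp = if ($m.Success) { $m.Groups['interp'].Value } else { '(unparsed)' }
        $hash   = if ($m.Success) { $m.Groups['hash'].Value }   else { '(unparsed)' }

        # Captured command line, flattened to one line for the preview column.
        $text = Get-Content -Path $_.FullName -Raw -ErrorAction SilentlyContinue
        if (-not $text) { $text = '' }
        $flat = ($text -replace '\s+', ' ').Trim()

        # Markers present in the captured command line (case-insensitive match).
        $hits = @($Markers | Where-Object { $flat -imatch [regex]::Escape($_) })

        [pscustomobject]@{
            Captured    = $_.LastWriteTime
            Interpreter = $interp
            Hash        = $hash
            Markers     = ($hits -join ', ')
            Preview     = $flat.Substring(0, [Math]::Min(140, $flat.Length))
            File        = $_.FullName
        }
    }
}

# Newest captures first; review Preview and Markers before answering the HIPS alert.
Get-CisCapturedScript | Sort-Object Captured -Descending | Format-Table -AutoSize -Wrap
```

The Preview column is what lets you tell a benign capture such as the SpeculationControl check quoted above from something that warrants investigation; the file itself says nothing about which application handed the command line to the interpreter.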

Thanks umesh, I had incorrectly assumed that since the file path is under the “C:\ProgramData\Comodo” directory, these were Comodo scripts, and I have been periodically allowing them through! Doh! (Perhaps you can add a message to the alert indicating these are NOT Comodo-specific scripts, to avoid this confusion? :slight_smile: )

I already have Comodo AV installed and enabled on this specific box, but without Cloud. To enable Cloud option for it, I assume I need to do so under File Rating → File Rating Settings menu, is that right?

Sometimes this computer is on VPN and needs a proxy - do I set that setting somewhere then?

Once the alert comes up again, do I click somewhere to tell me what the Cloud says?

Thanks!

Hi justin_smith,
We have improved the message in Comodo Cloud Antivirus; you can download it from the following location:
https://antivirus.comodo.com/cloud-antivirus.php

We will be bringing those changes in Comodo Internet Security (CIS) as well.

Please see if you could disable CIS’s Sandbox, try Comodo Cloud Antivirus on the same system and see the message coming from Comodo Cloud Antivirus.
It has the same Sandbox as CIS.

Thanks
-umesh

Thanks umesh, unfortunately, on this specific box, I try not to (and cannot) disturb the setup too much and I don’t see this happening on other boxes. Once this is integrated into CIS, would it be able to tell me who is calling this cmd.exe without the Cloud setup enabled?

Do you happen to know when this integration may happen (e.g. which CIS version)?

Yes, CIS will report the actual application invoking cmd.exe. We hope to have an updated CIS version within the next two releases, hopefully by April 2018 at the latest.

Great, thanks a lot!

A. THE BUG/ISSUE (Varies from issue to issue)
Can you reproduce the problem & if so how reliably?:
Yes

If you can, exact steps to reproduce. If not, exactly what you did & what happened:

  1. Clean the Batch file inside *\ProgramData\Comodo\Cis\tempscrpt
  2. Reboot the computer

One or two sentences explaining what actually happened:
After I reboot the computer,
Comodo Internet Security will create the Batch file inside *\ProgramData\Comodo\Cis\tempscrpt.
The Batch file will execute conhost.exe, but the rating of the Batch file is Unrecognized.
One or two sentences explaining what you expected to happen:
The Batch file should be rated Trusted.
If a software compatibility problem have you tried the advice to make programs work with CIS?:
N/A
Any software except CIS/OS involved? If so - name, & exact version:
N/A
Any other information, eg your guess at the cause, how you tried to fix it etc:
The Log of Comodo Internet Security:

The sample of The batch file:

B. YOUR SETUP
Exact CIS version & configuration:
Comodo Internet Security Beta 10.2.0.6504

Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:
Firewall - Safe mode
Auto-Containment - Enabled
HIPS - Safe Mode
VirusScope - Enabled
Website Filtering - Disabled

Have you made any other changes to the default config? (egs here.):
Yes

My Config:

Have you updated (without uninstall) from CIS 5, 6 or 7?:
No
if so, have you tried a clean reinstall - if not please do?:
N/A
Have you imported a config from a previous version of CIS:
Yes
if so, have you tried a standard config - if not please do:
N/A
OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
OS: Windows 10 build 1709 64-bit
Account type: Admin
Virtual machine: not used

Other security/s’box software a) currently installed b) installed since OS, including initial trial security software included with system:
Bitdefender antivirus free
RansomFree

Not a bug, and those scripts are not part of CIS; they look to be generated by installed Intel software. This is caused by the embedded code detection feature of CIS, which takes embedded command lines and converts them into a file.