I need to ask for help with multiple alerts from HIPS and Containment.
This is my situation.
I install an application. The application has an enormous number of small programs and scripts in folders like .\bin, .\sys, \lib, .\scripts etc., which are executed when the application starts or when I run the app. I always create a new entry in File Groups and add the whole folders, e.g. C:\Program Files\Application\bin*, C:\Program Files\Application\sys*. Then this group is added to the required CIS components, and this is almost always HIPS → HIPS Rules and Allowed Application, Containment → Auto-containment and Ignore. Usually, I don’t need to set up the Firewall.
What I don’t understand is after setting up CIS this way for the given Application, I still get multiple alerts about every single file or script, even though CIS has already rules for them. After some fiddling, I realised CIS can still complain about any file if the source is untrusted. Fair enough.
My question is: what can I do to make CIS understand I trust all the files from the same folder belonging to the same application? I know I can add individual files to File Rating → File List, but what if I have hundreds or thousands of them in multiple applications? Can I somehow utilise the File Group I create for every one of them?
This has been going on with many applications, examples:
- Anaconda Python Environment - there is a HUUUGE number of small binary *.exe files and *.py Python scripts which CIS complains about
- Ubuntu for Windows 10 - every executable file in *\usr\bin, *\usr\local\bin, *\usr\sbin is not recognised, and again I get multiple alerts when just starting Ubuntu
- Git - the same situation - every bloody file in its bin folder is not recognised.
Before I attempt to answer this I will say, by making CIS components ignore entire folders you might be putting yourself at additional risk. For example in the event malware is dropped into said folder. I also do not guarantee the accuracy, quality or correctness of the following information, it is provided AS IS and if you choose to use it, you use it fully at your own risk.
With that said, you might be able to do something like the following:
First of all, make sure you know where all executables are stored for your application. You can also look in the CIS Logs to see if there is anything that you have missed that CIS is blocking.
- File Rating - You can create a file group for all the folders that you would like to be ignored
- Auto-Containment - You can add a New Ignore rule and apply it to the file group. You can place this ignore rule above Metro Apps.
- HIPS - You can add a new HIPS rule and apply it to the file group. You can select the ‘Allowed Application’ next to ‘Use Ruleset’. You can then place this at the top of the list.
- Advanced Settings > Script Analysis - You can deselect Embedded code detection for all applications that your program uses to process scripts e.g. python.exe (Note this will disable embedded code detection for these applications used to process scripts globally on your system, not just for your listed programs that you are trying to whitelist)
Finally you can reset the sandbox and try launching your application again.
Note: Clearing/resetting the CIS Sandbox will close all processes, and delete files that are currently saved, within the CIS Sandbox. If you are unsure, you should check that nothing needed is stored within the sandbox first.
P.S. Alternatively, you can submit your applications to be whitelisted in this forum. If the application is processing scripts via python.exe, etc., these might still be blocked unless you follow the steps for ‘Advanced Settings > Script Analysis’.
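The first step above says to find out where all of an application’s executables live before building the File Group. The following script is an added example, not from this thread or from Comodo: it walks an assumed install folder (the `$Root` path is a placeholder), prints one wildcard entry per folder that actually holds executables or scripts, and checks which PE files carry a valid Authenticode signature, since unsigned files are the ones CIS tends to file as “Unrecognized”.

```powershell
# Added example (not from the thread or from Comodo). Inventory the executables
# under an application folder so you know which sub-folders to put in a CIS File
# Group, and see how many PE files are unsigned. $Root is an assumed path.
param(
    [string]$Root = 'C:\Program Files\Application'   # assumed install folder
)

# Extensions CIS typically alerts on for this kind of application
$patterns = '*.exe', '*.dll', '*.py', '*.ps1', '*.bat', '*.cmd'

$files = Get-ChildItem -Path $Root -Recurse -File -Include $patterns -ErrorAction SilentlyContinue

# One File Group entry per folder that contains executables/scripts, written in
# the wildcard form used in the File Group editor (folder path followed by '*').
$groupEntries = $files |
    Group-Object DirectoryName |
    Sort-Object Count -Descending |
    ForEach-Object {
        [pscustomobject]@{
            FileGroupEntry = (Join-Path $_.Name '*')
            Files          = $_.Count
        }
    }

# Signature check only applies to PE files; scripts run through python.exe etc.
# are handled by Script Analysis (embedded code detection), not by file rating.
$peFiles  = $files | Where-Object { $_.Extension -in '.exe', '.dll' }
$signed   = @()
$unsigned = @()
foreach ($f in $peFiles) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    if ($sig.Status -eq 'Valid') { $signed += $f.FullName } else { $unsigned += $f.FullName }
}

'Folders to add to the File Group:'
$groupEntries | Format-Table -AutoSize

'PE files: {0} signed, {1} unsigned (the unsigned ones are the likely "Unrecognized" entries)' -f $signed.Count, $unsigned.Count
$unsigned | Select-Object -First 20
```

Compare the unsigned list against what CIS shows under File Rating → File List; any folder that appears there but not in the File Group output is one you have missed.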
You are most likely getting alerts for “run an executable” which is set to ask for the allowed application HIPS predefined ruleset, so you need to change it to the Windows System Applications ruleset.
I set the Allowed Application rule for the specific folders and put a rule in HIPS and Auto-containment, in both cases at the top of the lists. I checked that the Allowed Application rule should not ask for executables. However, CIS still pops up all the alerts for every single one of the scripts/applications. It looks like File List ignores everything if the file source is not trusted, meaning that however I configure CIS, I will still get an alert. I might be wrong.
As an example, installing WSL creates a structure similar to Linux in \AppData\Local\Packages\CanonicalGroupLimited.Ubuntu20.04onWindows…\LocalStates\rootfs. This folder contains multiple executables and shared libraries in bin/, sbin/, lib/, lib32/, lib64/, /home/user/.local/bin, etc. As you can see, this is not a matter of ignoring one file. That’s why I thought about a File Group and an ignore rule for that File Group.
Having said that, I definitely understood the risk and am even more concerned about the consequences. Let’s say I want to configure CIS in a proper way to run Windows Subsystem for Linux (WSL) in Windows 10. How would you recommend doing that?
Sorry for the inconvenience.
Alerts can show when script analysis is activated.
You can try to add unknown or unrecognised files in settings:
The Allowed Application ruleset does not allow running executables, so you will get asked on every attempt of process execution. You need to use the Windows System Applications ruleset to allow the ‘run an executable’ access right for the file group in HIPS rules.
My apology, I did not see Modify (1\0) in the column Exclusions. I thought it meant to stop executables and ask to run them.
I selected the ruleset Windows System Application for all files, and it seems the pop-ups stopped showing up. However, the files are still being collected in File List as “Unrecognized”. I am trying to submit all the files, but I think it’s going to take some time. I don’t know if I am doing this right.
I am afraid I have to bring this back, as I haven’t really understood if there is an answer. What’s the best way to configure CIS for this kind of application? Is adding every single file to a File Group and then setting the ruleset to Windows System Application in HIPS the correct way?
There is still the File List, which has now collected hundreds of files from the WSL application and categorised them as “Unrecognized”. I read the Help about the File List, and I know the files have no signatures and are considered as from an untrusted source. I was wondering if there is any way to Trust the main process which runs other processes and consider them Trusted as well. I really don’t know what would be the best way to proceed.
You can override Comodo’s own rating for those files in the file list by changing them to trusted, but once they change again from being updated, they will most likely go back to the unrecognized rating. The rules are used so that applications will continue to work regardless of their rating.