CIS on Windows 11 keeps blocking Task Manager

Go in Unlock application

Do you mean Unblock Application?

Make sure those files are also “Trusted” in the File Ratings list and add them as exclusion to Shell Code Injections under Miscellaneous settings.

Shouldn’t it be enough if I excluded them from auto containment? That seems like a lot of places and a lot of work for a legitimate application. And funny part is that some instances of those apps get blocked, but some don’t.

They are all interconnected. File rating plays a part in how containment, hips, firewall deal with files.

OK, that’s is WAY too complicated and doesn’t explain why some instances of some files get blocked but other instances of the same files don’t get blocked.

There could be a number of factors, if you could screenshot some of the blocked log entries, it might be possible to figure out why they are being blocked.

I posted them here - CIS on Windows 11 keeps blocking Task Manager - #61 by ComodoUser2025

And here’s more:

Thanks. In your Auto-Containment exclusions. Do you have “Don’t apply the selected action to child processes” unchecked in the Criteria?

image

Unchecked for all three CyberPower processes.

Thanks. Is Cyber Power a trusted vendor in the vendor’s list? What;s the file rating for the servicemonitor? Just trying to figure which element of CIS is causing for it to be contaned and whether is connected with fiel rating, powershell scripts etc.

Where is this vendor’s list?

Under File Rating “Trusted Vendors”

I think it’s this one:

image

Right so it’s not the vendor because you’ve have it as trusted. What’s the file rating for the pppServiceMonitor.exe. Part of me is thinking you may need to add it to Shellcode Injection Exclusions.

Thanks. That narrows it down to the behaviour of the files. Can you try creating a HIPS rule for pppServiceManager.exe as preset “Installer or Updater”? You may need to reboot after to test it.

I currently have it set this way:

image

Should I still change it to Installer/Updater?

Yes. That way it’s allowed to do things like acessing memory and terminating processes etc. Basically, it’s completely allowing the application whereas allowed is still partially restricted based on protected objects etc.