V12.2.2.7036 (Firewall only) Windows 7 Ultimate 64-bit
The behavior below applies to Trusted applications in general.
HIPS Settings: Enabled in Safe mode
Steps to reproduce:
1) Go to “HIPS->HIPS Rules” and add a Custom Ruleset for “C:\Windows\System32\notepad.exe” and set all “Access Name->Action” to “Block” (so 14 “Action->Block” in total) and leave all “Exclusions” and “PROTECTION SETTINGS” to default setting.
See attached image “HIPSCISOverrulesCustomRule1.jpg”
2) Start “C:\Windows\System32\notepad.exe” and type as quickly as you can about 30 to 40 short lines containing some random text.
3) Close notepad and select “Don’t Save” the changes (just discard what has been typed).
4) Go back to the HIPS Custom Ruleset for “C:\Windows\System32\notepad.exe” and check if all “Access Name->Action” items are still set to “Block” (it should be, still 14 “Action->Block” in total).
See attached image “HIPSCISOverrulesCustomRule1.jpg”
5) Now set “Access Name->Keyboard->Action” to “Ask” (leaving 13 “Action->Block” with 1 “Action->Ask”).
See attached image “HIPSCISOverrulesCustomRule2.jpg”
6) Do the same as stated in step 2)
7) Do the same as stated in step 3)
8) Go back again to the HIPS Custom Ruleset for “C:\Windows\System32\notepad.exe” and check again if all “Access Name->Action” items are still set to “Block” except for “Access Name->Keyboard” which should be set to “Ask”.
Now, nearly all “Access Name->Action” settings have been overruled / modified / altered by CIS. There are only 3 “Access Name->Action->Block” items left and everything else is set by CIS to “Allow”.
See attached image “HIPSCISOverrulesCustomRule3.jpg”
When all the above steps are repeated for an Unrecognized application, the result of step 8) is the same as shown in attached image “HIPSCISOverrulesCustomRule2.jpg” except for “Access Name->Keyboard->Action”, which would then be set to “Allow” when the user chooses “Allow” and “Remember” from the HIPS popup Alert “Notepad wants to access the Keyboard directly”.
Unexpected result: CIS overrules / modifies / alters user defined HIPS Custom Rulesets for Trusted applications.
The user defined Custom Ruleset is not static but volatile and doesn’t work the way the user would expect it to work.
When the user changes one “Access Name->Action” setting, this may result in CIS changing many other “Access Name->Action” settings as well, which is unwanted.
Expected result: A user defined HIPS Custom Ruleset for Trusted applications should be static and not be overruled / changed / altered or modified by CIS.
A user defined HIPS Custom Ruleset for Trusted applications should work in the same way as it does for unrecognized applications.