CIS Wildcard Help

Dear COMODO Staff & Non Staff Members.

I was looking for help concerning wildcards for CIS but couldn’t find what I was looking for. So I decided to post a new topic concerning the subject.
I did find “File specification inc. using wildcards in CIS (Technical FAQ)” but that’s not quite what I need, it’s also hard to understand.

According to “File specification inc. using wildcards in CIS (Technical FAQ)”, the user may use these wildcards in the following places;

  • Comodo multiple selection file dialog: used in HIPS Groups, Protected and Blocked files; also AV exclusions. Where this is used you can select multiple files and directories.

  • Windows dialog: used in HIPS rules, and throughout the FW module Where this is used only single files can be directly selected - multiple files and directories cannot be directly selected. You can however edit a path created by the Windows dialog to create a directory spec.

I only tested the below mentioned wildcard examples, with the anti-virus scanner. In conjunction with the “Scan Exclusions” feature. Therefore, the following is not to be considered 100% accurate. Nor is it relevant for all scenarios.

To my knowledge, COMODO only supports the “*” & “?” wildcards and may be used in conjuction with each other. Environment Variables are also supported.

Please feel free to contribute. Any Staff Members, if your up for it, please feel free to confirm the following wildcards and their meanings. I appreciate any corrections given.

(Used when creating Environment Variables).

%environment variable%
Environment Variables located in the System Properties (right click Start Menu Icon, then left click on System. Look to the right, then click on the “Advanced System Settings” link. Then, left click on “Environment Variables…” (Bottom Right). Creating your own is simple. Left click New, type your Variable Name (you will type this “Variable Name” with “%” on both sides of the “Variable Name” when using it) and Variable Value (the directory where the Variable Name points to). e.g. Variable Name: windir, Variable Value: C:\Windows. When using the environment variable, type %windir%.
%windir%\explorer.exe (C:\Windows\explorer.exe).
%windir%\system32\svchost.exe (C:\Windows\system32\scvhost.exe).
Or a custom variable, such as…
%ani%\Sintel\sintel.avi (D:\Videos\Animation\Sintel\sintel.avi) the Variable Value for %ani% is “D:\Videos\Animation”.
If your directory is very long. e.g. D:\Documents\Clients\regularclients\clientname\project\Buildings\plans.pdf You can shorten it with an environment variable. (%clientname%\ project\Buildings\plans.pdf).

(represents zero or more characters in a string of characters).

Every file or folder (including applications, script files and extension).

any file with a specified extension
*.exe, *.dll, *.sys etc…

A specified file with a specified extension located in any directory.
(Careful, viruses/malware tend to use common system filenames located in non system directories).
*\CCleaner64.exe, *\guard32.dll, *\svchost.exe, *\kill.bat etc…

C:\folder0\file0* or C:\folder0\folder1*
All files or folders, matching the directory name up to “C:\folder0\file0” or “C:\folder0\folder1”. Where directory name will match up to the wildcard and may vary after the wildcard.
(The absence of the backslash is important when identifying various files or folders, starting with the file/foldername “file1” or “folder1”)
C:\Program Files\Comodo*
(C:\Program Files\Comodo111 and C:\Program Files\Comodo222\file.exe are all valid). Unfortunately, C:\Program Files\1Comodo and C:\Program Files\something Comodo\ are all invalid and will not work.

All files or folders located in the directory "C:\folder0\folder1". (It will identify All files and folders contained in “folder1”)
C:\Program Files\7-Zip*

C:\folder0*\DesiredFolder* or C:\folder0\folder1*\DesiredFolder*
Ready for this, it’s a long one… All files and folders, located in a folder with the foldername “DesiredFolder”, which may be located under any of the subfolders in the directory, “C:\folder0*” or “C:\folder0\folder1*” but not “C\folder0” or “C\folder0\folder1”.
C:\Users*\Desktop* (All files and folders located in the folder “\Desktop\”, which is located anywhere under the subfolders in the directory “C:\Users\”. But not in “C:\Users”) or C:\Windows\SystemApps*\pris\ (All files and folders located in the folders named “pris”, which is located under the subfolder in the directory “C:\Windows\SystemApps\” But not “C:\Windows\SystemApps”). This may warrant some further explanation.
When there is more then one folder representing a user’s account, then there is a folder which, represents the “Desktop” for each of those users. If “C:\Users*\Desktop*” is in the anti-virus exclusion list, then only the “Desktop” folder which represents the user’s “Desktop”, will be excluded. However, if there is a user account with the name Desktop, then the useraccount with the name Desktop will be included during a virus scan but the Folder representing their “Desktop”, will be excluded. e.g. Mike, John, Matthew, Ryan and Desktop, each contain a folder representing their desktop. The user Desktop, will be included during a virus scan with the other users, only the folder representing it’s “Desktop”, will be excluded during a virus scan.

(represents only one character in a string of characters).

Only one character in the name of the directory.

Any drive where there is a folder with the name “folder0”.
(NB. The “*” at the end is important or else it will break).
C:\Library, D:\Library, E:\Library, etc…

Drive D:\ containing the folder/s starting with the name “folder” and ending with any one unknown character at the end of it’s name.
(NB. Entering “\” after the “?”, will break this wildcard unless you follow it up with a “*”. e.g. D:\folder?\ will not work but D:\folder?* will work).
D:\Library0, D:\Library1, D:\Library2, or D:\LibraryA, D:\LibraryB, D:\LibraryC, etc…

Any drive containing the folder/s starting with the name “folder” and ending with any one unknown character at the end of it’s file name.
(NB. Entering “\” after the “?”, will break this wildcard unless you follow it up with a “*”. e.g. ?:\folder?\ will not work but ?:\folder?* Will work).
D:\Library0, D:\Library1, D:\Library2, or E:\LibraryA, E:\LibraryB, E:\LibraryC, etc…

?:\folder?1, ?:\folder?1? or ?:\folder?1?1?
Any drive containing the folder/s with the name “folder” and containing any one unknown character in the name. Yes, it may be used more then once in the name.
D:\Library01, D:\Library11, D:\Library21, or E:\LibraryA1, E:\LibraryB1, E:\LibraryC1, etc…
D:\Library01d, D:\Library11P, D:\Library21i, or E:\LibraryA1d, E:\LibraryB1P, E:\LibraryC1i, etc…

C:\ProgramFiles\Java\jreA.B.C_D (Replace A B C & D with “?”) however this will only work with single characters. e.g. C:\ProgramFiles\Java\jre1.2.3_5 will work but not C:\ProgramFiles\Java\jre20.18.30_82. Use the “” in place of the “?” (C:\ProgramFiles\Java\jre.._*).

(applies to contained applications set to “Run Restricted” and restriction level set to “Partially Limited”).

I tested write access against unrecognized application. (Only the orange file rating was used not the Grey file rating)
Only when HIPS is enabled and the user specifically blocks access, is write access blocked to “Protected Files”. When HIPS is disabled, unrecognized applications are allowed write access to “Protected Files”. This was tested, both with and without the pipe symbol. Based on ALisnic’s quote and how I understand the guide, I expected this result.

I tested write access against contained application. (File rating for application was tested on both trusted and unrecognized).
Added an Auto-Contianment rule for “Libreoffice”. Action was set to “Run Restricted” and restriction level set to “Partially Limited”. Write access to “Protected Files” were blocked whether pipe symbol is used or not. Based on Alisnic and futuretech’s quotes this was unexpected. I assumed write access would be blocked only when pipe symbol is used. This was not the case.

Based on the above mentioned quotes. I assumed the pipe symbol would prevent write access to protected files, not just against unrecognized applications but also against contained applications set to "Run Restricted” and restriction level set to “Partially Limited”. I tested this theory. However, protecting write access to “Protected Files” against contained applications were prevented irrespective of whether the pipe symbol was used or not. Also, when I upgrading to CIS I restored the default configuration of “COMODO – Internet Security” back to what it was when it was clean installed. Unfortunately, I can no longer enter in the pipe symbol. I just receive the error message “Please enter valid data”. I tried copying and pasting it from one of CIS predefined directories, located in the “File Group” but receive the same error massage.

I’m not gonna pursue this issue any longer. If anyone want’s to post a reply resolving this issue. Then please do so, without requesting my help. I’m now done with the subject regarding the wildcards and the pipe “|” symbol has been an unwanted headache.

I’m officially done with this thread. I hope it will be of some use, to those whom need it.

So what do you COMODO members think. Did I hit the nail on the head or did I completely miss?

Any confirmation concerning these wildcard will be greatly appreciated. And please, feel free to contributed any thing missed.

Thank You.

name: C:\mainfolder\subfolder\example* meaning: anything containing the letter/word, "example", in it's filename which is located under, "subfolder". (includes filenames of folders) example: C:\Program Files\Comodo* (C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe or C:\Program Files\naughty Comodo vids\nude.mp4 (be careful with this wildcard))
It would only match file paths with the same path name leading up to the wildcard. e.g. C:\Program Files\Comodo111 C:\Program Files\Comodo222\file. But not C:\Program Files\1Comodo and not C:\Program Files\something Comodo\

The ? character means single character so a?c.exe = aac.exe, abc.exe, a0c.exe, a1c.ext, etc.

The pipe symbol | is for the containment restriction levels: partially limited, limited, restriced, and untrusted to prevent contained applications from write access to
those files/folders that have that symbol at the end of the path in HIPS protected objects > protected files.

Are there any official docs that mentioned the usage of the pipe symbol?
Will you please give me some URLs?
Thank you.

The only official mention I can find is this post by a staff member but it doesn’t make it clear as I have stated it.

That thread is also a practical example for the usage.
Thank you again.