In the picture, why is CIS sandboxing it’s own files?
This is new technology to protect you from file-less scripts as Egemen explains here.
To prevent these scripts getting sandboxed, so long as you are sure they are safe, you just add the batch files to trusted files.
Oh yes. This is a new feature we have introduced to catch fileless malware. Fileless malware uses script interpreters such as powershell.exe to execute code through commandline. There are various ways. What CIS 10 does is it catches embedded commandlines and sandboxed them.
But while sandboxing them, we create a file out of them i.e. convert file-less scripts into files in C:\ProgramData\Comodo\Cis\tempscrpt. If is the command-line interpreter. What you can do is
1-You can trust them just like any other file
2- Or you can disable cmd.exe from commandline parsing from Settings->HIPS->Do Heuristics commandline analysis(Certain applications)
It is a new feature.
Assumption based on path is a bit wrong. Upon file contents inspection, you will notice it’s not really triggered by CIS.
How to make these randomly named files trusted, when a new one is generated every time?
This worked for me in the Specified Files/ Folders setting in Sandbox settings
I am looking for a more pinpointed solution, such as making a HIPS rule for the process spawning the command line.
In my case, Google Chrome is involved, so I don’t know how to do that.
I will paste the command line string, if anyone has an idea for me, please share it:
C:\WINDOWS\system32\cmd.exe /c “C:\Program Files (x86)\Norton Family\Engine\18.104.22.168\coNatHstNF.exe” chrome-extension://napjheenlliimoedooldaalpjfidlidp/ --parent-window=0 < \.\pipe\chrome.nativeMessaging.in.c7742736b6507c43 > \.\pipe\chrome.nativeMessaging.out.c7742736b6507c43