Comodo and Hugin's Make.bat files

I have the same problem as a previous writer.
His solution doesn’t work for me:

quote: "I discovered that Hugin created batch files in 2 folders: the user temporary folder and the panorama folder (I don’t know if it is the source or the destination folder, since I always put the final panorama in the same folder as the source pictures). The problem is that of course this folder varies, although in my workflow it is always a subfolder of d:\Images_hugin. My first reaction was to create a folder d:\Images_hugin\WorkForComodo and set it up in Comodo. Then I discovered Comodo accepts jokers in paths, so here is my final solution:

In Protected Files & Folders, I modified the Hugin group to
In Defense+ Rules, I edited the Hugin group: I don't consider it as a trusted application anymore but I added the executables I know it can run in it's normal process.

… and it works!"

I have done as suggested above but I still get every one of the make*.bat files showing up in Comodo asking me to OK them.
I’m tempted to turn Comodo off while I use Hugin but the risk is I will foget to turn it back on when I finish.
I suspect I have not implemented the solution above correctly. I’ve double checked for typos.
Any one able to help?

Hi BDG, welcome to the forums.

What is CIS actually alerting for? If it’s execute permission, then you could add the Hugin File Group to the Allowed Applications tab for Run as executable under Access Rights.

Hugin creates a series of batch files using Make every time you use it to create a panorama.
The batch files are named makexxxxx-x.bat where xxxxx-x is a random number.
These files are located in the C:\Users<user name>\AppData\Local\Temp
I have tried adding a “Hugin” group to Protected files and Folders with
C:\Users<user name>\AppData\Local\Temp\make*.bat
and then making this group a “Trusted Application” in Defense + Rules but it doesn’t work.

Understood. Trusted will not work anyway as the files are being created… trusted means that they are known & safe. Not exactly possible in this case. :slight_smile: What is CIS actually alerting you about? Are you clicking Allow & Remember? If so, then all those one-off permissions are building up (uselessly unfortunately) in the Allowed Applications tab on some application in Defense+. This is where your crafted File Group needs to be.

BTW If the BAT filename is always makexxxxx-x.bat, then the file mask in your Hugin File Group should really be make?????-?.bat. This is for security reasons.

First - Thankyou for your help!
Here’s what Comodo is saying:
“Security Consideration”
Then it details the file the new batch file is trying to run and says:
“However a new parent application make720-1.bat is detected and it could not be recognized.
then blah blah etc if make720-1.bat is one of your everyday applications then it can safely be run.”

OK… assuming you have allowed & remembered some of these, please check Defense+ - Computer Security Policy. Do you see entries for Make BAT files? Lots of them maybe?

Yes, lots (although I’ve deleted most of them).

OK. So, you need to create just one rule based on your Hugin File Group (which obviously should contain the wildcard Make BAT file, with a full folder path) and put it at the top. Then that entry (which includes all possible MAKE*-*.BAT files) needs the permission it needs to stop alerting you. Do you see what I mean?

edit: There could be some other applications we need to deal with depending on how the BAT is executed in the first place.

Sorry, but I don’t know which permision to use.
I have the group “Hugin” in protected files and folders.
It contains this:
C:\Users<User Name>\AppData\Local\Temp\make*-*.bat
In defense + rules I have “Hugin” set as Installer or Updater but I still get the same pop-ups from Comodo.

Is the D+ rule Hugin linked to the File Group Hugin?

I think so. When I try to alter the file string: C:\Users<User Name>\AppData\Local\Temp\make*-*.bat
in D+ it gives me a warning message saying roughly: any settings made here will be lost, do you want to go to file groups now?

That’s not quite the same thing. When you created the D+ rule, you said Add, Select - File Group and gave it your Hugin File Group name. So, when you look at the D+ rule under Computer Security Policy it has the name of the Hugin File Group. Is that correct?

edit: OK, on looking at this more… double click on the Hugin name, not the folder path.

When I dbl click on the Hugin name in D+ it brings up a pop-up window:

Application System Activity Control.
This has an application path (Greyed out) of: Hugin
I have the option in this widow to use a defined policy or use a custom one.

That’s the one! Set it to Use a Custom Policy. Then click on Customize and this takes you to the Access Rights screen.

Currently, everything is probably set to Ask and if it’s not then please make it so. And OK & Apply all the way out to make sure everything is saved. Now perform a Hugin run (and if Hugin can do more things, than less… pick more things). During this run CIS should alert you a fair bit and, assuming nothing untoward appears, you should answer Allow & Remember. Once Hugin is done. Return to above Access List for the D+ Hugin rule to see what CIS has learnt. The Exclusions for Run an executable might be important here.

PS Please note the first alert you receive from CIS, thanks.

I did all that but I’m still having to click allow and remember each time I do a new panorama (because each time there is a new random number appended to the make file).
When I check D+ the random make file is there allong with all the other random make files.

  • one thing though: The string in D+ shows my user name as xxx~1
    I’m using 64bit Win7.

I’m confused… I don’t think I was clear. Sorry, my bad. I said this would happen (the alerts), that was the intention on this Hugin run that you did (just the one!). It was meant to be the first step in seeing what the Make BAT files actually needed in the way of Access Rights within CIS. The only slight hitches are the first alert from CIS (did you note it?)… some other application might need execute rights for the BAT files and if the BAT files needed any file/disk access using random folder names. But, we haven’t looked at your Access Rights screen yet. :slight_smile:

If it’s ignoring your D+ Hugin rule and creating more Make BAT rules for each BAT file you run, then the folder path or wildcard filename is probably wrong. Can you go to your Hugin File Group and copy ‘n’ paste it here. Thanks.

This shouldn’t be an issue, since I (as an x32 user) am not giving you (as an x64 user) any folder paths or file names. Which is where x32/x64 instructions clash. If you see what I mean? :slight_smile:

Sorry so late replying - didn’t know that the “2” meant I should be looking at a second page!
First alert was the same as I described before:
“Security Consideration”
Then it details the file the new batch file is trying to run and says:
“However a new parent application makexxxx-x.bat is detected and it could not be recognized.
then blah blah etc if makexxxx-x.bat is one of your everyday applications then it can safely be run.”

Here is the cut/paste of the file path:

No prob on the x64/x32 just thought I should say.

Oops. No problem. :slight_smile:

Run C:\Program Files\COMODO\COMODO Internet Security\cfplogvw.exe (CIS’s external log viewer). Go to Alerts Displayed, select the alert in question and click on Related event. What Application is it talking about in the actual event?

That looks OK. Verify it is the same as the new D+ rules (created for each BAT file)… maybe it’s make*_*.bat or something. Where is the Hugin rule in D+ rule order?

Related event: C:\AppsVideo\Hugin\bin\make.exe

Hugin rule is below “All Applications”
and amongst a bunch of other rules.

Attached screen shot of D+
The files are either makexxx-x.bat or makexxxx-x.bat

[attachment deleted by admin]

This was the extra thing we needed to fix. Something is running the BAT files & that something needs permission to run them (so you don’t get alerts).

So, make.exe must have a D+ rule. Edit that rule & get to the Access Rights screen. Click on Modify for Run as executable. I suspect that you’ll a have a lot of the Make BAT files under the Allowed Application tabs. Double click on one of them & copy ‘n’ paste the file path (you’ll need this later). Remove all the unwanted BAT file entries. Then Add - File Groups - select the Hugin File Group.

This, effectively, gives C:\AppsVideo\Hugin\bin\make.exe permission to run any Make BAT file is the specified path(s).

OK, that makes sense. Your File Group says C:\Users\Administrator\AppData\Local\Temp, where as the actual file path is C:\Users\ADMINI~1\AppData\Local\Temp. This is why I had you copy the path name into your paste buffer. Go to the Hugin File Group and add the ADMINI~1 path to the group, along with wildcard filename. So, now the File Group should be able to support both methods of path specification.

After you’ve done all of the above. Try a single Hugin run & see what happens. :slight_smile: