Again, it depends whether they process files and perform actions on behalf of the non-exe file that is passed on their image command line.
I noticed that forfiles, which I have in a script for deleting logs, brings a notification with HIPS. forfiles is not signed even though it is a default MS\system32 file. As unsigned, it is normally unrecognized, and the alert is expected. OK, so I guess command-line heuristics, in contrast, is not an "unrecognized" and/or "abusable" execution-notifier type of monitoring like HIPS. It's just: unrecognized wants to use a script engine, allow the tempscrpt, yes or no?
Not to harp on another's software, but there is software by a small developer team that is kind of interesting. It allows a user to identify potentially abusable processes and then see a stop alert EVERY time the process runs standalone or is started by any other executable. At the time of the alert, the user can allow and/or whitelist the activity by the command line that started the process. This means that even the standard startup of a program from the start menu, etc., can be monitored (and monitored as a command line), and its run activity wholly monitored and approved by command line (also with knowledge of the parent)…even the startup of the program. Playing with that program to learn about command-line monitoring, I learned it is important what I classify as "abusable" (another term is used in the application) with that app, because it causes alerts. But it is possible to see down inside the system when setting a hefty number of well-constructed "abusables," and not many alerts, really. Well, command lines can also be whitelisted with support for wildcards, which is a whole other topic.
Just thinking about this now, it's really interesting with regard to HIPS how Comodo HIPS doesn't monitor the execution of the unrecognized app with the single command-line method; instead it focuses on what the app should be allowed to affect (via HIPS rules). The HIPS brings the possibility of exclusions, while the other app brings whitelisting via command-line monitoring. Yes, HIPS is more powerful of course, but the command-line approach has helped me keep tabs on things. I suppose I was really wanting to see if I could ditch the other app. Seeing the command lines is so valuable in terms of knowledge, however, that I don't think so for now.
Is it true, then, to say that Comodo command-line heuristics is write-based rather than execution-based, i.e. no command-line heuristics alert/stop until there is an attempt to write? If so, then I guess I need to focus on executable apps for inclusion in heuristic command-line monitoring that could potentially issue a command line associated with writes, rather than exclusively on the potential for abuse of the app by another application. Or maybe I could say that command-line heuristics is sort of an extension of HIPS, in that it produces an alert based on the execution, by an unrecognized app, of a script or a script contained within a file which leads to a write. HIPS then monitors the tempscrpt.
I really need to understand and visualize this type of thing under the current protection from Comodo. I have trusted some scripts I run, and I think command-line heuristics played a part in the original alerts for them (tempscrpts), and the script in the .bat files is tempscrpted. So I guess that means the heuristic command-line monitoring is handling them.
One other thing. In Proactive in Comodo Firewall, is it true that command-line heuristics only alert when a file is unknown? That makes sense, I guess, but I like to keep up with what is happening on a system, so that's why I am asking.
I guess this is a no-brainer looking at it a second time. The other program I mentioned turns my head around about Comodo, causing me to lose sight of the meaning of unrecognized. With the other program, I say which programs/apps are alerted every time (for the command line responsible for their start) and I get the alert every time…simple. With Comodo via HIPS, I decide which programs a program/app can start, with command-line monitoring there to monitor for script activity from the program/app, all for all unrecognized apps…idk, maybe this is it ;D
I would like to get a meaningful dialog going on this topic. Not afraid to be totally off base, and I would like to understand the protection scope of the heuristics module. Don’t want to add a bunch of processes that have no potential for adding protection.
Thanks for taking the time to reply. Going through this issue is giving me a deeper appreciation of the choreography in Comodo…
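The "alert every time unless the starting command line is whitelisted" behaviour described earlier in the thread (an "abusable" process list, whitelisting by the exact command line with wildcards, with the parent process known) can be sketched as a small policy check over process-creation events. This is an added illustration, not code from Comodo or from the other program mentioned in the thread; the abusable list, the whitelist entries and the four sample events are constructed for the demo (forfiles is the only image the thread actually names, the rest are assumptions), and the event fields mirror what a Sysmon-style process-creation record carries. One caveat it makes visible: a wildcard whitelist that is copied straight from a command line containing `*.log` would match far more than intended, so literal `*` must be escaped as `[*]`.

```python
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon event 1 style, constructed)."""
    image: str          # full path of the process that started
    parent_image: str   # full path of the process that started it
    cmdline: str        # the command line the child was started with


# Hypothetical "abusable" list: every start of these images is reviewed.
# forfiles is the one named in the thread; cmd/wscript are assumed for illustration.
ABUSABLE = {
    r"c:\windows\system32\forfiles.exe",
    r"c:\windows\system32\cmd.exe",
    r"c:\windows\system32\wscript.exe",
}

# Whitelist entries: (parent glob, command-line glob); both must match.
# Note the literal '*' in '/m *.log' is written as '[*]' so it is not a wildcard,
# while '??' lets the retention days vary (e.g. -30 or -45) without a new entry.
WHITELIST = [
    (r"c:\windows\system32\cmd.exe",
     r'forfiles /p "c:\logs" /s /m [*].log /d -?? /c "cmd /c del @path"'),
]


def _norm(s: str) -> str:
    # Windows paths and command lines are case-insensitive; compare lowercased.
    return s.lower()


def decide(ev: ProcEvent, abusable=ABUSABLE, whitelist=WHITELIST) -> str:
    """Return 'ignore' (not on the abusable list), 'allow' (whitelisted
    parent + command line) or 'alert' (abusable start with no matching entry)."""
    if _norm(ev.image) not in abusable:
        return "ignore"
    for parent_pat, cmd_pat in whitelist:
        if (fnmatch.fnmatchcase(_norm(ev.parent_image), _norm(parent_pat))
                and fnmatch.fnmatchcase(_norm(ev.cmdline), _norm(cmd_pat))):
            return "allow"
    return "alert"


# Constructed sample events (not real logs).
EVENTS = [
    # 1: the log-cleanup job from the batch file, started by cmd.exe -> allow
    ProcEvent(r"C:\Windows\System32\forfiles.exe",
              r"C:\Windows\System32\cmd.exe",
              r'forfiles /p "C:\Logs" /s /m *.log /d -30 /c "cmd /c del @path"'),
    # 2: identical command line but started by a word processor -> alert (parent differs)
    ProcEvent(r"C:\Windows\System32\forfiles.exe",
              r"C:\Program Files\Office\WINWORD.EXE",
              r'forfiles /p "C:\Logs" /s /m *.log /d -30 /c "cmd /c del @path"'),
    # 3: right parent, but the /c payload is not the whitelisted one -> alert
    ProcEvent(r"C:\Windows\System32\forfiles.exe",
              r"C:\Windows\System32\cmd.exe",
              r'forfiles /p "C:\Logs" /s /m *.log /d -30 /c "cmd /c copy @path C:\Users\Public"'),
    # 4: an image that is not on the abusable list at all -> ignore
    ProcEvent(r"C:\Windows\notepad.exe",
              r"C:\Windows\explorer.exe",
              r"notepad.exe C:\Users\me\notes.txt"),
]


def run_demo() -> list:
    """Evaluate the sample events in order and return the decisions."""
    return [decide(ev) for ev in EVENTS]


if __name__ == "__main__":
    for ev, verdict in zip(EVENTS, run_demo()):
        print(f"{verdict:6}  {ev.parent_image}  ->  {ev.cmdline}")
```

Event 2 is the case the thread's poster cares about: the same command line that is routine from the batch file is alerted when a different parent issues it, which is the "knowledge of the parent" the other tool provides and a plain per-image allow rule would not.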