Constant block messages from my local scripts

How do I allow all my LOCAL .ps1 (powershell) and .bat (cmd) scripts to not be blocked by CIS every time I run them?

thanks

By adding them to the “File List” and setting “File Rating” to “Trusted” perhaps?

Hi CISfan,

The problem is that any change I make to the script, CIS sends a message to allow, run isolated, block… and then I have to go to “blocked applications”, select the script and choose the option “unblock in all modules of security”!..
… every time I change the script, I have to do it all over again!.. this is annoying! My file list already has more than 30 script files because of this!.. soon I’ll have to buy an external hard drive just to put the files from this list on it!

Isn’t there a setting to allow every local script to run without these checks?

Disable ‘Embedded Code Detection’ for powershell.exe and cmd.exe under Script Analysis Settings.

Hi safemode,

But will this make me vulnerable to external scripts or will it just disable parsing of local scripts?

Hi Picandalo,

Thank you for reporting.
We are aware of this issue, we will reach you through private message to get required information & logs for further investigation.

Thanks
C.O.M.O.D.O RT

Hi Picandalo,

Could you please check your inbox for PM and provide us the requested log & information?

Thanks
C.O.M.O.D.O RT

I believe it can be done to have CIS ignore running local scripts, here’s how.

Suppose you have or want to use or run these scripts:

C:\MyScript01.bat
C:\MyScript02.bat
C:\MyScript03.bat
C:\MyScript04.bat
etc.

Then do:

  • Create HIPS Rule for “C:\MyScript*.bat” (change/edit the “Name” field into C:\MyScript*.bat) with “Use a Custom Ruleset” → “Copy from → Ruleset → Allowed Application”.
  • Edit HIPS rule for “C:\MyScript*.bat” “ACCESS RIGHTS → Run an executable → Modify → ALLOWED FILES/FOLDERS → Add → Files” and add your allowed executables to be run from the scripts.

Next do:

  • Create / add an Auto Containment rule, Action “Ignore” “CRITERIA → Edit → File location” and enter “C:\MyScript*.bat” (without quotes)

Press Ok button to close Advanced Settings window.

Now you should be able to run the scripts and to modify them without CIS interfering with the execution of those scripts.

Note that the “File List” will be populated (or polluted with as you wish) with “Unrecognized” script files like “C:\MyScript01.bat”, “C:\MyScript02.bat” and so on and also with duplicate script names like “C:\MyScript01.bat” and “C:\MyScript01.bat” when you have edited a script and then ran it again, but I think you can live with this.

Hope it works on your end too.

Follows link results tool run, questionnaire response and screenshot of tool run:
results tool run.

OK, CISfan, I’ll try that.
thanks.

Hi Picandalo,

Thank you for providing the requested log, we will check and report this to the team.

Thanks
C.O.M.O.D.O RT

Hi Picandalo,

Thank you for providing the requested information in detail, we are checking on this.

Thanks
C.O.M.O.D.O RT

hi C.O.M.O.D.O RT,

it would be interesting for you to find the problem, because I can’t stand the way CIS treats batch files anymore! See the screenshot I sent:

Keep in mind that the files on the “File List” are not the same (they are not identical) because the “SHA-1 File Hashes” are different for each file which makes them unique to CIS (even when the file name is the same).

By clicking on the “Purge” button you can easily get rid of the files in the “File List” for which the file on the file system does not exist.
Or tick the files on the “File List” which you want to remove from the list and then click on the “Remove” button.

I have a question: did you remove (or purge) files from the “File List” before and did you ever notice that those removed or purged files reappeared on the “File List” after about 30-days?

hi CISfan,

30 days?!.. I wish, in my case, after 20, 30 minutes the files are there again! My list is constantly with these .bat files “with same names”, even if I clean them, they come back in a few minutes!.. …this information you gave me, made me even more discouraged, about the file having the same name and CIS recognizing them as different, because what I was doing to avoid these CIS messages was precisely changing the .bat content without renaming it to avoid CIS bothering me with constant messages… so I don’t know what else to do to avoid this tiresome CIS behavior towards my local .bat.

Yeah, on my end any removed “Unrecognized” files from the “File List” do reappear on the “File List” again after 30-days without executing those files in those 30-days. It seems one cannot remove “Unrecognized” files from the “File List” but that’s another bug story which I reported a while ago.

Back on topic, bear in mind too that some malware likes to create batch files and to modify the batch files' content to the malware's needs to create attack vectors for a system. CIS has to detect this kind of attack behavior to protect the system and CIS can only do this by using the “File Hashing” method (any change in file content or change in file properties results in a different File Hash).

I do not know what the function of your batch file is but wouldn’t it be an option to supply parameters to your batch file when you call / execute it?
That way you can keep same batch file name and same batch file content.
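
An added illustration (not code from any poster in this thread) of the two points made above: a batch file edited in place gets a new SHA-1 and so counts as a different file for a hash-based file list, while a batch file that takes its values as parameters keeps a single hash. The temp directory, file names, ffmpeg `loudnorm` command line and loudness values are assumptions made for the example; the script only writes and hashes files and never invokes ffmpeg.

```powershell
# Added illustration: paths, file names and loudness values are constructed.
$dir = Join-Path $env:TEMP 'cis-hash-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

function Get-Sha1([string]$Path) {
    (Get-FileHash -LiteralPath $Path -Algorithm SHA1).Hash
}

# Variant A: values are hard-coded, so a new target means editing the file.
$hardcoded = Join-Path $dir 'normalize-hardcoded.bat'
$template = @'
@echo off
ffmpeg -i "%~1" -af loudnorm=I={0}:TP={1} "%~dpn1_norm%~x1"
'@
Set-Content -LiteralPath $hardcoded -Value ($template -f '-16', '-1.5') -Encoding Ascii
$hashBeforeEdit = Get-Sha1 $hardcoded
Set-Content -LiteralPath $hardcoded -Value ($template -f '-14', '-1.0') -Encoding Ascii
$hashAfterEdit = Get-Sha1 $hardcoded

# Variant B: values arrive as arguments, so the file content never changes.
$parameterized = Join-Path $dir 'normalize.bat'
Set-Content -LiteralPath $parameterized -Encoding Ascii -Value @'
@echo off
rem Usage: normalize.bat input LUFS TruePeak
if "%~3"=="" (
    echo Usage: %~nx0 input LUFS TruePeak
    exit /b 1
)
ffmpeg -i "%~1" -af loudnorm=I=%~2:TP=%~3 "%~dpn1_norm%~x1"
'@
$hashParameterized = Get-Sha1 $parameterized

# Same file name, different content: the two hard-coded hashes differ.
[pscustomobject]@{
    HardcodedBeforeEdit = $hashBeforeEdit
    HardcodedAfterEdit  = $hashAfterEdit
    SameNameNewHash     = ($hashBeforeEdit -ne $hashAfterEdit)
    Parameterized       = $hashParameterized
} | Format-List

# Both runs below use the identical, unmodified normalize.bat (one hash):
"normalize.bat song.wav -16 -1.5"
"normalize.bat song.wav -14 -1.0"

Remove-Item -LiteralPath $dir -Recurse -Force
```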

I usually submit the files within CIS. After submission I remove. Occasionally they reappear. I figured after Comodo analyzed the files, at some point they wouldn’t be unknown anymore.

hi,
One more image to analyze my case.

thanks

hi CISfan,

I didn’t want to spend money on audio plugins so I created a batch using ffmpeg commands to do LUFS normalization
on my audio files. I enter LUFS and True Peak values, and batch does the rest.

Regarding the question “Own CIS files and Windows system files in Containment, is this normal?” the files in question are cmdvirth.exe which is the Virtualization component of CIS so it is expected behavior to see this process inside Containment. The other 2 are virtualized copies of svchost.exe being run inside cmdvirth.exe which is also to be expected.

As for the main question of this thread there isn’t much you can do to stop CIS from blocking your batch files, either you manually add your batch files as Trusted into the File List or you disable Embedded Code Detection for powershell.exe or cmd.exe, if you are afraid of being vulnerable while doing the latter there is not much to be done also, since the Consumer version of CIS does not allow to manually insert exceptions for Script Analysis/Embedded Code Detection while the Corporate version of CIS (Comodo AEP/CCS) allows such exceptions to be defined.