Deleting Temporary Files

Hi. I’m running v 6.2.285401.2860 on a WinXP SP3 box.

I HAD a simple batch file, all it did was change attributes on files in Windows/temp folder and delete them. Unfortunately it seems that Defense+ or the Sandbox, something is blocking this now.

In the log file I’m seeing listings for C:\Windows\system32\attrib.exe, Flags: Modify File, Target:A_TEST.TMP for example, and:

C:\Windows\system32\attrib.exe, Flags:Sandboxed As, Target: Partially Limited

I looked around in the Comodo interface and tried to add exceptions for Attrib.exe but it doesn’t seem to have worked. Can someone PLEASE tell me step by step how to configure CIS to allow this simple batch file to work without it resulting in “Access denied” and it not working?

It did work previously, this is not a system admin/privileges issue. Thanks.


attrib -h -r -s C:\windows\temp\*.tmp
del C:\windows\temp\*.tmp

Below is a little thing I just made, it might seem like a lot in the beginning but it’s ‘designed’ to have fall back methods if the other fails - Hope it helps!

Is the file listed in the Unrecognized Files:

  • Open CIS main GUI.
  • Click the “Tasks” button next to the green arrow in the top right.
  • Expand “Advanced Tasks”
  • Click “Open Advanced Settings” - A new window should show up.
  • Expand “Security Settings” in the left menu of the new window.
  • Expand “File Rating”
  • Click “Unrecognized Files”
  • Is your file showing up in the list? (If there are no unrecognized files there won’t be a list)
    • If it shows up then go to “It shows up”
    • If it doesn’t show up then go to “It doesn’t show up”

It shows up:

  • Right-click the entry > Move to > Trusted Files
  • Click “OK”
  • Try the program again to see if it’s resolved.
    • If not resolved, move on to part “We need to go deeper”

It doesn’t show up:

  • Click “Trusted Files” in the left menu
  • Press ctrl + f (If no search bar shows up then try left clicking an item and then pressing ctrl + f again)
  • Search for your file
  • Is it there?
    • If no
      • Right-click somewhere in the Trusted Files List and choose Add > Files; Navigate to your file and add it
      • Click “OK”
      • Try the program again to see if it’s resolved.
        • If not resolved, move on to part “We need to go deeper”
    • If yes
      • Move on to part “We need to go deeper”

We need to go deeper:

  • Expand “Defense+” in the left menu.
  • Click “Behavior Blocker”
  • Make sure “Define exceptions for behavior blocking” is ticked in.
  • Click the blue “Exceptions” next to the line quoted above
  • Add the file in the new window that pops up and click “OK”
  • Click “OK”
  • Try the program again to see if it’s resolved.
    • If not resolved, move on to part “HIPS”

HIPS:

  • Expand “HIPS” in the left menu.
  • Click “HIPS Rules”
  • If your file exists in the list, right-click it and click “Edit”; If your file doesn’t exist then click “Add”
    • Make sure your file is chosen in the new window (only necessary if you clicked ‘Add’ instead of ‘Edit’)
    • Tick “Use Ruleset”
    • Choose “Allowed Application”
    • Click “OK”
  • Click “OK”
  • Try the program again to see if it’s resolved.
    • If not resolved, make a comment ???

I asked for a solution. That’s a list, one I’m not going to bother with. They need to fix their mistake and I’m not going to do an excessive amount of work.

It’s a list of steps to unblock a file locally (i.e a solution), if you find that excessive amount of work, then good luck and have fun with CIS. :-TU

You want Comodo to fix the mistake? I assume you refer to attrib.exe being blocked because it’s for some reason perceived as unknown? Then try this thread https://forums.comodo.com/news-announcements-feedback-cis/submit-applications-here-to-be-whitelisted-2013-t89867.0.html

Really? I should have to submit a program that’s been around since DOS? I disagree, they are showing bad judgement and burdening the users.

What they should have done is on their list of activities, you should be able to click on the thing the product did that you don’t want it to do and choose “allow”. It’s not just about attrib.exe it’s about a design flaw that’s going to interfere with my basic use of the system over and over.

No, you just opted to not take the manual way, i.e the way I posted in my first reply. However yes I know what you mean, the file should already be trusted, which it is for me, so why it’s not trusted for you is a mystery to me, has it been modified?

When an application gets sandboxed it should show a pop-up in which you can click “Don’t isolate this application again” or something like that, can’t remember the exact wording. If you clicked this, then it wouldn’t get sandboxed again; depending on whether you have HIPS enabled or not you might get more pop-ups in which you could choose Treat as > Allowed Application and now it’d be allowed.

Edit: And on the occasion that something gets sandboxed without giving a pop-up then you can follow the basic steps in my first post.

I am receiving no popups.

I manually deleted the windows/temp/*.tmp files, then for testing I created a text file in notepad named C:\windows\temp\A_TEST.temp

I followed your list originally posted, which included adding the batch file itself as allowed, and attrib.exe in every section of your list.

Upon running the batch file a command prompt window pops up as usual, the batch proceeds to execute as usual, then with the command “attrib -h -r -s C:\windows\temp\*.tmp”, the message displayed is “Access Denied”.

Further when the batch file issues the command “del C:\windows\temp\*.tmp” it returns the message “C:\windows\temp\A_TEST.tmp Access is denied”.

Looking again in the CIS log file, it displays the same things as previously reported:

"In the log file I’m seeing listings for C:\Windows\system32\attrib.exe, Flags: Modify File, Target:A_TEST.TMP for example, and:

C:\Windows\system32\attrib.exe, Flags:Sandboxed As, Target: Partially Limited"

Next I just disabled HIPS, tried again and it still didn’t work, then checked the Sandbox settings and found that the batch file and the attrib.exe were already added by me as excluded or allowed, whichever it is.

Next I tried the batch file one last time and it worked! The only thing I can guess is that when I disabled HIPS it took a while for it to rebuild a list or something so the effect wasn’t immediate, BUT when I go into HIPS Rules, it does list attrib.exe because I added it, but then I checked Use a Custom Ruleset and it lists everything as “Exclusions” “Modify”, as if no matter what I do it refuses to allow modifications of file attributes as it lists “Ask” for all of them but it never asks.

It seems the best option for me is to just leave HIPS deactivated.

That sounds weird, just to be sure check the HIPS Settings and see if “Do NOT show popup alerts” is checked in, if it’s checked in then no alerts will be shown.

However as it states attrib is being sandboxed, it won’t show any HIPS alerts. If you want you can try temporarily disabling the auto-sandbox and with HIPS enabled run the batch file again and see if HIPS generates any pop-ups now.
Basically the sandbox overrides the HIPS, it’s kind of a pre-set HIPS rule (excluding the ‘Fully Virtualized’ setting)

If the batch file still gets ‘Access denied’ when you have HIPS enabled, “Do NOT show popup alerts” unchecked for HIPS and auto-sandbox disabled, then there might be something wrong with the installation of CIS.

I never did see any popups at all related to the issue, the only way I knew it was CIS was it worked before installing CIS and the events showed up in the log file.

In HIPS, “Show message from Comodo message center” is checked. “Show notification messages” is also checked. “Do not show popup alerts” is not checked.

Under Defense+ > Sandbox, “Do not virtualize access to the specified files/folders” is checked, and the specified files and folders link has the following exceptions listed which I added:

Temporary Files (includes %temp% and ?:\Recycle?*)
C:\windows\system32\attrib.exe

I THINK I JUST FOUND THE SOLUTION. By also adding the batch file itself as an exception to that list, I mean the following entry, now it works with HIPS enabled.

C:\windows\temp\delete_temp_files.bat

So something seems broken with the popup notifications as there have been several things that wouldn’t work on the system recently including installer errors for other apps that I just attributed to an OS problem or bad installer but these also show up in the CIS event logs.

I’m starting to feel like I’d be more productive with a virus than with CIS on the system. :confused:

Oh, I’m sorry for the way I wrote it, I of course meant to add both the batch file and program however now looking back it comes out as just the program, I apologize for that.

Yes I’ve been noticing too that the auto-sandbox doesn’t always show pop-ups for when it sandboxes things, I don’t know in what cases it does this, but I think it might be related to batch files but I have no idea. For that reason I have disabled the auto-sandbox and enabled HIPS.

Btw, if you have auto-sandbox on then HIPS won’t be generating any alerts, it’ll basically be inactive because the auto-sandbox kicks in before HIPS. Once you look into the different components of CIS and how they work, for example how auto-sandbox makes HIPS pretty much inactive, then you quickly start to realize how to use CIS, it’s not always as with other security products, but if there ever is something wrong there’s always this forum.

I’m glad it’s working for you now. :slight_smile: