I am trying to create a HIPS rule and I see that I can block or allow an activity for a particular application, but not that HIPS asks me. Does the ‘Ask’ action work? Does any other configuration interfere with the fact that it fails?
and a bit further down in section Access Rights you see in HIPS Rule window “Use a Custom Ruleset” checkbox ticked and in column “Action” you see the “Ask” option.
Yes, I already read the help. The problem is that selecting the action ‘Ask’ (for example in ‘Run an executable’) does not work and does not ask anything, although if you select ‘Block’ it does block it.
In paranoid mode it asks EVERYTHING about other programs but asks about ‘Run an executable’ NO. I’m trying to configure the rule for ‘Altap Salamander’, a browser type ‘Norton Commander’, and I’m looking for and running programs. Anyway I have done tests with other programs and other actions and the result is the same. ‘Ask’ does not work. Perhaps the question would be: Who has tried it and does it work?
Ask option only works for non-trusted rated applications when HIPS is in safe mode, and ask works for all applications when HIPS is set to paranoid mode.
I think that what makes it work for you is that you have rated the application as unrecognized, with which HIPS asks for any action you do. The rules have to work for trusted applications too.
I think I get your point, you would like to have some kind of custom override HIPS rule for trusted applications, right?
Unfortunately the way HIPS is designed and works is as @futuretech explains, so the options are either to use Safe Mode and set the trusted application to Unrecognized state or to use paranoid mode.
When you use the option “Safe mode and Unrecognized state” then just let HIPS create the custom rule by answering all the HIPS popup Alerts with “Remember my answer” ticked. Once that is done you can tailor the created custom rule for that application to your needs.
I think it does work.
Whenever you start that particular application (having the custom rule created by HIPS) and it wants to start a new application (which is not already in the custom rule) then you will again get asked by HIPS popup Alert what you want to do Block/Allow/Remember etc.
You can see which applications are Allowed or Blocked to run by that particular application by checking the created custom HIPS rule and then going to “Exclusions” column and click on “Modify (x\y)” next to “Run an executable” in the HIPS Rule window.
You can add your own Allowed or Blocked applications there.
But, it still could be that I don’t get your point exactly.
Ask option in HIPS Safe mode does not work anymore for all Microsoft executables when those executables are manually set to Unrecognized state in “File Rating->File List”.
Since version V12 Comodo implemented in their CIS software a hardcoded whitelist for all Microsoft executables which gives them a trusted state by default.
As a result of this whitelist Microsoft executables are allowed really everything when HIPS is in Safe mode. Even accessing or modifying your own added HIPS protected files and folders and maybe even more HIPS protected objects of your own.
There is no way for the user to change this behavior in Safe mode back to as it was in pre V12 versions when “HIPS in Paranoid mode” or “HIPS in Safe mode with Unrecognized files” worked in the same way, meaning HIPS would pop up Alerts for everything any application or executable tries to do, regardless of which Vendor.
Very very sad that I had to discover all this myself the hard way . . .