On my workstation, I have CIS installed with HIPS configured to Paranoid mode, and the Enable Auto-Containment option disabled (which I disabled in pursuit of addressing this issue).
I use VSCode to create PowerShell scripts on my machine, and any PowerShell script I attempt to execute pops up with an alert indicating that VSCode or PowerShell.exe is attempting to execute C:\ProgramData\Comodo\Cis\tempscrpt\C_powershell.exe_.ps1. This is presumably CIS attempting to containerise the actual script that I’m running… but how do I configure CIS to stop this? I would have assumed that disabling the Enable Auto-Containment option would have been enough. I tried creating a containment rule to ignore VSCode.exe, but that didn’t work.
Any help is most appreciated!
I have a problem that looks like yours.
Maybe you should look at HIPS rather than Containment.
This is a HIPS issue and nothing to do with auto-containment. What you can do is either completely disable embedded-code detection for PowerShell or add VSCode to HIPS rules and set it as the installer/updater predefined ruleset.
You mean HIPS predefined ruleset “Windows System Application” presumably, since there isn’t an “installer/updater” HIPS predefined ruleset anymore.
No, “Installer or Updater” is a special ruleset that cannot be edited, so it does not show up in the rulesets section. You can select it when use ruleset is set in the HIPS application rule creation window.
Ah thanks, I remember now that I’ve seen this predefined rule “Installer or Updater” popping up somewhere in the past and didn’t remember anymore that it isn’t listed in the rulesets section.
Also I can’t recall that I ever needed this “Installer or Updater” predefined rule as the “Windows System Application” predefined rule sufficed for me in some rare cases.
As a note, like the help page says: Be warned when using this “Installer or Updater” predefined rule.