File Rating System - Quirks - Questions

Hello,

I have a few questions regarding the File Rating system:

Sometimes CIS will detect modules published by vendors on the TVL list - e.g. Microsoft, Malwarebytes, Quarri, etc.

I have to move the files from Unrecognized to Trusted - which really is no big deal…

It seems CIS randomly rates files\modules as Unrecognized, but the publisher is a Trusted vendor.

Is this an ongoing issue?

Thanks,

HJLBX

Are the files in question signed?

Hello Sanya,

Thank you for your reply…

Yes. Most are digitally signed by known vendors on the TVL.

For example, mbam.sys, mwac.sys,…

A few are not; for example, some Windows OS dlls, etc.

The files are Unrecognized, but I assume since the vendor is on the TVL the files are not treated as Unrecognized (e.g. autosandboxed).

However, there have been a few isolated cases - that seem to be system dependent - where a digitally signed file from a vendor on the TVL - generates Unrecognized alerts (HIPS, autosandbox, firewall).

For example, MRT.exe on my AMD system, and MdCmdRun.exe, System32\dllhost.exe and SysWOW64\dllhost.exe on my Intel system.

I am continually having to submit files to be white-listed, change rating locally, etc - which is no big deal - just trying to understand how CIS is supposed to work versus how it actually works.

Best Regards,

HJLBX

When you get these detections again can you double check if the digital signature of the files is on the TVL? The reason for asking is that incidentally vendors may change their signature. When checking look at the name and that the name completely matches.

I will check next time… just to be extra thorough.

The vast majority of the files I am referring to are Microsoft\Windows OS files. From what I see MS does not change its digital signature.

Some file modules are not digitally signed - Microsoft is famous for this - especially with their dlls.

Despite not being signed, except for a few rare cases - they are not blocked\autosandboxed.

So there is some confusion as to what exactly is happening and why.

Best Regards,

HJLBX

To see if Windows system files are signed you need Sigcheck.

It can be set as a shell extension. Download this zip archive and unpack it to C:\Program Files\SysinternalsSuite\. When done, run sigcheck.reg to add it to the registry.

When this is done, navigate to the system32 folder, look up and select the file you want to check, right-click and choose Signature from the context menu. A black command box will pop up. See if it is signed or not.
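For checking several of the files named in this thread at once, the following PowerShell script is an added example (not from any poster here, and not a Comodo tool): it reads each file's Authenticode signature, reports whether the signature is embedded or comes from a Windows catalog, and checks that the signer's CN matches a vendor name completely, as the advice above suggests. The file paths and the vendor list are assumptions; take the real vendor names from the Trusted Vendor List on your own system.

```powershell
# Added example: report signature status and signer name for files CIS flagged.
# File names come from the thread; the paths and vendor names are assumptions.
$Candidates = @(
    "$env:SystemRoot\System32\dllhost.exe",
    "$env:SystemRoot\SysWOW64\dllhost.exe",
    "$env:SystemRoot\System32\lpremove.exe",
    "$env:SystemRoot\System32\drivers\mbam.sys"
)

# Signer CNs you expect to see (assumption: copy the exact names from the TVL).
$ExpectedVendors = @('Microsoft Windows', 'Microsoft Corporation', 'Malwarebytes Corporation')

function Test-SignerOnList {
    param([string]$Path, [string[]]$Vendors)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Status = 'Missing'; Type = $null; Signer = $null; Match = $false }
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # Pull the CN out of the certificate subject; the thread's advice is that
    # the name must match completely, so no partial or case-insensitive match.
    $cn = $null
    if ($sig.SignerCertificate -and $sig.SignerCertificate.Subject -match 'CN=([^,]+)') {
        $cn = $Matches[1].Trim()
    }

    $match = ($sig.Status -eq 'Valid') -and ($cn -cin $Vendors)

    [pscustomobject]@{
        Path   = $Path
        Status = $sig.Status         # Valid, NotSigned, HashMismatch, ...
        Type   = $sig.SignatureType  # Authenticode (embedded) vs Catalog vs None
        Signer = $cn
        Match  = $match
    }
}

$Candidates | ForEach-Object { Test-SignerOnList -Path $_ -Vendors $ExpectedVendors } | Format-Table -AutoSize
```

Many Windows system DLLs carry no embedded signature and are signed only through a catalog, which is why they can look "unsigned" in a tool that checks only the file itself; cross-check any NotSigned result with Sigcheck as described above.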

Coincidentally it just happened with lpremove.exe - which evidently is a digitally unsigned Microsoft system application.

lpremove.exe was added to the File List and rated as Trusted on 04/20.

A few moments ago - on 05/04 - Defense+ generated a HIPS alert for lpremove.exe when it attempted to execute conhost.exe.

Images attached.

This type of behavior is occurring randomly and the vast majority are in either the System32 or SysWOW64 directories… on both AMD and Intel systems.

So it appears the problem is that there are a bunch of System32 and SysWOW64 files that are digitally unsigned… and while CIS recognizes the vendor as Microsoft and the file is rated as Trusted in the File List, CIS will treat those files as Unrecognized???

What do you think?

In the case of MBAM.sys the file is digitally signed by a TVL vendor, but a Rating Scan indicated the file was Unrecognized; it was not blocked but I had to transfer it to the Trusted file list.

Best Regards,

HJLBX

PS - Thanks a million EricJH for pointing out SI SigCheck… I did not think to use it. I will continue to monitor the situation.


Does the problem occur on multiple versions of Windows? Ipremove is XP only (I could not find it on Vista, 7 or 8).

It’s a tough problem to tackle as it only happens intermittently.

Hello EricJH,

Not Ipremove.exe but Lpremove.exe…

Windows 8.1 - both Intel and AMD systems - laptop and desktop.

It could very well be a W8.1-only issue… although, I am not absolutely sure it is an issue.

Obviously I do not want to submit a Bug Report if CIS is working as intended…

What do you think?

Best Regards,

HJLBX

When submitting a bug report you will be asked to clean install CIS following Chiron's guide. An important step is to remove possible traces of previously installed security programs.

Are there other security programs running in the background that could interfere? What security programs do you have installed?

Edit. I noticed you had a bug report about the same problem in which you are working with settings that differ from the default settings. I responded there:

Maybe continue there?

My Windows OS is a clean install… always.

CIS is immediately clean installed afterwards… always.

There is no other security software installed on the system… always.

The reported issue occurs whether Cloud lookup is enabled or disabled.

Best Regards,

HJLBX