Interesting facts (or bugs).
I removed the Company entry from the “Vendor List” and checked the files on the “UNRECOGNIZED FILES” again. All 4 files are still there (so still in unrecognized state) and all 4 files now have their Company name cleared (2 files had a Company name set, the other 2 files had not).
Next, I removed 1 of the 4 files from the “UNRECOGNIZED FILES” and executed the removed file again. Then I checked “UNRECOGNIZED FILES” again. Now here comes the odd part: the number on the right side of “UNRECOGNIZED FILES” is still 4, but opening “UNRECOGNIZED FILES” only shows 3 unrecognized files. The file that I removed and executed again is on the File List and has Trusted state (like it had on 07-apr).
Now, when opening “View Logs” → “File List Changes” there is no log entry about the file removal, nor a log entry about an Old/New Rating change, nor a log entry about the addition of the file after it got executed again.
When opening “View Logs” → “Vendor List Changes” there is a log entry about the Company (Vendor) removal and a log entry about the addition of the same Company again as a result of the file execution; the rating of the Company is again Unrecognized.
So the above in short:
- Vendor removed from Vendor List.
- 1 file removed from File List.
- Executed the same file again.
- Executed file got rated Trusted.
- No logs about File List Changes.
- Vendor got added to the Vendor List because of file execution.
- Vendor got rated unrecognized.
- Logs about Vendor List Changes.
- CIS window shows 4 “UNRECOGNIZED FILES” but only 3 files are listed when clicking on it (the 4th file is rated Trusted).
Next I removed the Vendor again from the Vendor List. Now, interestingly:
- CIS window shows 3 “UNRECOGNIZED FILES” which is correct.
Next I executed the file again and, interestingly:
- CIS window still shows 3 “UNRECOGNIZED FILES” which is correct.
- However the Vendor isn’t added to the Vendor List anymore, not even after executing the file multiple times.
In order to try to bring back the Vendor on the list I did the following:
- Removed the file (application) from the HIPS rules list.
- Executed the file again.
- Result: no Vendor added to the Vendor list.
- And really weird too, there is no new application HIPS Rule either (remember that I have “Create rules for safe applications” set to on). The file now runs without a HIPS rule in place???
In order to try to let HIPS create a new file application rule I did the following:
- Removed the file (with rating Trusted) from the File List.
- Executed the file again.
- Result: no new HIPS rule and still no Vendor added to the Vendor List.
Something is going out of sync here.
Question: What do I have to do to bring back the Vendor on the Vendor List and to bring back the auto created HIPS application rule for the file?
The Vendor got added to the Vendor List again automatically after some very long delay.
However, HIPS still doesn’t create a new application rule for the file, and a reboot was also to no avail.
How do I bring back the auto-created HIPS rule for the file?
HIPS rule is back too.
Apparently just executing and closing the application (the removed file) isn’t enough to trigger HIPS to create a new rule. After executing the application and doing some stuff with it, HIPS created a new rule for it.
Anyhow, with the Vendor on the Vendor List again as Unrecognized and the removed file back on the File List as Trusted again, I’ll keep an eye on it to see if it becomes Unrecognized again after a while.