Getting HIPS alerts for allowed file groups


I am not sure about anyone else, but the Defense+ system seems to be quite buggy. Please tell me what is happening here, see attachment. As you can see, the Cygwin file group includes …/bash.exe as an allowed application, but I am still getting a HIPS alert regardless, which I opted to treat as a Windows Application. Am I missing something in regard to the File Rating system? Does it work?

CIS Ver.
Windows 10 build 1511

[attachment deleted by admin]

Where is the file “base.exe” located? Can you give us the full file path or a screenshot of the alert?

You mean bash.exe, and it’s located here: C:\cygwin\base\bin\bash.exe. I specifically clicked on browse and selected the file by hand when I added it to the Cygwin file group. The first rule is the same path as listed in the Cygwin file group in my first post. Additionally, C:\cygwin\base* is listed in the Cygwin file group, but I got an alert for C:\cygwin\base\Cygwin.bat regardless. Are rules like C:\cygwin\base* recursive? The requested image is attached.

[attachment deleted by admin]

Here is another attachment.

[attachment deleted by admin]

The allowed application ruleset allows everything except running an executable. You can change ask to allow in the ruleset by double-clicking your rule in the HIPS settings, changing it to “Use a custom ruleset”, then clicking ask and changing it to allow.

Hope that helps

[attachment deleted by admin]

Thanks for pointing that out, but it did not quite help, see attachment. There is no allow option, unfortunately.

[attachment deleted by admin]

I noticed there was a modify option for ‘Run an executable’ and added the Cygwin file group to the Allowed Files/Folders, to no avail. I still get an alert requesting permission for bash.exe to execute another command, which then leads on to a parade of alerts. See attachment.

[attachment deleted by admin]

Hmm… I think the only option would be to change from the allowed ruleset to the installer/updater ruleset. This will allow bash.exe to do anything it wants, so make sure you trust it completely.

Should this be reported as a bug?

I don’t think it’s necessary. I think that is the only difference between the installer/updater ruleset and the allowed ruleset.

Just set the ruleset from allowed application to windows system application, as allowed application will still ask for run an executable, but windows system application will allow all run an executable.

Both Installer/Updater and Windows System Application policies allow an executable to start other executables without asking.