Growing tempscrpt folder -- don't know why

Hi, I am running Comodo Firewall 11.0.0.6710, on Win 10 pro x64 1809.
I installed Comodo after running what Windows calls a “Reset” of the OS.
I then ran some safe powershell scripts that tweak Windows Defender settings, such as turning on PUA protection and stuff like that.
They were not blocked, but they are populating the tempscrpt folder.
I am puzzled by this behavior: if they are not blocked, why do they land in the script folder? Is this expected behavior?

Here’s an example:
file name: C_powershell.exe_8E86DBDACAFE18998DC112A68A0F5B8FB5ACA1B4

contents of file:
-NonInteractive -WindowStyle hidden -command Add-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -AttackSurfaceReductionRules_Actions Enabled

I am running CFW in Proactive mode, with HIPS disabled.

As a followup, I opened Powershell console and ran a simple command:
PS C:\Program Files\Microsoft Office\root\Office16> .\winword
MS Word launched. Comodo did not block it, and no file was created in the script folder.

In short, I don’t think that embedded code protection is working exactly as expected.
Maybe some of you experienced Comodo testers could check it out and see if you agree with me.

Slightly off-topic, but firewall is blocking a Windows Defender process and other Windows files such as dashost.exe.

It’s been a few weeks since I posted, and there is no response. :frowning:

As been said many times before, CIS will always create script files out of anything that tries to execute commands passed to certain applications, those applications being set to having embedded-code detection enabled.

Because you are not running a command, you’re just specifying the application to open which is no different than opening a command prompt and typing out the name of an executable in the current working directory.

Please tell me if this is correct:
There will be a block (or alert) if cmd.exe is executed, with a command line, by another process. But if cmd.exe is the executor of a command, it will not trigger a block or alert, unless cmd passes a command to another process.
I am just trying to define the behavior…

Commands that are issued onto the command line are turned into files, these files are then checked using comodo fls by using its hash. If they are rated as anything other than trusted, then they get blocked like all other non-trusted files.