HIPS Alerts - Treat As - Allowed and Limited Applications Missing from List

In CIS 7, when I get a HIPS alert and select Treat As (to apply a pre-set HIPS rule set to the application), there are only 3 options on my system:

Installer/Updater
Windows System Application
Isolated

NOT PRESENT:

Allowed
Limited

Can someone tell me: is this by design (and a change from the CIS 7 User Guide), or is it a bug?

If it is a bug, is it a known issue?

It could be that the specific action the HIPS alert is about isn’t covered by those presets, i.e. choosing one of those presets would neither allow nor block the action.

Attached are images of the CIS 7 User’s Guide versus an Actual HIPS Alert.

The Actual HIPS alert is in response to executing an application before it has been Rated by a Rating Scan (run as Untrusted).

Notice that the Allowed and Limited Application are missing under “Treat As…”.

According to the User’s Guide these options should be available in the menu.

If it is by design, then it certainly is not obvious as to why these two options are not listed under “Treat As…”

If the action (launch another application) is dealt with (either by allow or block) by the rulesets (like Allowed Application) then those rulesets won’t be visible because choosing them would mean neither block nor allow for the action in question.

For example both Allowed Application and Limited Application have “Run an executable” set to “Ask” by default (not block nor allow) so choosing Ask as an answer to a question isn’t allowed.

Another way to say it is that if the ruleset doesn’t have any rules to deal with the action, you can’t choose it, you can only choose rulesets that have rules that deal with the action in question reported by the HIPS alert.

You can try this by getting an unknown application to do something other than launch an executable, for example it could try to get direct access to the keyboard or change a protected file; in those cases you should be able to choose Allowed Application.

Through trial-and-error I have figured out that selecting “Remember my answer” and then “Allow” will assign a Custom, as opposed to the pre-defined Allowed Application HIPS rule set. And the “Ask” before running an executable is assigned under the Custom rule set - just like the rule sets for Allowed Application and Limited Application.

Then, if I wanted or needed to change the Custom HIPS rule set to an Allowed Application rule set I can do that under HIPS Rule Sets in Advanced Settings.

I’m sorry, but I still do not see how the Allowed Application rule set does not apply.

Because that is what the HIPS alert is for - to assign a HIPS rule set.

However, Comodo removed the Allowed Application and Limited Application options under “Treat As…” in the HIPS alert box at some point after CIS v. 6, but never updated the change in the User’s Guide until version 8. Evidently, the developers made this change so that HIPS assigns a Custom rule set upon selecting Allow in the alert.

It’s this constant, never-ending rigmarole with Comodo’s products that makes for a very poor user experience.

By choosing “Remember my answer” and clicking “Allow” you’re not choosing to treat the application as an Allowed Application, you’re allowing the application to do the very exact specific thing that the HIPS alert is about, in this case to launch the very exact specific application that it says it’s trying to launch. (See point 1 in the screenshot)

Yes of course you could but doing that would clear the exclusion that was created for running an application hence if you set the application to “Allowed Application” and ran it again, you’d be alerted about the application trying to launch the application.

I’ve already explained that.

In the HIPS alert you are referring to, you are presented with the situation that application MOM.exe is trying to execute CCC.exe, this is what the whole HIPS alert is about and HIPS wants YOU to decide what should be done in this situation, the “Allowed Application” ruleset DOES NOT have any rules to deal with this, so if you were able to choose it, you’d be answering “Ask me!” when it needs a definite “Block” or “Allow” (See point 2 in screenshot)

That is why you can’t choose “Allowed Application” for that specific action because by choosing it, you wouldn’t be answering what to do with the action in the situation.

No it’s actually not, the HIPS alert is for dealing with highly specific actions that applications are trying to carry out, you do however have the option to answer these alerts by using rulesets but in order to be able to use specific rulesets they need to be able to answer the specific action at hand, if they can’t then you can’t choose it, that simple.

The “Allowed Application” and “Limited Application” rulesets are only not available when they do not have an answer to the very specific action at hand, if they do have an answer for the action in question then they will be shown and you can choose them.

For example, if my application “Test Viruscope.exe” tries to create the file “Test.exe” then I will be able to choose “Treat As” > “Allowed Application” because it has rules that can answer that. (See point 3 in screenshot)

What file does the “Treat As…” apply to in the case you use - explorer.exe or Test Viruscope.exe?

In other words, will the selected rule set be applied to explorer.exe or Test Viruscope.exe?

It applies to Test Viruscope.exe…correct? In other words, allow Test Viruscope.exe to run as either an Installer/Updater, Windows System Application, or Isolated Application.

So why not permit the assignment of an Allowed Application or Limited Application rule set?

I don’t think I ever claimed that though, if I did then I mistyped.

If I understand the quoted part correctly then yes.

I don’t understand what you mean by that part.

My point is that the rulesets are just that, a set of rules, and if a ruleset doesn’t have any rules for the specific action that an application is trying to do, you can not choose that ruleset, because it wouldn’t answer the alert, it simply wouldn’t. The alert needs an answer, either Allow or Deny, one or the other; if the ruleset neither allows nor denies it, you can’t choose it. That’s what the main issue was about, wasn’t it? Not being able to choose certain rulesets for certain alerts?

Btw, if you are in the situation where an application is trying to launch another application and you want to make it into an allowed application, you could choose to treat it as Windows System Application, it’s identical to Allowed Application BUT it allows the application to launch other applications, that’s the only difference, and that difference is the reason why you can choose it in those situations.

What file does the “Treat As…” apply to in the case you use - explorer.exe or Test Viruscope.exe?

In other words, will the selected rule set be applied to explorer.exe or Test Viruscope.exe?

It applies to Test Viruscope.exe…correct? In other words, allow Test Viruscope.exe to run as either an Installer/Updater, Windows System Application, or Isolated Application.

So why not permit the assignment of an Allowed Application or Limited Application rule set to Test Viruscope.exe?

In the case of explorer.exe it is automatically assigned an Allowed Application rule set by CIS. So selecting Remember my answer can not modify the Ask before Run an executable. Explorer.exe is always going to generate a HIPS alert when executing an Unrecognized file.

I’m sorry, it just is not clear.

It would be applied to Explorer.exe because that is the application that is trying to do the action, launching Test Viruscope.exe is the action.

So in the example where Explorer.exe tries to launch Test Viruscope.exe, when choosing an answer (Allow, Block, Treat As) the answer will be to whether or not Explorer.exe should be allowed to launch Test Viruscope.exe, so the answer must be applied to Explorer.exe because that is the application doing the behavior.

Another way to put it is, you are answering whether Explorer.exe is allowed to launch Test Viruscope.exe, not whether Test Viruscope.exe is allowed to be launched by Explorer.exe ← Hope you see the difference there and why the rules would be applied to Explorer.exe and not the action.

No, as I said above, since Explorer.exe is the application that is performing the action, the alert is about Explorer.exe trying to perform an action, and in this case it was launch Test Viruscope.exe so by choosing “Treat As > Windows System Application” you would be saying to treat Explorer.exe as Windows System Application.

As I answered above, you’re not making a rule for Test Viruscope.exe in that situation, you’re making the rule for Explorer.exe and its ability to launch Test Viruscope.exe.

The HIPS alert tells you that Explorer.exe is trying to execute Test Viruscope.exe, by alerting you it is asking “Do you want to allow or block Explorer.exe from executing Test Viruscope.exe?” and you have to answer with either “I want to Allow it!” or “I want to Block it!”, you can’t answer with “I want you to Ask me!” (Because it’s already asking you and it wants a definite answer) and because the “Allowed Application” ruleset has “Run an executable” set to “Ask” with no exclusions (Exclusions are a big part here, since you can’t change the “Run an executable” action to “Allow”, the exclusions are a list where you can add specific things to allow and specific things to block) it has ZERO rules that answer the question, it doesn’t have any rules to either allow the action or block the action, because of that you can not choose it, because it simply doesn’t answer the question that the HIPS alert is asking you.

Explorer.exe does indeed have a default ruleset, however that doesn’t mean you can’t change it. In CIS you can’t change the “Run an executable” to “Allow” for any applications or rulesets, it’s simply not allowed, what you can do is make exclusions.

For example, in the example above where Explorer.exe is trying to execute Test Viruscope.exe, if you were to tick “Remember my answer” and click “Allow” it would add an exclusion to the rules for Explorer.exe that stated it is allowed to launch the application. (See first screenshot)

Now let me prove my point about there not being a rule that deals with launching an executable for “Allowed Application” - Same scenario as above, Explorer.exe is trying to launch Test Viruscope.exe (See second screenshot) (Btw, I undid what I did for the first screenshot for this one, in case you were wondering)

OK. OK. I got it.

I apologize for the slow uptake.

Thanks for answering all my questions. You have been most generous and helpful with your expertise.
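
The selection rule explained in the replies above, modelled as an added example (not part of any post and not Comodo's code): a preset appears under “Treat As” only if it gives a definite Allow or Block for the alerted action, and “Remember my answer” adds an exclusion rather than changing the “Ask” default. The `RuleSet` class, the `FILE` label and every preset value not stated in the thread are assumptions made for illustration.

```python
from dataclasses import dataclass, field

ALLOW, BLOCK, ASK = "Allow", "Block", "Ask"
RUN = "Run an executable"            # access name as quoted in the thread
FILE = "Create/modify a file"        # constructed label for the file-creation case

@dataclass
class RuleSet:
    name: str
    defaults: dict                                   # action -> Allow / Block / Ask
    exclusions: dict = field(default_factory=dict)   # (action, target) -> Allow / Block

    def verdict(self, action, target):
        # An exclusion for this exact target wins; otherwise the action's default.
        return self.exclusions.get((action, target), self.defaults.get(action, ASK))

    def remember(self, action, target, answer):
        # "Remember my answer": adds an exclusion, the default itself stays "Ask".
        self.exclusions[(action, target)] = answer

def build_presets():
    # RUN values for Allowed/Limited/Windows System Application follow the thread;
    # every other value is an assumed placeholder.
    return [
        RuleSet("Installer/Updater", {RUN: ALLOW, FILE: ALLOW}),
        RuleSet("Windows System Application", {RUN: ALLOW, FILE: ALLOW}),
        RuleSet("Isolated", {RUN: BLOCK, FILE: BLOCK}),
        RuleSet("Allowed Application", {RUN: ASK, FILE: ALLOW}),
        RuleSet("Limited Application", {RUN: ASK, FILE: BLOCK}),
    ]

def treat_as_options(presets, action, target):
    # A preset is offered only if it gives a definite Allow or Block for this alert.
    return [p.name for p in presets if p.verdict(action, target) != ASK]

def demo():
    presets = build_presets()
    run_opts = treat_as_options(presets, RUN, "CCC.exe")
    file_opts = treat_as_options(presets, FILE, "Test.exe")
    custom = RuleSet("Custom", {RUN: ASK})            # what "Remember" + "Allow" builds
    custom.remember(RUN, "Test Viruscope.exe", ALLOW)
    remembered = custom.verdict(RUN, "Test Viruscope.exe")
    other = custom.verdict(RUN, "Other.exe")
    # Switching to the Allowed Application preset drops the exclusion again.
    switched = presets[3].verdict(RUN, "Test Viruscope.exe")
    return run_opts, file_opts, remembered, other, switched

if __name__ == "__main__":
    for item in demo():
        print(item)
```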