HIPS allows Notepad in Unrecognized state

Application under test: “C:\Windows\System32\Notepad.exe”

Having set and done:

  • “HIPS->HIPS Settings->Enable HIPS” ticked (enabled) in “Safe Mode”
  • “File Rating->File Rating Settings->Enable Cloud Lookup” unticked (disabled).
  • “Containment->Auto-Containment->Enable Auto-Containment” unticked (disabled).
  • “HIPS->HIPS Rules” deleted application rules (if any) for “C:\Windows\System32\Notepad.exe”.
  • “File Rating->File List” changed “C:\Windows\System32\Notepad.exe” rating to “Unrecognized”.

Now when running notepad HIPS still allows everything (read and write a file), no HIPS popup Alerts are shown.

Why is that?

Yes it is enabled.
However notepad is (still) rated as Unrecognized in File List and HIPS still allows it to run.

I have just noticed notepad.exe is not digitally signed. Not sure then.

Signed or unsigned, in my opinion that shouldn’t matter. But if it does then this is a serious security leak.

Well no.

‘Rate applications according to their vendor rating’ is you telling Comodo to trust them if they are unknown.

If you don’t want it to do this then you can uncheck it.

However, as I have said, notepad.exe does not have a digital signature anyway, so therefore I am not sure that this applies and not sure the reason for it being allowed to run.

It’s possible legitimate Windows components (file hashes) are permanently trusted to prevent windows from breaking. Just a guess.

I was not clear in my answer sorry for that, I referred to my findings in the first post. Whether a file is signed or unsigned when it is set to Unrecognized state then HIPS should popup Alerts. I think that’s how I understand the help manual.

Now I tried this also:

  • “File Rating->File Rating Settings->Rate applications according to their vendor rating” unticked (disabled).
  • “File Rating->File Rating Settings->Trust files installed by trusted installers” unticked (disabled).
  • Applied all the “have set and done” of the first post once more.

And yet notepad is still allowed to read and write files without any HIPS interference.

I would like to get a clear explanation why notepad (and maybe also other applications) in unrecognized state are allowed to do everything by HIPS.

It is still a serious security leak to me.

You know it really could just be Comodo having an internal whitelist for known Windows applications.

I would like to know too though :stuck_out_tongue:

If that is true then I can no longer trust Comodo . . .

Waiting for an answer . . .

Well if they just whitelist known Windows files, then unless you don’t trust Windows, I see no issue with it.

Oh and by the way, if this is the case, then you just enable paranoid mode in HIPS, then it will prompt you for ‘unrecognised’ files anyway.

Again though, would also like to know.

“HIPS in Paranoid mode” or “HIPS in Safe mode with Unrecognized files” works in the same way, meaning HIPS popup Alerts for everything an application tries to do.

Have you tried running notepad with the above settings but changing it to paranoid mode?

By design, MS-signed executables have been hardcoded as trusted since v12. Also, notepad is signed using a security catalog; you can verify this with the sigcheck -i command.

  :\windows\system32\notepad.exe:
    Verified:     Signed
    Link date:    2:00 PM 3/25/2016
    Signing date: 5:28 AM 4/25/2016
    Catalog:      C:\Windows\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_299_for_KB3125574~31bf3856ad364e35~amd64~~
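The reason the Properties dialog shows nothing while sigcheck -i reports notepad.exe as signed is structural: Explorer only shows a "Digital Signatures" tab when the PE's Security data directory points at an embedded certificate table, and catalog-signed Windows binaries leave that directory empty. The script below is an added example, not code from any poster or from Comodo; it reads that directory (and the WIN_CERTIFICATE headers it points at) and reports whether an embedded Authenticode blob exists. It does not verify any signature cryptographically and cannot see catalog signatures, which is exactly why sigcheck -i is still needed. All function names are my own, and the sample PE it builds is a constructed header-only image, not a real binary.

```python
"""Report whether a PE carries an embedded Authenticode certificate table.

Added example. Parses only the headers: it tells you why Properties shows no
signature for a catalog-signed file, it does NOT validate signatures.
"""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4      # index of the certificate table directory
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode PKCS#7 SignedData


def embedded_authenticode_info(data: bytes) -> dict:
    """Return the Security directory as {'offset', 'size', 'present'}.

    Unlike other data directories, the Security entry is a raw file offset,
    not an RVA. Raises ValueError for non-PE input."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                 # IMAGE_FILE_HEADER starts after "PE\0\0"
    opt = coff + 20                     # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        num_rva_off, dd_off = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:
        num_rva_off, dd_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    number_of_rva_and_sizes = struct.unpack_from("<I", data, num_rva_off)[0]
    if number_of_rva_and_sizes <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return {"offset": 0, "size": 0, "present": False}
    entry = dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    off, size = struct.unpack_from("<II", data, entry)
    return {"offset": off, "size": size, "present": off != 0 and size != 0}


def certificate_entries(data: bytes) -> list:
    """Walk the WIN_CERTIFICATE entries (dwLength, wRevision, wCertificateType)
    in the table; entries are padded to 8-byte boundaries."""
    info = embedded_authenticode_info(data)
    entries = []
    pos, end = info["offset"], info["offset"] + info["size"]
    while info["present"] and pos + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", data, pos)
        if length < 8 or pos + length > len(data):
            raise ValueError("malformed WIN_CERTIFICATE entry")
        entries.append({"revision": revision, "type": cert_type, "length": length})
        pos += (length + 7) & ~7
    return entries


def describe(data: bytes) -> str:
    """Human-readable verdict about embedded (not catalog) signing."""
    entries = certificate_entries(data)
    if not entries:
        return ("no embedded Authenticode signature: Properties shows no Digital "
                "Signatures tab; the file may still be catalog-signed, check sigcheck -i")
    kinds = ", ".join("PKCS#7 SignedData" if e["type"] == WIN_CERT_TYPE_PKCS_SIGNED_DATA
                      else f"type 0x{e['type']:04x}" for e in entries)
    return f"embedded certificate table, entry count={len(entries)} ({kinds})"


def fake_cert_blob(payload: bytes) -> bytes:
    """Constructed WIN_CERTIFICATE entry wrapping an arbitrary (non-PKCS#7) payload."""
    return struct.pack("<IHH", 8 + len(payload), WIN_CERT_REVISION_2_0,
                       WIN_CERT_TYPE_PKCS_SIGNED_DATA) + payload


def build_minimal_pe(cert_blob: bytes = b"") -> bytes:
    """Constructed sample: PE32+ headers only, 16 data directories, optionally
    followed by a certificate table that the Security directory points at."""
    opt = bytearray(112 + 16 * 8)
    header_len = 0x40 + 4 + 20 + len(opt)   # DOS hdr + "PE\0\0" + COFF + optional
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, 16)    # NumberOfRvaAndSizes
    if cert_blob:
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         header_len, len(cert_blob))
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), 0x22)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert_blob


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                    # e.g. C:\Windows\System32\notepad.exe
        with open(sys.argv[1], "rb") as f:
            print(sys.argv[1] + ": " + describe(f.read()))
    else:
        print("constructed PE, no cert table: " + describe(build_minimal_pe()))
        print("constructed PE, embedded blob:  "
              + describe(build_minimal_pe(fake_cert_blob(b"\x30\x82\x00\x00"))))
```

Run it against a real System32 binary to see the "no embedded Authenticode signature" verdict for catalog-signed files; a file that shows a Digital Signatures tab in Properties will instead report an embedded PKCS#7 SignedData entry. Either way the cryptographic check (and the catalog lookup) remains sigcheck's job.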

Notepad is actually signed. You can check with Sysinternals sigcheck. See attached image.

Traditionally Microsoft signed their applications, but the signature did not show in the Properties of the files, and that’s why you need to use Sigcheck. On a side note, Sigcheck shows that it is signed but that one of the timestamps has expired. Looks like this slipped through the cracks at Microsoft. :wink:

I have been playing around with your settings and as far as my insights go CIS seems to always trust executables digitally signed by Comodo and Microsoft. With other applications you will get notified.

Futuretech beat me to this.

If memory serves me right, it is done to prevent inexperienced users from bricking their systems when they make Microsoft and CIS untrusted. CIS is the nanny of program behavior and not the nanny of user behavior. CIS allows the user to wipe Windows system files but won’t allow the same to an unknown executable.

So I see no real security risk. The protection CIS (preferably with the Proactive Security configuration) delivers to itself and the system at large is very, very strong.

@CISfan, why do you think there is a security risk?

Now this is getting confusing . . .

On @ReeceN request, I tried running notepad with above settings but now with HIPS in paranoid mode. In this mode I get notepad HIPS popup Alerts . . .

Why make a difference in functionality between “HIPS in Paranoid mode” and “HIPS in Safe mode with Unrecognized files”? That I don’t understand!

Furthermore, how can one tell whether an application is hardcoded to always run trusted (even when set to unrecognized state) in Safe Mode or not hardcoded to run trusted in Safe mode?
How is this visible to the user???

Can you confirm that this hardcoding is limited to Microsoft and Comodo files only?

As for the security question, suppose notepad gets injected with zero-day malicious code and it is then run in Safe mode what would happen then?

It is not clear from the UI that signed Comodo and Microsoft executables are hard coded to be trusted.

In Paranoid Mode CIS does not use the white list and is for the very experienced users only; you truly are on your own. The difference between Paranoid and the stripped Safe Mode that you are testing with is that in Safe Mode signed Comodo and Microsoft executables are always seen as safe to protect inexperienced users.

If Notepad.exe is compromised (.exe files are protected executables), it means that your system is compromised and CIS was bypassed. If you find malware capable of bypassing it, please report it to allow Comodo to assess and fix it.

CIS brings a lot of protection covering a lot of attack vectors, but over time new attack vectors may arise, which is why Comodo is always interested to learn when CIS gets circumvented.

Very interesting stuff guys.

Yeah figured it might have been.

As for EricJH’s point regarding bricking a system. Yeah I mean look, security is always a balance between security and usability.

The strongest security is not using the system.

As this is not reasonable, there always needs to be a balance.

You could decide to not trust Windows if you wanted, but again, that option is already there for you with Paranoid Mode.

It’s up to you if you want the level of protection of trusting windows executable or not trusting and dealing with the popups and your own configuration.

The options are already there, it’s up to you how you want to set it up.

Because this hard coding is not mentioned in the help manual it even gets experienced users totally confused because things do not work as expected.

Is there a way to switch this stripped Safe mode off for the experienced user to go back to the (used to) normal Safe mode?
Or should it be added to the Wish-list and vote for it to bring it back to Safe mode pre V12?

Also, do the whitelisted Microsoft executables only belong to the OS, or also to non-OS executables like Word, Excel etc.?
Is this white list published or available somewhere?
Or is it perhaps in some sort of readable form in one of the installed CIS files on the system?

As an aside . . . Notepad in Win10 2004 is Signed and up to date

Please submit this a bug with the Help file.

Is there a way to switch this stripped Safe mode off for the experienced user to go back to the (used to) normal Safe mode? Or should it be added to the Wish-list and vote for it to bring it back to Safe mode pre V12?
With the stripped Safe Mode I referred to the settings as you were testing.

You are free to make a wish to change Safe Mode to how it was without Comodo and Microsoft being trusted hard coded but I would not vote for this wish.

Also, do the white listed Microsoft executables only belong to OS's or also to non-OS executables like Word, Excel etc.? Is this white list published or available somewhere? Or is it perhaps in some sort of readable form in one of the installed CIS files on the system?
It extends to Office from what I have seen, so probably also to the Edge browser. The white list with the permanently whitelisted certificates for Comodo and Microsoft is not available anywhere for inspection that I know of.

That’s interestingly odd because my screenshot was also showing Notepad in 2004. ???

Edit: I booted to 2004 and have the following version numbers:
Windows 10 2004 (build 19041.329)
Notepad.exe (version 10.0.19041.117)

The settings that I showed in the first post are not (Safe mode excluded) the settings that I normally use.
Safe mode is and always was my preferred mode. I had to switch everything else off to exclude any possibility for HIPS to allow notepad running and to prove this notepad “HIPS in Safe mode with Unrecognized files” bug.

I found out about this bug when I added a text file to “HIPS->Protected Objects->Protected Files” (hence my question in the Help HIPS section) and as a test I used notepad to try this protected file setting but it didn’t work at all. Notepad was always allowed (even in Unrecognized state) to read and write to the protected file, now I know the reason why. A really nice not working feature for Microsoft executables. Probably none of the HIPS Protected Objects will ever work on Microsoft executables because of this trusted hard coding, very nice.
I don’t think I’m going to test that all, I don’t feel like it anymore also because I already found too many other issues.

When new hidden features like this hard coding are implemented, why not make it public instead of letting the user struggle with it?

In order to continue my Comodo CIS journey I would like to know how this hard coding can be switched off by means of a hidden command line switch added to CIS startup.