HIPS custom ruleset difference between File Rating Trusted and Unrecognized

Hello

I’m running CIS premium (Firewall only, no CIS AV) V12.0.0.6882 on Windows 7 with all MS updates.

I have a question about HIPS custom ruleset generation as follows.

To start with, HIPS has the following settings:

“HIPS->HIPS Settings->Enable HIPS” = Enabled (Safe Mode)
“HIPS->HIPS Settings->Do not show popup alerts” = Disabled
“HIPS->HIPS Settings->Set popup alerts to verbose mode” = Enabled
“HIPS->HIPS Settings->Create rules for safe applications” = Enabled

Below “” means just a regular trusted test-application on the system which is rated as Trusted by CIS per default.
So “” can be anything just for test purpose, like a browser.

Now for test case 1:

Delete (if present) the HIPS custom ruleset “HIPS->HIPS Rules->Application->” to let HIPS generate a new custom ruleset for .

  1. Set “File Rating->File List->Rating->” to Trusted
  2. Start the “” and let HIPS create a custom ruleset for this application (allow all HIPS alerts) and then just close the application.
  3. Now double click on “HIPS->HIPS Rules->Application->” to view the custom ruleset “Access Rights” and notice for all “Access Name” entries the “Exclusions” “Modify (x\y)” as recorded by HIPS.

Now for test case 2:

First delete the HIPS custom ruleset generated by test case 1 “HIPS->HIPS Rules->Application->” to let HIPS generate a new custom ruleset for .

  1. Set “File Rating->File List->Rating->” to Unrecognized
  2. Do the same as in test case 1 point 2)
  3. Do the same as in test case 1 point 3)

Now what I observe is that the custom ruleset for test case 2 point 3) contains a lot more HIPS access information when running than for test case 1 point 3).
I would expect that when “HIPS->HIPS Settings->Create rules for safe applications” is enabled, it would not matter whether the “” is rated as Trusted or Unrecognized for HIPS to generate the same custom ruleset.
Should HIPS not create the same custom ruleset for both test cases? Or am I missing something here?

Thank you.

Yes, this has been like this since forever: with auto-created rules, whether by using training mode or create rules for trusted applications, the allowed rules are not as specific as they are when you answer the HIPS alert with verbose mode enabled.

Ok, it’s by design, I understand.

So if one would like to know the full specific HIPS access details for a trusted application then its file rating should be set to Unrecognized and the corresponding HIPS Rule for that application should be deleted in order to let HIPS create a new rule by answering all HIPS popup Alerts.

Thanks for your explanation.