HIPS not blocking unrecognized file?

I installed CFW (without AV) and left it in the default Firewall config.
I ran an unsigned exe file with a file rating of “unknown”:
C:\DBS\TaklitorTorani.exe
It launched without producing a HIPS prompt. I launched it by clicking on a Windows 10 task bar shortcut.
Is this expected behavior?
In this setup, I am seeing some unknowns that generate HIPS prompts, and others that do not. Can’t figure it out. ???

Please share the SHA-1 of the file, and also export your configuration and share it with us.

BFB0AD7A48683CB1C97968865E003618339237ED

Thanks,
the team will check.

Hello, shmu26.

Thank you for reporting.
We have checked the issue and it was reproduced in our environment. It looks like the issue is reproduced in FW standalone, but absent in CIS 10.1.0.6476. We have created a bug. You can check its status via e-mail.

Kind Regards,
Sergey.

Thanks.
Just wanted to mention that this issue does not affect autocontainment, only HIPS, as far as I can tell.
The autocontainment behaves as expected.

Hi, shmu26.

We have rechecked the issue on Windows 10 with Firewall standalone 10.1.0.64.76 installed, and it wasn’t reproduced. Before, we checked it on Windows 7, but there wasn’t an alarm because the mentioned file does not crash (werfault.exe) in Win7, thus werfault does not launch at all. But it is not reproduced on Windows 10 with your config:

https://is.gd/btk7fL

Kind Regards,
Sergey.

I just checked again on Windows 10 x64 1709.
The issue is still there, with the same file. Autocontainment catches it, but HIPS misses it.
I tested on CFW proactive config (without AV component).

If it is the same file, then it is trusted (Advanced File Analysis System | Valkyrie).
Did you override file rating to unrecognized in the file list?

Also, when you first reported the issue using the firewall config, Windows Explorer is set to use the Windows system applications HIPS ruleset, which allows it to execute any file without alerting.

Yes, I noticed that my beloved program got whitelisted. :) I manually set it to unrecognized, to see what would happen.

OK, then yes, a bug currently exists with HIPS not seeing the updated rating from trusted to unrecognized when changed by the user in the file list. It will be fixed in an upcoming release.