HIPS Protected Objects read-only access not working

Steps to replicate:

(The files used below only act as an example to demonstrate the bug; the bug is general.)

1) Use notepad and create a text file with some random text and save it as “C:\Users\<username>\hello.txt”
2) Add file “C:\Users\<username>\hello.txt” to “HIPS->Protected Objects->Protected Files”
3) Add file “C:\Users\<username>\hello.txt” to “HIPS->Protected Objects->Protected Data”
4) Run notepad again, open “C:\Users\<username>\hello.txt” and make some changes to the text (do not save yet).

Now, according to the help files (see link below), notepad should not be allowed (even if it is trusted) to make changes to the text file.

5) Now save the modified text in notepad.

Unexpected result: Saving is allowed.

Expected result: Saving is not allowed.

All is done according to the 6th bullet from the top of the help file:

Items in ‘Protected Data’ cannot be seen, accessed or modified by applications running in the container
Items in ‘Protected Files’ can be read by any program, but not modified by them. This contrasts to items in ‘Protected Data’, which are totally hidden to contained programs.
If you want to totally conceal an item from contained programs, but allow read/write access to trusted programs, then add it to ‘Protected Data’.
You can add the same item to both areas. This means trusted programs have read-only access to the file, and contained programs have no access rights.

I was referring to that part, that’s why I reported it as a bug.
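As an added check for the reproduction steps above (this script is not from the thread or from Comodo): it reads the protected file, then attempts to modify it from the current process, and reports which of the two succeeded. It assumes the same file as the steps (hello.txt in the user profile) and that the file has already been added to HIPS -> Protected Objects -> Protected Files; since powershell.exe is itself a trusted, uncontained application, the write result shows exactly what trusted applications are allowed to do under the current HIPS mode.

```powershell
# Added example: verify whether a HIPS "Protected Files" entry is read-only
# for the current (trusted, uncontained) process.
param(
    # Assumption: the file created in step 1 of the reproduction steps.
    [string]$Path = "$env:USERPROFILE\hello.txt"
)

function Test-ProtectedFileAccess {
    param([Parameter(Mandatory)][string]$Path)

    $result = [ordered]@{ Path = $Path; ReadAllowed = $false; WriteAllowed = $false }

    # Reading must succeed: Protected Files only restricts modification.
    try {
        $original = [System.IO.File]::ReadAllText($Path)
        $result.ReadAllowed = $true
    } catch {
        $result.ReadError = $_.Exception.Message
        return [pscustomobject]$result
    }

    # Attempt a modification the same way an editor does: open for write and
    # overwrite the content. The marker makes the change easy to detect.
    $marker = "HIPS write test $(Get-Date -Format o)"
    try {
        [System.IO.File]::WriteAllText($Path, $original + [Environment]::NewLine + $marker)
        # Do not trust the absence of an exception alone: re-read the file and
        # confirm the content really changed before calling the write "allowed".
        $after = [System.IO.File]::ReadAllText($Path)
        $result.WriteAllowed = $after.Contains($marker)
        if ($result.WriteAllowed) {
            # Restore the original content so the check leaves no residue.
            [System.IO.File]::WriteAllText($Path, $original)
        }
    } catch {
        $result.WriteError = $_.Exception.Message
    }

    [pscustomobject]$result
}

$r = Test-ProtectedFileAccess -Path $Path
$r | Format-List
if ($r.ReadAllowed -and -not $r.WriteAllowed) {
    "Read-only access is being enforced for this process (the expected result)."
} else {
    "Read-only access is NOT being enforced for this process (the unexpected result)."
}
```

Run it once with HIPS in Safe mode and once after adding an explicit HIPS rule (or switching to Paranoid mode) to see the difference in the WriteAllowed field.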

Protected files/folders is only for preventing write access full stop, protected data is to prevent all access for contained applications only, blocked files prevents all access for all applications regardless of file rating and if running contained or non-contained. Having the same items listed in both protected files and protected data doesn’t change anything, so that part of the help is wrong and did not need to be stated.

I’m not sure why that was added, as the way it is worded makes no sense; if anything, it doesn’t even need to be stated in the first place. If you want read-only access for any non-contained application, you need to make the necessary HIPS rule to block access to that file/folder, as long as the file/folder is defined under the protected files section.

Thanks for the feedback, unfortunately the help files are again confusing, anyhow…

If I add my files/folders to “HIPS->Protected Objects->Protected Files” only (so not to “HIPS->Protected Objects->Protected Data”) I still don’t get read-only access to my files/folders for trusted applications instantly.

What I want is a general way of defining my own read-only files/folders (and other read-only objects) that applies instantly to all trusted, and of course to not trusted, applications when they run uncontained (running contained is no issue).

Then you add them to the blocked files/folders of the “All Applications” file group HIPS rule. When you add items to protected files they do instantly go into read-only mode; it’s just that in Safe mode trusted applications are allowed write access as well. If you use Paranoid mode, then you will get alerted any time an application attempts to modify the file. HIPS rules with the action set to allow/block, or with exclusions defined for an access right, will override the HIPS mode and file rating.

Trying this one out first, some quick questions…

Regarding the HIPS “All Applications” file group rule:

  • Move it to Top or Bottom of the list (note that there might exist custom applications rules in the list)?
  • What Ruleset (“Copy from” pulldown) to use to start with (Please note the above note too)?
  • Any pitfalls to think of?

Rules are processed from top to bottom so I really wouldn’t move it above the Windows system applications, Windows updater applications, or CIS file groups. Other than that you should be fine, if you have custom rules for other applications, then leave those at the top and just edit them individually to add the blocked files/folders.

That’s what I really would like to prevent, having to go through the already defined custom rules.
Also when more rules are added automatically or manually I think this method is hard to manage and too cumbersome.
It also takes too much time to keep track of the HIPS list and check if the “All Applications” rule is still on its correct spot in the list.
I don’t think this is going to be a workable option.

With respect to HIPS Paranoid mode, I’m just not paranoid enough to start answering all and each and every HIPS popup alert for all and each and every application.
Please spare me this HIPS paranoid mode, it’s unworkable.

According to bullets 1 to 5 at the top of the help file:

“Protected Files” should work as described there.
However, it does not work as described with HIPS in Safe mode. Furthermore, it is not stated that HIPS must be placed in Paranoid mode for “Protected Files” to work.

Can this thread be placed back to the bug section please?

I would like to get an update when this topic is going to be moved to the bug section where it belongs.

Thank you.

It is not a bug as it is working as intended; the help documentation is not 100% correct and implies default settings. Again, protected files is for protecting them from modification by non-trusted applications. If you want to control trusted applications, then you must use either Paranoid mode or create HIPS rules for those trusted applications.

Let me remind you what’s been written in the help files: Protected Files, PC Files, Folders Protection From Malicious Software | COMODO

Protected Files

Click ‘Settings’ > ‘HIPS’ > ‘Protected Objects’ > ‘Protected Files’

  • The protected files screen shows file groups to which other processes have read-only access. Programs on your computer can read the items in here, but cannot modify them.
  • This prevents malicious programs from modifying important personal or system data.
  • A good example of a file that ought to be protected is your ‘hosts’ file (c:/windows/system32/drivers/etc/hosts). This will allow web browsers to use the file as normal, but block any attempts to modify it.
  • You could also use this feature to safeguard valuable files (spreadsheets, databases, documents) against accidental or deliberate sabotage.
  • You can create exceptions should you want to grant write privileges to specific applications. See Exceptions for more details.

All the above written specifications have been in the help files for all CIS versions V12, V11, V10, V8, V6, V5, …
So all these help files are not 100% correct over time and users and customers cannot rely on what is written in them and have to consult the forum for the mismatches, am I correct?

If you wish to lose a potential paying customer then say yes; otherwise please fix this bug and move it back to the bug section.

Kind Regards.

So all these help files are not 100% correct over time and users and customers cannot rely on what is written in them and have to consult the forum for the mismatches, am I correct?
Unfortunately yes, as the help documentation, just like CIS, needs a serious rewrite from scratch; there are other instances where it is either flat out wrong or omits crucial information. For example, the silent mode section does not tell you that it creates auto-allow HIPS rules for unknown applications when in silent mode, the same as it does for firewall application rules. Well, in the past it did; now, due to either a bug or a design change, the firewall silently blocks connection requests and does not indicate that it blocked a connection in the firewall event logs when you enable silent mode. Another example would be the detect shellcode injections feature: CIS no longer detects shellcode injections, and the last version in which it did work was 3.14.

I praise you for your honesty and sincerity and for confirming that CIS is full of bugs, even more bugs than we all know of.
Thank you for selling some hot air in the help files and in CIS itself for all these decades, nice business model Comodo.
Also thanks for informing me not to buy it.

Hello CISfan,

Thank you for reporting. I have informed the team and they are checking in that.
Have a nice day.

Hi.

When adding a file or directory into HIPS ‘Protected Files’ I am still able to edit the file with any application I choose. I have not whitelisted these applications.

CIS 12.2.2.7.0.36, Windows 10 2004. I have tried installing CIS.

Kind regards,

Reece

Protected Files is working…
If that happens, the problem is in the installation (a reinstall or clean install can solve it).

Hi Liosant.

Thanks.

I have already tried reinstalling.