HIPS Rules - Multiple equal application entries in Allowed Files/Folders

I’m using a virtual file partition which is manually mounted as Z: and on which I run an application. The virtual file partition is not mounted at or during boot time; it is mounted manually whenever I need it.

When the virtual file partition is mounted and I start the application on it for the first time after a reboot, then most of the time HIPS pops up an Alert asking me if explorer.exe is allowed to run that application. When I answer the HIPS Alert with Allow and tick Remember, the application starts, and as long as I’m logged in it stays this way and HIPS doesn’t ask me again when I restart the application.

Now, when I reboot the system, the above mostly happens again, so I have to answer the same HIPS Alert again.

When I open up HIPS Rules “explorer.exe → Custom Ruleset → Run an executable → Allowed files/folders” I see multiple equal application entries pointing to the same application on the mounted virtual file partition Z:

Questions are:

Why doesn’t HIPS, after a reboot, recognize the other valid equal application entries listed in “Allowed files/folders” to allow the application to run?
Also, why does it add another equal application entry when there is already one listed?
Is there a fix to this behavior when applications are started as described above?

Because CIS uses device object paths instead of standard file paths, your mounted volume \Device\HarddiskVolumeX changes every time you mount and un-mount it during the same Windows session, and the number will increase after each mount operation, e.g. \Device\HarddiskVolume3, \Device\HarddiskVolume4, etc.
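The mapping described in the reply above can be inspected directly. This is an added example, not part of the thread and not Comodo's code: it resolves a drive letter to its current device object path with the Win32 QueryDosDevice API and checks hand-copied rule entries against it. The function names, the path `Z:\Apps\app.exe` and the rule list are constructed for illustration.

```powershell
# Expose kernel32!QueryDosDevice, which maps "Z:" to its NT device object path.
Add-Type -Namespace Win32 -Name Dos -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint QueryDosDevice(string lpDeviceName,
    System.Text.StringBuilder lpTargetPath, uint ucchMax);
'@

function Get-DeviceObjectPath {
    param([Parameter(Mandatory)][ValidatePattern('^[A-Za-z]:?$')][string]$Drive)
    $name = $Drive.Substring(0, 1).ToUpper() + ':'   # API expects "Z:" with no trailing backslash
    $buf  = New-Object System.Text.StringBuilder 1024
    $len  = [Win32.Dos]::QueryDosDevice($name, $buf, [uint32]$buf.Capacity)
    if ($len -eq 0) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "QueryDosDevice failed for $name (Win32 error $err); is the volume mounted?"
    }
    $buf.ToString()   # first entry of the returned multi-string
}

function Convert-ToDevicePath {
    param([Parameter(Mandatory)][string]$Path)
    if ($Path -notmatch '^([A-Za-z]):\\(.*)$') { throw "Not a drive-letter path: $Path" }
    (Get-DeviceObjectPath $Matches[1]) + '\' + $Matches[2]
}

# Constructed sample data: entries as they might be copied by hand from
# "Allowed files/folders". Replace with the entries actually listed there.
$app   = 'Z:\Apps\app.exe'
$rules = @(
    'Z:\Apps\app.exe',
    '\Device\HarddiskVolume3\Apps\app.exe',
    '\Device\HarddiskVolume4\Apps\app.exe'
)

$current = Convert-ToDevicePath $app
"Current device object path: $current"

foreach ($rule in $rules) {
    # Normalise drive-letter entries to device form before comparing.
    $asDevice = if ($rule -like '\Device\*') { $rule } else { Convert-ToDevicePath $rule }
    $state    = if ($asDevice -ieq $current) { 'matches current mount' } else { 'stale for current mount' }
    '{0,-45} {1}' -f $rule, $state
}
```

Running it after each mount shows whether the device object path behind Z: has changed since the rule was remembered.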

Clear but…

I did some more testing and checks. How this issue behaves seems to depend in some way on the timing of mounting, starting the application and un-mounting again, and I can’t figure out what that dependency is.

First I had three duplicate entries in explorer.exe “Allowed Files/Folder”, all having the same standard file paths, as follows:


I removed all these duplicates and did more testing and checking, and all of a sudden I saw these two entries appearing:


So one standard file path and one device object path (notice the ‘Z’ in AppNameVolumeZ, no number there).

After some more checks I found out that when only the device object path is listed the HIPS Alerts don’t occur anymore; even after rebooting there are no more HIPS Alerts when doing multiple Mount-StartApp-Unmount cycles.
When I remove the device object path during the same Windows session and do another Mount-StartApp-Unmount, then depending on the moment in time either the device object path or the standard file path appears in explorer.exe “Allowed Files/Folder”.

When only the standard file path is listed the HIPS Alerts might pop up again, but certainly not always during the same Windows session; I can easily do 10 Mount-StartApp-Unmount cycles in a row without getting any HIPS Alerts. Seemingly the mapped device object path doesn’t always change.
When the HIPS Alert does show up again, then after answering it a duplicate standard file path or the device object path is added to explorer.exe “Allowed Files/Folder”.

What makes it more complicated is the fact that the application is from a Trusted Vendor and as such is listed as Trusted in File Rating.