HIPS warning on "Sierra.cmd" ???

Hi all,

I’m trying to troubleshoot an annoyance on my sister’s laptop. For several weeks now - following startup and then repeatedly about every 1/2 hour after that - there is a HIPS warning from Comodo about a script called “Sierra.cmd” trying to execute a script called “Sierra_Inv.vbs”.

At the time of the warning, these files are located in a folder:
C:\Windows\temp\inv{4 random hex digits}_tmp\Sierra_multiPNP\

I say “at the time of the warning” because the files get erased after a couple of minutes, and each time the HIPS warning appears the files are in a different directory … so Comodo sees them as new and ignores previous user responses.

The machine is a (couple years old) Dell laptop. It’s used only for online teaching, and there is very little software on it other than Windows10 1909, Dell diagnostics and update service, LibreOffice, Chrome, Skype, Zoom, and a few utilities that I added.

I can’t find any scheduled task running these files.

I have scanned the entire machine and cannot find these script files existing independently (not even hidden). It appears to me that some program is periodically generating and executing them - but I have no good way to figure out what program is doing it [I can only get access to it for short periods.]

I have looked at the files’ contents, but the scripts are completely innocuous on their own: the cmd script looks at an environment variable and then passes its 1st argument to the vbs script. The vbs script executes its 1st argument in a background task with a hidden window.

Using ProcessExplorer, I examined the cmd script’s command line: the “executable” being passed to the scripts is yet-another “Sierra…” named file that doesn’t even exist - so the whole stupid sequence does nothing but annoy the user with a HIPS warning each time it tries to execute.

Not being (easily) able to find the culprit, I have instead tried to suppress the - AFAICT unnecessary - HIPS warning. However, I can’t seem to get around the random component of the script path. I have tried wildcarding the name in the rule, but without success. I have tried the following:

   C:\Windows\temp\*\Sierra_multiPNP\Sierra.cmd

and *\Sierra_multiPNP\Sierra.cmd
and *\Sierra.cmd

and I have tried marking the cmd script as “allowed” and even as “windows system”, but with no luck. I even tried to give the cmd script explicit permission to run the vbs script (trying to squash the actual complaint), but the rule dialog requires actually selecting the file to run (not simply naming it) and the files keep getting erased before I can open Comodo and navigate that deeply through the rule setup.

Can anyone tell me how I might successfully suppress the HIPS warnings? Or better yet, has anyone seen this “Sierra” script ■■■■ before and can tell me who/what is responsible for it? Perhaps some Dell bloatware that was not completely uninstalled?

Thanks,
George
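One way to find out what is generating the files is to catch them on creation and record the process tree at that moment, rather than hunting for a scheduled task after the fact. The script below is an added example, not code from the original post, from Comodo, or from Dell. It assumes an elevated PowerShell 5.1 (or later) session that is left open, an arbitrary output folder ($LogDir), and the folder and file-name prefix reported in the post.

```powershell
# Added example (not from the thread): trace the process that creates the
# transient Sierra.cmd / Sierra_Inv.vbs files and keep a copy of them.
# Assumptions: elevated PowerShell session kept open; $LogDir is an output
# folder of your choosing; the watched path and name prefix are those reported
# in the post.
$LogDir  = 'C:\SierraTrace'      # assumed output folder
$Watched = 'C:\Windows\Temp'     # folder named in the post
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path                  = $Watched
$watcher.Filter                = 'Sierra*'   # Sierra.cmd, Sierra_Inv.vbs, ...
$watcher.IncludeSubdirectories = $true       # inv{xxxx}_tmp\Sierra_multiPNP\
$watcher.EnableRaisingEvents   = $true

$onCreated = {
    $path   = $Event.SourceEventArgs.FullPath
    $logDir = $Event.MessageData          # passed in via -MessageData below
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $report = Join-Path $logDir "sierra-$stamp.txt"

    # 1. Preserve a copy of the file before the sequence deletes it.
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $copy = Join-Path $logDir "$stamp-$(Split-Path $path -Leaf)"
        Copy-Item -LiteralPath $path -Destination $copy -ErrorAction SilentlyContinue
    }

    # 2. Poll the process table for ~20 s: cmd.exe / wscript.exe start slightly
    #    after the file appears, so a single snapshot would usually miss them.
    $seen = @{}
    1..10 | ForEach-Object {
        Get-CimInstance Win32_Process |
            Where-Object { $_.CommandLine -match 'Sierra' -and -not $seen.ContainsKey($_.ProcessId) } |
            ForEach-Object { $seen[$_.ProcessId] = $_ }
        Start-Sleep -Seconds 2
    }

    # 3. Walk each match's parent chain; the top of the chain is the launcher.
    #    Caveat: ParentProcessId can point at a PID that has since been reused.
    $lines = @("Created: $path", "")
    foreach ($p in $seen.Values) {
        $lines += "Process $($p.ProcessId) $($p.Name): $($p.CommandLine)"
        $parentId = $p.ParentProcessId
        $depth = 0
        while ($parentId -and $depth -lt 8) {
            $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $parentId"
            if (-not $parent) { $lines += "  parent $parentId already exited"; break }
            $lines += "  <- $($parent.ProcessId) $($parent.Name) [$($parent.ExecutablePath)]"
            $parentId = $parent.ParentProcessId
            $depth++
        }
    }
    $lines | Set-Content -LiteralPath $report
}

Register-ObjectEvent -InputObject $watcher -EventName Created `
    -SourceIdentifier SierraWatch -Action $onCreated -MessageData $LogDir | Out-Null

# Also list any scheduled task whose action mentions the script, in case one
# was missed when browsing the Task Scheduler UI.
Get-ScheduledTask |
    Where-Object { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -match 'Sierra' } |
    Select-Object TaskPath, TaskName
```

Leave the session running through at least one half-hour cycle, then read the report files in $LogDir; the executable path at the end of each parent chain is the service or program to look at. Stop the watcher with `Unregister-Event -SourceIdentifier SierraWatch` when done.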

The script belongs to Dell diagnostics and update service. Depends on your level of privacy concern? It creates itself, then after whatever function, deletes itself. That’s suspect anyway. It’s simply Dell spyware. Just my opinion. Want to stop the alerts? Assign the installer or updater rule to Sierra.cmd, but then it can override your security. Not that I’m saying it is or would. If you think about it, all updates and drivers are already updated through Microsoft, so why the need for constant communication with Dell servers? Because they are watching and monitoring you also. Information is power and they want all they can get. Most of all this data is being transferred through B.I.T.S (Background Intelligent Transfer Service). All major PC manufacturers use this.

a script called "Sierra.cmd and Sierra_Inv.vbs
why don't you right click on the Sierra.cmd and click edit. Do the same with the .vbs file too. That should give you more clues on what to do :)

while you're at it, check to see what starts up on every boot
Windows Key + R and then type in MSCONFIG

The machine is a (couple years old) Dell laptop.
Due to the age, does Dell still support and provide updates for it? If not, you might as well get rid of it. There's no point in having a program running every once in a while, creating diagnostics reports for a Dell model that's no longer maintained.

The problem is that Microsoft can’t be depended on for TIMELY driver updates. They only push 3rd party stuff approximately whenever they feel like it.

When I checked the machine using Dell’s SupportAssist on Tuesday (10/6), it discovered a BIOS update from Dec 2019 and several driver updates - the oldest dating back to May. The machine is running Win10 Home, so Microsoft delivered updates can only be delayed for ~ 6 weeks.

I have 5 Dell machines myself, but I’m not seeing this happen on any of them. I originally set up the laptop for my sister, and I uninstalled all the obvious bloatware. I leave the diagnostic stuff just in case, but I normally disable automatic scans and updates: I prefer to run diagnostics manually and only when necessary.

There are a handful of unimportant services that install with SupportAssist but are not needed for running it. They should all be disabled, but perhaps one of them somehow got turned on again and is doing this. I have to look into it further.

Problem right now is the machine is 400 miles away and I’ll have to do it remotely when I can arrange some time with Sis to access it. 8-(

Thanks,
George

I have 5 Dell machines myself, but I'm not seeing this happen on any of them. I originally set up the laptop for my sister, and I uninstalled all the obvious bloatware. I leave the diagnostic stuff just in case, but I normally disable automatic scans and updates: I prefer to run diagnostics manually and only when necessary.

There are a handful of unimportant services that install with SupportAssist but are not needed for running it. They should all be disabled, but perhaps one of them somehow got turned on again and is doing this. I have to look into it further.


I take it that you have some understanding of how Windows functions :) I recommend running this tool as this should help you narrow down the source of your issues and you can rule out some stuff

It's called Farbar Recovery Scan Tool

This program will display detailed information about the Windows Registry loading points, services, driver services, Netsvcs entries, known DLLs, drives, and partition specifications. It will also list some important system files that could be patched by malware.
The logs are easy to understand
Problem right now is the machine is 400 miles away and I'll have to do it remotely when I can arrange some time with Sis to access it. 8-(
I used to use TeamViewer, I'm quickly liking AnyDesk. It's free and very responsive. You should give it a try. Just an idea