How does COMODO identify unrecognized files?

Let’s say I mark powershell.exe as unrecognized, because I want to get a HIPS prompt for it whenever it executes.
Then Microsoft pushes an update that modifies powershell.exe, changing its hash and possibly even its path.
What happens to the rule I made? Will the new powershell.exe still be treated as unrecognized?
Or do I have to check after every Microsoft update to see if my rules are still working?

I think it’s the other way around. Everything is unknown (under proactive config) unless the hash is found in the whitelist, or the file is signed by a trusted vendor.

I don’t think location matters much - CIS works with hashes.

If the file’s hash changes, it “resets” back to unknown (unless signed by a trusted vendor).

Okay, so in this case, where the file in question is Microsoft-signed, it will revert to trusted.

Why not just create HIPS rules instead of changing rating? After all, that’s what you want.
Usefulness is arguable if you’d want applications to maintain such rating. Imagine an application that is able to change rating like that. It might not be a good idea.

Let’s say I do like you say, and I set “always ask” HIPS rules for whatever processes I am paranoid about.
What happens to those rules when the file hash changes?

Filename is used. You can check by exporting configuration.
<PolicyItem UID="{E20272F6-EB6C-4816-84EB-FC1C971B8388}" Flags="2" Filename="%windir%\explorer.exe" DeviceName="C:\Windows\explorer.exe" Index="1" TreatAs="Windows System Application">

Alternatively, you can guess by observing predefined rules.
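An added example (not from this thread or from COMODO) of checking the exported configuration the way the reply above suggests: it parses PolicyItem entries, lists the path each HIPS rule is keyed on, and flags entries whose expanded Filename no longer matches the recorded DeviceName, which is the kind of drift the question asks about. The wrapping Policy element, the second entry and the windir value are constructed assumptions; only the first PolicyItem is the one quoted above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample export: a minimal wrapper around the PolicyItem quoted in the
# thread (first entry) plus one constructed entry whose DeviceName has drifted
# away from its Filename. A real export has more surrounding structure.
SAMPLE_CONFIG = r"""<Policy>
  <PolicyItem UID="{E20272F6-EB6C-4816-84EB-FC1C971B8388}" Flags="2" Filename="%windir%\explorer.exe" DeviceName="C:\Windows\explorer.exe" Index="1" TreatAs="Windows System Application"/>
  <PolicyItem UID="{CONSTRUCTED-0000-0000-0000-000000000002}" Flags="2" Filename="%windir%\system32\cmd.exe" DeviceName="C:\Windows\SysWOW64\cmd.exe" Index="2" TreatAs="Custom Ruleset"/>
</Policy>
"""

# Assumed (constructed) values for the environment variables the rules use.
WIN_ENV = {"windir": r"C:\Windows"}


def expand_vars(path, env=WIN_ENV):
    """Expand %NAME% tokens case-insensitively, as Windows would."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).lower(), m.group(0)), path)


def hips_rules(xml_text):
    """Return the per-file HIPS rules; note the key is a path, not a hash."""
    root = ET.fromstring(xml_text)
    return [
        {
            "uid": item.get("UID"),
            "filename": item.get("Filename"),
            "device_name": item.get("DeviceName"),
            "treat_as": item.get("TreatAs"),
        }
        for item in root.iter("PolicyItem")
    ]


def stale_rules(xml_text, env=WIN_ENV):
    """UIDs of rules whose expanded Filename differs from the recorded DeviceName
    (case-insensitive), e.g. because the binary was relocated by an update."""
    return [
        r["uid"] for r in hips_rules(xml_text)
        if expand_vars(r["filename"], env).lower() != (r["device_name"] or "").lower()
    ]


if __name__ == "__main__":
    for r in hips_rules(SAMPLE_CONFIG):
        print(f'{r["treat_as"]:<28} <- {r["filename"]}')
    print("rules needing review:", stale_rules(SAMPLE_CONFIG))
```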

How to create a HIPS rule to prompt when cmd.exe is executed? Now that I gave it trusted status, it doesn’t prompt anymore when it executes, even though it has a “custom” HIPS ruleset that is supposed to ask for every action.
I tried executing it from Windows Explorer, and also from the Everything search tool, but no prompt.

You could use Paranoid Mode for that. :)

Do note that you are already alerted when a trusted application attempts to execute an unknown batch file. However, you are not alerted when Explorer executes an unknown batch file, because it’s treated as a Windows System Application in the default configuration. Proof: http://i.imgur.com/UTUGYds.png

Not so crazy about Paranoid Mode.

The truth is, I don’t really need to be prompted every time cmd.exe executes. I just want to be prompted when it tries to do anything.
Why? Because I am trying to protect vulnerable processes from exploits. For a lot of such processes, such as powershell, I can make a simple block rule in autosandbox. But cmd.exe is used too much, so I can’t block it altogether.

If you or someone else has any great ideas for me, please share.

You don’t need to create special rules or change the file rating for cmd, powershell, or any application in the “heuristic command-line analysis for certain applications” list, due to that setting and the new embedded code detection feature.