How to add procexp.sys to HIPS allow list?

I’m probably missing something really obvious, but I can’t seem to find how to add a program to the HIPS (I would assume that’s where I would want to add it) allow/block list.

Every time I boot my system, CAVS alerts me that procexp100.sys is not on the safe list. Since I have SysInternals Process Explorer installed & set to run at bootup, I check the box ‘always perform this action’ (or ‘remember this action’ or however it’s phrased) and then click ‘allow.’

It never remembers and asks every time I boot up. How do I get this added permanently to the allow list?

Hi CiderJack,

You can mark files as safe in: settings/HIPS application control/general/manage allow block list/show user marked safe files/mark safe
hope it helps
cheers

Ok, I guess it wasn’t blatantly obvious, in fact that seems to be a fairly round-about way to do things. Still, it gets me where I need to go! Thanks, Blas!

Now I just need to find where the dang file is hidden away… googling for it, I get plenty of results claiming that it can be found in C:\WINDOWS\system32\drivers, but it doesn’t show up there for me… :-\

Ah well, I’ll go ask on the SysInternals forum. Thanks again!

Further news…
I posted the problem on this thread on the SysInternals forum:

Recently I installed Comodo AV software, and it consistently asks whether to allow procexp100.sys to run. I always check the box marked 'remember this action' and click the 'allow' button. It never remembers however, so I need to manually add procexp100.sys to the allow list.

When I google the web to find out where procexp100.sys is located, I find plenty of information saying it should be in C:\WINDOWS\system32\drivers, but it’s not there!

I’m running WinXP Home SP2, & Process Explorer v10.2. Where would it have hidden procexp100.sys?

To which I received the reply:

The driver is extracted from the Procexp.exe image when Process Explorer is invoked. Then, Process Explorer loads the driver and deletes Procexp100.sys.

What specifically this means for configuring Comodo to not nag you about this, I cannot say.

???

This appears to complicate matters a bit… Any suggestions?
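To see the state the SysInternals reply describes (a driver that is loaded while its .sys file is already gone from disk), the following added example, which is not part of the original thread and not Comodo or SysInternals code, lists running kernel drivers whose image file no longer exists. It assumes PowerShell 3.0 or later and that the driver still has a service entry with a recorded image path; the helper name `Resolve-DriverImagePath` is hypothetical.

```powershell
# Added example (not from the thread): report running kernel drivers whose
# image file is absent from disk. A file-based allow list has nothing to
# point at for such a driver, because the file only exists briefly at load.
# Run from an elevated 64-bit PowerShell on 64-bit Windows; a 32-bit host sees
# System32 through file-system redirection and can report false positives.

function Resolve-DriverImagePath {
    # Hypothetical helper: turn the NT-style paths stored for driver
    # services into an ordinary Win32 path that Test-Path understands.
    param([string]$PathName)
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                             # \??\C:\... -> C:\...
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')  # \SystemRoot\... -> C:\Windows\...
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

Get-CimInstance -ClassName Win32_SystemDriver -Filter "State = 'Running'" |
    Where-Object { $_.PathName } |
    ForEach-Object {
        $image = Resolve-DriverImagePath $_.PathName
        if (-not (Test-Path -LiteralPath $image -PathType Leaf)) {
            [pscustomobject]@{
                Driver      = $_.Name
                DisplayName = $_.DisplayName
                ImagePath   = $image
                Note        = 'loaded, but image file is absent from disk'
            }
        }
    } |
    Format-Table -AutoSize
```

Any row in the output is a driver that cannot be marked safe by browsing to its file, so the trust decision has to attach to the executable that drops and loads it instead.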

Well, it’s getting complicated for me and my limited knowledge too… lol
What I understand of their reply is that procexp100.sys is some kind of temporary file, so it gets deleted after process explorer is loaded. If this is the case I think it’s not possible to mark it as safe. I also use process explorer, but I didn’t set it to load at bootup as I don’t need it right after booting. I replaced the windows task manager with p.e. so when I hit ctrl+alt+del it opens p.e.

So I think the only way to get rid of the alerts is to disable boot time loading, but I’ll check it out myself. Maybe I can find a solution.

Either that, or disable Comodo ;) naw…

Yeah, that’s how I read their reply too, I’m hoping one of the Comodo Heroes (or equivalent) may know what to suggest. Googling around I find suggestions on downloading some software that will supposedly extract it, but then I’m not sure what I would do next, or how it would affect Process Explorer in the long run…

I have it run at bootup because my system takes so long before everything loads (7-year-old P3 system), and I can watch the cpu graph in the sys tray to let me know when I can actually start using the thing! I also refer to it a lot every day, continually trying to tweak for performance, for obvious reasons. I had it down to 25 processes loading at bootup, but adding CPF & CAV sent that number up to 34, and have had a noticeable impact on performance… Halo(!) just doesn’t run as smooth as it used to…

Anyway, back on topic, I would expect procexp100.sys to be blocked no matter when Process Explorer is run, whether bootup or manually later.

Would there be some way to set CAV to allow all processes started by Process Explorer?

Hi

If I put pe into the windows startwith folder it alerts me too, but even if I press “block” pe would start anyway… weird.
Although my system is “just” 4 years old, at startup as all the processes are fighting to start at the same time and the av is scanning too, I can’t use anything. To make this a bit smoother I use startup delayer. This way anything that’s not related to security can be delayed to start 20-30 sec later. If I start process explorer with startup delayer, from 3 bootups the HIPS only alerted me one time about the procexp100.sys. Strange.

Don’t know if this helps, maybe it’s just the “bug” that HIPS doesn’t alert about some processes occasionally.
Did you say that you also get alerted when you start it manually? I have never got alerted this way hmm…

“Did you say that you also get alerted when you start it manually? I have never got alerted this way hmm…”

Good point, I don’t get the warning when starting Process Explorer manually, only when I have it set to load on bootup. It also doesn’t matter whether I click ‘allow’ or ‘block,’ because by the time I click, it’s already running! Weird indeed…

Startup Delayer looks interesting, though I have to marvel that adding another app to load at bootup could speed up the process - or rather, how stretching it out could create the illusion that it starts up faster… I think I’ll continue to let everything load simultaneously, it only takes about 3 & a-half minutes after login til the cpu is free.

I just wish there was a way to prevent that warning message that CAV pops up every time!

Windows Defender also alerts about the service ProcExp100.sys. This is only confusing, since usually WD is configured to only report such items in the Event Viewer. Since Process Explorer is now a Microsoft product, one might be forgiven for thinking WD would just ignore this process! It would seem that preventing intrusion by a nonexistent process is a rather delicate thing to organize properly!