How to change a previously made decision about Allow/Block

Hi all,

I’m new with Comodo Internet Security. Today I got a red alert from Defense+, notifying about an unsafe application trying to access some protected area.
The file was C:\Windows\System32\wscript.exe

I firstly blocked the attempt, then the alert kept popping up repeatedly. Another window was open and it seemed to be the usual periodic attempt to get updates by my computer’s manufacturer.
I allowed it and forgot to uncheck the “Remember my action” box… the manufacturer’s window showed my system information (strange I haven’t asked for it to show), then nothing else.

As I’m now in doubt, is there any way to change my decision rule for that alert (now the firewall should always allow that attempt)? I mean, can I remove the “memory” of it so if it pops up again I can decide to block it?
I have antivirus/antispyware running as well, any suggestion on what to do to check that everything was right?

Thanks in advance for your help!

Just an addition: attached the screenshot of Defense+ Events…
Files involved:

  • C:\Windows\System32\wscript.exe
  • C:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPAsset\SIAssetExt.exe

I can guess that this HP Health Check was running in the background, it requested to run some scripts by using this wscript.exe, that got blocked by Comodo. When I allowed it, it completed the health check… however as I said above, it popped up my system information that I haven’t asked for. May it be just an outcome of the health check, so no need to worry about?

Thanks for helping out.

[attachment deleted by admin]

Simply go to Defense+ → Advanced → Computer Security Policy → Right-click the application of which rules you want to modify and click Edit. A small window will pop up in which you can change the access rights of the app in question. Click ‘Use a predefined policy’ and select ‘Trusted Application’.

The same goes for the firewall rules.

Hope this helped,

Best wishes

Simply go to Defense+ -> Advanced -> Computer Security Policy -> Right-click the application of which rules you want to modify and click Edit. A small window will pop up in which you can change the access rights of the app in question. Click 'Use a predefined policy' and select 'Trusted Application'.

The same goes for the firewall rules.

Thanks Sergeant Sykes for your feedback. Do you think it was a fake alarm invoked by a HP Health Check?
Should I select SIAssetExt.exe or wscript.exe as “Trusted Application”? Probably SIAssetExt.exe…
If I select wscript.exe as “Trusted Application”, I guess I may have problems in the future if wscript.exe is used by other (maybe malicious) apps to run their scripts, may I?

Thanks again
MMax

Defense+ will give you an alert if an UNKNOWN application will be trying to get whatever access to wscript.exe or SIAssetExt.exe.
If you know these files to be safe (because they’re a part of HP software, for example) then you shouldn’t have any doubts about marking them as trusted.

Defense+ will alert you each time an unknown app is trying to do sth so I don’t think it was a fake alert, D+ simply didn’t know what to do therefore you got the alert.

Regards

If you know these files to be safe

Thanks Sergeant Sykes. Now my issue is I am not sure they are safe. If I can suppose SIAssetExt.exe to be safe (as standing into a specific HP folder "C:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPAsset"), I am not sure wscript.exe is safe.

I just found another thread here at https://forums.comodo.com/empty-t31709.0.html talking about this specific wscript.exe…

I’m not sure if anybody had the chance to investigate further about it. It may be convenient deciding allow/block on a case by case basis, depending on what other app is asking wscript.exe to launche a script… Any clues?

Thanks
MMax

You can upload them here: http://camas.comodo.com/cgi-bin/submit if you want to be extra sure they’re non-malicious.

Hi MMax,

What you could do is have look under “Protected Registry Keys” for wscript.exe and remove any entries

Defence+/Advanced/Computer Security Policy/Highlight the entry wscript.exe and select “Edit”/Now click on “Access Rights” and then on “Modify” next to “Protected registry keys”
You will now get Allowed and Blocked sections,where you can remove any entries so you will be alerted next time,

Remember to hit APPLY to close all windows,

I wouldn`t make wscript.exe a “Trusted Application” but that is your perrogative

:■■■■

Thanks a lot Sergeant Sykes and Matty_R for your support! (:KWL)

You’re very welcome. (:WIN)