Making rules for files with changing names

I’ve a problem with a couple of files!
I use MS Security Essentials and every time it downloads new virus definitions (2-3 times a day) Comodo HIPS comes up and asks for the following permission: “C:\Windows\SoftwareDistribution\Download\Install\AM_Delta_Patch_1.147.1163.0.exe”. I allow it, BUT (here’s the problem) the numbers at the end of the file name change every time with new virus definitions.
I tried to set a rule to allow the whole folder, but it doesn’t work.

The same problem appears with Firefox and Flash Plugin (it changes its name every new version).

How can I fix it?

Under HIPS you will need to apply the installer/updater policy to such files (See stickies).

You should be able to apply it to a directory (if not it’s a bug, so please say). However it’s much better to use wildcards within the expected file name, e.g. AM_Delta_Patch_1.147* or AM_Delta_Patch_*

Best wishes

Mouse

I avoid Installer / Updaters like the plague, albeit it IS necessary when utilized judiciously.

For Internet Explorer the following are examples of resource access permissions that implement wildcards.

Key for below permissions:

Environmental variables:

%SYSTEMDRIVE% = drive letter allocation for system installation

%SYSROOT32% = %SYSTEMDRIVE%\Windows\system32

[GUID] is some arbitrary value that remains constant for current user

Replace discrete value for [USER_NAME] with * if this is an issue for multiple log-ins.

? = matches any single character

* = matches any number of characters

run executable:

%PROGRAMFILES%\Microsoft Silverlight\5.1.???.0\agcp.exe

%PROGRAMFILES%\Microsoft Silverlight\5.1.???.0\Silverlight.Configuration.exe

%SYSTEMDRIVE%\Documents and Settings\[USER_NAME]\Local Settings\Temporary Internet Files\Content.IE5\*\install_flashplayer11x32axau_gtbd_chrd_dn_aih[1].exe

protected files / folders:

%SYSROOT32%\Macromed\Flash\*

%SYSTEMDRIVE%\Documents and Settings\[USER_NAME]\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#*

%SYSTEMDRIVE%\Documents and Settings\[USER_NAME]\Application Data\Macromedia\Flash Player\#SharedObjects\[GUID]\*

%SYSTEMDRIVE%\Documents and Settings\[USER_NAME]\Local Settings\Temporary Internet Files\Content.IE5\*\install_flashplayer11x32axau_gtbd_chrd_dn_aih[1].exe

For the Adobe updates, the following have been implemented:

I’ve created a File Group ‘Adobe Flash ActiveX’ containing:

%SYSROOT32%\Macromed\Flash\FlashUtil11?ActiveX.exe
%SYSROOT32%\Macromed\Flash\FlashUtil32_11_2_202_???ActiveX.exe
%SYSROOT32%\Macromed\Flash\FlashUtil32_11_4_402_???ActiveX.exe
%SYSROOT32%\Macromed\Flash\FlashUtil32_11_5_??????ActiveX.exe
%SYSROOT32%\Macromed\Flash\FlashUtil32_11_6_???_???_ActiveX.exe

File Group ‘Install Flash’:

%SYSTEMDRIVE%\Documents and Settings\[USER_NAME]\Local Settings\Temporary Internet Files\Content.IE5\*\install_flashplayer11x32axau_gtbd_chrd_dn_ai[1].exe

%SYSTEMDRIVE%\Documents and Settings\[USER_NAME]\Local Settings\Temporary Internet Files\Content.IE5\*\install_flashplayer11x32axau_gtbd_chrd_dn_aih[1].exe

%SYSTEMDRIVE%\Documents and Settings\[USER_NAME]\Local Settings\Temp\install_flashplayer11x32axau_gtbd_chrd_dn_aih[1].exe

%SYSTEMDRIVE%\Documents and Settings\[USER_NAME]\Local Settings\Temp\install_flashplayer11x32axau_gtbd_chrd_dn_aih[1]_?.exe

I’ve created a custom policy for ‘Adobe Flash ActiveX’

run executable:

%SYSTEMDRIVE%\Documents and Settings\[USER_NAME]\Local Settings\Temp\?.dir\InstallFlashPlayer.exe

%SYSTEMDRIVE%\Documents and Settings\[USER_NAME]\Local Settings\Temp\{???-???-???-???-???}\InstallFlashPlayer.exe

%PROGRAMFILES%\Internet Explorer\iexplore.exe

Windows Messages:
%SYSROOT32%\csrss.exe
%ProgramFiles%\Internet Explorer\iexplore.exe

Protected registry:
HKUS\S-1-5-21-[GUID]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Protected files / folders:

%SYSROOT32%\Macromed\Flash
%SYSROOT32%\Macromed\Flash\FlashInstall.log
%SYSROOT32%\Macromed\Flash\FlashUtil11?ActiveX.exe
%SYSROOT32%\Macromed\Flash\FlashUtil32_11_2_202_???ActiveX.exe
%SYSROOT32%\Macromed\Flash\FlashUtil32_11_4_402_???ActiveX.exe
%SYSROOT32%\Macromed\Flash\FlashUtil32_11_5_??????ActiveX.exe
%SYSROOT32%\Macromed\Flash\FlashUtil32_11_6_???_???_ActiveX.exe
%SYSTEMDRIVE%\Documents and Settings\[USER_NAME]\Local Settings\Temp\*\InstallFlashPlayer.exe

The ‘Install Flash’ File Group is implemented exclusively in the firewall rule configuration (it has no D+ resource access permissions defined); the ‘Adobe Flash ActiveX’ File Group is implemented in both the D+ & Firewall configuration.

I implement a similar strategy for other notorious pop-up offenders, e.g. Java and Windows updates. For the former, in addition to any wildcards pertinent to paths, I implement a %JAVA% environmental variable. This mitigates the nightmare of modifying existing rules when the Java version changes. It is a simple matter of changing the environmental variable value, and CIS runs fat, dumb and happy (not knowing anything different). The latter because I excised SVCHOST from CIS’s default inclusion in the ‘Windows System Application’ File Group. IF SVCHost gets hacked somehow - God forbid - one is in a world of hurt, in that ‘Windows System Application’ has carte blanche GOD permissions to do anything and go anywhere. A custom D+ policy for SVCHost has been implemented, and it has its own set of firewall rules (that I zealously maintain to ensure wherever it’s phoning home to, or whatever it’s doing, is legit).
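The wildcard key above (`?` = one character, `*` = any run) and the %VAR% expansion the post relies on are simple enough to check offline. The following is an added example, not code from this thread or from Comodo; it models how such a rule is evaluated so you can test whether a file group actually covers the file names an updater produces before relying on it. Environment-variable values, the sample rules and the sample paths are all constructed for the demonstration. It also shows the caveat a practitioner should know: `[1]` in the Flash installer names is literal text in these rules, so a library like `fnmatch` (which treats `[1]` as a character class) is the wrong tool for checking them.

```python
import re
from typing import Dict, List

# Constructed stand-ins for the environment variables the post uses
# (hypothetical values; a real host supplies its own).
ENV_VARS: Dict[str, str] = {
    "SYSTEMDRIVE": r"C:",
    "SYSROOT32": r"C:\Windows\system32",
    "PROGRAMFILES": r"C:\Program Files",
    "JAVA": r"C:\Program Files\Java\jre7",
}


def expand_env(pattern: str, env: Dict[str, str] = ENV_VARS) -> str:
    """Replace every %NAME% token. An undefined variable raises, mirroring the
    thread's point that e.g. %JAVA% must exist before a rule can use it."""
    def repl(m):
        name = m.group(1).upper()
        if name not in env:
            raise KeyError(f"%{name}% is not defined")
        return env[name]
    return re.sub(r"%([A-Za-z0-9_]+)%", repl, pattern)


def wildcard_to_regex(pattern: str):
    """Translate the two wildcards from the key in the post:
       ?  -> exactly one character
       *  -> any run of characters, including none
    Every other character, '[' ']' '#' '{' '}' included, is literal, which is
    why this is hand-rolled instead of using fnmatch. Matching is
    case-insensitive like NTFS paths. Assumption: '*' may also span
    backslashes, so a trailing '\\*' covers the whole subtree of a folder."""
    parts: List[str] = []
    for ch in pattern:
        if ch == "?":
            parts.append(".")
        elif ch == "*":
            parts.append(".*")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


def rule_matches(pattern: str, path: str, env: Dict[str, str] = ENV_VARS) -> bool:
    """True when the (env-expanded) wildcard rule covers the full path."""
    return wildcard_to_regex(expand_env(pattern, env)).fullmatch(path) is not None


def matching_rules(rules: List[str], path: str, env: Dict[str, str] = ENV_VARS) -> List[str]:
    """All rules in a file group that cover the path; an empty list is the
    case where the HIPS would raise a fresh alert."""
    return [r for r in rules if rule_matches(r, path, env)]


# Constructed sample group: the two patterns suggested for the MSE delta
# patch, plus the Silverlight and Flash installer rules from the post above.
SAMPLE_RULES = [
    r"C:\Windows\SoftwareDistribution\Download\Install\AM_Delta_Patch_1.147*",
    r"C:\Windows\SoftwareDistribution\Download\Install\AM_Delta_Patch_*",
    r"%PROGRAMFILES%\Microsoft Silverlight\5.1.???.0\agcp.exe",
    r"%SYSTEMDRIVE%\Documents and Settings\*\Local Settings\Temporary Internet Files"
    r"\Content.IE5\*\install_flashplayer11x32axau_gtbd_chrd_dn_aih[1].exe",
]

if __name__ == "__main__":
    # Constructed paths: one per case the thread discusses.
    for p in (
        r"C:\Windows\SoftwareDistribution\Download\Install\AM_Delta_Patch_1.147.1163.0.exe",
        r"C:\Windows\SoftwareDistribution\Download\Install\AM_Delta_Patch_1.149.20.0.exe",
        r"C:\Program Files\Microsoft Silverlight\5.1.123.0\agcp.exe",
        r"C:\Program Files\Microsoft Silverlight\5.1.12.0\agcp.exe",
    ):
        print(p, "->", matching_rules(SAMPLE_RULES, p) or "NO RULE: alert")
```

Note that the narrow pattern `AM_Delta_Patch_1.147*` stops matching as soon as the second version field rolls over, which is exactly why the broader `AM_Delta_Patch_*` was suggested; conversely, `5.1.???.0` will not match a build with a two-digit third field, so a `?`-only rule needs re-checking whenever the vendor's version layout changes.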

Thanks a lot!!

I created some rules your way… now it works fine ;D ;D

But, MAYBE, there’s a bug: when I create a rule in D+ and/or in FW, and then I use the “clean” button, it says that the rules created with * or ? aren’t valid.

“clean” button? You mean “purge”?

Furthermore, if you’re implementing environmental variables, e.g., %SYSROOT32% you have to ensure they’ve been defined. For example, %JAVA% is not defined by default.

You create environmental variables: right click My Computer, Properties, Advanced, Environment Variables. FWIW, the non-standard environment variables I created are of the system variable type. If they were of the user type, I’m supposing it should work the same way.

You need to be cognizant of the fact that when a new circumstance arises for which the existing rules are insufficient, answering the question ‘allow’ & ‘remember this’ will create a situationally specific rule. It is upon the user’s recognizance to incorporate the new rule into the existing file group or adjust the wildcards as necessary.

For example, the FlashUtil ActiveX file group I created (per the above post) has a series of entries in it. I probably could get rid of all of them except the most recent for v6. That’s how one can see the evolution of these changing file names. So in my case an alert occurred for each one of these new versions. This is also true for the associated firewall rules.

The FlashUtil IP addresses for each new version were duplicates of those already defined for the FlashUtil file group. So it was a simple matter of including the new version of the executable in the file group, and the existing firewall rule set worked just fine (until the major version number changed).

Oh yes… purge button! I didn’t know because I use CIS in Italian.

I don’t use environmental variables; I create rules with the exact folder and with * at the end of the file name.
This is an example: C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_*

It works, because CIS doesn’t pop up about it, but if I click on purge, it seems not valid (like an uninstalled program).