I was running Office 365 ProPlus on Windows 10 1803.
Comodo Firewall 10, Firewall config
I got a HIPS block for OfficeClickToRun.exe.
This surprised me, because the file is internally signed by Microsoft.
Later, I saw that it is doing something funny with schtasks.exe.
The question is whether this block is expected behavior or not.
I will paste details on 2 logged events that seem related to the block.
(The logs are from a different software, at a later time, so some details might be irrelevant)
You don’t need to see any reference to cmd.exe. The way the embedded code detection feature of CIS works is that when an application executes cmd with a command passed to its command line, it turns it into a script. In this case it went something like this: cmd /c schtasks /change /tn "Microsoft\Office\Office Automatic Updates 2.0" /enable
I’m running Proactive with a few tweaks, but have never touched the default settings in those fields, so only Heuristic Command-Line Analysis is checked for that.
When Office Click to Run does its thing every week or so, I get the CIS warning about modifying a Protected Registry Setting . . . treat it as Installer / Updater and that’s it.