Office 365 and Comodo HIPS

I was running Office 365 ProPlus on Windows 10 1803,
with Comodo Firewall 10, Firewall config.
I got a HIPS block for OfficeClickToRun.exe.
This surprised me, because the file is internally signed by Microsoft.
Later, I saw that it is doing something funny with schtasks.exe.
The question is whether this block is expected behavior or not?
I will paste details on 2 logged events that seem related to the block.
(The logs are from a different software, at a later time, so some details might be irrelevant)

Date/Time: 2018-09-17 10:02:54.605

PID: 3416
Process Path: C:\Windows\System32\schtasks.exe
SHA1: 815A050FC4BD12C6CA0B62D38D0FB6F8A95F70A8
Signer:
Command Line: schtasks.exe /change /tn “Microsoft\Office\Office Automatic Updates 2.0” /enable
Parent: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
Parent SHA1: 5A3D059789DF052DC49B358D2B2E7F8ADEBB71B5
Parent Signer: Microsoft Corporation
Expression: -
Category: Alert Dialog
User/Domain: SYSTEM/NT AUTHORITY
Integrity Level: System
System File: True

Date/Time: 2018-09-17 10:02:31.831

PID: 920
Process Path: C:\Windows\System32\schtasks.exe
SHA1: 815A050FC4BD12C6CA0B62D38D0FB6F8A95F70A8
Signer:
Command Line: schtasks.exe /change /tn “Microsoft\Office\Office Automatic Updates” /enable
Parent: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
Parent SHA1: 5A3D059789DF052DC49B358D2B2E7F8ADEBB71B5
Parent Signer: Microsoft Corporation
Expression: -
Category: Alert Dialog
User/Domain: SYSTEM/NT AUTHORITY
Integrity Level: System
System File: True

Yes, if you have embedded code detection enabled for cmd.exe.

Yes, I did have it enabled, if I remember right.
But where do you see cmd.exe in the command line?

You don’t need to see any reference to cmd.exe. The way the embedded code detection feature of CIS works is that when an application executes cmd with a command passed on its command line, it turns it into a script. In this case it went something like this: cmd /c schtasks /change /tn “Microsoft\Office\Office Automatic Updates 2.0” /enable

Interesting.
Is this unique to cmd.exe, or are there other processes for which embedded code detection can cause issues like this?

Perfectly normal with Office 365

Been running it now for 2+ years and same warning every time when they update in the morning. Treat as Installer or Updater . . . .

Find it quite reassuring really 8)

Depends on what other applications you have enabled embedded code detection for.

@Ploget, do you have embedded code detection enabled for cmd.exe, or is that not the issue here, in your opinion?

No, I don’t have that enabled for cmd.exe.

I’m running Proactive with a few tweaks, but have never touched the default settings in those fields, so only Heuristic Command-Line Analysis is checked for that.

When Office Click to Run does its thing every week or so, I get the CIS warning about modifying a Protected Registry Setting . . . treat it as Installer / Updater and that’s it.

The question then becomes whether OfficeClickToRun.exe is rated trusted in the file list; if not, then that could be why you had HIPS blocking.
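
A triage sketch for events like the two logged above, added here as an example; it is not part of the thread and not Comodo's or Microsoft's code. The function names and the match criteria (schtasks.exe, a /change ... /enable call, a task under Microsoft\Office\, the ClickToRun parent path, the Microsoft Corporation parent signer) are assumptions of this example, and the second sample record is constructed with a hypothetical parent path.

```python
import re

# Records in the "Key: Value" layout quoted in the thread. The first repeats fields
# from the thread; the second is constructed for contrast (hypothetical parent path).
SAMPLE = r'''
Date/Time: 2018-09-17 10:02:54.605
Process Path: C:\Windows\System32\schtasks.exe
Command Line: schtasks.exe /change /tn “Microsoft\Office\Office Automatic Updates 2.0” /enable
Parent: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
Parent Signer: Microsoft Corporation

Date/Time: 2018-09-17 10:05:00.000
Process Path: C:\Windows\System32\schtasks.exe
Command Line: schtasks.exe /change /tn “Microsoft\Office\Office Automatic Updates 2.0” /enable
Parent: C:\Users\Public\helper.exe
Parent Signer:
'''

C2R = r"c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe"

def parse_records(text):
    """Split the log into dicts; a new record starts at each Date/Time line."""
    records = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # first colon ends the key
        if key.strip() == "Date/Time":
            records.append({})
        if sep and records:
            records[-1][key.strip()] = value.strip()
    return records

def triage(rec):
    """Return reasons to review the event; an empty list means it matches the
    Office Click-to-Run update pattern (criteria are this example's assumptions)."""
    cmd = rec.get("Command Line", "").replace("“", '"').replace("”", '"')
    task = re.search(r'/tn\s+"([^"]+)"', cmd, re.I)
    flags = {t.lower() for t in re.findall(r"/\w+", cmd)}
    checks = [
        (rec.get("Process Path", "").lower().endswith(r"\schtasks.exe"), "process is not schtasks.exe"),
        ({"/change", "/enable"} <= flags, "not a /change ... /enable call"),
        (bool(task) and task.group(1).lower().startswith("microsoft\\office\\"), "task is outside Microsoft\\Office\\"),
        (rec.get("Parent", "").lower() == C2R, "unexpected parent path"),
        (rec.get("Parent Signer", "") == "Microsoft Corporation", "parent not signed by Microsoft Corporation"),
    ]
    return [why for ok, why in checks if not ok]

if __name__ == "__main__":
    for r in parse_records(SAMPLE):
        print(r["Date/Time"], triage(r) or "matches Office update pattern")
```

The typographic quotes around the task name are normalised before matching because the forum software replaced the straight quotes of the original command line.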