I’m running CIS with all of its security features enabled (HIPS, Sandbox, Firewall, etc.). As a developer, I’m working with IDEs (mostly PyCharm) and Unreal Engine on a daily basis. The problem I have is that both PyCharm and UE generate unique .bat and .exe files quite frequently. For example, if I assign a virtualenv to my PyCharm project, it generates a new pycharm-virualenv-activate.##.bat upon each run. HIPS doesn’t like it and asks me for my permission each time such a file is executed.
Unreal, on the other hand, puts an UnrealLightmass executable into a unique path upon every lighting build request. The Firewall component keeps asking me whether I want to allow it to access 127.0.0.1 on every build (and all of those executables have the same checksum!).
These are just the two most bothersome examples out of many.
I tried to find a solution to those issues, but…
Regarding PyCharm-generated batch files, I thought that I could simply allow all files to be executed by the pycharm64.exe process in HIPS. But no. CIS does not allow this. I can only set it to Ask or Block for some reason (why exactly?). I don’t want to completely disable HIPS just to be able to work without interruptions.
In addition, with Containment, you could make use of ‘file source tracking’ feature to create more granular Ignore rules. (just in case you’re not aware of this)
Thanks. This came in very handy not only for the issue already discussed here, but also for restricting some components of several overly intrusive applications.
One question:
When I set a particular file to Action:Block, Reputation:Any, Enable Rule:True (in Auto-Containment), this file can still be executed without restrictions by another process, unless I explicitly block it from execution by putting it on Blocked Files/Folders list in Run an Executable (HIPS) of the parent process (or just completely block Run an Executable access of this program).
Is this normal?
I’d rather expect that an executable marked as Blocked in the Auto-Containment list should always be blocked from execution, regardless of the process that attempts to run it.
What am I missing?
They’re a mixed bunch of .exe and .bin files.
Basically, when I manually launch executable A, it automatically starts processes B, C (both are .bin) and D (.exe). D, on the other hand, automatically starts process E (.exe). I found that processes D and E are not required for the proper functioning of A, at least for what I use the program for, so I marked them as untrusted and put them on the Auto-Containment list as blocked applications. However, A would still launch D unless I put D in A’s “Run an Executable->Blocked Files/Folders” list (or set A to be allowed to run B and C only).
The application is Mirillis Action!, a screen recording program. Mirillis is by default on Comodo’s Trusted Vendors list.
It works like this:
Action.exe (A) automatically executes three processes: Action_x86.bin (B), Action_x64.bin (C), action_launcher_x64.exe (D).
Action_launcher_x64 (D) starts action_svc.exe (E) and this in turn starts action_logon.exe (F).
I’m not sure what the purpose of action_launcher_x64.exe is, apart from starting action_svc.exe. I’m also not sure about the purpose of action_svc.exe itself. Action_logon.exe is probably used to allow users to log in to Facebook or YouTube servers in order to upload recorded video content, but that’s also only my theory. I don’t need any of this functionality, so I blocked all three processes.
After Action_x86.bin and Action_x64.bin are launched, they immediately start accessing the memory of all processes running in the system. Those two processes attempt to connect to multiple Akamai, Cloudflare and Amazon AWS servers and, I’m not sure how they do it, but every process that these two processes “touch” also attempts to establish a network connection to those servers(!). Even Windows Task Manager, if it happens to be open.
Very suspicious, and it is the reason why I decided to block as many of the program’s non-essential components as possible.
Action_x86.bin uses a Windows hook to action_x86.dll. Its other actions can be completely blocked on a 64-bit system.
Action_x64.bin requires a hook to action_x64.dll, interprocess memory access to Action.exe, action_launcher_x64.exe (blocked anyway) and, in order to be able to record the desktop, to System32/dwm.exe.
Okay, but back to the subject. When I marked action_launcher_x64.exe in Auto-Containment as Blocked, it could still be launched by Action.exe. Only putting it on Run an Executable->Blocked Files/Folders of Action.exe worked (or setting Run an Executable to Block).
However, I tried to reproduce it just a moment ago, but I see that Comodo now asks for permission for Action.exe to run action_launcher_x64.exe. I think the only change I made since I first mentioned the problem (apart from removing the launcher exe from the parent’s Blocked Files/Folders for the sake of testing) is that I removed Mirillis from the Trusted Vendors list. So maybe this is why Comodo no longer silently allows this executable to run?
It does look the same, but I have it below the rule for Action.exe.
So the order of auto-containment rules does matter, like in firewall rules? Darn, I should have realized it when I noticed the presence of Move Up/Down in the context menu. :-\
Yes, anywhere a rule can be set, they are processed in order from top to bottom, with the topmost taking priority. However, in this case you can try editing the ignore rules and enable the option “don’t apply the selected action to child processes”, located in the options tab of the ignore rule.
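To make the ordering behaviour concrete, here is a toy model written for this thread (it is not Comodo’s code). It assumes first-match, top-to-bottom evaluation and that a parent’s matching rule also covers its child processes unless the “don’t apply the selected action to child processes” option is set; the rule sets and process names are constructed from the posts above.

```python
# Added illustration, not Comodo's own code: a toy model of how ordered
# Auto-Containment rules resolve for a parent process and its children.
# Assumed semantics, taken from this thread: rules are matched top to
# bottom and the first match wins; a matching rule also covers the
# process's children unless its "don't apply the selected action to
# child processes" option is set.
from dataclasses import dataclass


@dataclass
class Rule:
    target: str                      # executable name the rule is set for
    action: str                      # "Ignore" or "Block"
    apply_to_children: bool = True   # False = the option from the options tab


def resolve(rules, chain):
    """chain lists the process ancestry, parent first, e.g.
    ["Action.exe", "action_launcher_x64.exe"]; returns the action that
    the first matching rule applies to the last process, or None."""
    proc, ancestors = chain[-1], chain[:-1]
    for rule in rules:
        if rule.target == proc:
            return rule.action
        if rule.apply_to_children and rule.target in ancestors:
            return rule.action       # inherited from an ancestor's rule
    return None                      # no rule matched: default handling applies


# Constructed rule sets mirroring the situation described in the thread.
CHAIN = ["Action.exe", "action_launcher_x64.exe"]

# 1. Ignore rule for the parent sits above the Block rule for the child:
#    the launcher inherits Ignore and runs, as observed.
IGNORE_ABOVE = [Rule("Action.exe", "Ignore"),
                Rule("action_launcher_x64.exe", "Block")]

# 2. Same order, but the Ignore rule no longer applies to children.
IGNORE_NO_CHILDREN = [Rule("Action.exe", "Ignore", apply_to_children=False),
                      Rule("action_launcher_x64.exe", "Block")]

# 3. Block rule moved above the Ignore rule (Move Up in the context menu).
BLOCK_ABOVE = [Rule("action_launcher_x64.exe", "Block"),
               Rule("Action.exe", "Ignore")]

if __name__ == "__main__":
    for name, rules in [("ignore above", IGNORE_ABOVE),
                        ("ignore, no children", IGNORE_NO_CHILDREN),
                        ("block above", BLOCK_ABOVE)]:
        print(f"{name}: launcher -> {resolve(rules, CHAIN)}")
```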
Ah, that’s good advice. Thanks.
If I select it for an executable, then does the order of rules matter? Or Comodo, when it runs into this flag, checks the rules again for each process the parent is trying to start?
One more question.
I’ve been wondering about this:
Those two processes attempt to connect to multiple Akamai, Cloudflare and Amazon AWS servers and, I'm not sure how they do it, but every process that these two processes "touch" also attempts to establish network connection to those servers(!). Even Windows Task Manager, if it happens to be open.
Action! requires administrator privileges to run. I tried to force it to run as a limited user with Process Explorer, but the result was an infinite loop of opening and closing processes (Action.exe IIRC), which I couldn't stop, and an OS restart was required to interrupt it.
Anyway, I have never in my life experienced a situation where a single process, after being launched, immediately forced every other process running in my system to establish a network connection to servers indicated by that offending process. Does this qualify as malware?
It feels like it to me.
If I could, I would gladly switch to OBS Studio which is GNU/GPL and is great in general, however:
1. I already paid for the license and I wouldn’t want my money to go down the drain.
2. OBS Studio drops frames when it records 30+ fps videos on Windows 7 with Aero enabled (seems to be a known bug).
So I’m stuck with Action until I switch to GNU/Linux after W7’s lifecycle ends.
At least I do have it contained now. :-\