Today I wanna use the “Protected Files” function to protect some important files. You can find this function via “Advanced settings – HIPS – Protected Objects – Protected Files”. In my test, I first created a file group which contains some .doc and .docx files that are to be protected. Then I added this group to the “Protected Files” section. I used Microsoft Word to open a .docx file that is in the protected files, and it shows READ ONLY in the Word application. I think it works as expected so far.
However, what I really want to achieve is protecting these files from being deleted or modified by applications other than the Word application. In other words, the editing or modification of the protected files should be allowed for specified apps.
To this end, I tried to create a HIPS rule for the Word application and add the above-mentioned “Protected Files” in its rule editing window under “Access rights – Protected files/folders – modify – Allowed files/folders”. After that, I reopened the file with the Word application, and it still shows as READ ONLY. It does not work as expected.
I tried to learn some tips from the help file of CIS. You can find it here.
After following the instructions, this issue persists. Besides, strangely, I can assure you that the official help instruction on the Protected Files, especially the given example at the end, is totally wrong in two respects. The first one is that the logic of the demonstrated rule creation is really confusing: why is the target .odt file regarded as the parent process and the parent app .exe regarded as the target? The second reason is that the created rule doesn’t work. You can test it. I have no idea how to realize my expectation of Protected Files. I would appreciate it very much if you could give me any advice.
P.S. I hope you can revise the help file regarding the mentioned “Protected Files” part.
My knowledge of HIPS isn’t as extensive as I’d like, but a HIPS pop-up alert appears for any application if it’s set to Paranoid Mode rather than Safe Mode, as HIPS allows access for programs/processes deemed Safe in Safe Mode.
By the way, you can protect your entire drive with HIPS: under Protected Files, adding ?:* will cause HIPS to protect all files on all volumes and drives. I used to do that but found some delays and hiccups now and then on my old PC. I find Containment set to Restricted by default the best way to go for protecting your data, and you can use Protected Data in HIPS in conjunction with that to make any files invisible to those running in the container.
It may be possible to do what you’re asking for; you need to change your HIPS setting to Paranoid Mode for that, from what I understand.
I am assuming that you are attempting to protect certain files against malicious action (protecting docs against ransomware). Attempting to make a specific HIPS rule to meet that end can be termed Reactive Protection, something that is needed to bolster inadequate protection by the main AM application (preventing unknown malware from doing nasty things). Folks currently using newer products like Checkpoint Harmony and DeepInstinct are realizing that Reactive rules need to be added.
Fortunately, with both Comodo’s Containment AND Script Analysis active, one already has Proactive Protection: unknown malware will be automatically blocked from any nastiness before it can occur, so any obsession over a Reactive Rule is really pointless.
I want to use this feature to safeguard valuable files (spreadsheets, databases, documents) against accidental or deliberate sabotage. Such sabotage is not only from malware/ransomware but also from artificial.
Hi @ilgaz, here is my feedback, correct me if I am wrong. I cannot achieve the expected result by following the steps you gave. Although the given steps were based on the Xcitium platform, I tested it on CIS as I don’t have an XCS installed currently. I believe XCS and CIS share the same function in this scenario for “Protected Files”.
I think the 4th step is wrong. You said
If I remember correctly, the order of the HIPS rules from top to bottom determines the processing sequence and priority level. The rule on the top (the first rule in the HIPS rules list) has the highest priority, while the rule on the bottom (the last rule, i.e., the “All Applications” rule) has the lowest priority. Hence, I think the created rule for WINWORD.EXE should be located above the “All Applications” rule. I have tested and it works after moving it above the “All Applications” rule.
Hi, @ilgaz. As your instructions are based on the XCS platform, I tested it on XCS and it works great. However, I found that this instruction works on CIS only if the created rule is put above the “All Applications” rule. This is quite the opposite of XCS (where it should be under the “All Applications” rule). Does this opposite result indicate that XCS has changed the handling sequence of the HIPS rules (from bottom to top)?
HIPS rules work in a different manner. It checks rules from top to bottom to build the final config; if there are duplicated items for the same object, the last rule overrides the previous ones. So in general we can say the priority is reversed and the allow rule should be on the bottom.
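
The two evaluation orders discussed in this thread, as an added example that is not part of any post and is not Comodo's code: a small model in which first-match-wins is the behaviour reported above for CIS and last-rule-overrides is the behaviour described in the final reply. The `Rule` tuple, the paths, the patterns and the default verdict are all constructed for illustration.

```python
from fnmatch import fnmatchcase
from typing import NamedTuple

class Rule(NamedTuple):
    app: str      # application path pattern; "*" models the "All Applications" rule
    target: str   # protected file pattern
    action: str   # "allow" or "block" for modifying the target

def _hit(rule, app, path):
    # Windows paths are case-insensitive, so compare lowercased strings.
    return (fnmatchcase(app.lower(), rule.app.lower())
            and fnmatchcase(path.lower(), rule.target.lower()))

def first_match(rules, app, path, default="block"):
    """Top-most matching rule decides (order the thread reports for CIS)."""
    for rule in rules:
        if _hit(rule, app, path):
            return rule.action
    return default  # assumed default, not taken from the product

def last_override(rules, app, path, default="block"):
    """Every rule is merged top to bottom; the last matching one overrides."""
    verdict = default
    for rule in rules:
        if _hit(rule, app, path):
            verdict = rule.action
    return verdict

# Constructed sample data.
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
OTHER = r"C:\Users\alice\Downloads\tool.exe"
DOC = r"D:\Protected\budget.docx"
WORD_RULE = Rule(r"*\WINWORD.EXE", r"D:\Protected\*", "allow")
ALL_APPS = Rule("*", r"D:\Protected\*", "block")

def compare():
    """Verdict for each (evaluator, rule order, application) combination."""
    orders = {"word_above": [WORD_RULE, ALL_APPS], "word_below": [ALL_APPS, WORD_RULE]}
    out = {}
    for fn in (first_match, last_override):
        for name, rules in orders.items():
            for label, app in (("word", WORD), ("other", OTHER)):
                out[(fn.__name__, name, label)] = fn(rules, app, DOC)
    return out

if __name__ == "__main__":
    for key, verdict in compare().items():
        print(key, "->", verdict)
```

In both models the non-whitelisted application stays blocked in either order; only the Word exception flips, which is why an allow rule positioned for one engine silently stops working on the other.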