Reopen - Exes are auto-contained before HIPS popup select (both enabled)

My apologies, the request for marking as fixed was premature.
Unfortunately, the issue continues to reoccur :- https://forums.comodo.com/resolvedoutdated-issues-cis/exes-autocontained-before-hips-popup-select-when-both-components-enabled-t119119.0.html

Screen video attached.

Check your HIPS rule for Windows Explorer. If you are using the Internet Security configuration, then explorer is treated as the Windows System Application ruleset, which is allowed to execute any application.

Yes the settings are precisely as per your shared screenshots except in allowed / exclusions the count is 0. However I don’t understand the connection between the comment and the issue.

As per what I expect to happen

  • Explorer = Windows System Application meaning no need to contain so CIS allows execution of Explorer
  • Explorer → Starts Unknown Exe
  • Action “Run an executable” is set to “Ask”; Exe is not in Allowed/Blocked so HIPS popup should appear inquiring if Auto Containment / Blocked / Allowed as said executable
  • Instead what happened is exe got auto contained

Is your rule for explorer set to Windows System Application or custom? If it is set as Windows system application under the Treat As column in HIPS rules then it will be allowed to execute anything without asking.

It’s set to “Windows System Application”. I’ve also highlighted what I meant by “in allowed / exclusions the count is 0”; it’s the red highlighted box, sorry if it wasn’t clear.

I changed the entry to Custom, Now explorer gives a popup for every unknown executable execution / com component access etc and Allow/Block/Treat As option popups are shown.

My interpretation is what we’ve done by the change is give precedence to HIPS as if Auto Containment is disabled.

In fact I turned off Auto Containment and reverted HIPS rule for explorer to Windows System Application and it is exactly the above mentioned behavior i.e. Explorer gives a popup for every unknown executable execution / com component access etc and Allow/Block/Treat As option popups are shown.

How about we just close (preferably even remove from the forum) both the posts since you believe CIS works per intended and I found it a little odd ?

https://forums.comodo.com/resolvedoutdated-issues-cis/exes-autocontained-before-hips-popup-select-when-both-components-enabled-t119119.0.html
https://forums.comodo.com/bug-reports-cis/reopen-exes-are-autocontained-before-hips-popup-select-both-enabled-t119293.0.html

I would much rather prefer the CIS production and development teams to concentrate on the other priorities, especially pending items on the Wishlist. I’ll live with turning off Auto Containment with HIPS enabled on my system.

Thanks

I see your confusion, when you have use ruleset selected then the rules in the bottom part of the rules window are disabled/ignored and are overridden with what is selected in the use ruleset drop down list. Hence why you can’t click on modify or change each access rights ask selection as that area is disabled, once you change to use a custom ruleset then you can modify those access rights names action and exclusions. Those are grayed out and don’t become clickable blue links until you select use a custom ruleset radio button.

When HIPS and auto-containment are both enabled, then HIPS asks first to allow execution which then gets auto-contained if you answer allow. If you click block then application is not run and will not be put into containment.

Actually future, not confused, and sorry I didn’t share with you a screengrab of the “Windows System Application” ruleset. It’s attached along with.

I know you are a longtime CIS user, the same with me also and earlier from when it was just Comodo Firewall v2 so I had presumed you didn’t need each low level specific.

I hadn’t realized you were also wanting the contents of the “Windows System Application” ruleset.

Kindly ignore the previous image and my comment “I’ve also highlighted what I meant by ‘in allowed / exclusions the count is 0’; it’s the red highlighted box, sorry if it wasn’t clear.” from the previous post. My apologies for the confusion again and giving you an impression that I didn’t get the relation between Custom Rules and Pre-Defined rulesets and the Enabled/Disabled statuses.

This is precisely what doesn’t happen

  1. The explorer rule is checked by CIS and because it’s the defaults set for “Windows System Application”.
  2. I haven’t modified the CIS default ruleset, so CIS allows explorer to start the execution of the unknown executable as per the Access Rights > Run an Executable > Ask * rule defined in “Windows System Application”
  3. When the executable runs now CIS checks for the executable in HIPS
  4. There is no rule in HIPS for this executable so (I assume) CIS goes to File Rating
  5. In File Rating there is no entry/rule so no decision can be taken here
  6. CIS goes to AutoContainment where it encounters the Virtualization rules and thus runs the executable as contained.

I would have expected between 4 & 5 we would have got a HIPS alert for the new executable (i.e. outcome of Step 2 which is Ask) which doesn’t happen - This is what I meant as what I found odd.

Ok yeah once something is contained you won’t get HIPS alerts for any action carried out by the contained app. But you can control some actions of contained apps using HIPS rules as long as HIPS is enabled. e.g. have a HIPS rule for cmd.exe and set the access right for run an executable to block, then run cmd.exe in containment and try to execute another application, it will be blocked with an access denied error message.

But that’s not what I meant, you are referring to action after the exe is contained.

What I mean is before CIS marks the executable to go to AutoContainment I would think it should have got caught by the Ask policy on exe’s and we are shown the HIPS popup to select an option from the Allow / Block / Treat As popup especially because I have marked don’t use TVL so it shouldn’t be using File rating listings.

Note I am aware within a container HIPS alerts are not shown. I know there are wishlist’s items

The run an executable access right is for executing other executables and not for itself to be executed. So if you had set block or ask for the unknown for the run an executable access right, it would still be allowed to be executed by other processes in which you would get an alert for the process that is attempting to execute the unknown application. Windows explorer is “you” the user, so anytime you use your mouse to launch an executable, explorer.exe would be the parent process that executes whatever application you’re attempting to run.

Because explorer is set as WSA then you won’t get a HIPS execution alert for any executable regardless of rating and if the launched executable matches an auto-containment rule to run in containment, then it is run in the container and no further HIPS alerts are shown for that launched executable or for any executable that gets executed by that initial executable.

The only time when you would get an alert to be asked to allow execution is if explorer is not set to specifically allow or block the target executable. This also applies to other processes that attempt to execute another executable. Now once you do get that alert then clicking allow will then put it in containment assuming a matching containment rule is found, if no rule is found then it continues to run normally and you would then get HIPS alerts for any action monitored by HIPS (assuming no HIPS rules are created for said running application to allow/block specific action.)

Thank you for your patience 8)

I agree to this understanding.

This is where I feel it’s incorrect and contrary to your next quote block

We agree explorer is WSA and run an executable is set to Ask (As defined in the Ruleset) :-TU

So I expect to get the HIPS Alert for the Unknown especially since you mention File Rating is not considered ?

It shouldn’t even go to Auto contain at this point. Shouldn’t HIPS rules be given priority ? :o

Again this affirms my doubt

We agree explorer is set to WSA (HIPS Ruleset not modified) and run an executable is set to Ask :-TU

So I expect to see that HIPS popup for the unknown application which has been started from explorer i.e. “Now once you do get that alert”

But I don’t see this alert showing when Auto Contain is also enabled :frowning:

LOL I completely forgot to mention the Exclusions that can be configured for each access right…If you look to the right of Ask you will see a modify link under the exclusions column and you will notice it reads 1\0 for the WSA ruleset. That tells you the number of exclusion items for allowed (first number) and blocked (second number) files/folders. Clicking on modify will bring up a window that contains two sections, one is allowed files/folders and the other blocked files/folders. Whatever is listed here will override the ask/allow/block action.

So in the case of WSA it contains under the allowed files/folders tab, the wildcard character * which means all executables located in any file/folder path is allowed to be executed. This minor detail separates the difference between the Allowed Application ruleset and WSA ruleset which at first glance looks exactly the same. Except that WSA has that global allow exclusion. This is why you don’t get an alert to run an executable by explorer when running an unknown application. Do note that even if the action was set to block, then whatever is listed in the allowed exclusions would still be allowed.

Superb :-TU

That explanation ties together all the threads and clarifies all doubts and yes :embarassed: of me to not have picked up on that subtle specific.

Good to move to the Resolved sub-forum. You deserve a high five too for being uber patient.
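
The evaluation order this thread settles on, as an added Python sketch (not part of the original posts and not Comodo's code): the parent's "Run an executable" exclusions override its Ask/Allow/Block action, and only an allowed launch is then matched against auto-containment rules. The class and function names, the sample path, and checking the allowed list before the blocked list are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class RunExecRight:
    """'Run an executable' access right of the PARENT process's HIPS rule."""
    action: str                                   # "ask", "allow" or "block"
    allowed: list = field(default_factory=list)   # exclusions: allowed files/folders
    blocked: list = field(default_factory=list)   # exclusions: blocked files/folders


# Rulesets as described in the thread (the custom rule is constructed).
WSA = RunExecRight("ask", allowed=["*"])   # Windows System Application, global allow
CUSTOM = RunExecRight("ask")               # custom ruleset with no exclusions


def effective_action(right, target):
    # Exclusions override the configured action. Checking the allowed list
    # before the blocked list is an assumption; the thread does not say.
    if any(fnmatchcase(target, pat) for pat in right.allowed):
        return "allow"
    if any(fnmatchcase(target, pat) for pat in right.blocked):
        return "block"
    return right.action


def launch(parent_right, target, matches_containment_rule, user_answer="allow"):
    """Return (hips_alert_shown, outcome) for a parent starting `target`."""
    verdict = effective_action(parent_right, target)
    alert = verdict == "ask"
    if alert:
        verdict = user_answer                     # answer given in the HIPS popup
    if verdict == "block":
        return alert, "blocked"
    # Allowed executions are then checked against auto-containment rules.
    return alert, "contained" if matches_containment_rule else "runs normally"


def action_is_moot(right):
    """True when a global allow exclusion means Ask/Block never applies."""
    return "*" in right.allowed


if __name__ == "__main__":
    exe = r"C:\Users\demo\Downloads\unknown.exe"  # constructed sample path
    for name, right in (("WSA", WSA), ("custom", CUSTOM)):
        print(name, launch(right, exe, True), "moot:", action_is_moot(right))
```

When reviewing HIPS rules, a ruleset whose action reads Ask or Block but whose allowed exclusions contain `*` behaves like the WSA case here: no alert is raised for anything that parent starts.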