Microsoft Malicious Removal Tool (MRT.exe) is treated as “Unrecognized” despite being rated as “Trusted” in local host File Rating database.
C:\Windows\System32\MRT.exe 122905848KB 2/26/2015 21:14:44 MD5 000A77BDB94C42A90137E8368D3A47AA
Cannot submit larger %windir% files due to file size limit when submitting files to Comodo.
Limit should be removed\excepted for any Microsoft digitally signed files from System32 and SysWOW64 paths.
Can you reproduce the problem & if so how reliably?:
Yes. Reproducible every time - at will.
If you can, exact steps to reproduce. If not, exactly what you did & what happened:
1: Configure CIS for anti-executable\default-deny using the following settings:
A. Security Settings > File Rating > File Rating Settings > De-select “Trust applications signed by Trusted Vendors.”
B. Security Settings > File Rating > File Rating Settings > De-select “Trust files installed by Trusted installers.”
C. Security Settings > Defense+ > Auto-sandbox > Create rule as follows: Block - All Applications - Unrecognized
When MRT.exe attempts to write to C:\Windows\debug\mrt.log or create a new folder C:\Windows\Temp\MPGEAR.DLL it will generate an “Unrecognized” HIPS alert. Also, when MRT.exe attempts to connect to the network it will generate an “Unrecognized” firewall alert.
This can easily be verified by the following steps:
1: Open cmd.exe
2: Type MRT.exe
One or two sentences explaining what actually happened:
Microsoft Malicious Removal Tool (MRT.exe) is a “Safe” application. When it performs its legitimate duties on the system, CIS treats it as “Unrecognized.” This results in erroneous HIPS and firewall alerts.
One or two sentences explaining what you expected to happen:
I did not expect any CIS alerts for Microsoft Malicious Removal Tool (MRT.exe) as it is a “Safe” system application.
If a software compatibility problem have you tried the advice to make programs work with CIS?:
Any software except CIS/OS involved? If so - name, & exact version:
Any other information, eg your guess at the cause, how you tried to fix it etc:
I fixed the issue by creating both HIPS and firewall “Windows System Application” rules for MRT.exe.
B. YOUR SETUP
Exact CIS version & configuration:
CIS 18.104.22.16858 - Proactive Protection
Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:
D+\HIPS, Autosandbox\BBlocker, Firewall & AV; All
Have you made any other changes to the default config? (egs here.):
Yes. CIS configuration attached.
NOTE: Issue not configuration related; I tried different configuration\settings - it did not correct issue.
THE ISSUE IS NOT SYSTEM DEPENDENT; I have tried on different machines - Intel, AMD, i3, i5, A8, A10, desktop, laptop.
Have you updated (without uninstall) from CIS 5, 6 or 7?:
If so, have you tried a clean reinstall - if not please do?:
Have you imported a config from a previous version of CIS:
If so, have you tried a standard config - if not please do: Yes. Issue is independent of configuration\settings.
OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
Windows 8.1 x86-64 OEM (Toshiba\AMD), “Always notify,” Administrator, No VM used.
NOTE: CLEAN INSTALL Windows 8.1, < 1 week. No “bloat\crapware” installed.
Other security/s’box software a) currently installed b) installed since OS, including initial trial security software included with system:
C. ATTACH REQUIRED FILES
A. CIS configuration.
[attachment deleted by admin]
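
The exception proposed in this report (Microsoft digitally signed files under System32 and SysWOW64) can be written as a PowerShell check to run before creating allow rules for a binary such as MRT.exe. This is an added example, not part of the original post or of CIS; the function name `Test-MicrosoftSystemBinary` and the signer match on `O=Microsoft Corporation` are assumptions.

```powershell
# Added example: hypothetical helper, not part of CIS or the original report.
# Requires PowerShell 4.0 or later (Get-FileHash). Pass an absolute path.
function Test-MicrosoftSystemBinary {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        # Optional hash to compare against, e.g. the MD5 quoted in the report.
        [string]$ReportedMD5
    )

    $full = [System.IO.Path]::GetFullPath($Path)

    # Condition 1: the file lives under %windir%\System32 or %windir%\SysWOW64.
    $inSystemDir = $false
    foreach ($dir in 'System32', 'SysWOW64') {
        $root = (Join-Path $env:windir $dir) + '\'
        if ($full.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            $inSystemDir = $true
        }
    }

    # Condition 2: the Authenticode signature validates and the signer is Microsoft.
    # Matching on the certificate subject is an assumption of this example.
    $sig = Get-AuthenticodeSignature -LiteralPath $full
    $validSig = ($sig.Status -eq 'Valid')
    $msSigner = $false
    if ($sig.SignerCertificate) {
        $msSigner = $sig.SignerCertificate.Subject -match '(^|,\s*)O=Microsoft Corporation(,|$)'
    }

    # Hash is reported for comparison only; it is not used for the trust decision.
    $md5 = (Get-FileHash -LiteralPath $full -Algorithm MD5).Hash
    $hashMatch = $null
    if ($ReportedMD5) { $hashMatch = ($md5 -eq $ReportedMD5) }

    [pscustomobject]@{
        Path               = $full
        InSystemDirectory  = $inSystemDir
        SignatureStatus    = $sig.Status
        MicrosoftSigner    = $msSigner
        MD5                = $md5
        MatchesReportedMD5 = $hashMatch
        MeetsException     = ($inSystemDir -and $validSig -and $msSigner)
    }
}

# The file and MD5 from the report above.
Test-MicrosoftSystemBinary -Path "$env:windir\System32\MRT.exe" `
    -ReportedMD5 '000A77BDB94C42A90137E8368D3A47AA'
```

MRT.exe is replaced with each new release of the tool, so `MatchesReportedMD5` will be false on any build other than the one in the report; `MeetsException` depends only on the path and signature.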