Script Analysis Settings


When in

  • Advanced Protection Configuration,
  • Script Analysis Settings,
  • Runtime Detection,

I activate

  • Embedded Code Detection for cmd

this error appears systematically.

It seems that the command is not well set up.

I don’t remember why, but I have everything turned on but cmd.

I turned them on one by one to see if it had any impact. I had no problem.

cmd.exe was the last one. I had to turn it off.

I had everything at default setting (most were turned off) and turned cmd on but I didn’t noticed any error after switching it on.

I also just turned CMD on without any errors.

Could you please keep cmd on for now ?

For the moment I have only seen the error with a program from HP. I will put cmd on again and see if I have the problem with another program.

I will leave it on for a while to see if I get an error too but I think the error only happens when an executable calls cmd to execute some self-created (random) unknown batch script.

When you see the error again then try to set the HP executable File Rating to Trusted and also add a HIPS application rule for the HP executable and set it to the defined rule “Windows System Application” and then check if the error occurs again.

Bizarre, vous avez dit bizarre … (Louis JOUVET)


  • Laptop 2 : HP - W10 Famille - 20H2 - 19042.1237/ CIS PRO :
    Embedded Code Detection is on for every program. There are no HIPS alerts.

  • Laptop 1 : HP - W10 Famille - 21H1 - 19043.1237 / CFW :
    When Embedded Code Detection is on for cmd.exe there are HIPS alerts quickly for only one HP program.
    When I validate the first alert, there is a second one that I validate, then a third one that I validate, then a fourth one that I validate, then a fifth one and there I stopped.
    It’s surprising this sequence.
    HIPS rules have been created (set of predefined rules) and since then there is no more HIPS alert.

Strange, you said strange …

This isn’t a bug, but how embedded-code detection works for various script interpreters such as powershell and in your case the windows command prompt. You have a program that is executing system commands and CIS is turning them into script files to be intercepted by each CIS component.

The generating fact is that this file
was not recognized (screenshot HIPS1).

Why is this?
Is the file name incorrect ?
Is the content of the file incorrect ?

What was the file rating of the HP program at the time when screenshot HIPS1 was made, Trusted or Unrecognized?

The rating of the HP program is “Trusted”.

The file
is in the folder \tempscrpt

Ok, thank you.

I think it is desirable to have an option to disable embedded-code detection for various script interpreters to suppress these HIPS Alerts for Trusted applications, unless there is a good reason to keep performing embedded-code detection for Trusted applications.

Maybe someone create a wish for it…

The .bat file must have something specific, because when I submit it there is a Comodo error,

but Comodo on VirusTotal does not flag it.

The real problem is that these kind of .bat files shouldn’t be created by CIS when executing Trusted applications.
I can’t think of a reason why CIS should do embedded code detection on Trusted applications and create these confusing .bat files.
Hopefully someone can shed light on this.

Because then a trusted file can be used to launch/install/run file less malware, i.e cmd.exe. That’s why it has to monitor trusted files as well. Otherwise your not covering the attack vector of executing of malicious commands.

I understand but how about the following.
Trusted applications are normally digitally signed so their entire code is treated as safe. Now when a Trusted application creates an own script file from within its own code for its own needs or purpose would that script file then be unsafe per definition? When CIS monitors the script and, outside the trusted application, doesn’t detect any tampering with the script then the script should execute normally without any HIPS Alerts popping up to my believe.

I submitted the file to Valkyrie (screenshot 1)
The result is “No threat found” but not “Clean” as the other files.

In my dashboard this file is defined as “Unknown file”. This may explain the CIS result (screenshot2).

Since the HP program is Trusted and so is the .bat file HIPS shouldn’t bother you with this .bat file at all.

Hi domo78,

We are checking on this.