Some protected files become unprotected when they are used in HIPS rule [M1447]

A. THE BUG/ISSUE (Varies from issue to issue)

Can you reproduce the problem & if so how reliably?:
Yes, every time.

If you can, exact steps to reproduce. If not, exactly what you did & what happened:

  1. Apply to some program (“Total Commamder” or any other) the HIPS ruleset “Isolated Application”

  2. Click OK to apply the configuration changes

  3. Try to modify the folder “C:\VTRoot” by the program with the ruleset “Isolated Application”
    That activity must be blocked by CIS. This behaviour is correct.

  4. Create new HIPS rule:
    Set the path to any application, e.g. c:\Windows\System32\calc.exe
    Select the option “Use a custom Ruleset”
    Click the link “Modify” in the item “Protected Files/Folders”
    Add to the tab “Blocked Files” the group “Important Files/Folders”

  5. Click OK to apply the configuration changes

  6. Try to modify the folder “C:\VTRoot” by the program with the ruleset “Isolated Application”

Make sure that the folder “C:\VTRoot” is not protected.

  1. Create 4 folders:

C:\test1
C:\test2
C:\test3
C:\test4

  1. Create the file group “Test” and add to it these entries:

C:\test1*
C:\test2*|
C:\test3*
C:\test4*|

  1. Open the panel “HIPS” > “Protected Objects” > “Protected files” and add the group “Test” to it.

  2. Click OK to apply the configuration changes

  3. Try to modify by the program with the ruleset “Isolated Application” any of these folders:

C:\test1
C:\test2
C:\test3
C:\test4

That activity must be blocked by CIS. This behaviour is correct.

  1. Create new HIPS rule:
    Set the path to any application, e.g. %windir%\system32\mspaint.exe
    Select the option “Use a custom Ruleset”
    Click the link “Modify” in the item “Protected Files/Folders”
    Add to the tab “Blocked Files” the group “Test”

  2. Click OK to apply the configuration changes

  3. Try to modify by the program with the ruleset “Isolated Application” any of these folders:

C:\test1
C:\test2
C:\test3
C:\test4

Make sure that the folders “C:\test1”, “C:\test2” and “C:\test4” are still protected, but the folder “C:\test3” doesn’t.

One or two sentences explaining what actually happened:
Some protected files have become unprotected after creating a HIPS rule to block them.

One or two sentences explaining what you expected to happen:
NA

If a software compatibility problem have you tried the advice to make programs work with CIS?:
NA

Any software except CIS/OS involved? If so - name, & exact version:
NA

Any other information, eg your guess at the cause, how you tried to fix it etc:

This bug happens when a protected file group contains entries with and without symbol “|”. The entry without it becomes unprotected when it locates below the entry with this symbol.

E.g. the group “Important Files/Folders” contains by default these entries:

%windir%*|
<…>
C:\VTRoot*
<…>

Thus the entry C:\VTRoot* becomes unprotected.

B. YOUR SETUP
Exact CIS version & configuration:
CIS 8.1.0.4426
Configuration: Proactive Security

Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:

Antivirus:
Stateful
“Do not show antivirus alerts”: disabled

HIPS:
Safe Mode
“Create rules for safe applications”: disabled

Auto-Sandbox: Enabled, default rule set
Firewall: Safe Mode

Have you made any other changes to the default config? (egs here.):
No changes

Have you updated (without uninstall) from CIS 5 or CIS6?:
No

Have you imported a config from a previous version of CIS:
No

OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
Win7x64SP1 (VMware), Admin, UAC is enabled

Other security/s’box software a) currently installed b) installed since OS, including initial trial security software included with system:
a=None b=None

[attachment deleted by admin]

Thank you for the very detailed bug report. I really appreciate you adding the video it helps the devs a lot

Thank you very much for your report in standard format, with all information supplied. The care you have taken is much appreciated by Comodo, and will increase the likelihood that this bug can be fixed.

Developers may or may not communicate with you in the forum or by PM/IM, depending on time availability and need. Because you have supplied complete information they may be able to replicate and fix the bug without doing so.

Should be fixed with CIS 8.2.0.5027 so moving to resolved. If you feel that this is not fixed please PM a moderator. Thanks.