System is trying to

At shut-down and sometimes during start-up of my PC, I get a HIPS message that

“System” could not be recognized and it is about to modify the contents of C:\Windows\System32\LogFiles\HTTPERR. You must make sure “System” is a safe application before allowing this request.

Should I “Allow” or “Block/Terminate” this request?

Windows 7 64bit
CIS 7.0.317799.4142


What HIPS configuration are you in? Proactive, or what? What HIPS rules do you have defined for 'Windows System Application'?

On my WinXP SP3 system ‘Windows System Application’ is one of the default filegroups. It has been carried along in my CFGX since pterodactyls flew in the air of planet Comodo way back in 2010.

Windows System Application:

System
%SYSROOT32%\svchost.exe
%SYSROOT32%\services.exe
%SYSROOT32%\smss.exe
%SYSROOT32%\winlogon.exe
%SYSROOT32%\spoolsv.exe
%SYSROOT32%\lsass.exe
%SYSROOT32%\wbem\WMIAdap.exe
%PROGRAMFILES%\COMODO\COMODO Internet Security\cavscan.exe

Where SYSROOT32 is env var = C:/windows/system32, and PROGRAMFILES = C:/Program Files.

The filegroup has execute permissions ‘ask’ for anything not ‘*’
All other resources are 'ask'.

In answer to your questions, as best as I can tell, I have the following configurations.

What HIPS configuration are you in? Safe Mode

What HIPS rules do you have defined for 'Windows System Application'? Mainly “Ask”

Windows System Application:

System
%SYSROOT32%\svchost.exe - Ask
%SYSROOT32%\services.exe - Ask and Allow
%SYSROOT32%\smss.exe - Don’t know
%SYSROOT32%\winlogon.exe - Don’t know
%SYSROOT32%\spoolsv.exe - Ask
%SYSROOT32%\lsass.exe - Don’t know
%SYSROOT32%\wbem\WMIAdap.exe - Ask
%PROGRAMFILES%\COMODO\COMODO Internet Security\cavscan.exe - Don’t know

Where SYSROOT32 is env var = C:/windows/system32, and PROGRAMFILES = C:/Program Files.


All those files listed are components of the ‘Windows System Applications’ file-group.

The filegroup itself has the stock default ruleset of ‘Windows System Application’

I’ll have another look tomorrow, it’s getting late here and the land of nod calls.


OK, found the ruleset of ‘Windows System Application’

As I have not altered anything here, it must be as Comodo set it up. Everything set as “Allow” except “Run as executable” which is set as “Ask”.

I searched the net and found this, I added a new entry in “HIPS Rules” and selected in “Running Processes” the process named “System” and ruleset “Windows System Application” on these forums https://forums.comodo.com/defense-sandbox-help-cis-b136.0/-t77404.0.html

Can I just add the same rule to my HIPS Rules?


I have a HIPS rule for ‘Windows System Applications’ - select from filegroup - and implement default ruleset for the filegroup (not custom rules radio button), i.e., ‘Windows System Application’.

Rule added and now all OK.

Many thanks for your help
