Wildcards (*) in HIPS rules are not working (anymore). I was under the impression this worked correctly with previous versions, but I can’t get wildcards in HIPS to behave correctly.
Wildcards in firewall rules do work as expected.
Use case: an executable can exist in multiple subfolders (based on version) and I want to create a custom rule that covers all executables by using a wildcard (*) for the subfolder. When a new version is installed (version number not known upfront) the rule with the wildcard should also apply to the executable in the new version-based folder.
Observed behavior: when an executable runs in a folder that should be covered by the wildcard rule, Comodo alerts the executable rather than treat it as defined in the rule.
Expected behavior: Comodo treats the executable as defined in the wildcard rule.
Are you still having this issue? I had a similar issue, only it wasn’t with HIPS, which I don’t use, but with scan exclusions in the anti-virus scanner. The issue seems to have gone away at some point a while back. I wondered if the issue went away for you as well with HIPS.
I can’t reproduce this behavior.
Could you post your configuration or, at least, a screenshot of the rule in question and the rule for all applications? Also, what HIPS mode are you using?
HIPS is in Safe Mode with all monitoring settings On.
This is an example rule that does not work:
C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\*\OfficeClickToRun.exe
OfficeClickToRun.exe is the installer of Office 365 updates, but with each update it runs from a different subfolder. That’s where I use the wildcard.
The * replaces the subfolder, which is normally a version number in the format 16.0.19231.20172.
But the wildcard rule does not work. For every update, Comodo alerts with a new notification asking what to do with the file.
In addition to my previous comment: it’s irrelevant if my example rule is needed or not. This is just an example, and I have other rules as well.
If HIPS rules support wildcards, they should work correctly.
It seems to me you deleted/modified the trusted vendor database because the file in question is signed with a valid Microsoft certificate.
Also, the problem is most likely due to an incorrectly written rule.
I’ve been using HIPS rules in specific situations for years and have never had any issues with them not working.
Hi, thank you for your tests.
Unfortunately, that is not what happens here. The problem is also not limited to a single computer.
This happens both on updated Comodo installations from previous versions, and clean installations on a brand new computer.
I see in the HIPS Event log that the file is blocked, but the log does not provide additional information why it is blocked.
I have very little time atm for extensive testing, but I will try to gather some more information about this problem when new updates are released.
One thing that is different is that by default I have more HIPS rules in safe mode than your screenshot, but none of them seem to be related to this problem.