Advice Request Anyone has a list of Windows processes that are safe to always allowed by HIPS?

[ItsReallyMe]

I am using Comodo firewall HIPS, sometimes it make my PC stucked for few minutes or sometimes I have to force shutdown the PC and sometimes giving a black screen, probably blocking some critical processes from running, I just started using HIPS!

 

[ErzCrz]

I am using Comodo firewall HIPS, sometimes it make my PC stucked for few minutes or sometimes I have to force shutdown the PC and sometimes giving a black screen probably blocking some critical processes from running, I just started using HIPS!

Have you altered the protected objects? I've sometimes noticed a slight lag with my occasional more paranoid setup.

Under protected files added ?:\* will cause HIPS to protect all files on all volumes and drives. For protected registry keys while not necessary, I added *\Software\* and *\System\*. Under protected COM interfaces, added *\RPC Control\ntsvcs monitors access to the service control manager, LocalSecurityAuthority.* allows me to control process token privileges, and {*} and *.* will cover many COM interfaces by CLSID and ProgID.

But that's when I'm overly paranoid or experimenting with protection without using containment.

Anyway, if you've altered the default Safe Mode settings, that may be the issue.

Erzcrz

 

[ItsReallyMe]

Have you altered the protected objects? I've sometimes noticed a slight lag with my occasional more paranoid setup.

Under protected files added ?:\* will cause HIPS to protect all files on all volumes and drives. For protected registry keys while not necessary, I added *\Software\* and *\System\*. Under protected COM interfaces, added *\RPC Control\ntsvcs monitors access to the service control manager, LocalSecurityAuthority.* allows me to control process token privileges, and {*} and *.* will cover many COM interfaces by CLSID and ProgID.

But that's when I'm overly paranoid or experimenting with protection without using containment.

Anyway, if you've altered the default Safe Mode settings, that may be the issue.

Erzcrz

Have you altered the protected objects? I've sometimes noticed a slight lag with my occasional more paranoid setup.

Under protected files added ?:\* will cause HIPS to protect all files on all volumes and drives. For protected registry keys while not necessary, I added *\Software\* and *\System\*. Under protected COM interfaces, added *\RPC Control\ntsvcs monitors access to the service control manager, LocalSecurityAuthority.* allows me to control process token privileges, and {*} and *.* will cover many COM interfaces by CLSID and ProgID.

But that's when I'm overly paranoid or experimenting with protection without using containment.

Anyway, if you've altered the default Safe Mode settings, that may be the issue.

Erzcrz

thanks for the reply, I removed :\* and unblocked some critical MS processes blocked by HIPS! and now PC is not getting stucked anymore . Do you unblock the process TrustedInstaller.exe, conhost , taskhostw, explorer.exe, sgrmbroker , dasHost, etc. for HIPS component always because its being blocked by HIPS?

 

[ErzCrz]

thanks for the reply, I removed :\* and unblocked some critical MS processes blocked by HIPS! and now PC is not getting stucked anymore . Do you unblock the process TrustedInstaller.exe, conhost , taskhostw, explorer.exe, sgrmbroker , dasHost, etc. for HIPS component always because its being blocked by HIPS?

It's been awhile since running that paranoid setup but I don't recall having to unblock those. Containment covers everything anyway but I run CIS as Proactive which defaults HIPS to Safe Mode standard setup. TrustedInstaller.exe, conhost , taskhostw, explorer.exe, sgrmbroker and dasHost are trusted applications so you can whitelist those if it's causing an issue. I get blocks for dashost and explorer outbound firewall but that's related to the default Alert Incoming Firewall setup as opposed to stealth ports. Have you got a screenshot of what's showing in your logs?

 

[Andy Ful]

There are no safe Windows processes. The attackers often use them as targets for code injections. So, one has to find a balance between whitelisting and HIPS restrictions (not an easy task).

 

[ErzCrz]

There are no safe Windows processes. The attackers often use them as targets for code injections. So, one has to find a balance between whitelisting and HIPS restrictions (not an easy task).

Fair point. I would only do any whitelisting if it was causing issue but as you say, it's a fine line/balance. By default HIPS in Safe mode trusts a handful of system files and I have no issue using the default setup with those since containment would block anything new anyway.

 

[wat0114]

I am using Comodo firewall HIPS, sometimes it make my PC stucked for few minutes or sometimes I have to force shutdown the PC and sometimes giving a black screen, probably blocking some critical processes from running, I just started using HIPS!

Comodo firewall with HIPS enabled - especially in Paranoid mode - can absolutely cripple your device if required processes are not allowed. You're probably far better off running Comodo using @cruelsister settings, which has HIPS disabled and instead uses virtualized containment on unrecognized processes. It's a setup that has a proven, successful track record.

If you insist on using the HIPS option, you might want to run it Learning mode on several reboots and normal daily use of your applications and Windows tasks within your Windows account.

 

[ItsReallyMe]

It's been awhile since running that paranoid setup but I don't recall having to unblock those. Containment covers everything anyway but I run CIS as Proactive which defaults HIPS to Safe Mode standard setup. TrustedInstaller.exe, conhost , taskhostw, explorer.exe, sgrmbroker and dasHost are trusted applications so you can whitelist those if it's causing an issue. I get blocks for dashost and explorer outbound firewall but that's related to the default Alert Incoming Firewall setup as opposed to stealth ports. Have you got a screenshot of what's showing in your logs?

Spoiler

 

[ErzCrz]

Thanks. I think it would be worth just removing those from the Blocked applications and then running a Rating Scan which only takes a minute and any considered trusted will be added to Trusted Files list. Should there be another block for those, they'll re-appear in your list above Run a Rating Scan, Virus Scan, Scan My PC | Internet Security| Comodo Internet Security v6.2 but I would run HIPS in "Safe Mode" in any case for less issues if you aren't doing that already.

 

[Brahman]

Hips is too much a pain in the A##, especially with windows 11. If you are so paranoid, use The Cruelsister Variation with "only selected vendors list" ( setting>file rating> vendor list> remove all, click OK, then file rating> file list. select all> click "look up"> on completion click Ok, all the existing digital signatures will be added to vendor list automatically. Now go to settings> filie rating> file rating settings> disable "cloud look up". Now nothing will run except that's already in the vendors list, everything else will be automatically sandboxed)

 

[cruelsister]

I am using Comodo firewall HIPS

Of all the security modules contained in CF (VirusScope, Containment, FW, Script Analysis), the HIPS is the least important and perhaps the most annoying. Trust me in that it is no great burden to create malware that will own a system utilizing HIPS (any HIPS) as the primary protection.

 

[ItsReallyMe]

turn off the hips module to see if the problem goes away, if it doesn't you know the problem is not caused by hips
if it is caused by hips, then clear the hips rules and keep trying until you isolate the one that causes the issue
with hips, you learn by doing, and through practice you will get better at it, that said, comodo hips will give a lot of alerts that will make no sense to you at first and much is not documented in the 1000 page comodo manual, learning hips takes time and effort, but a much more efficient method is to learn and memorize the lolbins abused by attackers, those are the process you need to pay attention to in hips notifications
hips is not rocket science, it just takes analytical, methodical mind set and practice (the same a general IT troubleshooting)
use whatever solution you like as then you are apt to keep using it and thereby protect your system

where can I learn and memorize the lolbins abused by attackers? you have some links?

 

[ItsReallyMe]

there used to be some comprehensive online lists but it looks as if they're no longer there, but here are good lists as well

LOLBAS

lolbas-project.github.io

LOLBAS/OSBinaries at master · api0cradle/LOLBAS

Living Off The Land Binaries And Scripts - (LOLBins and LOLScripts) - api0cradle/LOLBAS

github.com

LOLBins : PyQT5 App For LOLBAS And GTFOBins

LOLBins is a PyQT app to list all Living Off The Land Binaries and Scripts for Windows from LOLBAS and Unix binaries.

kalilinuxtutorials.com

on the github page, just fyi the .md just means markdown which is a text file that can easily be converted to html - which makes sense since it is displayed on the github webpage in your browser, click on those and the page maintainer gives examples of abused command lines
other related resources

https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

https://apps.nsa.gov/iaarchive/library/ia-guidance/security-tips/application-whitelisting.cfm

https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/application-whitelisting-using-srp.cfm

https://apps.nsa.gov/iaarchive/library/ia-guidance/archive/application-whitelisting-trifold.cfm

Thanks!

 

[ItsReallyMe]

Anyone know how to reset HIPS rules i selected and make it again ask for my permission to allow or block?

 

[ItsReallyMe]

Thanks. I think it would be worth just removing those from the Blocked applications and then running a Rating Scan which only takes a minute and any considered trusted will be added to Trusted Files list. Should there be another block for those, they'll re-appear in your list above Run a Rating Scan, Virus Scan, Scan My PC | Internet Security| Comodo Internet Security v6.2 but I would run HIPS in "Safe Mode" in any case for less issues if you aren't doing that already.

How do you treat runtimebroker.exe and dllhost in HIPS?

 

[ErzCrz]

How do you treat runtimebroker.exe and dllhost in HIPS?

You can set a firewall rule to block outgoing as it's one of those LOLbins but I wouldn't block runtimebroker unless it was determined to be unsafe. What you can do is create a custom rule for each of these so it ask's with a pop-up for each action but really, no necessary tweaks beyond the defaullt safe mode if your using containment.

Safe mode HIPS works off whether a file is certified safe in the file list.

Safe Mode: While monitoring critical system activity, HIPS automatically learns the activity of executables and applications certified as 'Safe' by Comodo. It also automatically creates 'Allow' rules for these activities, if the checkbox 'Create rules for safe applications' is selected. For non-certified, unknown, applications, you will receive an alert whenever that application attempts to run. Should you choose, you can add that new application to the HIPS rules list by choosing 'Treat as' and selecting 'Allowed Application' at the alert with 'Remember my answer' checked. This instructs the HIPS not to generate an alert the next time it runs. If your machine is not new or known to be free of malware and other threats then 'Safe Mode' is recommended setting for most users - combining the highest levels of security with an easy-to-manage number of HIPS alerts.

 

[ItsReallyMe]

You can set a firewall rule to block outgoing as it's one of those LOLbins but I wouldn't block runtimebroker unless it was determined to be unsafe. What you can do is create a custom rule for each of these so it ask's with a pop-up for each action but really, no necessary tweaks beyond the defaullt safe mode if your using containment.

View attachment 263830

Safe mode HIPS works off whether a file is certified safe in the file list.

Safe Mode: While monitoring critical system activity, HIPS automatically learns the activity of executables and applications certified as 'Safe' by Comodo. It also automatically creates 'Allow' rules for these activities, if the checkbox 'Create rules for safe applications' is selected. For non-certified, unknown, applications, you will receive an alert whenever that application attempts to run. Should you choose, you can add that new application to the HIPS rules list by choosing 'Treat as' and selecting 'Allowed Application' at the alert with 'Remember my answer' checked. This instructs the HIPS not to generate an alert the next time it runs. If your machine is not new or known to be free of malware and other threats then 'Safe Mode' is recommended setting for most users - combining the highest levels of security with an easy-to-manage number of HIPS alerts.

Thanks! Do you think its safe to treat System as windows system application or allowed app?

I am getting this notification every time windows or windows store updates!

 

[wat0114]

I am getting this notification every time windows or windows store updates!

Because many Windows paths, especially where updates are concerned, are dynamically changing all the time with every update, you probably need to make use of wildcards for these types of Path rules. For this example, the last portion could be:

WindowsUpdate.*.etl

Just a few more example which I've used in the past when using SRP (same can be applied to HIPS):

C:\Users\myusername\AppData\Local\Temp\*-*-*-*-*\dismhost.exe
C:\Users\myusername\AppData\Local\Temp\*-*-*-*\*.dll

...and some more:

C:\WINDOWS\Temp\*-*-*-*-*\mpengine.dll
C:\WINDOWS\TEMP\*-*-*-*-*\MpUpdate.dll
C:\WINDOWS\Temp\*-*-*-*\mpgear.dll
C:\WINDOWS\Temp\*\*\ConfigureDefender_x64.exe
C:\WINDOWS\TEMP\__PSScriptPolicyTest_*.*.ps1
C:\Windows\TEMP\ns?????.tmp\System.dll

As you can see, I took a rather ridiculous - though I would argue also effective - approach with granularity in my Path rules. And it can go much deeper than this if you are looking for extensive granularity in your path rules, especially in userspace directories, in an effort to strengthen security., and you don't mind spending a great deal of time doing so. Good luck.

BTW, in the end I was finally liberated by switching to Hard_Configurator. You might eventually find switching to the Cruel Sister setup will do the same for you.

 

[ErzCrz]

Thanks! Do you think its safe to treat System as windows system application or allowed app?

-----

I am getting this notification every time windows or windows store updates!

You can just click "allow" or do whitelisting as @wat0114 said and you can always go with @cruelsister 's setup as she's already indicated earlier about HIPS being the least important.

Of all the security modules contained in CF (VirusScope, Containment, FW, Script Analysis), the HIPS is the least important and perhaps the most annoying. Trust me in that it is no great burden to create malware that will own a system utilizing HIPS (any HIPS) as the primary protection.

Malware would have to get in the system and out of Containment before it could do anything.

 

[wat0114]

@ItsReallyMe

I just remembered something about the way Comodo handles current rules containing wildcards to new alerts, which could still be an issue, and you may want to know about it:

Comodo Auto-Containment - comparable to Sandboxie ?

Ultimately if you are determined to run Comodo with HIPS enabled, Safe mode is likely your best bet.