Containment running inside Comodo

Products Endpoint Protection
#1

If I create procedure or script to run on a machine, shouldn’t it automatically be excluded from Containment since the script is running from C:\ProgramData\Comodo\Cis empscrpt?

This is an example of a PowerShell script I am trying to run and it gets blocked:
Data: Unknown Application Running Inside Container Monitor : Unknown application running inside container: C:\ProgramData\Comodo\Cis empscrpt\C_powershell.e xe_23FED9C78D81CD1D1EB8BC375239CC3E44399EE2.ps1

I have checked Itarian - System Templates - File Groups Variables and I have the following exclusion:
C:\ProgramData\Comodo*

Thanks!

#2

Hi @uandit,

Please check your Inbox for the private message and follow the steps provided.
Let me know if your issue is not resolved.

Kind Regards,
PremJK

#3

Thank you @PremJkumar I have folloewd the steps you provided in the private message. I will be testing as time allows. I very much appreciate your help.

#4

Can you post the steps required, so that when we also have the same issues that there is reference point to try before asking for help ?

Similar to this question ? https://forum.itarian.com/forum/products/endpoint-protection/75121-exclusions

mcfproservices

#5

Hi @mcfproservices,

Thanks for your idea. I will create a post explaining the steps with a video and share the link.

Kind Regards,
PremJK

#6

Hi,

Please create Ignored rules in a Windows profile

Windows Profile -> Containment -> Rules -> Add Rule

Action -> Ignore

Under Criteria Tab,
File, Types = Files and Target = C:\ProgramData\Comodo\Cis empscrpt\C_powershell.exe_*.ps1

You need to create an Ignored rule which allows starting embedded PS code in a real environment.
In case embedded code has constant content you can use the exact path.

In case embedded code has variable content, you need to use the mask :
C:\ProgramData\Comodo\Cis empscrpt\C_powershell.exe_*.ps1

Add Process, Types = Files, Reputation = Trusted and Path here should be the address of the process which initiates it
In the attached reference video, we used C:\Windows\System32\gpscript.exe for an example

Under Options Tab,
Select the option "Do NOT apply the selected action to child processes

Now move the newly created rule to top order and save the profile.

Please check the attached video for your reference.
https://we.tl/t-sOuQnGKhgM

Kind Regards,
PremJK

chrome_cWyRnjugaN.png
chrome_cWyRnjugaN.png1566×759 53.4 KB

chrome_X26Np7KW5u.png
chrome_X26Np7KW5u.png752×543 18.9 KB

chrome_VPy8Ombfbv.png
chrome_VPy8Ombfbv.png744×705 21.8 KB

chrome_ohx5EggtQ8.png
chrome_ohx5EggtQ8.png769×510 20.9 KB

chrome_bVWlw77haZ.png
chrome_bVWlw77haZ.png754×485 24 KB

chrome_RfGz8BJH6A.png
chrome_RfGz8BJH6A.png1563×766 53.5 KB