If I create a procedure or script to run on a machine, shouldn’t it automatically be excluded from Containment since the script is running from C:\ProgramData\Comodo\Cis\tempscrpt?
This is an example of a PowerShell script I am trying to run and it gets blocked:
Data: Unknown Application Running Inside Container Monitor : Unknown application running inside container: C:\ProgramData\Comodo\Cis\tempscrpt\C_powershell.exe_23FED9C78D81CD1D1EB8BC375239CC3E44399EE2.ps1
I have checked Itarian - System Templates - File Groups Variables and I have the following exclusion:
C:\ProgramData\Comodo*
Thank you @PremJkumar. I have followed the steps you provided in the private message. I will be testing as time allows. I very much appreciate your help.
Windows Profile -> Containment -> Rules -> Add Rule
Action -> Ignore
Under Criteria Tab, File, Types = Files and Target = C:\ProgramData\Comodo\Cis\tempscrpt\C_powershell.exe_*.ps1
You need to create an Ignored rule which allows starting embedded PS code in a real environment.
In case embedded code has constant content you can use the exact path.
In case embedded code has variable content, you need to use the mask:
C:\ProgramData\Comodo\Cis\tempscrpt\C_powershell.exe_*.ps1
Add Process, Types = Files, Reputation = Trusted and Path here should be the address of the process which initiates it
In the attached reference video, we used C:\Windows\System32\gpscript.exe as an example.
Under Options Tab,
Select the option "Do NOT apply the selected action to child processes"
Now move the newly created rule to top order and save the profile.
Please check the attached video for your reference.