I am trying to figure out the best way to do this…
I am seeing programs on endpoints that launch PowerShell scripts, and CCS embedded code execution seems to be detecting it and creating PowerShell scripts in this path:
C:\ProgramData\Comodo\Cis\tempscrpt. However, the HIPS module is blocking these scripts from running because they are untrusted.
I would like the embedded code execution to be enabled, and I want CCS to detect if this code is malicious, but I also do not want HIPS alerts and popups to the end user every time HIPS blocks a script run from this location just because the script is untrusted. What is the best way to accomplish this?
Is it wise to create a HIPS rule to set all scripts in this location to run as “Allowed Applications”? Will CCS still detect if the script is malicious and block it from executing, even if I have this HIPS rule to treat them as allowed applications?