Question on Protected Files

Hi,

As I can not find the correlated introduction of “Protected Files” on the wiki website of Xcitium, I post my question here.

Today I wanna use the “Protected Files” function to protect some important files. You can find this function via “Advanced settings – HIPS – Protected Objects – Protected Files”. In my test, I first create a file group that contains some .doc&.docx files that I want to protect. Then I added this group to the “Protected Files” session. I use Microsoft Word to open a docx file that is in the protected files and it shows READ ONLY in the Word window. I think it works as expected so far.

However, what I really want to achieve is protecting these files from deleting or modifying by other applications rather than the Word application. In other words, the editing or modification of the protected files should be allowed by specified apps.

To this end, I tried to create a HIPS rule for Word application and add the above-mentioned “Protected Files” in its rules edit windows “Access rights – Protected files/folders – modify – Allowed files/folders”. After that, I reopened the file with the Word application, it still shows as READ ONLY. It does not work as expected.

Since there is no instruction on your wiki website, I tried to learn some tips from the help file of CIS. You can find it here.

After following the instructions, this issue persists. Meanwhile, I can ensure that official help instruction on the Protected Files especially the given example is totally wrong. You can test it.

I have no idea how to realize my expectation of Protected Files. I appreciate it very much if you could give me any advice.

hi @Redstraw

I will check for the possibilities and get back to you with the solution.

Thank you

Hi @nivedithab
Is there any progress on this concern? Thank you for your time.

hi @Redstraw

I have already raised the request to the backend team, They are looking into it. I will get back to you once received feedback from them.

Will you post the results here when you have them? Because I have the same question.

hi @allen
once I receive feedback from the team on the feature request , will update here.

Hi @nivedithab

Correction. In your words, the so-called “feature request” is not to request to develop a new feature but to implement the request based on the existing function. For instance, giving some tips on how to create the rules.

Thanks again!

Yes @Redstraw
I understand your request and have already forwarded the same to the specialist team to look into it and get back with corresponding solution.

1 Like

Hi @Redstraw

I received update form team that they are looking into this request and they shall update on this once they found the solution. I will keep you posted. Thank you for your understanding and patience

Hi @nivedithab
Thanks for your continue follow-up. I am looking forward your exciting solution.

1 Like

hi @Redstraw

Please find the below steps to achieve the scenario you requested and let us know your feedback after testing

  1. Add file path(s) to Protected Files

  2. Edit HIPS rule for All Applications to block access to specified file path(s):


  3. Create rule for WINWORD application to allow modification of specified file path(s):
    Word path: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE


  4. Move rule under the rule for All Applications:

  5. Save settings.

This way modification access will be blocked for all apps except WINWORD.EXE

Hi @nivedithab, thank you for your detailed instructions. I have tested it on XCS and it works great.

I have another question on step 4. If I remember correctly, in COMODO Internet Security
(not XCS) the order of the HIPS rules from top to bottom determines the processing sequence and priority level. The rule on the top (the first rule in the HIPS rules list) has the highest priority, while the rule on the bottom (the last rule, i.e., the “All Applications” rule) has the lowest priority. Hence, the created rule for WINWORD.EXE should be located above the “All Applications” rule in CIS. I have tested and it works after moving it above the “All Applications” rule in CIS.

However, according to your instructions and the test result on XCS. The rule only works when putting the created rule under the “All Applications” rule. Whether this opposite result indicates that the XCS has changed the handling sequence of the HIPS rules (from bottom to top)?

hi @Redstraw

HIPS rules work in different manner. It checks rules from top to bottom to build final config, if there are duplicated items for the same object, last rule overrides previous ones. So in general we can say the priority is reversed and allow rule should be on the bottom.

Thank you

hi @nivedithab
Thank you for the clarification. I will back to ask for help if I have any further questions.

2 Likes