Advice Request COMODO blocks Windows Updates with error 0x80070005

Then the test does not cover the containment rule.
Yes. However, there is no reason to believe that with HIPS OFF, this rule will work differently in the sandbox and start to protect files in the virtualized %windir%.
 
  • +Reputation
Reactions: simmerskool
Yes. However, there is no reason to believe that with HIPS OFF, this rule will work differently in the sandbox and start to protect files in the virtualized %windir%.
There are more special rules which end on |.
All those special rules are crafted for containment operation.

Tamper with these special rules at your own risk.
 
Tamper with these special rules at your own risk.

The default Autocontainment settings in the Proactive Security config, with disabled HIPS and removed rule %windir%\*|, allow running my test.exe with Administrator or System privileges, but prevent running it with Trusted Installer privileges. So, the contained test.exe cannot get Trusted Installer privileges and cannot do any harm in the %windir% folder.

All of this suggests that in @cruelsister's settings (Proactive config with disabled HIPS), the rule %windir%\*| can be deleted. To be sure that there are no side effects, this should be discussed on the Comodo forum in the context of Windows Update failures.
 
  • +Reputation
Reactions: simmerskool
The default Autocontainment settings in the Proactive Security config, with disabled HIPS and removed rule %windir%\*|, allow running my test.exe with Administrator or System privileges, but prevent running it with Trusted Installer privileges. So, the contained test.exe cannot get Trusted Installer privileges and cannot do any harm in the %windir% folder.

All of this suggests that in @cruelsister's settings (Proactive config with disabled HIPS), the rule %windir%\*| can be deleted. To be sure that there are no side effects, this should be discussed on the Comodo forum in the context of Windows Update failures.
Why do you think so?
To my knowledge CF setting uses "run restricted" containment level and the special rules ending with | are being used in that case.
Removing the special rule weakens CF settings.
 
Why do you think so?
To my knowledge CF setting uses "run restricted" containment level and the special rules ending with | are being used in that case.
Removing the special rule weakens CF settings.

If I recall correctly, HIPS is OFF in @cruelsister's Comodo Firewall settings.
As you can see from my posts, the rule %windir%\*| works as intended only when HIPS is ON. Otherwise, it does not protect system executables in %windir% (which is a main reason for using it). This is expected behavior for a HIPS rule (when HIPS is disabled).
Deleting this rule seems to improve the Windows Updates when Microsoft Defender is enabled.

Bearing in mind the reports in this thread, using the %windir%\*| rule can cause problems with Windows Updates when Microsoft Defender is enabled. I do not insist on what to do. The problem (probably related to Windows 25H2) should be discussed with the Comodo staff. I did not encounter such problems with Windows Updates on Windows 23H2.
 
  • +Reputation
Reactions: simmerskool
If I recall correctly, HIPS is OFF in @cruelsister's Comodo Firewall settings.
As you can see from my posts, the rule %windir%\*| works as intended only when HIPS is ON. Otherwise, it does not protect system executables in %windir% (which is a main reason for using it). This is expected behavior for a HIPS rule (when HIPS is disabled).
Deleting this rule seems to improve the Windows Updates when Microsoft Defender is enabled.

Bearing in mind the reports in this thread, using the %windir%\*| rule can cause problems with Windows Updates when Microsoft Defender is enabled. I do not insist on what to do. The problem (probably related to Windows 25H2) should be discussed with the Comodo staff. I did not encounter such problems with Windows Updates on Windows 23H2.
Don't ignore the functionality of the | character in the rule which is meant for containment operation even with HIPS turned off.
 
Don't ignore the functionality of the | character in the rule which is meant for containment operation even with HIPS turned off.

Why do you think so? Is there some info about it? I only found this:

1765199854122.png


From that post, it does not follow that the rule can work when HIPS is OFF.
In the same thread we can see:

1765200628826.png


So HIPS must be ON, and Autocontainment cannot be set to "Run virtually". Furthermore, the rule can be useful when Autocontainment is set to partially limited.
Two of the predefined Comodo configurations (Comodo - Internet Security and Comodo Proactive Security) use Autocontainment as "Run virtually", so the rules with pipes ("|") do not work for contained processes even when HIPS is ON.
 
  • +Reputation
Reactions: simmerskool
The | character usage is undocumented: it is not explained in the CIS User Guide, and on the Comodo forum info about | is very hard to find.
Below is a link to info about all wildcard characters including the | character used by CIS.
One user attempted to test / verify the | function but the test failed.

The | character has been used in CIS rules since version 5 and may still be in use by current CIS versions.
It's a well-kept secret how exactly this | character works.
I would strongly recommend not removing it from the standard rules that get installed by CIS.

Here is the link with all collected / available info around the | character (and other characters like ? and * as well).

CIS Wildcard Help


Edit: I just saw you found the same info
 
  • Like
Reactions: simmerskool
I would strongly recommend not removing it from the standard rules that get installed by CIS.

I strongly recommend asking the Comodo staff before posting such a strong recommendation.(y)
It is an open question whether this rule can bring more gain than trouble.

Edit.
There are some cons of temporarily deleting the HIPS rules with pipes. They cannot be recovered manually, because the rule editor does not accept pipes!
The awkward solution is exporting the Comodo configuration and then importing it with a custom name. After activating the imported configuration, the rule with a pipe can be deleted. This custom configuration can be temporarily used if necessary.
 
  • +Reputation
Reactions: simmerskool
Make sure you're not running a Windows full of LOLBins, which would break WinTrust, so I suggest using VirusTotal to see if Windows files are properly signed.
It could be a malicious update or an attempt to downgrade your system. Numerous ways like this one exist for Windows.
 
What is "Helen" for error-0x80070005?

The solutions posted in this thread are strange. I do not have an idea why they work. So, I tried something closer to standard procedure.
I used VirtualBox VM (Windows 11 Home 25H2) + Comodo Firewall (Proactive config + HIPS OFF) + Microsoft Defender (default settings) to install the latest Preview Update (KB5070311) (26200.7309). The update failed as usual with error 0x80070005. Instead of using the solutions mentioned in this thread, I did as follows:
  1. Windows restart.
  2. Windows Updates healing.
  3. Windows restart.
  4. Windows Update ---> failed with error 0x800f0991 (different from initial error)
  5. Windows restart.
  6. Windows Update healing.
  7. Windows Update ---> installed successfully.
Windows Update healing (copy/paste the below code into Admin PowerShell console):
Code:
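# Stop the update-related services so their folders can be renamed
net stop wuauserv
net stop cryptSvc
net stop bits
net stop msiserver
# Remove backups left by an earlier run (-Recurse avoids the confirmation prompt on a non-empty folder)
Remove-Item C:\Windows\SoftwareDistribution.old -Recurse -Force -ErrorAction SilentlyContinue
Rename-Item C:\Windows\SoftwareDistribution SoftwareDistribution.old
Remove-Item C:\Windows\System32\catroot2.old -Recurse -Force -ErrorAction SilentlyContinue
Rename-Item C:\Windows\System32\catroot2 catroot2.old
# Restart the services; Windows recreates both folders
net start wuauserv
net start cryptSvc
net start bits
net start msiserver
# Reset the Winsock catalog
netsh winsock reset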

Conclusion.
In my case, the "Helen" (primary source of trouble) was probably some artifact left after previous updates/upgrades to Windows 25H2.
 
  • +Reputation
Reactions: simmerskool
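
An added example, not part of the original post: a PowerShell helper that decodes the two error codes reported above and groups Windows Update install failures by code, so it is visible whether they are Win32 access-denied errors (facility 7) or come from another component. The function names, the constructed sample messages, and the use of event ID 20 from the Microsoft-Windows-WindowsUpdateClient provider are assumptions.

```powershell
# Added example, not from the thread. Function names are hypothetical.
function ConvertFrom-HResult {
    param([Parameter(Mandatory)][string]$Code)       # e.g. '0x80070005'
    $v        = [Convert]::ToInt64($Code, 16)         # base 16 accepts the 0x prefix
    $facility = ($v -shr 16) -band 0x7FF              # bits 16-26: facility
    $err      = $v -band 0xFFFF                       # bits 0-15: error code
    $text     = $null
    if ($facility -eq 7) {                            # FACILITY_WIN32 wraps a Win32 error
        $text = [System.ComponentModel.Win32Exception]::new([int]$err).Message
    }
    [pscustomobject]@{
        HResult  = '0x{0:X8}' -f $v
        Failed   = [bool]($v -shr 31)                 # bit 31: severity
        Facility = $facility
        Code     = $err
        Win32    = $text
    }
}

function Get-UpdateFailureSummary {
    param([string[]]$Message)                         # message texts; omit to read the live log
    if (-not $Message) {
        # Assumption: install failures are logged as event ID 20 by this provider.
        $Message = Get-WinEvent -FilterHashtable @{
            LogName      = 'System'
            ProviderName = 'Microsoft-Windows-WindowsUpdateClient'
            Id           = 20
        } -MaxEvents 50 -ErrorAction SilentlyContinue | ForEach-Object { $_.Message }
    }
    $Message | Select-String -Pattern '0x[0-9A-Fa-f]{8}' -AllMatches |
        ForEach-Object { $_.Matches.Value } | Group-Object |
        ForEach-Object {
            $r = ConvertFrom-HResult $_.Name
            $r | Add-Member -NotePropertyName Count -NotePropertyValue $_.Count -PassThru
        }
}

# Constructed sample messages using the codes and KB number from this thread.
$sample = @(
    'Installation Failure: error 0x80070005: KB5070311 (constructed sample)'
    'Installation Failure: error 0x800f0991: KB5070311 (constructed sample)'
    'Installation Failure: error 0x80070005: KB5070311 (constructed sample)'
)
Get-UpdateFailureSummary -Message $sample | Format-Table -AutoSize
```

Calling `Get-UpdateFailureSummary` without arguments in an elevated console reads the live System log instead of the sample.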
It seems that a similar (as in my case) issue could have happened a few years ago to some users with Comodo Firewall + Kaspersky:


Kaspersky alone ---> Windows Update OK
Comodo Firewall (no Kaspersky) ---> Windows Update OK
Comodo Firewall + Kaspersky ---> error 0x80070005
 
  • Like
Reactions: rashmi
Issue came back on 1 machine out of 2. What was the other proposed solution? Removing windir under protected HIPS files?
 
Issue came back on 1 machine out of 2. What was the other proposed solution? Removing windir under protected HIPS files?

You have a few solutions to try. If you want to delete the %windir% rule, temporarily use a custom configuration as explained here:

You can also try the last solution: