Advice Request Why CruelSisters disable the HIPS?


camo7782 (thread author), Italy, Apr 29, 2019
How? Like is it too paranoid and blocks everything?
HIPS work on static systems... very static systems. Even updating an app could cause 50 alerts because 50 files are modified or dropped on certain modes. IIRC safe mode alerts you if things like firewall settings are changed or the HOSTS file is modified which is all you need.
 
It seems she runs unknown apps in a sandbox; what if a safe app is infected?
She tested the malware in a virtual machine. Furthermore, she is an IT professional. She also created her own malware samples (not published) to show that most AVs have very weak protection against scriptors.

If a legit signed app is infected, no anti-executable, HIPS or antivirus will save your ass.
Many AVs may have a problem with detecting never-seen & signed malware. But usually, the signed malware which can hit home users will be detected by signatures. That is why the AV alongside CF is welcome. The user can also throw out most entries from the CF Trusted Vendor List and keep only those entries which are required for system/software updates.
 
So her malware was able to bypass CF with her settings too?
Some samples with EV certificate could. But this kind of malware is used in targeted attacks on organizations, not home users.
How do I do that?
It was possible some time ago:

So, it is probably possible now.
 
Maybe this program is too complex for you at this time. You could just run it and leave Windows' Firewall active (it won't hurt your system). Then watch and observe and search for answers (here and w/Google) before adding 50 questions to this thread. I say this in peace.

Re: HIPS... it is fine to leave it on... some here do. It is chatty. Try it if you like. Again... no harm is done by running it.
 
Found! So new vendors not in the list will end up in the Untrusted category? What if an app has no vendor or is not signed? Same result?
You have a lot of information about CF on the CIS website. The Firewall Configuration, HIPS Configuration, Containment Configuration, File Rating Configuration, and Advanced Protection Configuration are valid for CF too.
Here is an answer to your question:
As you can see the application must be signed and the vendor must be on the TVL list, and then the application will be Trusted. There are some other possibilities too (citation):

"There are three ways that a file can be treated as safe in CIS:
  • The file is on the Comodo safe list (a global white-list of trusted software)
  • The user has assigned 'Trusted' rating to the file in the CIS file list (‘Settings’ > ‘File Rating’ > ‘File List’)
  • The file is published and signed by a trusted vendor. The 'vendor' is the software company that created the file."