Serious Discussion Why does the Comodo "Disappearing HIPS rules" bug require a complete source code rewrite?

Y'all are over-complicating this.

1. Install Comodo
2. Create permanent allow rules for just the Windows OS and legitimate installed software
3. Which HIPS rules mode is used does not matter - even creating the rules manually
4. Eventually, all the HIPS rules will disappear
5. The rules might disappear within hours, sometimes within days
6. A system reboot is not required

No matter what, this can be replicated/reproduced at-will every single time.
 
Y'all are over-complicating this.

1. Install Comodo
2. Create permanent allow rules for just the Windows OS and legitimate installed software
3. Which HIPS rules mode is used does not matter - even creating the rules manually
4. Eventually, all the HIPS rules will disappear
5. The rules might disappear within hours, sometimes within days
6. A system reboot is not required

No matter what, this can be replicated/reproduced at-will every single time.
Is Windows dumping the Registry when CIS has corrupted it?
 
@bazang says hours or days,
@Trident says even faster.
I have been using Comodo HIPS for many years and it never happened.
It seems bizarre.
It is possible that you won’t even notice as it automatically creates rule for safe apps and recreates the same rules again and again. Even if you manually block something it is unlikely that you will notice if it executes. It’s not easy to spot unless you go look for it.
 
Trident
Well, I have no idea how both of you guys configure Comodo, what OS version you are using, programs and so on.
I have been messing with malware for years. It never happened that a program got executed if it was HIPS disabled.
I have a Comodo HIPS rule on my HOST from 2-3 years ago; while I am not using Comodo HIPS (disabled), it was not deleted or altered in any way.
And I do check the AV and OS for any changes manually.
So again, I have no idea what both of you are talking about.
 

Trident
Well, I have no idea how both of you guys configure Comodo, what OS version you are using, programs and so on.
I have been messing with malware for years. It never happened that a program got executed if it was HIPS disabled.
I have a Comodo HIPS rule on my HOST from 2-3 years ago; while I am not using Comodo HIPS (disabled), it was not deleted or altered in any way.
And I do check the AV and OS for any changes manually.
So again, I have no idea what both of you are talking about.

My system is probably amongst the slimmest on MalwareTips, it has no more than 4-5 applications installed, because it’s not my main one. My main one is a Mac. So it can’t be third-party software.

The issue has been reported time and time again and its existence has been confirmed by Comodo; even the owner/founder/director has posted online that it requires a full rewrite.
 
You have to enable (make use of) HIPS for the bug to happen.
Hi, when HIPS was first enabled (2-3 years ago) and rules were created, it was enabled for 2-3 weeks and nothing changed.
Let's go back 15 years: XP PRO SP3 VM, Comodo HIPS was enabled permanently, and I had that VM copy for like 2-3 years.
This is why I had no clue about all that fuss; not saying it is not real.
 
The issue has been reported time and time again and its existence has been confirmed by Comodo; even the owner/founder/director has posted online that it requires a full rewrite.
Yes. Any further discussion about it be like:

[GIF image]
 
Hi, when HIPS was first enabled (2-3 years ago) and rules were created, it was enabled for 2-3 weeks and nothing changed.
Let's go back 15 years: XP PRO SP3 VM, Comodo HIPS was enabled permanently, and I had that VM copy for like 2-3 years.
This is why I had no clue about all that fuss; not saying it is not real.
I did not test CIS in VM so I cannot say whether or not the HIPS bug occurs in VM (according to @bazang it does not occur in VM) but I know for sure that it happens in a real system (in a real computer).
Sometimes it takes very long and you have to add / create HIPS rules for the bug to happen. Once your system is settled (no more HIPS rules being created or no new rules need to be created), then HIPS rules can / will stay on the list for quite some time.
Personally I have never seen the rules disappear when doing nothing on my system (when the system is idle).
 
I did not test CIS in VM so I cannot say whether or not the HIPS bug occurs in VM (according to @bazang it does not occur in VM) but I know for sure that it happens in a real system (in a real computer).
IIRC I said that it has to be replicated on a real Windows system, instead of within VM.

It could happen in VM. It's possible.

But for me... don't know. Don't care. Never tried.

The "Comodo Disappearing HIPS Rules" bug is random.

After I saw it a few times, I ditched the software.
 
It does not require a system reboot. Windows reboot has absolutely nothing to do with it.

You tested another configuration. For me, it doesn't matter whether a reboot is required or not. The settings that cause bugs are not accepted by me.

Currently, I test a scenario with initial Training Mode (including a few Windows Updates) and then apply Paranoid Mode. I do not enable "Create rules for safe applications". Yesterday, I successfully upgraded from Windows 24H2 to Windows 25H2 while using Paranoid Mode. The current test has been running for a few days without any issues. Of course, this does not necessarily mean that the tested config will work in the future.

Contrary to your experience, I do not try to find the settings that easily expose the HIPS bug. I try to find the settings that avoid the HIPS bug.
 
CIS users have the option to delete the Vendor List or disable the Rate Apps By Vendor Rating setting (or something called like that); then HIPS Safe Mode will be prompting you with as many alerts as Paranoid Mode does. There is no difference in bug behavior.

I do not understand you. Let's agree to disagree.
I would be grateful if anyone could post information about confirmed HIPS bugs when using HIPS Safe Mode without enabling "Create rules for safe applications".
 
I do not understand you. Let's agree to disagree.
I would be grateful if anyone could post information about confirmed HIPS bugs when using HIPS Safe Mode without enabling "Create rules for safe applications".
By using HIPS Safe Mode and keeping "Create rules for safe applications" UNCHECKED (disabled), you are applying the recommended workaround to prevent the major rule corruption bug.
 
I do not understand you. Let's agree to disagree.
I would be grateful if anyone could post information about confirmed HIPS bugs when using HIPS Safe Mode without enabling "Create rules for safe applications".
Not sure why you want more evidence. It has been said it happens in every mode.
If you still like to promote Safe Mode with create rules for safe apps disabled as a workaround, then I just told you that it will not work for CIS users who wish to delete the CIS Vendor List or who wish to disable the setting Rate Apps By Vendor Rating, because they will be prompted with many HIPS alerts as if they were using Paranoid Mode.
Not sure what you are trying to achieve from all the info that has been given meanwhile.
 
Contrary to your experience, I do not try to find the settings that easily expose the HIPS bug. I try to find the settings that avoid the HIPS bug.
There are no settings or configuration to avoid the bug.

The bug exists for any configuration and is reproducible at-will every single time.

It is random and one has to wait until it happens to observe it.
 
Forgive me for interrupting 19 pages of giggles, but please note that Comodo (perhaps counter-intuitively) works best when modified least (and this includes the enabling of the HIPS module); any added "tweaks" may prove to be self-defeating.
 
Community observation, spanning multiple years and various version updates (as evidenced on Comodo forums), suggests a persistent, verifiable defect wherein the Host Intrusion Prevention System (HIPS) rules are occasionally "forgotten" or corrupted. This is often observed following a system reboot or a major configuration change. However, the accompanying assertion that this is perfectly reproducible at-will, for any configuration, oversteps the available evidence. While the existence of the bug is corroborated (it's like a leaky faucet that sometimes just stops working), its perfect, universal reproducibility is an unverified, extreme claim.
 
I do not promote anything, especially using HIPS.
I am focused on finding a bug-free HIPS setup (if possible).
I tested some HIPS configurations with Paranoid HIPS, and they failed after one or two days.
I do not discuss opinions based on what someone said about HIPS without performing a direct test on the setup below:
  1. "Create rules for safe applications" was never enabled in the current system (even a few years ago).
  2. Initially, Training Mode was used for some time, along with several Windows Updates, including at least one cumulative update.
  3. Finally, the Paranoid HIPS was applied.
The above setup is currently tested on two VMs (Windows 10 and Windows 11). Anyone who wants to test it is welcome.

I am also interested in reports about confirmed issues related to another setup (I did not test this setup):
  1. "Create rules for safe applications" was never enabled in the current system (even a few years ago).
  2. Safe HIPS was applied.
If none of the above setups can work, then enabling HIPS is pretty much useless and can be dangerous to users in any form.
 