Serious Discussion Why does the Comodo "Disappearing HIPS rules" bug require a complete source code rewrite?

There are no settings or configuration to avoid the bug.

The bug exists for any configuration and is reproducible at will every single time.

It is random and one has to wait until it happens to observe it.
It didn’t look very random to me, I rebooted at least 5 times and on every reboot the rules disappeared. I exported several different policies.

What I did was:
Installed Comodo.
Next, put HIPS in training mode and ran some apps to generate rules.
I then put HIPS in paranoid mode and rebooted.
Create rules for safe applications was on.

The rules were gone.

I did a few reboots with create rules for safe applications.

The weirdest thing was that alerts I had seen previously did not appear again, despite the rules being gone. I don’t think all rules disappear, perhaps during the rewrite which gets cancelled on shutdown (my suspicion and opinion) some rules get lost but not all.

Careful investigation showed that at least some rules persist but they are written under a new ID. For example launching calculator for the first time generated a number of prompts. The Calculator rule did survive all reboots.

The bug in HIPS is not one, the entire rule creation system is deeply flawed.
 
I am also interested in reports about confirmed issues related to another setup (I did not test this setup):
  1. "Create rules for safe applications" was never enabled in the current system (even a few years ago).
  2. Safe HIPS was applied.
Some evidence for you...

CIS_SafeModeBug.jpg
 
The weirdest thing was that alerts I had seen previously did not appear again, despite the rules being gone. I don’t think all rules disappear, perhaps during the rewrite which gets cancelled on shutdown (my suspicion and opinion) some rules get lost but not all.

Careful investigation showed that at least some rules persist but they are written under a new ID. For example launching calculator for the first time generated a number of prompts. The Calculator rule did survive all reboots.

This can be a bug, or Comodo can consolidate the rules.
 
Some evidence for you...

View attachment 292365

Thanks.
Unfortunately, there is no information about "Create rules for safe applications".
Also, disappearing rules can follow from consolidation. See the @Trident's post where the rules for some applications disappeared, but they were apparently remembered (no HIPS alert).
 
This can be a bug, or Comodo can consolidate the rules.
From what I saw in the registry structure, there is nothing to consolidate.

Every rule contains application identifiers as string “Filename”=“pathToFile”
Then there is the subkey protections.
For automatically created rules, this seems to remain blank (likely default, all protections applied).
Then subkey rules defines access to different resources (protected registry keys and so on). They are written as Rule1, Rule2, etc
Allowed and Blocked defines what appears to be exceptions from the rule.

For example regedit.exe was blocked from the access of protected keys but exception was created for software\\classes\\<wild card>\\shell.

The exported policies did not list duplicate rules, every rule was for a new application.

But it could be.
 
From what I saw in the registry structure, there is nothing to consolidate.

Every rule contains application identifiers as string “Filename”=“pathToFile”
Then there is the subkey protections.
For automatically created rules, this seems to remain blank (likely default, all protections applied).
Then subkey rules defines access to different resources (protected registry keys and so on). They are written as Rule1, Rule2, etc
Allowed and Blocked defines what appears to be exceptions from the rule.

For example regedit.exe was blocked from the access of protected keys but exception was created for software\\classes\\<wild card>\\shell.

The exported policies did not list duplicate rules, every rule was for a new application.

But it could be.
Registry HIPS rules structure is rather complex to be correctly consolidated.
One corruption and Windows will dump it.
 
The bug in HIPS is not one, the entire rule creation system is deeply flawed.
When the software owner admits there is/are problem(s), and says "to fix this will require an almost entire code rewrite but due to resources required it will not be fixed," that says to me "Move on."

There's probably multiple things contributing to the problem.

I just don't care what those problems are nor do I care to have any of it fixed.

The software owner, Melih A., he sure as heck ain't gonna fix any of it. He even said so. Not once, but publicly many times.
 
There is nothing about default settings in the post. Did you skip something? Can we check the full information by using the link?
It was reported on the old forum; those links are dead.
Nothing has been skipped, the user switched to Paranoid mode after this report to check on that.
 
Nothing has been skipped, the user switched to Paranoid mode after this report to check on that.

I cannot be sure that he/she did not enable "Create rules for safe applications". Many users do it and do not realize that it is probably buggy.
Furthermore, the post does not contain sufficient information to consider the event a bug. It is confirmed that some rules can "disappear," but are somehow remembered (no alert).
 
I then put HIPS in paranoid mode and rebooted.
Create rules for safe applications was on.

The rules were gone.

I did a few reboots with create rules for safe applications.
Was HIPS still in Paranoid Mode or in Safe Mode after the few reboots?
 
If not, then we have one of two possibilities:
  1. The rule is remembered in another way.
  2. The rule does not disappear.
Otherwise, you should see a HIPS alert.
It’s not all rules disappearing.
There's probably multiple things contributing to the problem.
There are certainly a few things. 🤷🏻‍♂️

Was HIPS still in Paranoid Mode or in Safe Mode after the few reboots?
I tried different modes, it doesn’t seem to be related to the mode. I believe one reboot with “create rules for safe applications” off did leave the rules. Frankly I got tired of rebooting at one point, the install requires a reboot as well.
 
I tried different modes, it doesn’t seem to be related to the mode.
Yes it can.
It is likely that the app on first run was in Unrecognized state and as such a HIPS Alert occurred. After the next reboot the same app was cloud-looked-up by CIS and rated as Trusted (safe) and thus no more HIPS Alert (when in HIPS safe mode).
 
bazang says hours or days,
Trident says even faster.
I have been using Comodo HIPS for many years and it never happened.
It seems bizarre.
The issue never occurred on my real system either; I also used HIPS with containment disabled for a few months. Several reports highlighted the "disappearing HIPS rules" bug and the "Create rules for safe applications" feature, indicating that many HIPS rules contributed to the issue. It is the reason I always used HIPS in Safe Mode, kept the "Create rules..." feature disabled, and selected "Trust" or "Allowed Application" to reduce the number of HIPS rules; as a result, I never experienced the bug.
 
Installed Comodo Firewall (using the newest CIS Premium installer) in VirtualBox VM with Windows 11 25H2. After the restart, I added 10 HIPS rules and applied the settings. The HIPS window was closed after one second.

I decided to apply Comodo Internet Security configuration and Paranoid HIPS with enabled "Create rules for safe applications".

View attachment 292125

After running many applications and clicking on over a hundred alerts, the system worked without issues.
However, after restarting Windows and signing in, I saw only a black screen.
I thought, do not give up, and used CTRL+ALT+DEL to see what could happen. It worked.
I could run Task Manager and execute explorer.exe from it. Finally, I could see the Desktop and Comodo alert.
I did a few clicks to accept the Comodo alerts. Previously alerted applications could be executed with no alerts (HIPS not corrupted).

I decided to restart Windows and tried to sign in. I saw the black screen again. So, I did the same trick to run explorer.exe, which worked.
Adding Explorer to the Allowed Application group did not help. Although CIS saved the new rule, it was overwritten to "Custom ruleset" after running Explorer. After restarting Windows, the black screen again.

I did the trick with TaskManager to see the Desktop and disabled the setting "Create rules for safe applications" and enabled Training Mode.
After a successful restart, I enabled Paranoid Mode again. This finally worked, Windows restart and sign-in were successful.

In the end, I enabled the setting "Create rules for safe applications" and restarted Windows. No problems.
CF works with Internet Security config + Paranoid HIPS + enabled "Create rules for safe applications".
I did not encounter any HIPS corruption in my whole test (so far). We will see if this happy scenario will continue.

Conclusion (so far).
The best order of action for using Paranoid Mode:
Training Mode for a few days ----> Paranoid Mode for a few days -----> enabling "Create rules for safe applications"
I tested this using the Comodo proactive configuration, without CAV or any antivirus software, and had the same experience as you. I also disabled Microsoft Defender and Firewall, like I do when using Comodo. There were 30 HIPS rules after running a few programs, and the rules were intact after a system restart. I also tested restarting/shutting down the system without responding to HIPS alerts, and the HIPS rules were still there.

Is Comodo blocking Explorer at boot, making the screen go black in Paranoid Mode? Comodo blocks Explorer at boot, but Safe Mode is okay.
 
Is Comodo blocking Explorer at boot, making the screen go black in Paranoid Mode? Comodo blocks Explorer at boot, but Safe Mode is okay.

I do not know what was wrong. Finally, I could run Explorer by using Task Manager. But this usually worked after the sign-in phase.

In another test, the system hung at the end of Windows Update, before signing in. I think that the issue was indirectly caused by Comodo when installing an update during the previous Windows session (before Windows restart).
 