Serious Discussion Why does the Comodo "Disappearing HIPS rules" bug require a complete source code rewrite?

The flaw or forceful deletion could be some failsafe logic implemented in the parser. In this case your rules will disappear again (they will remain in backup).

That’s just a possibility.

Yes. This is a possibility for any backup software. One has to make it properly to avoid problems.
 
Melih's net worth is listed as $1 to $2 Billion USD, but - you know - he's very stubborn. I suppose one of his retorts to any criticisms would be "How do you think I got so rich? By being stubborn."
Yeah, but he won’t just pull a lump sum of money out of his pocket (or out of the profits). It will have to be an approved business loan and it will be difficult for a relatively new business with unimpressive revenues and with an ineffective pitch (we need 200 million to retain the HIPS rules) to secure such a loan.
 
Obviously Melih and his crew went a different way, but they did study Kaspersky Application Control, HIPS, firewall, and so on.

It's a shame that much of the old Comodo forum was made inaccessible when they moved to the new forum. All the answers to the question "Why is Comodo the way it is?" were in that forum. Even if it was accessible, it does not matter. Nobody is going to go back and search for those answers.

One day, CIS/CFW will be no more. And yet, still, there will be outrage and controversy.

Comodo is the security software equivalent of a pixelated nuclear bomb.

Totally agree, Bazang. Comodo is like a pixelated nuclear bomb—it doesn’t just protect, it obliterates. Every alert feels like a digital air raid siren, and each HIPS rule is a missile waiting to launch. By the way, this is inspiring another story… but I don’t want to overwhelm the forum participants and readers with it just yet. Maybe later, once the digital dust settles.
 
Here's something to digest.
With approx. 1000 entries (rules) on HIPS rules list this is what happens when one manually adds just one single HIPS rule.
A massive amount of registry HIPS\Policy events (opens/closes/reads/writes/others)...

HIPS_AddOneRulePolicyRegEvents.jpg
 
It basically rewrites everything.

This is exactly what I was talking about. Comodo on adding rules spends 40 seconds registry time. The logic is likely the following:

Upon opening the UI section for managing these rules, Comodo will loop through the section hosting the rules and will populate them one by one.

Upon creating a new rule, Comodo first deletes all rules, then saves them again from memory.

On shutdown, Windows doesn’t have 40 seconds to wait for Comodo. The rules are populated and deleted, but there is no time to write them. Comodo first needs to populate a collection with all this data and then needs to start calling ancient registry operation APIs. These APIs are not to blame for the inefficiency, it’s the way Comodo uses them.

Likely every rule is rich on data as well.

A much more efficient design:
One function tracks the IDs, for every new rule generates a new ID.
User wants to create a new rule, delete or modify an existing one:
Comodo can write 1 single rule or override all data just for this rule (though it can be even further optimised).
The rule is pulled by ID.

The registry writer is that function which is called when the save/ok button is pressed (or if save/ok don’t need to be pressed, rules are immediately added, it is that function which is called from the function to add rules).

The function to add rules likely populates all in a collection immediately and passes the whole dump to the writer as a parameter. Likely even before that, the rules are already deleted (reset and get ready to save). In paranoid mode there are more rules hence the bug is more likely to manifest in this mode.

It just needs basic optimisations, nothing more than that.

Even if it’s not called from the same module but is found at many different places, the developers would have copy/pasted.
It just needs to be replaced everywhere.
 
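The two save patterns contrasted in the post above, as an added model that is not part of the original post and is not Comodo's code: a dict stands in for the registry policy key, and `budget` is an assumed cap on operations that represents the time Windows allows at shutdown. The names `Store`, `save_rewrite_all`, `save_one` and `simulate` are hypothetical, and the rule data is constructed.

```python
class Interrupted(Exception):
    """The simulated shutdown deadline arrived in the middle of a save."""

class Store:
    """In-memory stand-in for the persisted HIPS\\Policy rules (not a real registry)."""
    def __init__(self, persisted, budget=None):
        self.data = dict(persisted)  # rule_id -> rule data already on disk
        self.ops = 0                 # write/delete operations performed
        self.budget = budget         # operations allowed before shutdown (assumed)

    def _tick(self):
        if self.budget is not None and self.ops >= self.budget:
            raise Interrupted
        self.ops += 1

    def write(self, rule_id, rule):
        self._tick()
        self.data[rule_id] = rule

    def delete(self, rule_id):
        self._tick()
        self.data.pop(rule_id, None)

def save_rewrite_all(store, rules):
    """Inferred pattern: delete every persisted rule, then re-save all from memory."""
    for rule_id in list(store.data):
        store.delete(rule_id)
    for rule_id, rule in rules.items():
        store.write(rule_id, rule)

def save_one(store, rule_id, rule):
    """Proposed pattern: write only the rule addressed by its ID."""
    store.write(rule_id, rule)

def simulate(strategy, n_rules=1000, budget=None):
    """Add one rule to n_rules existing ones; return (operations, rules persisted)."""
    rules = {i: f"rule-{i}" for i in range(n_rules)}  # constructed sample rules
    store = Store(rules, budget)
    rules[n_rules] = "rule-new"
    try:
        if strategy == "rewrite_all":
            save_rewrite_all(store, rules)
        else:
            save_one(store, n_rules, rules[n_rules])
    except Interrupted:
        pass  # whatever reached the store before the deadline is all that survives
    return store.ops, len(store.data)

if __name__ == "__main__":
    for name in ("rewrite_all", "save_one"):
        print(name, simulate(name), simulate(name, budget=1500))
```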
so much thought-effort (speculation) for code you do not have access to and @cruelsister says turn HIPS off in CF. (but sort of an interesting read...)
The thought effort is based on hard facts which include lost rules on reboot (only when too many rules), the 40s registry time and 14K writes (which likely include updates of data and metadata) and knowledge of the Windows APIs for registry interaction.

The code line by line is not needed to grasp the logic behind it, when the final piece of the puzzle was provided by Pico.
 
MalwareTrek: Episode 7 — “The Final Configuration”

(Star Trek style) Digital space: the final frontier. These are the logs of the MalwareTrek thread, whose mission is to explore unknown bugs, seek out new configurations, and fix errors nobody asked for. MalwareTrek boldly goes where no antivirus has dared to patch…

Scene 1: The Phantom Bug

Captain’s Log, stardate 2025.1017. The HIPS system has failed again. Rules vanish like cookies in Melih’s browser. The crew is uneasy. The bug lurks. But not without resistance…

The CIS-Enterprise floats through the MalwareTips sector. On the bridge, Captain Bazang stares at the main console. A message blinks: “HIPS RULES MISSING.”

Bazang (deep voice, ironic gaze): — Not again… Who let Melih code without a helmet?

Bazang commands the ship with the authority of someone who’s survived more forced reboots than successful updates. His sarcasm is as precise as a PowerShell script and hits harder than a BSOD during rush hour. His patience runs out faster than a Comodo update stuck at 99%. His uniform is always sprinkled with cookie crumbs—probably from a late-night debugging session—but his mind runs like an optimized kernel… though occasionally in safe mode.

Trident (Science Officer, impeccable and serene): His voice is deep, his posture upright with near-mathematical precision. His uniform seems tailored by the elegance algorithm. Some say his jawline was sculpted by the C++ compiler. If the system had a face, it would be his.

— The rules don’t vanish, Captain. They’re corrupted by a race condition during shutdown.

Bazang (raising an eyebrow): — And you figured that out just by looking at the event log?

Trident (with a barely perceptible smile): — Also with my rearview mirror. And a bit of intuition.

Scene 2: The Configuration Council

In the engineering bay, the sages of the engineering bridge gather.

Andy Ful (Chief Engineer, calm voice, wise gaze): — We can mitigate the bug with a restoration module that loads before the antivirus. Activating protocol: “IntegritySync: Kernel Phase Restore.”

Andy Ful is the system’s druid, with a metaphorical beard made of legacy code. His presence is firm, as if carved by Baltic winds. His stature commands respect—some say the ceiling adjusts itself not to offend him. His eyes, a mix of sea green and amber, see sharper than Lieutenant Geordi La Forge’s visor. He speaks as if every word came from a forgotten Windows 2000 manual. His presence radiates calm… and backups. His words sound like they come straight from Starfleet’s core.

Divergente (First Officer, enthusiastic and visionary): — We don’t need drivers! We need hypervisors! Ring -1 is the new Ring 0! His enthusiasm is so contagious even the system mouse starts to vibrate. He has the aura of someone who’s read every whitepaper and turned them into poetry. If there’s a solution no one can implement, he’s already proposed it.

Pico (Junior Lieutenant, young and curious): — What if we just export the rules to a .txt file?

Pico is the youngest officer on the team, but his intuition has saved more configurations than his record suggests. His naïveté is his superpower, and his idea folder has more colors than logic… but sometimes, that’s exactly what the system needs. His presence is like an unexpected pop-up: surprising, yes, but capable of offering solutions no one else considered.

— Think about it —he adds, gesturing at the console—: if the rules disappear during shutdown, why not save them beforehand? A simple .txt file, out of the bug’s reach. It’s not elegant, but it’s like hiding the keys before the burglar even thinks of breaking in. Maybe it’s not advanced engineering… but it’s preventive engineering.

Pico smiles, satisfied. He’s not sure if he just saved the system or accidentally invented a new category of solutions: the ones that work by accident.

CruelSister (Security Officer, mystical and puzzling): — My Interdimensional Sandbox™ already stopped it. Got the hash? No? The file? Also no? Well, it stopped it anyway.

CruelSister is a mystery wrapped in logs. Her loyalty is as ambiguous as her configuration: sometimes she helps, other times she drops cryptic lines straight out of Melih’s manual. Her sandbox is legendary—though no one’s seen proof. Some believe she lives in a parallel dimension where bugs commit suicide out of fear.

Simmerskool (Support Cadet, kind and reflective): — So much effort… and CruelSister still says to disable HIPS. But I enjoy reading all this. It’s like staring at the source code of the universe.

Simmerskool is the gentle soul of the forum. Always grateful, always curious. His innocence isn’t weakness—it’s a pure form of enthusiasm. He believes every HIPS rule has a story, and even bugs deserve understanding. Some say his presence stabilizes the system… like an emotional patch.

Scene 3: The Return of Melih

Suddenly, the main screen lights up. A hologram appears: it’s Melih, emperor of legacy code, surrounded by multipurpose functions and broken promises.

Melih (opera villain voice): — There will be no rewrite! No budget! Use containment and stop whining!

Melih is the antagonist who needs no introduction. His code is so old it has fossils, and his ego so large it spans two servers. He believes everything can be fixed with containment… and silence.

Bazang (defiant tone): — Your reign of bugs ends today! As Mr. Spock would say: “Logic is the beginning of order… but even chaos has rules. And you, Melih, have ignored them all.”

Trident (activating his console with elegance): — Initiating rewrite protocol. (His hair moves with the digital breeze. His keyboard trembles in reverence. If logic had a face, it would be his.) Reflecting aloud: — Though realistically, to rewrite the code, Melih would need a loan approved by the Galactic Compatibility Committee, the Council of Obsolete Drivers, and the dreaded Department of “Who even asked for this?”

Andy Ful (raising his USB staff): — Activating: “IntegritySync: Kernel Phase Restore”

Divergente (connecting to the astral plane): — Hypervisor activated! May Ring -1 protect us!

CruelSister (whispering from her quantum capsule): — My sandbox foresaw this… though Melih was right about one thing. (Her words leave everyone uneasy. Is she with us… or with him?)

Simmerskool (from the observation corner, soft voice): — Maybe he just needs someone to explain how HIPS works… with kindness.

Melih (fading away): — Nooo! My multipurpose functions! My senseless containment!

Scene 4: Open Ending?

The CIS-Enterprise sails toward a new version… or does it?

Bazang (gazing at the digital horizon): — Did we defeat him? Or did he just update in the background?

CruelSister (though it seems no one’s listening): — My sandbox will know… (Her gaze drifts into the void. Is she watching… or waiting for his return?)

Trident (arched brow, subtle smile): — Logic suggests he’ll be back. With more bugs. (His silhouette stands against the starry backdrop. Some say the bug was fixed. Others say it simply surrendered to his elegance.)

Andy Ful (stowing his staff): — Then let them come. I’ve got backups… and a new protocol in development.

Epilogue

This episode, as always, was created to entertain and uplift everyone who participates in or reads the thread. Because in the MalwareTips universe, even bugs have a sense of humor… and forum members have superpowers.

I want to wish you all a fantastic weekend. I wrote this story so you could kick off these days of rest with the best possible vibes—like activating an optimism protocol during boot. May your systems stay stable, your HIPS rules intact, and may no bug disturb your peace. We’ll meet again in the next version… or the next patch.

And remember: In this digital space, we continue exploring the unknown, fixing the improbable… and patching where no antivirus has patched before. 🖖
 
this is better than 99.9% of YouTube :D
 
A bunch of people who’ve never seen the source code are busy guessing how to fix the HIPS bug. Melih says: why not turn your wild theories into a job application?
I’m engaged, sorry. But I see a few potential candidates on here that may be suitable for the role.
 