Serious Discussion Why does the Comodo "Disappearing HIPS rules" bug require a complete source code rewrite?

You are wrong. I already confirmed that it can overwrite existing rules.
For example, I added Explorer to the Allowed Application group, applied the settings, and checked that it is saved properly. Next, I ran Explorer (no alerts) and rechecked the settings. The setting for Explorer changed from Allowed Application to Custom ruleset.
Must be the case because “create rules for safe applications” logically in this case for paranoid mode should become disabled, and there should be clarification that it can’t be used in paranoid mode. This would be the responsible way to manage the settings UI.
 

Yes, it can be a risky setting even when applied after a proper time of using Training Mode and Paranoid Mode (a few days):
Fresh installation >> Comodo Internet Security config >> Training Mode >> Paranoid Mode >> enable “Create rules for safe applications”
However, it still works well on my test computer (for a few days).
I suspect some problems with Windows updates.
 
HIPS Paranoid Mode alerts for every application (no auto create rules). After allowing a trusted (safe) application at the HIPS Alert, CIS may change the created rule for that application (when there is a need to) when auto create rules for safe applications is enabled.

It's not explained in the User Guide, but that's how Paranoid mode works on created rules for trusted (safe) applications when auto create rules for safe applications is enabled.

Furthermore CIS may change created HIPS rules for hard-coded whitelisted MS applications (such as explorer.exe) anytime (but I'm not sure about that).
 
Don't exaggerate bazang, the User Guide counts only 670 pages.
I don't know how many pages the manual has. Don't know. Don't care. Never asked. Never looked. So for "big" I had to choose a number and it was 1,000+.


Unfortunately yes, one of them is being discussed here.
But Comodo is so strong. It provides such great protection. It always does well in credible, trustworthy independent AV test lab testing.

Melih spiced Comodo up with his secret sauce.
 
TEST: Windows 10 and Comodo Paranoid HIPS.
  1. Fresh Windows 10 22H2 + CIS were installed.
  2. CIS was set to Internet Security configuration + HIPS Training Mode + enabled "Create rules for safe applications".
  3. Many Windows updates were successfully installed.
  4. CIS HIPS was set to Paranoid Mode.
  5. Windows restarted and works with no issues (no HIPS corruption).
However, this configuration failed (a Windows reinstall was required) when Training Mode was not enabled during the Windows updates.
 
The Comodo "Disappearing HIPS Rules" bug does not manifest immediately after a system reboot every single time. The tester has to allow rules to be added to the database every single day. Within 7 days on a real system (not test VM) all the HIPS rules will disappear.
 
Have you verified that all rules will disappear within 7 days as you mentioned?
 
@bazang is right, it does not happen at every reboot, and maybe not exactly within 7 days; maybe it takes longer. The user has to allow rules to be added (or just let CIS modify existing ones when create rules for safe apps is enabled) for some time for the bug to happen; adding allow rules during the shutdown phase is the most critical.

It may not happen (although it can) with just one single test and one reboot.
 
The disappearing rules bug is not a main Comodo HIPS problem. The incompatibility with Windows Updates (regardless of whether this bug is present) makes Paranoid HIPS unusable for home users, except for unsupported Windows versions.
We do not know if anyone (so far) has tested Comodo Paranoid HIPS on a system with no Windows Updates, so we can only speculate whether this bug can occur in such an environment. I can only confirm that Training Mode is essential to avoid HIPS problems.
 
When using Paranoid HIPS, you may need to create exclusion rules to allow Windows updates to complete successfully.
 

I did all the needed exclusions by allowing processes in the HIPS alerts, and this did not help. Windows Update did not end.
After rebooting, the update started from the beginning and stopped before the end. After a few reboots, Windows gave me the option to refresh the system.

There is a deeper incompatibility. For example, I successfully installed all updates in Training Mode, set Paranoid HIPS, and restarted Windows. No problems. Next, I tried to uninstall the last Windows Update, which ended terribly as above.
I restored the VM snapshot and successfully uninstalled this update in Training Mode.

I suspect that Training Mode does not learn properly how to allow Windows Updates; it works because HIPS are inactive during the update. So, some updates can fail when Paranoid HIPS are activated.
 
Have you tried installing the Windows Updates using an Admin account?
A user reported on the Comodo forum that installing Windows Updates fails / doesn't work when one is using a standard user account; however, it works when using an Admin account.

This Windows Update bug may not be connected to the HIPS bug we are talking about.
 