Serious Discussion Why does the Comodo "Disappearing HIPS rules" bug require a complete source code rewrite?

[bazang]

Have you verified that all rules will disappear within 7 days as you mentioned?

The rules disappear within 7 days, sometimes longer - but I've been able to reproduce at-will every single time with every single version of CIS/CFW since Day 1. I reported the issue many times and Melih said "We will never fix this bug."

Now, I don't bother with it. Don't care. Don't ask. I got better things to do in life than fret about Comodo software bugs and quality.

 

[Andy Ful]

The rules disappear within 7 days, sometimes longer - but I've been able to reproduce at-will every single time with every single version of CIS/CFW since Day 1. I reported the issue many times and Melih said "We will never fix this bug."

Now, I don't bother with it. Don't care. Don't ask. I got better things to do in life than fret about Comodo software bugs and quality.

Did you encounter this issue with CIS 2025?
Did you use Paranoid HIPS + "Create rules for safe applications"?
How long did you use Training Mode before applying Paranoid HIPS?

Although the bug exists, we are still not sure about its source. Therefore, it is possible that this issue can be avoided through a specific training procedure or by adjusting certain settings.
It is also possible that this bug may not happen due to changes in Windows 11 (while still present in Windows 10).

I would not use CIS + Paranoid HIPS and could not recommend it to users.
However, there is some potential in such a security layer on Windows 10 (if updates are unavailable) after a sufficiently long period in Training Mode.
CIS is still used in very small businesses. Many small companies use computers or software that are incompatible with Windows 11.

 

[Pico]

The bug can never be avoided because CIS may create / add / change rules at will whenever it wants depending on users's HIPS settings. The only way to not encounter the bug is to swutch off HIPS completely or use Safe Mode with create rules for safe apps disabled, simple as that.

Users must not be taught to use HIPS in a special way just to avoid or workaround the bug, if things don't work as described in the User Guide than that's a bug and should be fixed (but unfortunately it never will).

CIS users on the Comodo Forum keep hearing the same stories / being taught the same lessons for decades (don't use that because it doesn't work, use this instead) to workaround the flaws in CIS, that doesn't make any sense at all. If something doesn't work it doesn't work point.

 

[Divergent]

The only way to not encounter the bug is to swutch off HIPS completely or use Safe Mode with create rules for safe apps disabled, simple as that.

This is not entirely accurate, as there is one other way. Simply do not use this product when there are so many other means of protecting ones self.

 

[Pico]

This is not entirely accurate, as there is one other way. Simply do not use this product when there are so many other means of protecting ones self.

You are right.
And I wasn't entirely accurate because the bug can manifest itself also in Safe Mode with create rules for safe apps disabled...

 

[Andy Ful]

It is very probable that the HIPS problem cannot be avoided in practice. However, I saw many times that very probable is not the same as true.
I prefer to check it by myself.
So far, I have not found a reliable way of avoiding the HIPS problem, but some possibilities are still not excluded.

 

[Pico]

No problem, but focus your CIS HIPS bug investigation on a real system, not on VM just to exclude VM artifacts.

 

[Andy Ful]

No problem, but focus your CIS HIPS bug investigation on a real system, not on VM just to exclude VM artifacts.

The first step is to find a way that works on VM. If I find any, others can test it in the real system (if someone is interested).

 

[bazang]

Did you encounter this issue with CIS 2025?

Yes. Every version since 5.

Did you use Paranoid HIPS + "Create rules for safe applications"?

No. Just Paranoid HIPS mode. The point is to get a massive number of rules into the HIPS rules database.

Although the bug exists, we are still not sure about its source. Therefore, it is possible that this issue can be avoided through a specific training procedure or by adjusting certain settings.

I just don't care. Melih was aware of the massively problematic back in 2011, and he said he will never fix it.

So I don't care what Comodo or Melih does.

 

[Pico]

It has been reported recently that in latest CIS version the use of wildcards in file/folder paths in HIPS rules in some cases don't work. In previous CIS versions wildcards in file/folder paths in HIPS rules did work normally.
This new issue might affect the standard default HIPS rules which come with CIS after a fresh CIS install if those HIPS rules contain wildcards.
Comodo Staff say they are aware of this issue.
Just to let you know in case someone wants to use HIPS in latest CIS version...

 

[Andy Ful]

Just Paranoid HIPS mode. The point is to get a massive number of rules into the HIPS rules database.

So we agree. Problems with just Paranoid HIPS (without training) are easy to reproduce.

 

[Pico]

The HIPS bug is not limited to only Paranoid Mode, it's the easiest mode to reproduce the HIPS bug.
The HIPS bug occurs also in the other HIPS modes, not easy to reproduce but it happens in those other modes too.

 

[Andy Ful]

The HIPS bug occurs also in the other HIPS modes, not easy to reproduce but it happens in those other modes too.

Are there some confirmed reports of HIPS bugs with Safe Mode without enabling "Create rules for safe applications"?

 

[Pico]

There is no difference in adding a HIPS rule to the rules database at a Paranoid Mode HIPS Alert and at a Safe Mode HIPS Alert.

 

[Andy Ful]

There is no difference in adding a HIPS rule to the rules database at a Paranoid Mode HIPS Alert and at a Safe Mode HIPS Alert.

Yes and No.
In Safe Mode, many rules are not added compared to Paranoid Mode. This matters, especially when using enabled "Create rules for safe applications".
So, the question can be important: Are there some confirmed reports of HIPS bugs with Safe Mode without enabling "Create rules for safe applications"?

 

[bazang]

So we agree. Problems with just Paranoid HIPS (without training) are easy to reproduce.

The bug can be replicated at-will every single time using ANY of Comodo's HIPS modes.

I have observed the "Disappearing HIPS Rules" bug with hundreds of rules and as few as 20 rules (perhaps less) in the HIPS rules database.

It does not require a system reboot. Windows reboot has absolutely nothing to do with it.

 

[lockeddown]

The bug can be replicated at-will every single time using ANY of Comodo's HIPS modes.

I have observed the "Disappearing HIPS Rules" bug with hundreds of rules and as few as 20 rules (perhaps less) in the HIPS rules database.

It does not require a system reboot. Windows reboot has absolutely nothing to do with it.

I have win10 or 11 setup with comodo
Please tell me how to replicate the bug .

 

[Pico]

In Safe Mode, many rules are not added compared to Paranoid Mode.

CIS users have the option to delete the Vendor List or disable the Rate Apps By Vendor Rating setting (or something called like that) than HIPS Safe Mode will be prompting you with as much Alerts as Paranoid Mode does, there is no difference in bug behavior.

 

[Pico]

I have observed the "Disappearing HIPS Rules" bug with hundreds of rules and as few as 20 rules (perhaps less) in the HIPS rules database.

I confirm that.

It does not require a system reboot. Windows reboot has absolutely nothing to do with it.

I've only noticed it happening while shutting down the system.

 

[lockeddown]

Here is a link to a video i made just now about trying to trigger the bug

Sorry for the multiple edits.