Behavior Blocker, not enough options

I agree, we should limit CIS to what other security vendors do, no innovation is allowed!

btw cis behavior blocker is one of the best behavior blockers out there

Even though it is not a true “behavior blocker” but rather a more silent implementation of the underlying HIPS technology.

That is very true. It is a like a set of rules to follow automatically without alerting the user. I would like a more proactive approach and more settings.

To me, if that’s what you want, you can just turn on HIPS and turn off the BB. I can’t see a reason to use both.

Yeap, that’s my variant - BB off and HIPS on. It will be until the BB becomes real Behavior Blocker and not an alias of the AutoSandbox.

In 6.2 they have got rid of the term Behavior blocker and changed it to auto-sandbox. I think that name suits it better.

Indeed they have, didn’t even notice. :smiley: Though the advanced settings still says “Behavior Blocker”

Decisively +1

HIPS and BB are not alternatives. Currently, they complement each other, from the point of view of safety.
BB has the one VERY important function (HIPS does not have it) - I mean checksum verification of executable files.
It is especially important in the case of unrecognized files treated as trusted by user. Any modification of these files will trigger a new alarm.
The HIPS (when BB is off) recognizes files only by path and name, so… for example, simple replacement of safe exe with destructive will give silent full permission for a unwanted actions (when earlier HIPS rule was set to e.g. typical Allowed Application).
In the scenario when both BB and HIPS are turned on, the HIPS checks own rules but unfortunately without popup alerts, even when HIPS rule contains Ask options. But Block options in the rules works, so user can manually set needed restrictions for specific resources.


Should definitely be a 4th Button letting you run the software out of the Sandbox but with HIPS control.

For those concerned about the novice users, I think the Basic / Advanced View could also solve this problem.

Since the BB actually runs as a controllable and much more silent version of HIPS, I see no reason for both to be on. I think the default setting of BB on and HIPS off is the way to go.