CFP- Poor Pop up alerts by compared with other HIPS?

I have made a thread here.I think no need to re-write it here.

What are your thoughts?


Thanks for the tests. I’m concerned that critical driver installation alerts are hidden within registry alerts, to say the least, and I think Defense+ would be greatly improved by alerting users directly to driver installations instead of registry changes. Please post your findings here, because someone has made this suggestion to the wishlist:

Most people won’t understand any of those alerts… Thats a problem with HIPS… 88) I don’t think saying that a “driver/ service” is installing is necessary better than telling where in the registry changes are taking place.

Those who do understand alerts to some extent would be perfectly fine with all the alerts presented… By all the programs…

I prefer CIS alerts since thats what Iam used to… 88)

Anyway, testing and uninstalling/installing software takes time… good job! O0 :-TU

[at] aigle,

I think you might have posted the wrong CIS screenshot in your post on Wilders. The CIS screenshot clearly shows it alerting about loading a device driver, using those exact words. As such, it is as good as the EQS screenshot.

Wouldn’t it be better if the CIS screenshot was one showing where it is alerting about the registry mod?

Ewen :slight_smile:

OMG… Aigle this time don’t let it be like the wrongly preformed conflicker test please… Were users was made believe that CIS in proactive only popped once… something some users there still thinks… 88) 88)

If what Panic says is correct then please post that on wilders… Not telling when comodo actually passes, or as in this case, alerts nicley isn’t really fair… >:( >:(

I feel your intentions are not to fool anyone… But as a rumor starter you should end it now…

Prehaps post a link here and tell them that you missed the alert or ■■■■■■■ over when testing and that CIS actually alerts about loading a device driver. Cus thats a fact… Highly doubt Panic would lie…?? If you think he is… I will test as well…
But I hope I don’t have to…

Well, when I installed Process hacker, what started all this (follow the threads back) it installed a driver, but I never saw ANY pop-up that said a driver was being installed…

Can you post a screenshot of the claimed driver pop-up, because I’ve never seen one in using CIS for about a year…


Post the picture of an alert by CFP saying about a driver/ service install with this software installer. I doubt that you might not even bothered to read my long thread.

Think again. I’ve been following this thread and its spawns since the beginning. Both you and forcespawn have made good points about the obscurity of some of CIS’s alerts and about the fact that a driver install can apparently bypass CIS.

I was only trying to help.

My post referred to your link Comodo Defense+ fails to stop drivers from loading | Wilders Security Forums, where the CIS screenshot clearly shows a driver install alert, which seemed at odds with the rest of the topic.

Your other Wilders topic, CFP- Poor Pop up alerts by compared with other HIPS? | Wilders Security Forums, is really well done and I really hope the CIS devs are monitoring it.

I hope you bother to read my short post. >:(

KIS has very intuitive pop up alerts! CIS should follow it!

Please read my comment on this in the PH thread:

I will elaborate on this. In the Wilders Security thread, gmer was shown with the correct CIS alert. That’s because it uses the first technique I discussed (NtLoadDriver). Process Explorer and Process Monitor also use this method. Most other software uses the second technique, and the alerts are broken. I find it puzzling why we are alerted to registry access by services.exe but we are not alerted to services.exe calling NtLoadDriver…

Attached is a small test program demonstrating the two methods. You will be able to see how CIS responds to the two methods with different alerts…

[attachment deleted by admin]

Yes D+ alerts could be displayed clearer…

hehe… I understood this as if you had tested this yourself and got alerted “about loading a device driver, using those exact words”…

Hard to tell you was referring to something else…
Therefor I got a little upset with aigle for not showing that popup… :a0 88)

Then my mum pulled the plug to my Internet… hehe… ;D :-TU

I hope the Devs reads this… Everyone loves work so Iam sure they jump right on it… 88) ;D

I did not mention first link as it was a bit irrelevent as no such alert was shown with virtual CD drive software install. This alert was shown by gmer and I did mention in that case that CIS alert was correct.

And Monkey_Boy=) thought I am trying to hide something. He might not even bother to read the threads and supposed that you have tested and found the results contrary to me. It took me all the day to make this thread and some one just supposing that I am hiding some thing and he is asking me to confess. That,s sad and funny.

Any way wj32 has already made it very clear.

Thanks wj32. :-TU

Well perhaps I misunderstood panics post… 88) Shit happens… :a0
I did not read and certainly wasn’t aware of this thread/post: Comodo Defense+ fails to stop drivers from loading | Wilders Security Forums and that the alert in there was what panic was talking/referring to… I only read the one link you posted here… Without clicking any further links at wilders…

Well sorry “mate”… (:LOV) (:LOV)

Wait till CIS ver 4…

Zero pop ups is the future with max security guys. :slight_smile:


The most superfluous post in this thread yet.

It reminds me at WW2: “Wait for the new super weapon which will turn the tide!”…

I don’t really know how hard it would be to change the alert presented in the 3.10 codebase, but it seems to me that a 3.11 with some of these sorts of fixes shouldn’t be impossible - on the other hand, if 4 is dropping in ?October? November? then the few months to get 3.11 through beta would be at the 4 release time anyway…


Popups aren’t problematic if they are clear! Compare KIS or OA with CIS popups and you will see the difference!

I wish to have few words from developers on this issue.

Comodo is busy working on v4. They will only release updates for 3.10 that fix bugs. So we have to wait until v4 for which all sorts of new stuff is planned. A very preliminary estimation by Melih says that we cannot expect v4 before the end of the year.

Relevant in this context would be the new interface with usability improvements and a behaviour blocker with possibly a sand box. Letting an installer run in a sandbox may be useful for cross referencing registry entries for services regarding .sys files and actual sys files being written. Wrapping those things up in one alert… Who knows what new alert descriptions may show up with the new and improved interface… sigh… if only we knew… :wink:

But coming to think about things. Even with classical HIPS it shouldn’t be too hard to keep an eye out for cross referencing registry entries for services regarding .sys files and actual sys files being written. It would alert a little later. With the sandbox you may be able alert before the two acts. With the HIPS you would allow one of the two but would still be enough…