Child process totally bypasses HIPS?

If application X is allowed certain functions, and it is also allowed to run a child process Y, does that mean Y process inherits all the HIPS settings of application X?

This application is spawned by “Diablo Immortal.exe” and it seems to run without triggering any HIPS alerts or log entries.

I have removed all certificates in the comodo vendor list and also disabled all the options that trust basically the whole internet thanks to those certificates, so I would have expected a HIPS alert when this application was launched?
Like if I launch something from command prompt (cmd.exe already having HIPS rules), I get a popup pretty much immediately with HIPS alerts, yet this application seems to just coast through everything, why is this?

Hi k1k2k3,

Thank you for reporting.
May I know your:

  1. CIS version?
  2. Win version along with system bit type?
  3. Any other security software installed other than CIS?
  4. Game download link.

Thanks
C.O.M.O.D.O RT

You're obviously using HIPS in safe mode and the application is trusted in one of three ways. Either by the file lookup service that you still have enabled, it is trusted by being created by a trusted installer, or it is trusted by the whitelisted anti-virus file signature database. You need to view the file list and check the file rating tab of the file in question to see why it is given a trusted rating.

  1. CIS 12.2.8.8012
  2. Win 10 Enterprise 10.0.19044.1645
  3. Just CIS + Whatever Windows is running (Firewall and some features of Defender that are not disabled when you are running another security suite)
  4. Diablo Immortal through Battle.net Client from Blizzard (Downloads – Blizzard Entertainment - Battle.net® Desktop App)

@FutureTech:
HIPS is running in Paranoid mode with popup requests disabled (Set to Block Requests).
Verbose Mode for popups (when I enable those, but I had an issue when updating to Win 10 21H2 that Windows would freeze with HIPS popups, so now I do everything through the Comodo Log).
File Rating Settings: All Disabled
Vendor List (For certificates): Everything removed except for Comodo/Intel/Microsoft.
VirusScope: Disabled

If the application is detected as an installer/updater type of application and it has a trusted file rating, it won’t get blocked by HIPS even in paranoid mode. The same is true if it is executed by a parent process that is running as a trusted/installer; you can check the active process list of CIS to see if this is the case. Also, if the application is running under the SYSTEM level account, some HIPS actions will not be detected and will be allowed. It is possible the application doesn’t do anything that would trigger HIPS alerts/blocking.

Hi,

The Parent Process is registered in HIPS already with a Custom Ruleset.

Allows executing this child process.
Blocks all interprocess memory
Allows 4 Windows/WinEvent hooks (dinput, dwmapi, mscft,
Blocks all process termination
Block all device driver installation
Block all window messages
Allows 1 COM interface ({8BC3F05E-D86B-11D0-A075-00C04FB68820})
Allows 7 registry keys
Allows 9 folders/files.
Allows DNS
Blocks memory, monitor, disk, keyboard

Neither this application nor its child process are set as ‘Trusted’, both are ‘Unrecognized’ on the File Rating/File List.

Parent and child run as processes under the logged-in user, not as SYSTEM.

What happens if you run the application that is being run as a child process on its own, e.g. browse to the file path to where it is located and execute it from there? Do you get alerts or blocked events from the application after you execute it?

Nothing occurs when I launch the executable by itself, and no messages.

I see the process in Process Explorer and it launches with a cmd line argument:
/ipc MLIVECCPLAYERIPC00000D0C62C75D892711 /pid 3340 /videoinfo eyJ2aWRlb3VybCI6IlA6L0dhbWVzL0RpYWJsbyBJbW1vcnRhbC9QYWNrYWdlL01vdmllL3Z4X2RlbmdsdTAxLm1wNCIsImVuYWJsZV9zdHJlYW1fcmVjb3JkIjowLCJzdHJlYW1fUmVjb3JkX2ZpbGVfbWF4X2NvdW50cyI6LTE3NDQ4NDE0MTV9 /initstatus e30=

So it would seem it uses ipc to the parent process (pid 3340 is the parent) to playback video in that application.

It writes to two files in %userprofile%\AppData\Roaming\CC\Logs\playersdk* which I guess is a folder area that Comodo will not trigger on?
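The command line quoted above is the most useful triage artefact in this thread: the `/videoinfo` and `/initstatus` values are base64-encoded JSON, so the child's actual input can be read without running anything. The script below is an added example, not something from the thread or from Comodo; it splits the Windows-style `/switch value` command line, decodes both blobs (re-adding base64 padding that some tools strip), and returns the parsed fields so an analyst can confirm what the helper process was handed. The sample command line is the one from the post; the function and field names are the author's own choices.

```python
import base64
import json

# Command line as captured in Process Explorer in the post above (copied verbatim).
CMDLINE = (
    "/ipc MLIVECCPLAYERIPC00000D0C62C75D892711 /pid 3340 "
    "/videoinfo eyJ2aWRlb3VybCI6IlA6L0dhbWVzL0RpYWJsbyBJbW1vcnRhbC9QYWNrYWdlL01vdmllL3Z4X2RlbmdsdTAxLm1wNCIs"
    "ImVuYWJsZV9zdHJlYW1fcmVjb3JkIjowLCJzdHJlYW1fUmVjb3JkX2ZpbGVfbWF4X2NvdW50cyI6LTE3NDQ4NDE0MTV9 "
    "/initstatus e30="
)


def parse_switches(cmdline):
    """Split a '/name value' style command line into a dict.

    A switch with no following value maps to None. Values here contain no
    spaces (base64 and numbers), so whitespace splitting is sufficient.
    """
    args = {}
    key = None
    for tok in cmdline.split():
        if tok.startswith("/"):
            key = tok[1:]
            args[key] = None
        elif key is not None:
            args[key] = tok
            key = None
    return args


def decode_b64_json(value):
    """Base64-decode a value (restoring missing '=' padding) and parse it as JSON."""
    padded = value + "=" * (-len(value) % 4)
    raw = base64.b64decode(padded, validate=True)
    return json.loads(raw.decode("utf-8"))


def triage_cmdline(cmdline):
    """Return the decoded view of the child's command line.

    'parent_pid' is the /pid value the child uses to find its IPC peer;
    'videoinfo' and 'initstatus' are the decoded JSON payloads, or None
    if the switch is absent or does not decode as base64 JSON.
    """
    args = parse_switches(cmdline)
    result = {
        "ipc_channel": args.get("ipc"),
        "parent_pid": int(args["pid"]) if args.get("pid") else None,
        "videoinfo": None,
        "initstatus": None,
    }
    for field in ("videoinfo", "initstatus"):
        if args.get(field):
            try:
                result[field] = decode_b64_json(args[field])
            except (ValueError, UnicodeDecodeError):
                result[field] = None  # leave undecodable input visible as None
    return result


if __name__ == "__main__":
    print(json.dumps(triage_cmdline(CMDLINE), indent=2))
```

Decoding the blob shows that `/videoinfo` carries a local path under the game's install directory and two playback-recording settings, and `/initstatus` is an empty JSON object, which is consistent with the post's reading that the child is a video playback helper talking to the parent over IPC. Comparing the decoded `videourl` against the paths in the parent's HIPS file/folder allow list is a quick way to tell whether the child's file access falls inside rules the parent already has.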