Clarification or best guidance regarding HIPS - Protection Settings

I see nearly all (or all) of my HIPS rules have “Inactive” set on protection settings, meaning from my understanding that Comodo only detects the “outbound” (if you can call it that) from an application but never the inbound (Which in most cases would be handled by the outbound configuration).

Are there any documents with suggested setup for the “Inbound” protection settings used.

Say for example setting “Process Termination” on TASKMGR.EXE to Actively protected with an exclusion for “TaskMgr” itself?

I see these rules also only allow “Active” or “Inactive” with no ‘ask’ implementation so it can learn as you go along, which I would think could be highly dangerous if activated for Windows system processes and applications unless they have their configured list of allowed applications already.

Is there anywhere that documents this in more detail, provides sample configurations and explains why it doesn’t seem to be used much in default rulesets (can they even set it?).

I’m thinking a Ruleset with “Core Windows Files” should have the applications already defined as a group and have both inbound/outbound protections set or would that cause performance issues, potential errors and or be unfeasible or pointless?

Basically what I want to know is:

  1. Should I use it?
  2. On which applications should I use it?
  2b. How should they be configured?

Cheers :smiley:

Scenarios I think this could be useful in: say you allow one of the many gaming rootkits to spy on you when you play a game, you might give them “Interprocess Memory Access” to *, but then you might say on Thunderbird that the protection setting for Memory Access is Active and only Thunderbird itself is allowed to access it (or is that a default rule, so all the thousands of Electron and other application packages will function without being explicitly configured to allow themselves to read their own memory). (And many other scenarios.) (OTOH, since they are rootkits perhaps they bypass Comodo anyway since they are both in ring 0?)

Speaking of which, would it be possible to block specific OS/Win calls, so an application can use all functions but those that enumerate a list of all running processes, list mutexes, or similar? Or are there tools that do this?

CIS is following a different kind of logic than the one you are supposing. In your supposition all protection is defined by HIPS Rules. This is not the case.

Protection (incoming protection) of important objects is provided by CIS as defined in Protected Objects.

There are five main groups of Protected Objects:

  • Protected Files
  • Protected Registry Keys
  • Protected COM Interfaces
  • Protected Data
  • Blocked Files

Protected Objects provide the following access and protection:

The protection of Protected Objects is used in conjunction with the rules in HIPS Rules.

There are different HIPS Rules for different categories of files. Notice that e.g. the HIPS Rules for COMODO Internet Security 2025 differ from the ones for Windows Updater Applications and Windows System Applications. The rule for Comodo Internet Security 2025 has a protection rule to keep applications from accessing CIS processes in memory as a protective measure to make sure no program can terminate CIS processes.

The consequence of the latter is that when Task Manager is running CIS will log every few seconds that Task Manager is trying to access cmdagent.exe in memory. A user was complaining about this. To keep the CIS logs from being filled with these entries it is possible to allow Memory Access by Task Manager by making an Exclusion in the Protection Settings in the rule for Comodo Internet Security 2025. We will always caution a user who is considering making this type of exclusion that it makes the system a bit less secure.

I hope the above explained the basic logic of how CIS protects and how different aspects work together.


Thanks for your reply.

I was reading from the manual online and it says this.

  1. Protection Settings - Protection Settings determine how protected the application or file group in your ruleset is against activities by other processes. These protections are called ‘Protection Types’.

  • Select ‘Active’ to enable monitoring and protect the application or file group against the process listed in the ‘Protection’ column. Select ‘Inactive’ to disable such protection.

The in-app UI says “Exclusions” which I would read to be exclusions from the rule, so basically leaving this blank would appear to block Any interprocess memory access towards this app, if I enabled it - except for the apps I put in Exclusion.

But the manual reads like, if I enable this, everything will be allowed access to the memory of the application UNLESS I put their name in the ‘excluded’.


Regarding your comments on Protected Objects and reading this Protected Files, PC Files, Folders Protection From Malicious Software | COMODO, it reads like all applications have access to these interfaces for READ but not for Modification. Does that mean anything not listed here is given full access?

It would appear that \device\afd\endpoint (listed under windows socket interfaces) and \device\cng have the same protection based on HIPS popups, since I get one for either? But I can not find \cng\ listed under protected files under protected objects.

  • So how are they treated differently when one is in protected objects and the other is not?

For testing I added “r:\log.txt” to Protected Objects.

Before the rule entry I could run cmd.exe then do a “more” or “echo” towards the file (since I had given cmd.exe “r:*” permissions on protected files\folders).

I then removed the permission for cmd.exe to "r:" and started a new cmd prompt.

I could still list the contents of the file to the console with more, and when I used echo > towards the file, I got the normal HIPS prompt, and when accepted and stored, it got added to the rule for “cmd.exe” and the changes appeared in the file.

  • What did protected objects do in this case?

When I added it to Blocked Objects, cmd could not access it at all, and I was not even prompted for access by a HIPS popup.

Same thing with notepad.exe: I have “r:\log.txt” listed as a protected object, and I can open and modify it fine in Notepad, because I had given Notepad allowed permission on protected files/folders. But if I had set this to Ask, I would get a HIPS prompt for saving this file regardless of the entry being in protected objects or not…

Maybe it’s insomnia but I just don’t get how that settings area works even after reading your explanation and the readme, and experimenting. Perhaps I’ll understand tomorrow :smiley:

Is it perhaps intended for use in combination with “Trusted Applications”?

That’s not how I read the manual. I read the part up to five times to make sure I was not overlooking something. I did come across an error though. In the following I struck the part that is incorrect:

When a protection is set to inactive it is not possible to add an exception

That is correct.

I cannot comment because I don’t know how you were testing and what alerts were given.

This is expected behavior because Protected Files are allowed to be read.

It is working as expected. Nothing can access Blocked Objects.

The behavior you watched with Notepad is expected. You don’t need to make a rule for Notepad for it to change a Protected Data Object.

Correct. It brings me to a third principle. I sometimes voice it as: CIS is the nanny of program behavior, not the nanny of user behavior. The user is allowed to do anything, including destroying the CIS and Windows installations, and CIS won’t alert. However, Unknown Executables are not allowed to do this.

That is why when you use Notepad, Command Prompt, Windows Explorer or any other program every action is allowed: it is allowed because it is initiated by the user.

To see protection at work, write a batch file that will try to delete a Protected Data File. It will be blocked. When the user uses Windows Explorer (or similar programs like Total Commander, Free Commander etc.) to delete that same Protected Data File, the user is allowed to delete it because the action is initiated by the user and not by an unknown executable.

Conclusion: if you want to test protection settings at work you will have to write a batch file that tries to intrude on Protected Objects, and you will see the intended actions getting blocked.
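A batch file of the kind described in the reply above, added here as an example rather than taken from the thread or from Comodo's documentation. It assumes the file the earlier poster used, R:\log.txt, has already been created and added to Protected Objects; change TARGET to whatever path you protected. It tries the three actions discussed in the thread (read, modify, delete) and reports for each whether it went through or was stopped, so you can compare the result of a script-initiated action against the same action performed by hand in Notepad or Explorer.

```batch
@echo off
REM Added example, not code from the thread or from Comodo.
REM Exercises CIS protection of a file listed under Protected Objects.
REM Assumption: R:\log.txt exists and is already in Protected Objects.
setlocal
set "TARGET=R:\log.txt"

if not exist "%TARGET%" (
    echo Target %TARGET% does not exist. Create it and add it to Protected Objects first.
    exit /b 2
)

echo [1] Read %TARGET% - reads of Protected Files are allowed, expect: allowed
type "%TARGET%" >nul 2>&1 && echo     read: allowed || echo     read: BLOCKED

echo [2] Append to %TARGET% - modification by a script, expect: blocked or HIPS alert
>>"%TARGET%" echo hips-test %date% %time% 2>nul && echo     write: allowed || echo     write: BLOCKED

echo [3] Delete %TARGET% - deletion by a script, expect: blocked
REM "del" does not reliably set ERRORLEVEL on access denied, so check whether the file survived.
del /q "%TARGET%" 2>nul
if exist "%TARGET%" (echo     delete: BLOCKED) else (echo     delete: allowed, file is gone)

endlocal
```

Run it by double-clicking the .bat file or from a cmd window; the point is that the write and delete originate from the script rather than from the user typing the command, which is the distinction the reply draws. After each run, check the HIPS log to see which entry (the rule for cmd.exe, or the Protected Objects entry) produced the block or the alert.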

Provided they have the status “Trusted”, which basically means it will “bypass” (even if by design) parts of HIPS - correct?

I would not call it bypassing HIPS though.

Trusted Applications are allowed to do things Untrusted Applications are not allowed to, because it is the HIPS that determines which one is which and therefore what they are and are not allowed to do.

Permissions for Trusted Applications make the HIPS less talkative and therefore more user friendly.
