For a while now, every time I think to look at the Blocked Applications in Comodo, I find four entries, all showing as blocked by HIPS - and the SAME four entries every time, despite the fact that all are rated as trusted, all are from trusted sources, and each time I unblock them for the component shown in the 'blocked by', i.e. HIPS. But the next time I look, whether several days later, or the next day, there they are back again in the list, blocked by HIPS again.
And here’s the funny thing:
One is the Microsoft Windows compattelrunner.exe that reports back to Microsoft about software compatibility issues…
One is SRE.exe, which is a utility provided by Dell for my Dell laptop, to check for updated drivers, clear up things like temp files, run diagnostics on the hardware, and receive tech support if needed from Dell.
And the other two? Comodo’s cis.exe and cavwp.exe.
That’s right - Comodo is showing its own main exe and updater exe as blocked by its own HIPS!
I am getting REALLY tired of unblocking these four out of the block list. Why do they keep coming back, and how do I stop them coming back?
For a while now, every time I think to look at the Blocked Applications in Comodo, I find four entries, all showing as blocked by HIPS
Why do you not look in the HIPS events log to see the actions that are being blocked? The blocked applications list is not going to tell you anything useful as to the cause of the blockage other than what component is responsible for the block. You need to view the events for that blocked application in the view logs task for the relevant component that is listed under the 'blocked by' column.
The Blocked Applications list in the main UI seems to cause a lot of confusion. It may be a good idea to remove it from the UI.
It does not distinguish between memory access attempts to CIS processes (which will always get blocked because it is how CIS protects itself) and other events. People will keep on adding flagged programs to the Trusted Files list in vain.
Why do you assume I didn’t?
All the HIPS Events log says is that the action was ‘Block File’ multiple times (mostly once a day every day) for all those 4 .exes (plus one instance of an ‘Access memory’ for Dell Support Assist a few days ago when it ran its scan for any issues and looks like it was trying to access cis.exe’s memory, which is understandable). In each case the target was mobile_backup_server.exe, but it’s a trusted file, Dell Support Assist, the Microsoft compatibility reporter, and cis.exe and cavwp.exe are trusted files, and nothing in that event log tells me WHY HIPS is ‘block file’-ing these events. Or why it keeps on happening despite me unblocking for HIPS each time. Or why HIPS is blocking two COMODO exes.
Blocked files means an application attempted to access a blocked file that you defined in the blocked files section of HIPS protected objects. This means all access including read/write/execute permission is denied by all applications regardless of application rating or HIPS rule.
The only ways that I know of for a file or folder to be added to the blocked files list are if you manually add a file/folder or use the killswitch option kill and block process.