Difference in Comodo HIPS behaviour for Safe Applications with / without HIPS rules
Comodo Free FW 18.104.22.16818
Avast Free AV 18.7.2354
I have used SpywareBlaster for many years and it still gets periodic protection updates. Although I guess it may well be that the protection it affords is already covered in other ways these days.
So, a couple of weeks ago I went to temporarily disable (unload) the SpywareBlaster protection and it took an absolute age to complete (around 10 minutes). Likewise re-enabling took ages. I noticed at the time that cavwp.exe was using high CPU.
Yesterday I booted up my laptop and had the same issue (and so not a one-off on my desktop). As the lappie is less powerful, cavwp.exe was hitting around 50% CPU all the while SpywareBlaster.exe was running (i.e. whilst unloading / loading protection).
I realised straight away that the cause was likely to be some interaction between SpywareBlaster and Comodo (and that something had changed in recent weeks to cause the recent change in behaviour – maybe Chrome, IE11, Windows registry protection, Comodo itself? [very recently I updated the Comodo software to the latest – previous program update was done in Feb 2019]).
As I have Comodo set up to create rules for Safe Applications in the FW and SpywareBlaster.exe was already there with appropriate access allowed, I looked at HIPS.
HIPS was set to not create rules for safe applications. CLARIFICATION: both FW and HIPS set to SAFE MODE
So I set HIPS to create rules for safe applications. Instantly SpywareBlaster.exe zoomed through (both loading and unloading protection) and cavwp.exe CPU was hardly noticeable. On checking, there was then a set of HIPS rules for SpywareBlaster.exe (see two attached images for details).
So I then changed HIPS back to not create rules for safe applications and removed the HIPS rules for the few other extra safe applications that had also been added whilst create rules had been enabled.
So, now all fine (with HIPS rules that had been created for SpywareBlaster.exe).
It is worth noting that (both with and without create HIPS rules enabled), when SpywareBlaster.exe was running, Comodo did not log anything pertinent to it (other than the creation of the HIPS rules themselves).
QUESTION 1: So my main question is this: Why would Comodo perform markedly differently (as evidenced by the high cavwp.exe CPU) for a safe application without HIPS rules created versus the same safe application with HIPS rules created?
QUESTION 2: Furthermore, it begs the question as to what other safe applications might benefit from having HIPS rules to minimise cavwp.exe CPU?
Appreciate any input.