Full HIPS protection when sandbox is on

Not sure if this is a wish or a bug; I think a wish.

1. What version of CIS, or Comodo Firewall, are you currently using:
7.0.317799.4142

2. What actually happened or you saw:
Now, if you activate the sandbox, HIPS misses some alerts.

How to test:
0. Download Comodo Firewall | Get Best Personal Firewall Software for $29.99 A Year

Fail: 210/340, 13 missed.

  1. Activate the sandbox at any level and set HIPS to secure mode.
  2. Run CLT outside the sandbox and block all alerts in HIPS.

Correct protection: 340/340, 0 missed.
0. Clean the CLT rules from Comodo.

  1. Disable the sandbox and set HIPS to secure mode.
  2. Run CLT outside the sandbox and block all alerts in HIPS.

3. What you wanted to happen or see:
A. Option to set HIPS into default block mode when SB is on.
B. Don’t disable HIPS functions by default.

4. Why you think it is desirable:
Give maximum protection to users.

5. Any other information:
I don't think I need to give more info.

This is a very good suggestion.
A practical example of how this would be useful: you access your email and see a message containing malware or a keystroke-capture program; it comes from the email address of a parent or a friend, so you download the file and run it. Then, without realizing it, you access your bank account or other email, and there are ancient methods used by malware writers to easily pass through the firewall without a single warning.
Any malicious program that is able to use legitimate programs to access the internet will send its data to the criminal if the browser or messenger is running fully virtualized.

Sorry for my English!

Okay, let me try to wrap my head around what is really going on with this configuration. Is the issue which causes the bypasses due to the leaktest actually being able to leak information, meaning a true bypass, or due to the Behavioral Blocker component making it think it has been able to leak information?

From what I have been told it is the second, meaning that there is no danger here. This has been reported many times, and the best information I have gotten is that the leaktest was meant to test a HIPS (meaning if it is not automatically blocked it is marked as a failure). Therefore, as the HIPS in that configuration is meant to supplement the BB, some actions will technically not be blocked, but instead run at the level of the BB, hence the lowered score. However, this does not mean that you are actually that much less secure. It is just a different way of protecting your computer.

If anyone believes I have misunderstood the issue, or perhaps downplayed the danger, please feel free to respond. I am absolutely willing to have a discussion about this, and if I believe there is any danger against real malware I will forward this as a wish.

Thank you.

Sorry to intrude!
I decided to download the latest version of Comodo Firewall Pro 2 and run the tests that failed in CIS 7, to see how the firewall was and how it is.
See attachments.

To supplement what I had said:
The leak test may have been meant to test the HIPS, so why is Comodo version 2 able to filter this kind of test?

Some time ago it was said that my tests had no value, but this looks interesting:
Comodo Firewall Pro 2.xx

Comodo Firewall 5, 6 and 7

How do you explain that versions of the firewall that theoretically should be more robust fail to do what Comodo did in its early versions?


liosant, does the HIPS alone pass the test, meaning the BB is completely disabled and nothing is sandboxed? Sorry if this is shown in the videos; I have not watched them.

Thanks.

With HIPS in safe mode and no custom rules made, HIPS will alert that the leaktest is trying to access the Protected COM Interface C:\Program Files (x86)\Internet Explorer\iexplore.exe. If you allow it, then it is able to send the data and the fail page shows; if you block it, then it isn't able to send the data and the pass page shows.

Any thoughts on this? If nobody disagrees with this statement I will move this to Rejected within a few days.

Thanks.

When b152 said he wants to interact when the HIPS module handles some fully virtualized file, if I understand him, he may be unsure about the firewall not filtering leaks (Comodo Firewall is unable to recognize malware or secure files that use other files recognized by the CIS database).
In the Comodo Firewall 5 versions, the firewall became dependent on the HIPS module and injectors passed easily through the firewall.
If users do not want to listen, at least give a little more attention to the firewall module: with HIPS disabled, or with a fully virtualized and running malicious file with HIPS enabled, Comodo Firewall will fail.
As I show in the screenshot and video, Comodo Firewall Pro 2.xxx is able to intercept leak connections, so why does Comodo Firewall 7 fail?

Hmm, I think it's a bypass. I'll try to explain, but my English is very limited.

Configuration A:
SandBox: OFF
HIPS: Secure Mode.
Leak test: RUN OUTSIDE of SandBox.

Result: HIPS ask for ALL actions, all actions are blocked.

Configuration B:
SandBox: ON
HIPS: Secure Mode.
Leak test: RUN OUTSIDE of SandBox.
Result: HIPS misses asking for some actions; not all actions are blocked.

Conclusion: A malicious program can bypass HIPS and make changes on the system if it runs outside the sandbox while the sandbox is enabled.

@liosant, if I am not misunderstanding, are those not different situations from the one the OP is describing? There are issues with Fully Virtualized and firewall leaks, and with the default configuration and firewall leaks. However, I am not aware of any for just the HIPS, with the BB disabled and nothing sandboxed.

@everyone, I think the issue with having the BB enabled and the HIPS also enabled is that some things will not be blocked, as they will be allowed to run in the BB. However, this is the intended behavior. If users do not want anything to be run without their permission they should just use the HIPS.

Am I correct in my interpretations?

However, b152, I do not understand why you believe it is run outside of the sandbox. Can you please explain this?

Thanks.

This situation is for testing only, but I can write a little example:

Timmy wants SoftX, but it is very expensive ($500) and doesn't have a trial period.
Timmy decides to test the program using a keygen.
But the Comodo sandbox blocks it (some programs fail in the sandbox).
So Timmy decides to run it outside the sandbox; the keygen gives a key, but surprise, the keygen infects the computer with a file (Invasion: FileDrop?) and makes it autorun (Hijacking: StartupPrograms?), and Timmy is f**

Jon wants SoftX, but it is very expensive ($500) and doesn't have a trial period.
Jon decides to test the program using a keygen.
Comodo alerts Jon about badKeygen (Invasion: FileDrop, Hijacking: StartupPrograms).
Now Jon can block this and stay secure. Jon is happy with Comodo.

Yes, Jon can miss Comodo alerts and get infected, but that is HIS mistake, not Comodo's mistake.

BB is a good layer of protection, but it should not interfere with other layers…

BB =/= HIPS. They are two distinct layers; they should not affect each other.

If you are talking about executing a program you want to use or know better, yes.
If you are talking about running the browser on the virtual desktop to access your email or bank safely, and you accidentally download an email containing malware that captures and uses the browser itself to leak your information, the firewall will fail.

The solution for this is this wish: https://forums.comodo.com/waiting-area-please-cast-your-votes-cis/add-option-to-run-hips-or-hids-inside-sandbox-w3-t102364.0.html

b152, it’s best not to think of the BB and the HIPS as two completely different security systems. The Behavioral Blocker (BB) is best thought of as an automated HIPS. Essentially, each level of the BB will load certain rules which will automatically allow certain types of actions while allowing others. Essentially, it is answering the HIPS alerts for you. Obviously, the higher the level the more often it will restrict these actions (essentially answer no on your behalf).

Using the BB with the HIPS will give the user a little more control, but as the BB is being used some actions will of course be allowed. If you didn’t want that you would just be using the HIPS or have the BB set to Blocked.

Does this explanation help make a little more sense as to how these two work together? Let me know if you have any questions.

Thanks.

I think now I know why we do not understand each other.
Full HIPS protection when Full Virtualization is on.

I use the sandbox as Full Virtualization, and I want full protection outside of F.V.

Okay. In that case I believe I did misunderstand.

In that case I believe that you are correct. The wish has already been submitted here.

In that case would you have any objection to me moving this topic to the Rejected section, seeing as the wish has already been submitted?

I think it's not exactly the same.

I want full HIPS OUTSIDE of F.V., not inside.

When you set the Sandbox to F.V. mode you lose the BB and need full HIPS.

Okay, but full HIPS is currently available outside the Fully Virtualized Sandbox. It’s just that you won’t have full protection from the HIPS if you leave the BB enabled, which is intentional.

Am I still misunderstanding?

Thanks.

I don't understand you this time.

Outside the sandbox you can already have full protection from the HIPS if you just disable the Behavioral Blocker.

The other wish was created because currently there is no way to have the HIPS provide any sort of protection if something is sandboxed as Fully Virtualized.