I am either going blind, old, or both… :-X
Thanks for the help!!! :-TU
You are welcome, and as for “old”, you're not alone.
I think I’d probably welcome this.
What I’ve noticed is that if I disable the BB then I get a lot more HIPS alerts than when BB is running, even though I’m not aware of anything actually being sandboxed.
Maybe this is connected to this request, I'm not sure.
I wanted to start a similar topic but found this one. My suggestion is more concerned with usability and ease of creating rules, not just the suspicious/dangerous decision. I am always using paranoid mode, and it's very annoying to answer dozens of HIPS questions. So here is a concept for rules based on logs:
- Every virtualized application should have logs similar to the current Defence+/Firewall logs. We don't need to know about every file/registry access, just access to Protected Objects. We need a short overview of which Protected Objects this application is trying to access or modify. Not just an abstract “app.exe is trying to access a protected pseudo-COM interface” but the name of the protected group, i.e. Internet Explorer/Windows Shell, Windows Management, Miscellaneous Classes, etc. For Registry Keys: Automatic Startup, Internet Explorer Keys, etc. We should also be able to expand these group names and see which keys/objects were accessed/created/modified. Not only object names but also values. For registry keys we could see the old and new value. For Protected Files you could add simple diff functionality which would show the difference between the original and modified file (for text files only, win.ini and hosts for example).
- The user should be able to quickly create HIPS rules based on these logs. Just select a specific protected object or group of protected objects and mark it as a deny rule. Select everything else and mark it as allowed. Click OK and the new HIPS rule with a custom ruleset is ready. It will be applied the next time the application runs non-virtualized.
- The user should also be able to create Firewall rules directly from the logs (including standard Firewall Events). Right click and select “Create rule” from the menu. The logs should react dynamically to the new rule by showing rule coverage. For example: I have 100 lines of log. Instead of creating 100 rules I create 1 rule with an IP range and port range. This new rule will cover 90 lines of the log. These 90 lines should be marked somehow so I can quickly find the other 10 lines and create a second rule.
At the moment dozens of COMODO popups are my nightmare when I run a new “heavy” application. Moreover, if there are too many alerts at the same time then old alerts are lost, since COMODO can display only one alert window at a time.
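As an added illustration of the rule-coverage idea in the post above (example code, not COMODO's; the four-column log format, the sample addresses and the Rule fields are my own simplified assumptions), here is a small Python script that applies candidate rules to constructed firewall log lines, marks which lines each rule covers, and lists the lines that still need a rule:

```python
"""Rule coverage over firewall log lines (added example, not COMODO code).

Given a list of candidate rules, mark every log line with the first rule
that matches it and report the lines no rule covers yet.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample log in a simplified "proto src_ip dst_ip dst_port" form.
# A real Firewall Events export has more columns, but the idea is the same.
SAMPLE_LOG = """\
TCP 192.168.1.10 93.184.216.34 443
TCP 192.168.1.10 93.184.216.35 443
TCP 192.168.1.10 93.184.216.36 80
UDP 192.168.1.10 8.8.8.8 53
TCP 192.168.1.10 203.0.113.7 8080
"""


@dataclass(frozen=True)
class LogEntry:
    line_no: int
    proto: str
    src_ip: ipaddress.IPv4Address
    dst_ip: ipaddress.IPv4Address
    dst_port: int


@dataclass(frozen=True)
class Rule:
    """One rule: protocol, destination network and destination port range."""
    proto: str                      # "TCP", "UDP" or "ANY"
    dst_net: ipaddress.IPv4Network  # e.g. 93.184.216.0/24
    port_lo: int
    port_hi: int

    @classmethod
    def from_spec(cls, proto: str, cidr: str, ports: str) -> "Rule":
        """Build a rule from strings such as ("TCP", "93.184.216.0/24", "80-443")."""
        lo, _, hi = ports.partition("-")
        return cls(proto.upper(), ipaddress.IPv4Network(cidr), int(lo), int(hi or lo))

    def matches(self, e: LogEntry) -> bool:
        proto_ok = self.proto == "ANY" or self.proto == e.proto
        return (proto_ok and e.dst_ip in self.dst_net
                and self.port_lo <= e.dst_port <= self.port_hi)


def parse_log(text: str) -> list[LogEntry]:
    """Parse the four-column sample format; blank lines are skipped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        proto, src, dst, port = raw.split()
        entries.append(LogEntry(n, proto.upper(), ipaddress.IPv4Address(src),
                                ipaddress.IPv4Address(dst), int(port)))
    return entries


def coverage(entries: list[LogEntry], rules: list[Rule]):
    """Return (covered, uncovered): covered maps line_no -> index of the first
    matching rule; uncovered lists the line numbers no rule matches."""
    covered: dict[int, int] = {}
    uncovered: list[int] = []
    for e in entries:
        for i, r in enumerate(rules):
            if r.matches(e):
                covered[e.line_no] = i
                break
        else:
            uncovered.append(e.line_no)
    return covered, uncovered


def render(entries: list[LogEntry], covered: dict[int, int]) -> list[str]:
    """One output line per log line, prefixed with the covering rule's tag."""
    out = []
    for e in entries:
        tag = f"[R{covered[e.line_no] + 1}]" if e.line_no in covered else "[  ]"
        out.append(f"{tag} {e.proto} {e.src_ip} -> {e.dst_ip}:{e.dst_port}")
    return out


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    rules = [Rule.from_spec("TCP", "93.184.216.0/24", "80-443")]
    covered, uncovered = coverage(entries, rules)
    print("\n".join(render(entries, covered)))
    print("still uncovered:", uncovered)
    # Add a second rule for what is left and re-check.
    rules.append(Rule.from_spec("UDP", "8.8.8.8/32", "53"))
    covered, uncovered = coverage(entries, rules)
    print("\n".join(render(entries, covered)))
    print("still uncovered:", uncovered)
```

Running it marks the three lines to 93.184.216.0/24 with [R1], then the DNS line with [R2] once the second rule is added, leaving only the 203.0.113.7:8080 line unmarked, which is exactly the “find the other 10 lines” workflow the post asks for.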
If you think about it, this is halfway to an application virtualiser.
@Koshi: Any reason for using paranoid mode?
Of course it would alert you for every application; I don't see the usability factor in everyday computer usage…