HIPS hinders antivirus update

Can you reproduce the problem & if so how reliably?:
The problem is easily repeatable. If I have HIPS enabled and set to safe mode, it isolates WerFault.exe, preventing the antivirus signature update from completing. That update gives an error: “Can’t execute RPC” (translated)

If you can, exact steps to reproduce. If not, exactly what you did & what happened:

  1. Enable HIPS
  2. Run antivirus Signature Update
  3. Look at HIPS report, notice that WerFault got isolated.
  4. Look at update error message.

One or two sentences explaining what actually happened:
WerFault.exe got isolated by the HIPS feature in Comodo 10, preventing the update of the AV signatures.

If a software compatibility problem have you tried the advice to make programs work with CIS?:
No

Any software except CIS/OS involved? If so - name, & exact version:
No

Any other information, eg your guess at the cause, how you tried to fix it etc:
I tried to deblock WerFault, but the feature doesn’t seem to work… So far the only thing that works is to switch to another pre-installed profile of CIS V10 and revert to my custom profile after that update.

Exact CIS version & configuration:
CIS Premium 10
running the same configuration I had in CIS8 (I exported that profile and reimported it into 10)

Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:
HIPS
Firewall
AV
Auto-Containment
Website-Filtering

Have you made any other changes to the default config? (egs here.):
The profile has been customized over the course of a few months, however it all worked in V8

Have you updated (without uninstall) from CIS 5, 6 or 7?:
No,
I exported the profile from CIS V8, used the built-in uninstaller, rebooted, used CCleaner, rebooted, installed CISV10.
This was done on all computers, only one is acting up.

Have you imported a config from a previous version of CIS:
Yes, a fully working configuration file from V8 that ran flawlessly.
if so, have you tried a standard config - if not please do:
Yes, this worked, but using this will make me lose my firewall rulesets, right?

OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
WIN10 X64, Default UAC, Admin account, No VM

Other security/s’box software a) currently installed b) installed since OS, including initial trial security software included with system:

A: MalwareBytes Anti Malware (2nd opinion scanner)
B: None


I also noticed that switching from a default profile to my custom profile after having done an update locks up the system. Nothing works (Windows Explorer, Comodo GUI, Task Manager, Ctrl+Alt+Del, …).

I have some snippets here from the configuration file that refer to WerFault.exe:

  1.  <Rule Flags="2" DefaultAction="4">
        <Allowed>
          <File UID="{4C2D4614-0414-4952-935C-4C8CEEA39893}" Flags="0" Filename="C:\Windows\System32\WerFault.exe" DeviceName="C:\Windows\System32\WerFault.exe"/>
        </Allowed>
        <Blocked/>
      </Rule>

  2.  <Rule Flags="2" DefaultAction="4">
        <Allowed>
          <File UID="{51A64DA7-D0EE-4B48-A294-B1588C03FC0E}" Flags="0" Filename="C:\Windows\System32\WerFault.exe" DeviceName="C:\Windows\System32\WerFault.exe"/>
        </Allowed>
        <Blocked/>
      </Rule>

  3.  <Rule Flags="2" DefaultAction="4">
        <Allowed>
          <File UID="{34F00138-B4A0-464C-A9D6-8327F511FCB8}" Flags="0" Filename="C:\Windows\SysWOW64\WerFault.exe" DeviceName="C:\Windows\SysWOW64\WerFault.exe"/>
        </Allowed>
        <Blocked/>
      </Rule>

  4.  <Rule Flags="2" DefaultAction="4">
        <Allowed>
          <File UID="{783EAB24-2235-49A0-8548-25AB1CCDF89D}" Flags="0" Filename="C:\Windows\SysWOW64\WerFault.exe" DeviceName="C:\Windows\SysWOW64\WerFault.exe"/>
        </Allowed>
        <Blocked/>
      </Rule>

  5.  <Rule Flags="2" DefaultAction="4">
        <Allowed>
          <File UID="{E42E5251-A783-4868-956D-7C5815BA1356}" Flags="0" Filename="C:\Windows\SysWOW64\WerFault.exe" DeviceName="C:\Windows\SysWOW64\WerFault.exe"/>
        </Allowed>
        <Blocked/>
      </Rule>


I also compared the values for RPC in the default configfile and my own, but those were the same.
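An added example, not from this thread or from Comodo: a small Python script that indexes CIS-style <Rule> entries by the file they allow, so duplicated entries (like the five WerFault rules above, two for System32 and three for SysWOW64) stand out when comparing an imported V8 profile against a default one. The <Rules> root wrapper is an assumption made so the quoted fragments parse as one document; the real CIS file layout is not shown in the thread.

```python
# Added example for this thread (not Comodo code): index CIS-style <Rule>
# entries by the file they allow, so that duplicated or conflicting rules for
# one executable stand out when comparing an imported profile with a default.
import xml.etree.ElementTree as ET
from collections import defaultdict
from ntpath import basename

# Constructed sample input: the five WerFault rules quoted in the post, wrapped
# in an assumed <Rules> root so the fragment parses as one document.
SAMPLE_RULES = r"""<Rules>
<Rule Flags="2" DefaultAction="4"><Allowed>
<File UID="{4C2D4614-0414-4952-935C-4C8CEEA39893}" Flags="0" Filename="C:\Windows\System32\WerFault.exe" DeviceName="C:\Windows\System32\WerFault.exe"/>
</Allowed><Blocked/></Rule>
<Rule Flags="2" DefaultAction="4"><Allowed>
<File UID="{51A64DA7-D0EE-4B48-A294-B1588C03FC0E}" Flags="0" Filename="C:\Windows\System32\WerFault.exe" DeviceName="C:\Windows\System32\WerFault.exe"/>
</Allowed><Blocked/></Rule>
<Rule Flags="2" DefaultAction="4"><Allowed>
<File UID="{34F00138-B4A0-464C-A9D6-8327F511FCB8}" Flags="0" Filename="C:\Windows\SysWOW64\WerFault.exe" DeviceName="C:\Windows\SysWOW64\WerFault.exe"/>
</Allowed><Blocked/></Rule>
<Rule Flags="2" DefaultAction="4"><Allowed>
<File UID="{783EAB24-2235-49A0-8548-25AB1CCDF89D}" Flags="0" Filename="C:\Windows\SysWOW64\WerFault.exe" DeviceName="C:\Windows\SysWOW64\WerFault.exe"/>
</Allowed><Blocked/></Rule>
<Rule Flags="2" DefaultAction="4"><Allowed>
<File UID="{E42E5251-A783-4868-956D-7C5815BA1356}" Flags="0" Filename="C:\Windows\SysWOW64\WerFault.exe" DeviceName="C:\Windows\SysWOW64\WerFault.exe"/>
</Allowed><Blocked/></Rule>
</Rules>"""


def index_rules_by_file(xml_text):
    """Map each allowed Filename (case-folded) to the (UID, DefaultAction,
    Flags) of every rule that lists it."""
    by_file = defaultdict(list)
    for rule in ET.fromstring(xml_text).iter("Rule"):
        for f in rule.findall("./Allowed/File"):
            by_file[f.get("Filename", "").lower()].append(
                (f.get("UID"), rule.get("DefaultAction"), rule.get("Flags")))
    return dict(by_file)


def find_duplicate_file_rules(xml_text):
    """Return only the paths that appear in more than one rule."""
    return {p: e for p, e in index_rules_by_file(xml_text).items() if len(e) > 1}


def rules_for_basename(xml_text, name):
    """All (path, entries) pairs whose Filename ends in the given executable."""
    name = name.lower()
    return [(p, e) for p, e in index_rules_by_file(xml_text).items()
            if basename(p) == name]


if __name__ == "__main__":
    for path, entries in find_duplicate_file_rules(SAMPLE_RULES).items():
        print(f"{path}: {len(entries)} rules -> {[uid for uid, _, _ in entries]}")
```

Running the same functions over an exported default profile and the imported custom one, then diffing the two dictionaries, narrows the comparison to the rules that actually differ for WerFault.exe.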

Can you try using one of the standard default configs and check the file rating of werfault and make sure it is set to trusted.

So when using one of the pre-installed (default) profiles it all works, but then when I try to switch back to the profile holding my custom rulesets, the computer freezes to a halt (nothing works).

I checked WerFault’s file rating and it is set to trusted. In the HIPS log the target of WerFault is “c:/Program Files/COMODO/COMODO Internet Security/cavwp.exe”.

CIS is trying to protect itself from a trusted file, or am I interpreting something in the wrong fashion?

I scanned WerFault on Virustotal which returned that the file was clean.
The MD5 of WerFault matches other instances I found online: 54B91C4C9B1F88EE6EF3222290FDFACE

I’m a bit at a loss with this.

Yeah, WerFault is gathering memory information within cavwp.exe, which is protected from interprocess memory access when HIPS is enabled. So something in your custom config is causing the issue. Can you attach your config here? Just attach it as a compressed zip folder.

I thought of that already but I can’t find what’s going on on that PC. Attached is the zip file from that PC; all was working before the update to V10, so I’m a bit baffled that it is a configuration issue.

I have no button to add a file, it’s zipped and can be found here: https://we.tl/viwnmsNbYY

Yeah, something is wrong with your config but I can’t figure it out. When I activated your config it locked up my PC, so I had to do a hard reboot. Then once I was back in Windows, the AV update started to download the big DB because it somehow deleted the DB I already had, and yes, it ended up failing. My only suggestion is to start over with a default config and use that as your starting point and then customize it the way you want. I know that is not an ideal solution, but at least you will be able to update the AV.

@Futuretech, thanks for investigating and putting your time in. I had feared as much.

Is there any clue to what causes this? Other computers that got updated had no problems importing the config file unique to them. It has to be something in the configuration that changed from V8 to V10, but I’m still no step closer to finding it. For now I did as you suggested, using one of the default configs and modifying it to match the old profile.