HIPS not detecting VLC installer?

Okay, so why is the HIPS not complaining about the VLC installer when executed from explorer? I would expect an alert like Explorer is trying to execute … and later VLC Installer is trying to modify registry key, VLC Installer is trying to modify a protected file, etc. But when I ran the installer all I got was a privilege escalation windows popup telling me whether or not I want to allow this program to make changes to my computer. Then no thing! the thing installed VLC without triggering any alerts. WTH?

https://get.videolan.org/vlc/2.1.2/win32/vlc-2.1.2-win32.exe
SHA1:11DAA54DC41AB9AA664979DB91C8099599C11045

The file isn’t even signed - no exe signature, no pgp signature. It is an unknown file.

My HIPS is set to safe mode, Do not show popups is disabled, popups are set to verbose, create rules for safe applications are off, the installer file is not in the trusted files list, behavior vlocker auto-sandbox is disabled, BB is set to detect programs with elevated privileges and to show escalation alerts, sandbox file list is empty, clous lookup is disabled, Trust apps signed by trusted vendors is partially enabled but shouldn’t matter since the installer is not signed, trust files installed by trusted installers is disabled, the installer file is not on the trusted file list, it’s not on the unrecognized file list or submitted file list, and the trusted vendors are only comodo and microsoft.

So… ? If I set the HIPS to paranoid mode, I get some alerts running the VLC installer.

VLC’s installer is not an unkown file, it is in Comodo’s whitelist.

You can search for the SHA1 here: http://file-intelligence.comodo.com/index.php

Wow, I didn’t know about that, thanks a lot for pointing it out. I found it extremely unusual for an unsigned file not to trigger alerts. I was beginning to wonder whether there is some sort of a NSA trojan present on my PC that disabled HIPS for certain files :-/

Is it possible to disable this whitelist somehow? I assume it can be done by setting the HIPS into paranoid mode, but does that also disable anything else?

Best regards!

You can see what the different modes do on this page: http://help.comodo.com/topic-72-1-451-4760-HIPS-Behaviour-Settings.html

Basically Paranoid mode ignores everything regarding TVL and only uses the HIPS Rules which means if there are no HIPS rules then you’ll get an alert, even if it’s a known program. It shouldn’t change any other settings.

However be aware that Paranoid mode could cause your system to stop working normally, for example on my system it sometimes prohibits me from logging in because all I’ll see is a black screen, that was fixed by setting HIPS to training mode and then restarting a few times and then setting it to Paranoid mode again, but even then most of my start-up programs wouldn’t start on start-up and I would get stuck when trying to shut down, it would simply never complete… I never got any alerts for this though. :-\

So enabling Paranoid will give you more control but it might introduce unwanted side effects.