HIPS or Behavior Blocker?

By default the Comodo Firewall has the HIPS on instead of the Behavior Blocker. Is it okay to enable the Behavior Blocker and disable the HIPS?

Actually, the HIPS are disabled by default. They are however activated if you switch to proactive security.

Either way, I can tell you that I currently have the HIPS disabled, and recommend it in my article here. It works fine for me.

That makes sense. Do you recommend using the Comodo Firewall or Internet Security? I know that the Comodo Firewall has a cloud AV.

To be honest it’s up to you. In my opinion the detection of Comodo Antivirus is good. There are some which I believe are probably better, but to be honest that isn’t that important to me. Comodo Antivirus will catch most, and that’s enough for me.

For my views on how an antivirus fits into the realm of computer security please see this section of my article about How to Stay Safe While Online.

I agree about Comodo antivirus being pretty good. When I test it, it does about as well as Avast. I think I will stick with the Internet Security instead of the Firewall. Thanks for the help, Chiron. The article about setting up Comodo was very helpful.

You’re welcome.

Please let me know if you have any other questions.

I will. Thanks. :slight_smile:

Sure, it is OK. And Chiron’s guide is very helpful.

But right now I would say, if you want friendly usability then use the BB (even if it’s not a real BB right now, it only checks hashes).

If you want more security, then use the HIPS or both.

It’s one of the most user-friendly HIPS.

Using both doesn’t really improve your security, which is why the HIPS is disabled by default.

If you use both the HIPS and BB, you will reduce your system’s performance a bit, due to the HIPS making unnecessary checks on safe files.

That’s what I thought. I did disable the HIPS once I understood that enabling it did not provide any extra protection. I am really looking forward to the full behavior blocker. Does anyone know exactly what the full behavior blocker will do?

That’s not true, because in the default settings the autosandbox is partially limited and not fully virtualized!


<blockquote>Partially Limited - <b>The application is allowed to access all operating system files and resources like clipboard.</b> Modification of protected files/registry keys is not allowed. Privileged operations like loading drivers or debugging other applications are also not allowed. (Default)</blockquote>

… that is no HIPS protection!

I would prefer the HIPS only, but if he wants he can use both if he likes!

I want to know too, because right now it’s only a sandbox that checks hashes and does not analyze any behavior of a file.

Doesn’t BB get bypassed by Java exploit kits because most average users will not run a fully virtualized browser?

And again, that’s not true! Sorry!

If that were true, then it would mean that Comodo’s HIPS is not stronger than an auto"sandbox" that is partially limited!

Partially limited = The application is allowed to access all operating system files and resources like clipboard.

Actually, it is true…

You can’t think of the HIPS the way it operated in previous versions of CIS. Unlike previous versions, the HIPS is not Off when it is disabled. If an unrecognized file is encountered by the BB, the HIPS will still react.

The current incarnation of the BB is a bit of an automatic sandbox/HIPS combo.

So, having the HIPS disabled in CIS 6 (with the BB enabled, obviously) offers the same amount of protection as the previous versions of CIS using the automatic sandbox with Defense+ enabled.

This is why the HIPS is disabled by default. The user is still fully protected with just the BB.

Sorry, but that is totally illogical. First of all, I cannot read about it in the help guide of Comodo. Or sorry, maybe I have not found it.

And second, if it is how you describe it, why do we still have an option to use the HIPS, if it is no better security, because it is enabled already? Then the HIPS option is totally senseless.

It would be nice if Comodo could give a statement on which way they want to drive for the future - HIPS, autosandbox with checking hashes, or BB. A clear statement. And if they want to use all components and mix them, then please give us a better guide for using it!

The truth is, I can’t believe that the partially limited autosandbox gives us the same protection as the HIPS!

I don’t quite agree. The BB set to partially limited will provide less protection than if you just use the HIPS. For example, some ransomware can bypass the BB set to partially limited, but not the HIPS.

However, if properly configured I do believe that the BB can be a suitable replacement for the HIPS. That’s why I recommend in my article that users set the BB to Restricted. As far as I can tell there is no malware that can bypass the BB when it is set to restricted, even though I also advise users to disable the HIPS. Thus, the amount of protection at that protection level appears to be equal to that of users using the HIPS. However, those using only the BB receive far fewer alerts.


Please read the official help for the behavior blocker. There it’s clearly stated that the behavior blocker will auto-sandbox unknown files and let safe files run unsandboxed.
There’s no mention that HIPS will check any behavior in any case. Why should it, if it’s disabled in the GUI?

If you have another official source stating something else, please provide a link.

If you think CIS behaves in another way than described in the help file, create a bug report about the misleading help file entry and the misleading GUI options or the wrong behavior.

Thank you

Thank you Chiron, those are true words for me! :slight_smile:

Thank you Mike, that’s what I mean! Pity that my English is not as good as yours. But I see some users can understand me and understand what I mean!