HIPS or Behavior Blocker?

That is how Egemen explained to us that it worked when we were given the first moderator preview. I’ll ask him if I can quote his comments on the moderator forum here in the public forum.

Sorry, but how should I find the configuration that fits my needs if the software doesn’t do, what the documentation and the settings imply?
And how should I have trust in a security software that doesn’t do what the documentation tells me it does?
And how should anyone give valuable support if noone from us knows, what CIS is expected to do?

I believe this is correct. The Behavioral Blocker is in charge of deciding which files are safe and which are unknown. Those which are unknown will be auto-sandboxed with the level of restriction which the user has chosen.

However, what this auto-sandbox does is allow the application to perform certain actions while blocking others. The way I like to think of this is that the auto-sandbox is like an automatic HIPS. Instead of asking the user what they would like for every popup the Behavioral Blocker will make those decisions. I think that’s where the main confusion is coming from. It is almost as if the HIPS is still on even though it is disabled.

Also, future versions of the Behavioral Blocker will have the ability to undo changes made by sandboxed applications. It will also include a module which will monitor the behavior of applications and warn the user if they believe they are suspicious. Thus, what we are seeing right now is just the framework of the BB. Comodo plans on expanding its role.

If anyone has any other questions I’d love to answer them as well as I can. This is definitely a confusing thing to talk about, but I’ll do the best I can.


Any idea when this might come? Have you seen a BETA of this. The Behavior Blocker sounds like it will be much improved. Thanks for the information. Sorry if I am asking too many questions. :embarassed:

No worries. The answer is that as far as I know there is no ETA for this yet. Comodo wants version 6.0 to be as stable as possible before they start adding new components.

thats it. :slight_smile: nice that the mods knows more, but @Comodo, dont forget to think about the endusers!
The truth is, that right now, no one of the endusers really know how CIS works and how to handle it for best protection! That was BigMike is telling above, that is the real and big problem.

I can only say again, that the documentation tells us, that the BB is just an autosandbox that checks hashes, and nothing more. - Other like the mods tell to us!

I hope Comodo will find a better way for us, the endusers of CIS.

@Comodo, if the software works like the mods want to tell us, then please make a better documentation for the BB

That makes sense. I think the Behavior Blocker does work well in this version. It will still be exciting to see the improvements in future versions. Thank you for the quick reply Chiron.

That is what i mean. that happend cause misinformation. How can the Behavior Blocker work well, if it is not a behavior blocker? It does not analyze any behaviors! :slight_smile: :wink:

If u would say the Automatic sandbox which checks hashes works well, then all is ok. Or like the mods say the sandbox/hips combos works well, then its ok too. :slight_smile:

right now, u r one of many users who are misinformed, sorry :frowning:

Sorry there aren’t any links because this is a conversation from the mod board, but Egemen has given me permission to quote his statements here.

This is the relevant portion of the release features:

To which I asked,

And this was his response.

Thanks for the info HeffeD. I can’t wait until Comodo makes the Behavior Blocker into a more traditional behavior blocker.

And this was his response. Quote from: egemen Yep. Previously, if you disabled D+, everything was disabled. Now its not.

Yes. Behavior blocker is used because we will be adding traditional behavior blocking and combine autosandbox and BB.

Thanks for the clarity :-TU
looking forward to future releases…

Thank you HeffeD.

I think the problem here is, that Comodo renamed the components which leads to much confusion. I don’t see a contradiction to the documentation anymore now. Thank you.

As I understand, egemen states, that the behavior blocker [“(auto) sandbox” in CIS5] does not depend on the HIPS [Defense+ in CIS5] anymore, such that you can disable the HIPS now without loosing the behavior blocker functionality, while in CIS5 disabling Defense+ disabled the sandbox capabilities.

But as I understood this topic, the question was if the new HIPS adds additional security to the new behavior blocker features and that’s probably the case. While the behavior blocker just limits unknown applications, you can restrict particular applications as you like it with the HIPS. If an application breaks out of the sandbox with HIPS disabled, there won’t be any alerts.

HIPS-only is better.
BB (auto-sandbox) causes issues to some applications and you can’t whitelist anything (https://forums.comodo.com/defense-sandbox-help-cis/avoid-application-sandboxing-t89581.0.html).

thats the case! So i would still prefer the HIPS component of CIS.

But the only info we got from Egemen in clearly words, that till now, nothing has changed, except the components have other names now and they run alone now and need not run together like in the past.

The v6 BB does block more than its predecessor.

Good to know. So far CIS 6 has done a great job for me. Thanks EricJH.


Hi and thanks for all the good info on how to setup Comodo CIS.

I’m a bit perplexed concerning the BB setting you suggest.
In your article it’s Untrusted but in this thread it’s restricted. ???
Sorry if I misunderstood the reading.

Also, did you write something about the differences of all the options in CIS?


As far as I remember there’s just a minor bug where a screen-logger can bypass Untrusted, but is blocked by Restricted. However, as the firewall will block transmission of the logs anyway, I don’t consider it a main issue.

As for the different BB levels, please check the help file. It has a good description of these.