HIPS Rules - File Open Dialog not allowing System files.

When I shut down my PC I usually get a HIPS popup Alert telling me that System wants to modify a file. The Alert doesn’t stay on the screen long enough to answer it and tick Remember, so I decided to consult the HIPS Events logs and add the file that System wants to modify to the System HIPS Custom Rule myself.
Now when I open up “HIPS Rules → System Custom Rule → Protected files/folders → Modify → Add → Files” and enter the file with its complete path in the Open Dialog I get a Windows message dialog saying:

C:\Windows\system32\WDI\LogFiles\ShutdownCKCL.etl
You don’t have permissions to open this file

Contact the file owner or an administrator to obtain permission.

I’m logged in as administrator but obviously this file and all its sub-directories have only System permissions set to it.
Sounds to me as if Windows thinks I want to open the file but I only want to add it to the System HIPS Custom Rule.

As I don’t want to mess around with directory/file permissions, how can I make the HIPS Rules File Open Dialog accept System files?

Furthermore, HIPS runs in Safe Mode so why isn’t this file added to System Custom Rule automatically?
During normal Windows use I had to answer another HIPS Alert about System wanting to modify another file; it seems that System isn’t allowed by HIPS all the time.

Of course I can ignore the HIPS Alert at shutdown but it is somewhat annoying to have to see it every time.

I’ve attached a screenshot for clarification.

Do you have Logging set to Write to Windows Event Log by any chance?

Nope, it is unticked.
I have only “Write to local log database (COMODO format)” ticked. I guess that was default setting.

EDIT:

Would it be of any help to enable it too?

For information…

As can be seen in the screenshot, the two files

C:\Windows\system32\Logfiles\WMI\RtBackup\EtwRTDiagtrack-Listener.etl
C:\Windows\system32\Logfiles\WMI\RtBackup\EtwRTCITTelControl.etl

were added to the System HIPS Custom Rule by answering the two corresponding HIPS Alerts (and ticking Remember) which popped up during normal Windows use. So these files also weren’t added to the System HIPS Custom Rule automatically despite HIPS being in Safe Mode.

For information part 2 …

HIPS runs in Safe Mode with:

“Set popup alerts to verbose mode” enabled (ticked)
“Create rules for safe applications” enabled (ticked)

But I think that was obvious.

As for the File Open Dialog not allowing System files issue, there is a workaround to it that I’ve applied in the meantime so I don’t get the HIPS Alert anymore during shutdown which removes the inconvenience.

However, with the workaround the File Open Dialog not allowing System files issue still persists and it also doesn’t solve as to why the mentioned files aren’t added to HIPS Custom Rules automatically with the mentioned HIPS settings.

Create rules for safe applications causes all rules to be deleted on shutdown while a new rule is being auto created; this includes the default rules, which for SYSTEM is part of the Windows System Applications file group that has the Windows System Applications pre-defined ruleset. There is no reason to use create rules for safe applications; it is an option that needs to be removed, as it also causes high CPU usage when those rules are being dynamically created.

You are no ambassador for promoting create rules for safe applications, I know. :)
I have never experienced any difficulties using this mode while using it for decades.
This mode gives plenty background information for experts so I would certainly not vote for it to have this feature removed.
I’m happy with it. :)

To be back on topic, the last two mentioned files weren’t added automatically to the System HIPS Custom Ruleset during a normal windows session (not shutting down). They were added to the System HIPS Custom Ruleset by answering the HIPS Alerts and didn’t get removed from the Custom Ruleset since then.

Anyhow, everything is working fine now regarding this issue, it’s just that the File Open Dialog doesn’t like to open System files when you want to add those files to a Custom Ruleset (you have to use a workaround which does the trick).

Losing default HIPS rules for SYSTEM is a serious issue and will lead to needless alerts. Is it possible for Comodo to fix the “auto delete rules on shutdown while a new rule is being auto created” Bug and also the problem with high CPU usage when the rules are being dynamically created? If they can’t fix it or it is not among their priorities, then I think it is for the best if this function is removed.

There are many users afraid to leave HIPS enabled because they think it will generate too many alerts (which isn’t true at all for Safe Mode). I can’t help but wonder if they ever enabled “Create rules for safe applications”, got critical rules auto deleted leading to multiple alerts, and then jumped to the conclusion that HIPS is the culprit, when in reality this option is at fault…

“Create rules for safe applications” is causing more harm than good at the moment.

As I didn’t have any issues with “Create rules for safe applications” in the past, I vote to keep it but would suggest renaming it to something like:
“Create rules for safe applications (not recommended)”
“Create rules for safe applications (for experts only)”
“Create rules for safe applications (expert mode)”

Or any other name that would tell novice users not to use it.

But we are getting off topic I guess.