HIPS still blocks/shows application as blocked when application is allowed

HIPS will not correctly register the setting for the application and still shows it in the blocked app list (but seems to only half block it or not at all)
Can you reproduce the problem & if so how reliably?:
Yes, all the time
If you can, exact steps to reproduce. If not, exactly what you did & what happened:
1: Launch application
2: Wait a bit
3: Check blocked applications; it will show up within 5-10 minutes or less
4: Add as allowed application or unblock for specified component or all components
5: Keep using the app or relaunch it
6: App will appear in the block list again
(App is not contained and it is normal and ok so, saying just in case)
One or two sentences explaining what actually happened:
Playing Diablo Immortal (don’t judge me ^^), and Comodo, even if it is a trusted executable, will block the game exe by HIPS but only “partially”.
The game can continue to be played but will have some issues at some point (loading correct windows in game making the game bug and have to restart the game completely, just one example of issues arising when blocked).
I then unblocked it completely and then even set it as allowed application in the HIPS config to avoid issues.
Worked, but after some minutes, the same exe will show up in the blocked list again, even though it is still in the HIPS app list as allowed application.
One or two sentences explaining what you expected to happen:
Should ignore the exe as it is an allowed app and stop blocking it / showing it up in the blocked app list.
If a software compatibility problem have you tried the advice to make programs work with CIS?:
Yes, and not working (allowed application applied to the exe)
Any software except CIS/OS involved? If so - name, & exact version:
Diablo Immortal PC version 1.4.0.886634
Any other information, eg your guess at the cause, how you tried to fix it etc:
No idea HIPS acting crazy for no reason… first time having the issue.
B. YOUR SETUP
Exact CIS version & configuration:
CIS Pro 12.2.2.8012
Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:
AV: Stateful
Auto-Containment: Enabled
HIPS: Safe Mode
VirusScope: Enabled
Website Filtering: Enabled
Firewall: Safe Mode
Have you made any other changes to the default config? (egs here.):
No
Have you updated (without uninstall) from CIS 5, 6 or 7?:
No (but would be time to update your template, we’re in version 12.x by the program’s about page…)
Have you imported a config from a previous version of CIS:
No
OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
Windows 10 Pro 21h2 (Os Build 19044.1706), UAC disabled (never notify)
Other security/s’box software a) currently installed b) installed since OS, including initial trial security software included with system:
a=Malwarebytes but no issue at all with both running and this is not a conflicting situation.

In the attached file, you can see the app in the HIPS as allowed application and at the same time in the blocked application list.
Allowed application config shown too (default one anyway - all allowed except the first one as in the screenshot).

Not a bug Comodo Forum

Is there a way to be sure that the app is actually trying to get access to CIS memory?
I wonder why a game would do that at all, but if it is the case, I would gladly report this to the devs and ask them for clarification/fix of this behavior.
Regards

Hi GSecurity,

Thank you for reporting.
Could you please share with us the download link of the game so that we can check and update you?

Thanks
C.O.M.O.D.O RT

Hi,
You need to download the game launcher: Downloads – Blizzard Entertainment
And then the game from it (Diablo Immortal).
Regards

Hi GSecurity,

Thank you for providing the requested information, we will check and update you

Thanks
C.O.M.O.D.O RT

Thank you, this is much appreciated!

Hi GSecurity,

Could you please check the issue now?
Let us know your feedback.

Thanks
C.O.M.O.D.O RT

Hi,
After checking I have the latest update + reboot I still have the same issue sadly.
App version: 12.2.2.8012
DB version: 34690
Website version: 64410

Regards

Tested again with latest update, still same behavior.

App version: 12.2.2.8012
DB version: 34691
Website version: 64410

Hi GSecurity,

Thank you for the feedback, we will reach you through private message to get required logs for further investigation.

Thanks
C.O.M.O.D.O RT

Sure :)

Hi GSecurity,

Could you please share with us the blocked file (DiabloImmortal.exe) by uploading it to any online storage so that we can check and update you?
DiabloImmortal.exe SHA1 value?
DiabloImmortal.exe file size?

Thanks
C.O.M.O.D.O RT

Hi,

Here are the requested file + information:
File: SwissTransfer.com - Secure and free transfer of large files
SHA1 Value (as seen in screenshot): 12cd4f18c6fae192b17b544eb3e23be5a5436136
Size (as seen in screenshot):
35.0 MB (36’775’712 bytes) / On disk: 35.0 MB (36’777’984 bytes)

Hi GSecurity,

Thank you for providing the requested information, we will check and update you.

Thanks
C.O.M.O.D.O RT

It’s called checking the logs, specifically the HIPS logs. You shouldn’t rely on the blocked applications list as it won’t show why an application is being blocked.

Is it me or do you sound a bit condescending? :-\

Anyway, I checked the logs and indeed it shows access memory. (screenshot provided)
Strange thing to see that WeFault.exe from Windows is doing the same too…
I really don’t see why those programs would try to access cis.exe’s memory…

And, saying you can’t trust/rely on a list provided by a security app is not the best statement one could make… (even tho you’re right)
I would rather suggest that the devs better this part of the app to either show more info or simply don’t show such blocking (or in a separate section related to self protection of the app?).
Definitely room for improvement. (Even in the link you provided it is suggested at the end that such info should not be shown as such (even tho I’m glad to see everything is blocked, but more detail in the list would be nice instead of having to go in the logs))

I still find the behavior of the app strange and I’m glad that Comodo’s team is looking into it.
(Really can’t see why a legit app would try to access security program’s memory or wonder how bad the devs must be to achieve such behavior without knowing… -_-)

Hi GSecurity,

Could you please check your inbox for the PM and provide us the requested log?

Thanks
C.O.M.O.D.O RT

Hi GSecurity,

Thank you for providing the requested log, we will check and report this to the team.

Thanks
C.O.M.O.D.O RT