HIPS vs Behavior Blocker

HIPS vs Behavior Blocker
Which one do you use in CIS 2013 / CIS 6 ? And why do you think your choice is better ?

They can be bypassed by some java exploit kits.

For example, java.exe creates an autorun entry for a malware.
(The sample is dead now.)

Here is my basic understanding of it. HIPS give you a lot of alerts and much more informative info which is good for a advanced user like me. BB gives you only few alerts but provide you with the same level of protection as HIPS good for a basic/medium user.

The Q here what is better for you? I use HIPS.

Really? That’s not good. I hope Comodo will fix that. For now thank God I have EMET and ExploitShield.

For HIPS, only Online Armor can block it.

Because OA can block unknown autorun entries created either by a trusted application or by an unknown process.

In the picture, the java.exe is an trusted application.

[attachment deleted by admin]

I use the behaviour blocker, however, does HIPS auto-sandbox unknown files - or is the user asked?? I understand IT, I just like the BB auto-sandbox which I have set as fully virtualized, can I still use EMET?

Well, I don’t have java installed on my system, so that should not be a problem :slight_smile:
Anyway, I understand your concern, so I hope Comodo team will think about that

If we revert CIS 6 to CIS 5.10:
HIPS = Defense+ security level
BB = Execution control level
Sandbox = Sandbox security level

So, if I’m correct, we can enable both HIPS and BB in CIS 6, as well as we were able to do in CIS 5.10…
Any benefit with this?

Reduced performance due to unnecessary redundant checks from the HIPS on safe files. This is why the HIPS is disabled by default.

Well I run both. HIPS on and BB on. Not sure about benefits but I have no issue with it. But HIPS are enabled by proactive configuration right? And BB are on in all configurations?

You can still use EMET. I do. No issue what so ever.

Ive disabled the hips and run the BB fully virtualized.
in the hips section do i need to tick the “do not show pop up alerts and block requests”?
Thanks. ???

That depends on your preference. Do you not want to see an alert when it blocks something?

You can’t think of the HIPS like it functioned in previous versions. Disabling the HIPS doesn’t turn it off. It still reacts if the BB encounters an unrecognized file.

In V6, this function is for HIPS only.