HIPS vs Behavior Blocker

Jon79 · December 24, 2012, 11:16am

HIPS vs Behavior Blocker
Which one do you use in CIS 2013 / CIS 6 ? And why do you think your choice is better ?

a256886572008 · December 24, 2012, 11:24am

They can be bypassed by some java exploit kits.

For example, java.exe creates an autorun entry for a malware.
(The sample is dead now.)

Seany007 · December 24, 2012, 12:07pm

Here is my basic understanding of it. HIPS give you a lot of alerts and much more informative info which is good for a advanced user like me. BB gives you only few alerts but provide you with the same level of protection as HIPS good for a basic/medium user.

The Q here what is better for you? I use HIPS.

Seany007 · December 24, 2012, 12:11pm

Really? That’s not good. I hope Comodo will fix that. For now thank God I have EMET and ExploitShield.

a256886572008 · December 24, 2012, 12:20pm

For HIPS, only Online Armor can block it.

Because OA can block unknown autorun entries created either by a trusted application or by an unknown process.

In the picture, the java.exe is an trusted application.

[attachment deleted by admin]

TonyChipper911 · December 24, 2012, 1:04pm

I use the behaviour blocker, however, does HIPS auto-sandbox unknown files - or is the user asked?? I understand IT, I just like the BB auto-sandbox which I have set as fully virtualized, can I still use EMET?

Jon79 · December 24, 2012, 1:17pm

Well, I don’t have java installed on my system, so that should not be a problem
Anyway, I understand your concern, so I hope Comodo team will think about that

Jon79 · December 24, 2012, 1:30pm

If we revert CIS 6 to CIS 5.10:
HIPS = Defense+ security level
BB = Execution control level
Sandbox = Sandbox security level

So, if I’m correct, we can enable both HIPS and BB in CIS 6, as well as we were able to do in CIS 5.10…
Any benefit with this?

HeffeD · December 24, 2012, 4:20pm

Reduced performance due to unnecessary redundant checks from the HIPS on safe files. This is why the HIPS is disabled by default.

Seany007 · December 24, 2012, 7:03pm

Well I run both. HIPS on and BB on. Not sure about benefits but I have no issue with it. But HIPS are enabled by proactive configuration right? And BB are on in all configurations?

Seany007 · December 24, 2012, 7:05pm

You can still use EMET. I do. No issue what so ever.

Mrarnold · December 24, 2012, 10:34pm

Ive disabled the hips and run the BB fully virtualized.
in the hips section do i need to tick the “do not show pop up alerts and block requests”?
Thanks. ???

HeffeD · December 25, 2012, 4:45am

That depends on your preference. Do you not want to see an alert when it blocks something?

You can’t think of the HIPS like it functioned in previous versions. Disabling the HIPS doesn’t turn it off. It still reacts if the BB encounters an unrecognized file.

a256886572008 · December 25, 2012, 4:46am

In V6, this function is for HIPS only.