HIPS warns that System is trying to modify/create an etl file.

Hello, I have activated HIPS again, as it feels strange to have CIS without HIPS.
Sandbox and Viruscope are off; they have messed up a few installations and I do not feel they need to be there all the time.
HIPS is in safe mode, although a deep scan with CIS and with Malwarebytes gave a virus-free result (heuristic medium, scan for rootkits).

Today I got two warnings for files I had never heard about, which, I read on the internet, are log files, but I could not find out “logs of what?”.
Which program is using these logs, for which purpose, and why now (HIPS has been active for a while)? I feel like I am being spied on.

Here are the screenshots: I could not see the screenshots in the preview, so I posted, and I see now that they were attached at the bottom.

Well, should I worry? Should I allow and let it remember? Should I put HIPS in Clean PC? Make a rule? Drink a tea?

[attachment deleted by admin]

You need to add the file group Windows System Applications to the HIPS rules and treat it as a Windows System Application ruleset. Go to HIPS rules and add a new rule, then next to Name click Browse, File Groups, select Windows System Applications, then next to Use Ruleset select Windows System Application. It should look like the attached picture.

[attachment deleted by admin]

Thank you :wink:

Shouldn’t Comodo create such basic rules (I mean, come on, it is WINDOWS SYSTEM!) on its own?
What went wrong there?

Yes, normally there should be three preset rules.

Dennis

You mean rulesets?
I had three I think, because now with this new one I have four, look at the new attachment.

Could you think of any reason why this Windows System thing was not automatically created? I suppose it may also have been responsible for a warning I sometimes saw when turning off the PC, something about System trying to do something. I could never really read it well or make a screenshot, because the system was turned off immediately after.

[attachment deleted by admin]

No, in HIPS rules. If no one else posts a screenshot, I will do so later.

Have to switch to Win 7

Dennis

Oh yes, I see now your Avatar.
I never was brave enough to do that. Maybe in the future, also because I kind of feel a certain antipathy for the horrible 4 (Google, Microsoft, Apple, Amazon).

In the meantime, I post the two screens with the rules in my CIS. The first one is of course the one I have created today.

Cheers

[attachment deleted by admin]

Here are the screenshots of the two preset rules; it appears I lost one :slight_smile:

Dennis

[attachment deleted by admin]

Yes, the individual voices inside the group Windows System are the same as I have here.
I do not have the Windows Updater group. Is that important? I did not have any problems with Windows Update.
Apart from the fact that I notice now that I do not receive notifications when new updates are available, but it may depend on something else.

I will repeat myself, but why do you have the Windows System voice automatically there, while I had to create it manually? What went wrong in my Comodo?

Could be a corrupt configuration when updating to newer versions of CIS over an existing install, but judging by your HIPS rules I’m guessing you have “create rules for safe applications” enabled in HIPS settings, which removes all default rules and creates new rules as needed.

No, I don’t.
But it may be that I did select this option once.
If one selects this option and then deselects it again, would the deleted rules be restored?

No.
You may wish to post this as a bug, because I think it should.

Then we have probably found out what happened.

But I do not understand. In the online help guide it says:

Create rules for safe applications - Automatically creates rules for safe applications in HIPS Ruleset (Default = Disabled).

And also given the following explanation, I had understood that if I selected this option CIS would automatically create rules, otherwise I should create them all manually or by answering “allow” to a popup each time.

But you are telling me the opposite.

Or, what did I misunderstand here?

The only way I know to put all presets back, i.e. return to the default profile, is to import a default profile from the Comodo folder and activate it.

Please note this also removes all rules you have added and settings you may have changed.

The best way is to back up/save your profile before making changes or once a month.

Dennis

I am a thousand light-years away from the competence of you guys, so I do not have this ability of creating special rules (as I may know how, but I ignore which rules I should create). This means I would not hesitate to restore the original profile by doing what you say, or by uninstalling/reinstalling, if the original profile would have safer rules and a more frictionless experience.
Eventually I will just have to answer “allow and remember” again for some things, no big deal. Done it already.

But I would like to know:

  1. Would I have any advantage if I restore the original profile?
  2. Read my last post. What did I misunderstand? Why do I have the impression that what you told me is the opposite of what the help guide says?

Yes, by your very statement “have safer rules and a more frictionless experience”, as you wouldn’t have to worry about needing to create rules manually or answer alerts for Windows applications and other applications that are deemed safe by Comodo.

2) Read my last post. What did I misunderstand? Why do I have the impression that what you told me is the opposite of what the help guide says?
The help guide is correct but doesn't state that existing rules are deleted, so it's not clear if that's intentional or a bug when setting the option to create rules for safe applications.

I am afraid what it says in the help guide and what actually happens for everyone are not the same :slight_smile:

Most users, like me, have no problems, even when I try to pester CIS :slight_smile:

But others have problems, one of them being disappearing rules. The advantage of importing a fresh profile is that everything is correct; the disadvantage is that you lose all the rules you have added, which can be quite considerable.

If you choose a different name for the profile it will not overwrite the existing one, or at least it should not.

Dennis

I thank you for the answers, but either you did not understand my question or I your answers.

In my understanding the Guide says that I have to select the option “create rules for safe applications” to “instruct CIS to begin learning the behavior of safe applications so that it can automatically generate the ‘Allow’ rules.”

I have understood that you are saying that if one does NOT select “create rules”, he will have the advantage of not having to create rules manually or answer the popups. Which sounds like the opposite of what the guide is saying.

That is what I meant with “what am I misunderstanding?”.

The guide is correct; it should create rules for safe apps without asking.

It seems in some cases this does not work as it should; plus, if any preset rules are missing, it is liable to ask instead of creating the rule.

I presume you are using Defense+ in Safe Mode and have the Trusted Vendors list and Cloud active.

The idea behind not creating rules is that if you have a large number, it takes time to check them all; no rules, no checking, just allow.

Dennis

I can’t find anything about Trusted Vendors, and I find Cloud only in the options of the Antivirus Scans.

What if I uninstall and reinstall Comodo and we make it shorter?
After all, I have created no rule.
Not manually.
Just allowing. I can do that again if necessary.
As far as that would make things easier in the future.