Need to be online for HIPS whitelist?

As far as I understand that whitelist/HIPS thing, I need to be constantly online that the file hash can be checked at Comodo. What about the users with dial-up that aren’t constantly online. Will CAVS work for them?

Or is the whitelist included in the CAVS download package and saved locally like virus signatures are? How big would such a whitelist file be? How do you prevent malware from altering the whitelist if it is locally saved?

I think I didn’t fully understand how that full-blown whitelist/HIPS approach will look like.



CAVS performs a real time scan against comodo servers to check the most up to date version of the safe list. Users can disable this feature, and just use the safe list that is installed with the program. Safe list databse is updated with malware database.

HIPS works like this:

  1. Check application against installed safelist file.
  2. If on safe list, then allow file, or if not found, check against latest saflist at Comodo.
  3. If still not found, perform a virus scan. If clean, display HIPS alert for user action.

To disable online lookup unckeck ‘look up at comodo safelist server if file is not found as safe’ under the HIPS section of the settings in CAVS.

The safelist is an encrypted file so it cannot be altered by malware. As for the size of the file, I’m unsure for CAVS.


But if that database is really that huge, the database file needs to be huge as well. I think of hundred million file entries, each with say 16 bytes per entry. Now I’m already in the gigabyte-size area.

Perhaps the database has usage statistics where 10% of the file serve 90% of the requests but that is still too big to download. I’m still puzzled how this will work.


While I don’t know what size wise is for the safelist files in GigaByte’s, the current installed safelists of CAVS and CFP have around 11,000+ files.

From CFP 3 and soon CAVS the safelist will be over 300,000. How this converts size wise, I don’t know, perhaps an explanation by Melih or one of the devlopers can clear this up more?


Not sure about this…
Cpf v2 safelist should have 8577 entries and a total uncompressed size of 5298853 bytes with a compress ratio of 1:6.55

A whitelist of 400000 entries will be about 247119179 bytes and a compressed estimated size of 37728118 bytes (35 MB)

That would be the full whitelist size…

But no one needs the full whitelist. There could be a default size whitelist and an option to download only needed additional elements. Each element is about 650 bytes uncompressed…

Thanks for the information!
I was just wondering how good the protection is for someone that is not always online. If a safelist with the most important 400000 files is about 35 MB this is ok, because this would be a size one could easily download at a friend. Now I’m seeing clearer.


As I understand it, you don’t get the full list. The system scan to establish safe applications only loads that part of the list that is needed for the system. Then it updates as you go.

I could be wrong though, or thinking about something else… My apologies if so.


I’ve just started tinkering with CAVS and the first ‘situation’ I encountered is that of not being permanently connected. Two effects I can see. No ability to use the Profiled user database and continuous prompts from the reporter applet, wanting to send reports back to Comodo.

The main problem is the first. Without the ability to check ‘online’ one will be limited to a small, although I assume, updated whitelist. It also has the effect of loading CavApp.exe which added an additional 15Mb to the existing 62Mb of memory used by CAVS That’s 77Mb total memory utilisation!

Not sure I can see a way around this for dial-up and non-permanently connected users, as the on-line whitelist is key.


You can turn off auto-submissions - Settings/HIPS/Automatically submit files… Uncheck it, click Apply, and you’re set.


Thanks LM. Just need to think about the whitelist issue now…