Question on Protected Files


Today I wanna use the “Protected Files” function to protect some important files. You can find this function via “Advanced settings – HIPS – Protected Objects – Protected Files”. In my test, I first create a file group which contains some .doc&.docx files that to be protected. Then I added this group to the “Protected Files” section. I use Microsoft Word to open a .docx file that is in the protected files, and it shows READ ONLY in the Word application. I think it works as expected so far.

However, what I really want to achieve is protecting these files from deleting or modifying by other applications rather than the Word application. In other words, the editing or modification of the protected files should be allowed by specified apps.

To this end, I tried to create a HIPS rule for Word application and add the above-mentioned “Protected Files” in its rules edit windows “Access rights – Protected files/folders – modify – Allowed files/folders”. After that, I reopened the file with the Word application, it still shows as READ ONLY. It does not work as expected.

I tried to learn some tips from the help file of CIS. You can find it here.

After following the instructions, this issue persists. Besides, strangely I can ensure that official help instruction on the Protected Files, especially the given example at the end is totally wrong from two aspects. The first one is the logic of the demonstrated rule creation is really confusing, why the target .odt file is regarded as the parent process and the parent app .exe regarded as the target?? The second reason is the created rule doesn’t work. You can test it. I have no idea how to realize my expectation of Protected Files. I appreciate it very much if you could give me any advice.

P.S. I hope you can revise the help file regarding the mentioned “Protected Files” part.

Hi Redstraw,

Thank you for reporting.
We are checking on this.


hi @C.O.M.O.D.O_RT
is there any progress on this concern?

Not so ideal or comfortable:
you can create a new group named Malicious in file rating which will be blocked by comodo. But files or folders you have to set to trusted if you want to open them.

My knowledge of HIPS isn’t as extensive as I’d like but a HIPS pop-up alert for any application if it’s set in Paranoid Mode rather than Safe Mode as HIPS allows access for programs/processes deemed as Safe in Safe Mode.

By the way, you can protect your entire drive with HIPS under protected files adding ?:* will cause HIPS to protect all files on all volumes and drives. I used to do that but found some delays and hiccups now and then on my old PC. I find Containment set to Restricted by default the best way to go with protecting your data and you can use Protected Data in HIPS in conjunction with that to make any files invisible to those running in the container.

It may be possible to do what your asking for you need to change your HIPS setting to Paranoid Mode for that, from what I understand.

nope. paranoid mode is not my ideal choice as many many popups may generated.

I am assuming that you are attempting to protect certain files against malicious action (protecting Doc’s against ransomware). Attempting to make a specific HIPS rule to meet that end can be termed Reactive Protection, something that is needed to bolster inadequate protection by the main AM application (preventing unknown malware from doing nasty things). Folks currently using newer products like Checkpoint Harmony and DeepInstinct are realizing that Reactive rules need to be added.

Fortunately with both Comodo’s Containment AND Script Analysis active one already has Proactive Protection- unknown malware will be automatically blocked from any nastiness before it can occur, so any obsession over a Reactive Rule is really pointless.



I want to use this feature to safeguard valuable files (spreadsheets, databases, documents) against accidental or deliberate sabotage. Such sabotage is not only from malware/ransomware but also from artificial.

hi @Redstraw

Please find the below steps to achieve the scenario you requested and let us know your feedback after testing

  1. Add file path(s) to Protected Files

  1. Edit HIPS rule for All Applications to block access to specified file path(s):


  1. Create rule for WINWORD application to allow modification of specified file path(s):
    Word path: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

  1. Move rule under the rule for All Applications:


  1. Save settings.

This way modification access will be blocked for all apps except WINWORD.EXE

Hi @ilgaz, here is my feedback, correct me if I am wrong. I cannot achieve the expected result by following the steps you gave. Although the given steps were based on the Xcitium platform, I tested it on CIS as I don’t have an XCS installed currently. I believe XCS and CIS share the same function in this scenario for “Protected Files”.

I think the 4th step is wrong. You said

If I remember correctly, the order of the HIPS rules from top to bottom determines the processing sequence and priority level. The rule on the top (the first rule in the HIPS rules list) has the highest priority, while the rule on the bottom (the last rule, i.e., the “All Applications” rule) has the lowest priority. Hence, I think the created rule for WINWORD.EXE should be located above the “All Applications” rule. I have tested and it works after moving it above the “All Applications” rule.

Thanks very much for your kind help.

1 Like

Thank you for not giving credits for my idea nor for referencing to it, very thoughtful.

HIPS Protected Objects read-only access for files and directories

1 Like

hi @CISfan , I am sorry that I missed this topic, and that you already brought this back in 2021. Of course credits goes to you.

Hi, @ilgaz. As your instructions are based on the XCS platform, I tested it on XCS and it works great. However, I found that this instruction works on CIS only if putting the created rule above the “All Applications” rule. This is quite the opposite of XCS (which should be under the “All Applications” rule). Whether this opposite result indicates that the XCS has changed the handling sequence of the HIPS rules (from bottom to top)?

hi @Redstraw

HIPS rules work in different manner. It checks rules from top to bottom to build final config, if there are duplicated items for the same object, last rule overrides previous ones. So in general we can say the priority is reversed and allow rule should be on the bottom.

Thank you