I was wondering how the Defense + HIPS and File Rating systems work exactly and if they interact with each other:
- Which system goes into effect first on a new event?
- Will files that already exist in the DEF+ rule set still be checked to see if they are trusted or not? (leading to other questions)
- Will applications that were changed or updated (but still have the same path and name) be checked to be trusted or trigger new DEF+ alerts (even though they already have DEF+ rules)?
- Does CIS check every application (upon login) that exists in its database (file rating or DEF+ rules) to verify that it's indeed the file it encountered previously and not some file with the same path and name? (I can think of a scenario where files can be modified outside of Windows).
- Can it be said that DEF+ is redundant now that we have the file rating system with cloud support and the sandbox?
(Yes, I’m paranoid)
I had similar questions to yours as to how CIS 6.0 prioritizes/executes its various security settings. Happily, COMODO provides online help documentation for CIS 6.0 to answer such questions, located here:
In regard to your specific question, the documentation states that:
HIPS trusts the applications if:
* The application/file is included in the Trusted Files list
* The application is from a vendor included in the Trusted Software Vendors list
* The application is included in the extensive and constantly updated Comodo safelist
(The above is located on the following webpage:
HIPS Behaviour Settings, Comodo Internet Security | Comodo Internet Security v6.3)
Based on the answer, you can see that HIPS and the File Rating components are integrated. The Trusted Files list, Trusted Software Vendors list and cloud-based COMODO safelist are all part of the File Rating settings and are referenced by HIPS to determine whether an application can be trusted by HIPS.