Questions regarding DEF+ and the File rating system.

I was wondering how the Defense + HIPS and File Rating systems work exactly and if they interact with each other:

  • Which system goes into effect first on new event?
  • Will files that already exist in the DEF+ rule set still be checked to see if they are trusted or not? (leading to other questions)
  • Will applications that were changed or updated (but still have the same path and name) be checked to be trusted or trigger new DEF+ alerts (even though they already have DEF+ rules)?
  • Does CIS check every application (upon login) that exist in its database (file rating or DEF+ rules) to verify that its indeed the file it encountered previously and not some files with the same path and name? (I can think of a scenario where files can be modified outside of windows).
  • Can it be said that DEF+ is redundant now that we have file rating system with cloud support and the sandbox?

(Yes, I’m paranoid)


I had similar questions like you as to how CIS 6.0 prioritizes/executes its various security settings. Happily, COMODO provides online help documentation for CIS 6.0 to answer such questions, located here:

In regards to your specific question, the documentations states that:

HIPS trusts the applications if:

*       The application/file is included in the Trusted Files list

*       The application is from a vendor included in the Trusted Software Vendors list

*       The application is included in the extensive and constantly updated Comodo safelist

(The above is located on the following webpage:
HIPS Behaviour Settings, Comodo Internet Security | Comodo Internet Security v6.3)

Based on the answer, you can see that HIPS and the File Rating components are integrated. The Trusted Files list, Trusted Software Vendors list and cloud-based COMODO safelist are all part of the File Rating settings and are referenced by HIPS to determine whether an application can be trusted by HIPS.