questions regarding hips

From what i’ve heard even though hips is disabled it is still active but doesn’t show alerts.

If I enable hips is there an option that actually says don’t show alerts and then gives option for default action like how cis 5 gives option to not show alerts and then user can choose allow or block for default action? If this option is there then that would lead me to believe the user is loosing more than just alerts with hips disabled. If the user really does only loose hips alerts with hips disabled then why not change the wording from hips disabled to do not show alerts and then give option for default action like cis 5 with block or allow?

Also in cis 6 what is the default action for hips when It’s disabled if it is still active even though it says It’s disabled?

Edited capitals at the beginning of each sentence for ease of reading. Eric

The HIPS isn’t just turning off alerts when it is disabled.

In previous versions of CIS, the HIPS was monitoring all execution control.

In CIS 6, when the HIPS is disabled, the BB is doing the initial execution control monitoring. The HIPS will only come into play when an unrecognized file is run.

And no, I can’t get any more specific than this, because I’m still a bit unclear on just how the HIPS functions now. All I can say is what we’ve been told by Egemen, and that is that you can’t think of the HIPS the way it used to function. “Disabled” does not equal “Off”. The HIPS will still act when running unrecognized files when it is disabled.

I was lobbying that the GUI needs to make it clear just what “Disabled” means, and why the HIPS is disabled by default, but that didn’t happen.

I see your point. To any new user of Comodo it will be very confusing. Let’s hope it will be much more clear as we get to the RC stage.

It is kind of confusing, but maybe it is something the average users will never even think about or question.

What is the average user? And what about the newbies? Must we leave them in the dark? No.

Average user must always think and question. To understand the smallest detail is being a pro.

I consider myself an average user yet I do find CIS 6 BETA a bit all over the place. Plus if you not sure how the program works who does? The guys who make it. That’s it. But sure just wait for the user guide.

I’d certainly like to know WHY does the HIPS is disable by default!?!??! It has always been the backbone of CIS and now it is disable by default >:(

@HeffeD - Sorry but I don’t understand your explication or at least the logic behind it :frowning: By the way, from what I seems to see the BB is now doing what the sandbox of CIS 5.10 was doing…


The automatic sandbox in V5 was essentially like an automatic-HIPS. It automatically allowed certain behaviors while blocking others.

In V6 this is exactly what the Behavioral Blocker is doing, only it is even smarter and stronger than what was in V5. The HIPS in V6 is now really just a classic HIPS. Thus, if you are using the Behavioral Blocker you do not need to enable the HIPS. After all, what would be the point of running an automatic HIPS, where you have essentially already told it what you want allowed and what you want blocked, and a HIPS which will ask you each time.

I hope that helps clarify the difference. If not please ask and I’ll try and explain it a little bit clearer.


I would not consider anyone that reads, moderates, etc. antivirus forums as an average user. I would suspect you are MUCH more informed/knowledgable than the average PC user when it comes to virus protection. 99.999% of the population has no idea what HIPS is.

disabled by defult was a wise move, however deleting the option to enable it in the setup was way not wise.

cis 6 beta is easily killed by any program, which I consider a mistake. :frowning:

mind explaining in more detail? what killed it? what was killed?

I thought the auto sandbox and bb came into play when an unrecognized file is run. if that’s right then what does hips do? if not then what does the auto sandbox do?

to me it sounds like they renamed hips bb but if you want hips to be louder then you enable hips. I think they should just use one term or the other and have 2 levels. normal mode which would be the bb which is quiet and then a strict mode which is hips and gives more alerts so users can have greater control of things as they happen. with the current setup of cis 6 it sounds like the bb monitors and then if unrecognized files run it tells the sandbox to kick in or ask the user what they want to do for only certain situations.

I think enabling hips and setting it to auto block and disabling bb would be the most secure way to go the user wanted to increase protection over default cis config would it not?

It’s BETA that’s why. So don’t panic.

I prefer HIPS which ask me each time. So using behavioral blocker and hips won’t provide any extra security it’s just for rules? One manual one auto? Right?

BB is enabled!

case1: If the HIPS is enabled! (the same condition for CIS V5)

The HIPS rules will be activated. (for “block” only)

The taskmgr.exe can not kill CIS.

case2: If the HIPS is disabled!

The HIPS rules will not be activated.

The taskmgr.exe can kill CIS.

I don’t entirely understand how the Behavioral Blocker and the HIPS fit together, at least not the details. However, Egemen was very clear when he told us that in terms of security concerns you do not need both the Behavioral Blocker and the HIPS to be activated at the same time.

Thus, unless someone can find a piece of malware which is able to bypass the Behavioral Blocker, when set to Limited or higher, I am not too worried. However they have set up the behavioral blocker it seems to me that it is working well and very silently.

Now that we already have BB working great on a base protection, we can consider HIPS to be more for advanced/paranoid users (like me), right?

This keeps Comodo popup free and usable for women and children ;D

In laiyman’s terms, if a logical program behaviour is to harm your computer, the BB will block it, but if you want a more advanced control over a program, for instance, if a program will not harm your computer (by logic BB analysis) but you want to control exactly what it can affect/change, you use HIPS to limit it’s operation.

I believe that is correct.

From what I’ve seen so far, if the HIPS is enabled you won’t receive more popups than when it is disabled unless you set it in paranoid mode. In parano mode, the HIPS is more difficult to manage than in version 5.10, at least in Win 8 which seems to be a very active OS (always checking stuffs and making logs), as you are flooded by popups.

Hence what’s the difference between HIPS disabled and HIPS enabled in safe mode as you’re no more alerted in one case or the other?