1. What actually happened or you saw:
When manually starting an executable file through Windows Explorer, HIPS will alert for Explorer.exe trying to start a new process.
Some users don’t seem to know at first sight that HIPS alerts in Comodo apply to the object on the left side of the alert, and they will click the “Treat as:” option and select the “Blocked Application” or “Limited Application” HIPS ruleset for Explorer.exe which will prevent it from starting any new executable (known/safe or unknown) and thus destroying their own Operating System due to this silly mistake.
2. What you wanted to happen or see:
I wanted the “Treat as:” option to not be available on HIPS alerts regarding Explorer.exe System Process, the option could be either Grayed Out/Unselectable or not exist at all in such alerts. I bet this won’t take much resources to accomplish for the developers, at most they would need to design a different HIPS alert window for Explorer.exe.
3. Why you think it is desirable:
This topic’s first post serves as an example and I even saw a YouTube tester back in 2017 commit this very same mistake, choosing “Treat as: Blocked Application” for Explorer.exe and initially thinking that Comodo allowed an infection. Had said YouTube tester not deleted his video, I would link it here as well.
Explorer.exe being treated with any other ruleset than the default “Allowed application” will cause system malfunction and/or security breaches (if Trusted Installer is selected for example). Thus to avoid confusion or mistakes like this, the best is to remove this option on Explorer.exe alerts only.
Yes sure, novice users are advised to disable HIPS, but users will often change to Proactive Security configuration (default Internet Security configuration is too permissive for testing the real protection capabilities of Comodo) which comes with HIPS enabled by default and that should stay as it is.
4. Any other information:
Ploget’s reply to the mentioned topic gives a detailed explanation on this issue.
I would propose to add a default Allow HIPS rule for explorer.exe to allow it to start any new executable (is easy to add in my opinion) rather than disabling the choice in the HIPS Alert.
In this way novice users won’t get the Alert and expert users can revert the explorer.exe Allow HIPS rule (or delete it) to get back the HIPS Alert when explorer.exe wants to start a new executable.
For new users the HIPS Alerts are not always easy to understand and how they should be answered. HIPS certainly has a steep learning curve and this takes time for new users to understand HIPS.
I would expect from users who are using HIPS for a longer period of time that they know how to respond to the HIPS Alerts.
Sounds like a good idea to me but I think the developers might not want to implement this default allow HIPS rule for Explorer.exe, since this would be detrimental to the default Firewall Security setting which comes with disabled Containment and HIPS enabled (For Comodo Firewall only installations this is the default config) so any Unknown executable file started from Explorer.exe will be allowed to be executed in the default Comodo Firewall setting.
I just think that it is best to come up with a way (any way, really) to avoid such silly mistakes being committed by users who don’t know how to answer a HIPS alert and end up obliterating their own OS. I think this is in the same boat as my other Wish to remove Downloads folder from Virtualization exceptions, since even a YouTube tester (from COMSS.RU website) committed a mistake because of this default exception rule for Downloads folder.
Such situations should be always avoided if possible, it does no good to the product’s reputation.