Safe Mode always blocks application from trusted vendor

A. THE BUG/ISSUE (Varies from issue to issue)
I have a Synaptic driver (verified trusted vendor) and I’m in safe mode.
The .exe is automatically blocked by the HIPS and, even if unblocked, it is re-blocked ???

Can you reproduce the problem & if so how reliably?:

If you can, exact steps to reproduce. If not, exactly what you did & what happened:
1: Set HIPS in Safe Mode, use the touchpad
2: Observe that the driver C:\Program Files\Synaptics\SynTP\SynTPEnh.exe is added in the blocked applications list by HIPS
3: Unblock it from the list
4: Observe that the entry is immediately removed from the list and the HIPS allow rule has been created.
5: Go to the blocked apps list, and observe that the entry is added back few seconds later.

One or two sentences explaining what actually happened:
The driver comes from a trusted vendor, but it’s always auto-blocked by the HIPS.
Unblocking manually (right click from the Blocked applications list > Unblock) does not solve the problem: a rule is created, but the driver is blocked again after few seconds and added to the blocked list.

One or two sentences explaining what you expected to happen:
I expected that the driver was not blocked in Safe Mode since it comes from a trusted vendor.
Also, an allow HIPS rule is not evaluated and I didn’t expected it.

If a software compatibility problem have you tried the advice to make programs work with CIS?:

Any software except CIS/OS involved? If so - name, & exact version:

Any other information, eg your guess at the cause, how you tried to fix it etc:
Tried disabling the hips, and the application is not blocked.


Exact CIS version & configuration:
CIS, Proactive Configuration, Safe Mode.
File rating (cloud lookup) enabled
Trust application signed by trusted vendors enabled

Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:
All enabled:

  • HIPS Safe Mode
  • Autosandbox enabled
  • Firewall Safe Mode
  • AV Stateful

Have you made any other changes to the default config? (egs here.):
Create rules for safe applications: disabled
Trust files installed by trusted installers: disabled (tried enabling it, but no difference)

Have you updated (without uninstall) from CIS 5, 6 or 7?:

if so, have you tried a a a clean reinstall - if not please do?:

Have you imported a config from a previous version of CIS:

if so, have you tried a standard config - if not please do:

OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
Windows 10, 64bit, UAC max level, default windows account, no virtual machine

Other security/s’box software a) currently installed b) installed since OS, including initial trial security software included with system:
a=N/A b=N/A

What you’re seeing is CIS self-protection by preventing applications from accessing any of CIS processes in memory. You can see the blocking in the HIPS events for the mentioned application that is being blocked. In order to prevent this blockage you need to edit the HIPS rules for “COMODO Internet Security” and go to the protection tab of the rules window, then click modify under the exclusion column next to interprocess memory access and add the blocked application to the list. Once you OK all the changes syntpenh will not be blocked anymore and will not show up in the HIPS events or in the blocked application list. For more info see Active HIPS Rules, Network Access, Internet Protection | Internet Security

WOW, it seems to work :-TU
Thank you, I must admit this goes beyond my knowledge of the tool.

But is it only for CIS self-protection, or it works like this for all processes in safe mode?
So even if it was a trusted process, protections can bypass that evaluation?
How did you find out that was CIS self protection, and specifically COMODO Internet Security ruleset? Just my curiosity, I didn’t find such a granular event view

Self-defense is active for processes that belong to CIS when HIPS is enabled.

It’s not dependent of rating. You can inspect exclusions.