Setting up HIPS

So I have spent an enjoyable weekend getting to know CIS and really like it. I had a problem with unauthorized access (possibly using legitimate admin tools, maybe RATs) from a person (a programmer, but he had no legitimate reason to do this) whom I have to be in contact with for a bit longer. So I needed something beyond what the typical internet user might face. I used the Proactive setup, sandboxing of all unknown files as Restricted, medium heuristics, Viruscope on for both sandboxed and non-sandboxed, HIPS on.

Now for the HIPS: when I look at the Protection Settings for each of the Rulesets, all the States are set to ‘Inactive’. Does this mean the HIPS is turned off? I have the Enable HIPS option checked and all options checked under Monitoring, so I might be misunderstanding the State variable. Should this be turned on? I read through the manual quite a bit, but couldn’t understand this option.

Also, if there is a good configuration for the above situation, please let me know. I can deal with decisions and false positives.

Thanks in advance for any help!

Can you show a screenshot of your HIPS rulesets, so I can see what you mean by inactive?

I took one of the details for “Limited”, but the inactive part is the same for the other categories. Let me know if you need more, or if there is a way to export the whole ruleset as a text file perhaps.

Thanks for the help!

[attachment deleted by admin]

From the help file, inactive means that protection is disabled. I don’t know why it’s inactive with all your rulesets. Are you running a clean install of CIS, or have you upgraded from an older version?

Hi, thanks for your help and looking into this.

Clean install on a newly installed OS. I uninstalled (using Revo Pro and then Comodo’s cleanup tool, following all the instructions) and re-installed the latest beta version. They are still set this way. From reading the manual, I wonder if Protection Settings does something almost opposite to Access Rights? For example, for some isolated application (isolated.exe), in Access Rights process termination is blocked (isolated.exe can’t terminate other applications, which makes sense if it is not trusted). In Protection Settings, process termination is inactive (meaning isolated.exe CAN be terminated by other processes, which makes sense because you might want to terminate potential malware easily). I can’t figure out why nothing is protected, even Windows system applications… maybe it creates too many conflicts if not carefully implemented?

I have been thinking about this and that is the only thing I can come up with… I thought I might be missing something.

Yes, this is correct, from the help documentation:

Protection Settings - Protection Settings determine how protected the application or file group in your ruleset is against activities by other processes. These protections are called ‘Protection Types’.

Also, if you look at your HIPS rules you will see that the Comodo Internet Security group does have these protections enabled, with some exclusions; see the attached screenshot.

[attachment deleted by admin]
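The two-sided check that the reply above describes (the source process’s Access Rights govern what it may do to others; the target’s Protection Settings govern what others may do to it, with ‘Inactive’ meaning unprotected and ‘Active’ blocking everyone not listed as an exclusion), written out as an added illustrative model for this thread. It is not Comodo’s code and not CIS’s rule format; the ruleset names, their contents and the single exclusion are constructed assumptions chosen to mirror the cases discussed in the posts.

```python
"""Illustrative model of the two-sided HIPS check discussed in this thread.

Added example, not Comodo code and not CIS's on-disk rule format. It encodes
the semantics described in the replies:
  * Access Rights on the SOURCE process's ruleset say what that process may do
    to others (Allow / Ask / Block).
  * Protection Settings on the TARGET process's ruleset say whether others may
    do that to it. 'Inactive' means unprotected; 'Active' blocks every source
    except the rulesets listed under Exclusions.
"""
from dataclasses import dataclass, field

ALLOW, ASK, BLOCK = "Allow", "Ask", "Block"


@dataclass
class Ruleset:
    name: str
    # action -> Allow/Ask/Block: what processes under this ruleset may do to others
    access_rights: dict = field(default_factory=dict)
    # action -> True (Active) / False (Inactive): protection from other processes
    protection: dict = field(default_factory=dict)
    # action -> set of ruleset names exempt from that protection
    exclusions: dict = field(default_factory=dict)


def mediate(action: str, source: Ruleset, target: Ruleset, default: str = ASK):
    """Return (verdict, reason) for `source` attempting `action` on `target`.

    Both sides are consulted: a Block on either side wins; otherwise the
    source's own Access Right (Allow or Ask) decides.
    """
    outbound = source.access_rights.get(action, default)
    if outbound == BLOCK:
        return BLOCK, f"{source.name}: Access Rights block '{action}'"
    if target.protection.get(action, False):  # protection Active on the target
        if source.name not in target.exclusions.get(action, set()):
            return BLOCK, (f"{target.name}: Protection Settings active for "
                           f"'{action}' and {source.name} is not excluded")
        return outbound, f"{source.name} is excluded from {target.name}'s protection"
    return outbound, (f"{target.name}: protection Inactive; "
                      f"{source.name}'s Access Right is {outbound}")


TERMINATE = "Process Termination"

# Constructed rulesets approximating the ones the thread talks about. Names,
# contents and the exclusion are assumptions for illustration, not a dump of a
# real CIS configuration.
ISOLATED = Ruleset(
    "Isolated Application",
    access_rights={TERMINATE: BLOCK},   # isolated.exe may not kill others
    protection={TERMINATE: False},      # ...but anyone may kill isolated.exe
)
WINDOWS_SYSTEM = Ruleset(
    "Windows System Application",
    access_rights={TERMINATE: ALLOW},
    protection={TERMINATE: False},      # Inactive, as the poster observed
)
CIS_GROUP = Ruleset(
    "Comodo Internet Security",
    access_rights={TERMINATE: ALLOW},
    protection={TERMINATE: True},       # Active, with an exclusion (assumed)
    exclusions={TERMINATE: {"Windows System Application"}},
)
UNKNOWN = Ruleset("Unrecognized Application")  # no rules at all: falls back to Ask

CASES = {
    "isolated.exe kills a Windows app": (ISOLATED, WINDOWS_SYSTEM),
    "Windows app kills isolated.exe": (WINDOWS_SYSTEM, ISOLATED),
    "isolated.exe kills CIS": (ISOLATED, CIS_GROUP),
    "unknown app kills CIS": (UNKNOWN, CIS_GROUP),
    "Windows app kills CIS (excluded)": (WINDOWS_SYSTEM, CIS_GROUP),
    "unknown app kills a Windows app": (UNKNOWN, WINDOWS_SYSTEM),
}


def scenarios():
    """Evaluate the constructed cases; returns {label: verdict}."""
    return {label: mediate(TERMINATE, s, t)[0] for label, (s, t) in CASES.items()}


if __name__ == "__main__":
    for label, (s, t) in CASES.items():
        verdict, reason = mediate(TERMINATE, s, t)
        print(f"{label:38s} -> {verdict:5s} ({reason})")
```

Run it and the two observations from the thread fall out of the model: with its own protection Inactive, isolated.exe can still be terminated by a Windows process even though its Access Rights stop it terminating anything else, and an unrecognized process hitting the CIS group is blocked by the target’s Active protection before its own “Ask” right ever matters.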

Awesome, good to know. I am kind of curious about when one would use the Protection Settings, but will leave it alone for now :)

Could someone clarify this “Inactive” status for all Protection Settings in the Proactive config?

I mean, why is everything inactive, and what can/should I do about it?