So I have spent an enjoyable weekend getting to know CIS and really like it. I had a problem with unauthorized access (possibly using legitimate admin tools, maybe RATs), from a person (a programmer, but he had no legitimate reason to do this) that I have to be in contact with for a bit longer. So, I needed something beyond what the typical internet user might face. I used the Proactive setup, sandboxing of all unknown files as restricted, medium heuristics, Viruscope on for both sandboxed and non-sandboxed, HIPS on. Now for the HIPS, when I look at the Protection Settings for each of the Rulesets, all the States are set to ‘Inactive’. Does this mean the HIPS is turned off? I have the Enable HIPS option checked and all options checked under monitoring, so I might be misunderstanding the State variable. Should this be turned on? I read through the manual quite a bit, but couldn’t understand this option.
Also, if there is a good configuration for the above situation, please let me know. I can deal with decisions and false positives.
I took one of the details for “limited”, but the inactive part is the same for the other categories. Let me know if you need more, or if there is a way to export the whole ruleset as a text file perhaps.
From the help file, inactive means that protection is disabled. idk why it's inactive with all your rulesets. Are you running a clean install of CIS or have you upgraded from an older version?
Clean install on a newly installed OS. I uninstalled (using Revo Pro and then using Comodo’s cleanup tool and following all the instructions) and re-installed the latest beta version. They are still set this way. From reading the manual, I wonder if Protection Settings does something almost the opposite of Access Rights? For example, for some isolated application (isolated.exe), in Access Rights process termination is blocked (isolated.exe can’t terminate other applications, which makes sense if it is not trusted). In Protection Settings, process termination is inactive (meaning isolated.exe CAN be terminated by other processes, which makes sense because you might want to terminate potential malware easily). I can’t figure out why nothing is protected, even Windows system applications…maybe it creates too many conflicts if not carefully implemented?
I have been thinking about this and that is the only thing I can come up with…I thought I might be missing something.
Protection Settings - Protection Settings determine how protected the application or file group in your ruleset is against activities by other processes. These protections are called ‘Protection Types’.
Also, if you look at your HIPS rules you will see that the Comodo Internet Security group does have these protections enabled, with some exclusions; see attached screenshot.