HIPS is the offender. I have finally caught it doing that and noted it down this time, with Arma’s (a Bohemia Interactive game) exe. But the thing has been happening for a long time on my system, at least since the beginning of 2019 (so CIS 11).
Here are some screenshots, for Arma as well as for RivaTuner Statistics Server (part of MSI Afterburner).
https://1drv.ms/f/s!AvyUQyNGJs9mkd0lqCbbUEk6ezkapg
This has been explained to death; if you search the forums you will find the answer. Also, you can’t rely on the Blocked Applications list, as it doesn’t provide any useful information as to why something gets blocked. Besides, using Unblock Application does not cover all cases to unblock an application from HIPS.
Blocked Applications is not a useful feature and, as far as I am concerned, Comodo removes it. It creates confusion, as explained in another topic of yours: https://forums.comodo.com/defense-sandbox-help-cis/blocks-its-own-secure-shopping-csssrv64exe-t124368.0.html .
Only the HIPS Logs provide the complete and exact picture of what is being blocked. Is the functionality of the programs affected? Probably not, because you are concerned with the message that they are being blocked. The most likely reason they show up blocked is that CIS is blocking interprocess memory access; it is CIS protecting itself. Only in very rare cases do programs get impaired when they can’t access CIS processes in memory. Also, Blocked Applications is not capable of allowing memory access, for which I am happy coz it will lessen security.
“Is the functionality of the programs affected?” I’m troubleshooting ArmA’s BattlEye problems and I really wouldn’t want to have CIS as a variable in this scenario. Especially with anti-cheat protection and an injection-based performance monitoring software running. I don’t think I’ll be able to tell how their functionality is actually affected either.
I went ahead and created rules for RivaTuner components, MSI Afterburner and ArmA. After I restarted the system I got HIPS blocking RivaTuner right away.
Date & Time Application Action Target
2019-06-07 00:34:52 C:\Users\hg1\AppData\Local\Temp\VO4KlzQS.exe.part Scanned online and found malicious
2019-06-06 20:07:08 C:\Program Files (x86)\RivaTuner Statistics Server\RTSSHooksLoader64.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cis.exe
2019-06-06 20:07:05 C:\Program Files (x86)\RivaTuner Statistics Server\RTSS.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cis.exe
Could you please share your take on that?
EDIT:
I forgot to add! I used “Allowed application” HIPS ruleset.
If you don’t notice the programs are affected, assume they aren’t. Anti-cheat protection software can be very sensitive but will block you when it thinks you’re cheating (as far as I understand this type of program); it would be in your face.
In the case of injection-based performance monitoring you could try allowing interprocess memory access and see if the benchmarks differ before and after allowing.
“After I restarted the system I got HIPS blocking RivaTuner right away.” Trusted application does not allow interprocess memory access.
On what Windows version are you? With Windows 10 1903 CIS will erroneously report memory access with 32-bit programs:
If you are not on Windows 10 1903, this tutorial describes how to allow interprocess memory access for an application: Comodo Forum.
Edit: A word of warning. Allowing interprocess memory access to CIS processes introduces an element of risk. It is something we only advise doing when a program is not working properly. Then it is worth exploring. If it turns out that memory access will make the program work like it should, then keep it. In case it doesn’t make a difference, undo the memory access to CIS processes.
Thank you for the explanation and tips!
I use Windows 7 x64
I hope this unfortunate part of UX gets replaced soon.
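One way to triage the HIPS log rows quoted in this thread, as an added example that is not part of any poster's message and not Comodo's own tooling: it separates blocked memory access into CIS processes (the self-protection case described in the replies) from rows that deserve a closer look. The one-row-per-line layout, the two action strings and the CIS install path are assumptions taken from the rows quoted above.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample: the three log rows quoted in the thread, one per line.
SAMPLE_LOG = r"""
2019-06-07 00:34:52 C:\Users\hg1\AppData\Local\Temp\VO4KlzQS.exe.part Scanned online and found malicious
2019-06-06 20:07:08 C:\Program Files (x86)\RivaTuner Statistics Server\RTSSHooksLoader64.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cis.exe
2019-06-06 20:07:05 C:\Program Files (x86)\RivaTuner Statistics Server\RTSS.exe Access Memory C:\Program Files\COMODO\COMODO Internet Security\cis.exe
"""
# Assumption: only the two action strings visible in the thread are recognised.
ACTIONS = ("Access Memory", "Scanned online and found malicious")
# Assumption: CIS install directory, taken from the target paths in the thread.
CIS_DIR = r"C:\Program Files\COMODO\COMODO Internet Security" + "\\"
ROW = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.+)$")

def parse_row(line):
    """Split one row into (timestamp, application, action, target or None)."""
    m = ROW.match(line.strip())
    if not m:
        return None
    stamp, rest = m.groups()
    for action in ACTIONS:
        # Paths contain spaces, so locate the action text instead of splitting.
        app, sep, target = rest.partition(" " + action)
        if sep and (target == "" or target.startswith(" ")):
            return stamp, app, action, target.strip() or None
    return None  # unknown action: the caller keeps the raw line

def is_self_protection(action, target):
    """True when the blocked action is memory access into a CIS process."""
    if action != "Access Memory" or target is None:
        return False
    return ntpath.normcase(target).startswith(ntpath.normcase(CIS_DIR))

def triage(log_text):
    """Group rows into CIS self-protection blocks, rows to review, and unparsed lines."""
    result = {"self_protection": defaultdict(list), "review": [], "unparsed": []}
    for line in filter(None, map(str.strip, log_text.splitlines())):
        row = parse_row(line)
        if row is None:
            result["unparsed"].append(line)
        elif is_self_protection(row[2], row[3]):
            result["self_protection"][ntpath.basename(row[1])].append(row[0])
        else:
            result["review"].append(row)
    return result

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the sample rows, the two RivaTuner entries land in the self-protection group, while the temp-folder file flagged as malicious is left in the review list.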