Some applications still get blocked no matter how much I whitelist them

HIPS has been auto-blocking certain specific applications no matter what I do. I can unblock them in the blocked applications list, I can rate them as safe in the options… nothing, they still wind up in the blocked apps again. The only solution I’ve found is to temporarily turn HIPS off just to run them. What should I do?

I run the latest version of CIS Pro on Win10 2H22.

What is the message of HIPS?

How did you react to HIPS?

Have you tried to define a rule set and apply it to this program?

The rules were created the first time I unblocked the applications, but they still get blocked and show up in the blocked list again. There’s no message.

Perhaps it is the same (or related) issue as you’ve had here : Can't disable auto-containment on Trusted applications where in the end the solution was to uninstall CIS completely and re-install it.
But not sure if your current issue is related though.

Hi. Have you tried to add these applications editors in the trusted vendor list?

I checked and at least one of them is already in the list marked as safe.

And to answer to CISfan, I doubt it, since I did it back then and it was already doing it before that.

What’s the names of these certain specific applications that get blocked by HIPS?

One of them is Crystal Rich Ltd.'s LockHunter. Used it on occasion, and it’s a signed application. And yes, still gets blocked after whitelisting the vendor.

And you did add Crystal Rich Ltd.'s LockHunter’s executables (and related files) to the “File List” with rating “Trusted” I presume?

Of course. Still the same result.

What HIPS mode are you using?
Do you have HIPS “Create rules for safe applications” on or off?

Huh, didn’t know there was that option.
That said, even after turning it on and unblocking the app one more time, it got blocked again anyway.
As for HIPS, it’s in the default Safe mode.

Another thing you could try if you are sure the application is safe. Uninstall one of the applications blocked by CIS.
Before reinstalling :

  • disable auto containment
  • go to File Rating > File rating Settings and check “Trust files installed by trusted installers”
    Launch the installer of your application and at the first prompt of HIPS check treat as installer or updater.

(the end of my reply was lost. Here it is.)
Launch the installer of your application and at the first prompt of HIPS check treat as installer or updater.

Can we please try to figure out what’s wrong with HIPS and why does it behave this way instead of trying to cheat through it? Even if I somehow trick it into leaving the app alone, it shouldn’t behave this way in the first place once I whitelisted it.

And please don’t suggest I just reinstall Comodo again. I sure am doing a lot of reinstalling on an AV that hasn’t updated in years.

Better to switch off HIPS “Create rules for safe applications” as setting it to on could cause (due to a nasty bug) HIPS rules corruption.
So do switch it off.

Next try. Add one or more HIPS rules for “Application” set to all the involved Crystal Rich Ltd.'s LockHunter’s executables and set each application “Use Ruleset” to “Allowed Application”.
And, important, after creating the HIPS rules move all the created HIPS rules to the very top (click and drag) of the HIPS Rules list. (The HIPS rules at the top have highest priority).
Now check if HIPS still blocks Crystal Rich Ltd.'s LockHunter.

I did everything you described, but when I went to run it, it got blocked again. And when I unblocked it and then checked the HIPS rules, it was changed back to “custom ruleset”.

Are there any other HIPS rules on the list related to Crystal Rich Ltd.'s LockHunter apart from the ones that you’ve just created yourself?
Look carefully from top to bottom through the HIPS rules list and check if there are any duplcate rules related to Crystal Rich Ltd.'s LockHunter.

Yeah, there’s only one ruleset, I checked.

Looks like if cmddata is being blocked by something again and CIS (cmdagent) isn’t able to write to or update it…

Are you running any other security software in parallel with CIS (MS Defender or whatever)?