System cannot be recognized, HIPS prompts for action [8.x]

Hi, I’m having a strange problem with Comodo HIPS. It started more than a month ago and has caused no major problems (hopefully so far).

Sometimes Comodo HIPS pops up a message that the application ‘System’ is trying to create a .etl file in …\system32\logfiles.…, and that System cannot be recognized. When clicking on the ‘system’ location from the prompt, Comodo opens a folder with system files (obviously). At first I was scared and thought that some malware had changed my system files, but no - sfc shows they are clean, and I don’t remember any popup saying a shady application was trying to change anything in a protected folder. The action taken by System seems legit, so I decided to simply get rid of the prompt, but whichever action I choose - allow and remember, treat as a system application, or whatever - this pop-up comes back every two days.

My HIPS is set to clean PC mode, auto-sandbox is on. ‘Create rules for safe applications’ is on. Comodo is set to check for updates every few hours; the current version is 8.4.0.5165.
I’m running Win7 x64 Pro, UAC off. Malwarebytes Anti-Exploit is running as additional protection.

As a side note, I can’t create rules for some other programs. Sometimes the nVidia updater (digitally signed) tries to execute coprodupdater.exe or something like that - I decided to simply block this one. Also, I can’t view these alerts - for some reason, Comodo only keeps logs from the current session, despite my having set the log file size to 1 GB.

Don’t know if it’s a bug, a feature, I’m somehow cleverly infected, or I just can’t set up the settings to make them work.

Thanks for any help.

You should upgrade to version 10, as there was a bug with HIPS rules being lost/forgotten under heavy system load, but that should be fixed with CIS 10.

Shall I do an overlay install or a remove-then-install one? I cannot find that.

Anyway, the fact that it does not auto-update from 8 to 10 makes me not convinced that everything is 100% ok…

I would recommend you uninstall and then install the newer version, and if you want to use your current configuration, you can export it before you uninstall, then import the saved config after installing. As for the automatic upgrade, I’m not sure why it is not being offered yet through the internal updater.

Ok, I got auto-updated to Comodo 10. The same issues are present. I have pop-ups for system actions, and the signature database is not getting auto-updated, despite being set to check every hour. It checks, and kindly informs me that I can download them :/.

Performing a clean install usually fixes most problems; you can follow this guide, which provides tools to help with a clean uninstall and re-install.

Bumping, but I have a reason for that.

I had waited until Comodo 10 was published via the auto-update feature, then tested it for a few days. The problem was not resolved; what’s more, after a short time I was literally swarmed with different alerts, and some options (e.g. treat as trusted in the HIPS pop-up) disappeared.

So, I decided to make a clean install.

Uninstalled Comodo, downloaded the package from the website and installed it once again. After going through all the initial procedures and setting up my preferences, it worked with no issues… for a week or so, when again it started saying that my system tries to modify system files (see attachment).

It says that the Windows operating system sends itself ARP packets that need to be blocked (192.168.1.3 to itself), and that ‘System’ tries to modify C:\windows\system32\WDI\LogFiles\ShutdownCKCL.etl, and I guess System should modify system logs.

I thought for a while that maybe I really have some major system malfunction or malware running in the background, but this collides with the week-long ‘calm before the storm’ after the clean install I mentioned.

So far the only noticeable drawback of the current situation is a ‘Plonk’ sound when I shut down the machine. However, I expect more to come. And I’d love to know what causes them and what the solution is. Maybe I misclicked something during one of the pop-ups?

My Comodo config is not extraordinary. Firewall and HIPS in safe mode, AV in on-access mode with high heuristics. Auto-sandbox and Virusscope on, URL filtering off. Rules for safe apps are on. Password-protected program config. The rest are rules I chose during program pop-up messages.

It says, that Windows operating system sends itself ARP packages that need to be blocked (192.168.1.3 to itself)
That is the result of having ‘Enable anti-ARP spoofing’ enabled under firewall settings, which blocks [url=https://wiki.wireshark.org/Gratuitous_ARP]gratuitous ARP packets[/url].
Rules for safe apps are on
And that is the issue. When you have that on, over time, depending on how many trusted applications you use, the list of rules gets large, and if you ever open the advanced settings window while a new rule is being created or an existing rule is being automatically modified, the rules get corrupted and disappear, as if you had deleted all rules, when you close the settings window using OK instead of the close button.

I don’t know why anyone uses that option, considering it affects system and CIS performance, whether through high CPU usage by cmdagent as it learns and dynamically creates rules for trusted applications, or when there are many rules that CIS has to process each time an application runs to find the matching rule. There is no real benefit from using that option.

Not being alerted every time I launch or install an app coming from a trusted dev, or after an update - knowing that Comodo HIPS recognizes apps by their checksum, I don’t want a pop-up every time Firefox, or any other trusted app, gets updated by its trusted auto-updater.

Especially when you are not the only user and you share a PC with the rest of the family - every pop-up generates panic.

You won’t get alerts when HIPS is set to safe mode, and if you have ‘Trust files installed by trusted installers’ enabled under file rating settings, then any file created by a trusted/installer-rated application will automatically be trusted as well. ‘Create rules for safe applications’ doesn’t control showing HIPS alerts; only the HIPS mode does. The only time you will get a HIPS alert from a trusted application is when it attempts to execute anything that is not also rated as trusted.
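To make concrete what the anti-ARP-spoofing alert above is reacting to, here is an added example (not from Comodo or from anyone in this thread) that parses an Ethernet/ARP frame and flags it as gratuitous when the sender and target IP addresses match, which is the "192.168.1.3 to itself" pattern; the sample frames and the MAC address are constructed for the example.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

ETHERTYPE_ARP = 0x0806
# ARP body: htype, ptype, hlen, plen, opcode, sender MAC, sender IP, target MAC, target IP
ARP_BODY = struct.Struct("!HHBBH6s4s6s4s")
BROADCAST = b"\xff" * 6

@dataclass
class ArpFrame:
    opcode: int  # 1 = request, 2 = reply
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

    def is_gratuitous(self) -> bool:
        # Gratuitous ARP announces the sender's own mapping (sender IP == target IP):
        # exactly the "192.168.1.3 to itself" pattern the firewall alert reports.
        return self.sender_ip == self.target_ip

def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_arp(frame: bytes) -> ArpFrame:
    """Parse an Ethernet II frame carrying IPv4-over-Ethernet ARP; raise on anything else."""
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, opcode, sha, spa, tha, tpa = ARP_BODY.unpack_from(frame, 14)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    return ArpFrame(opcode, _mac(sha), str(IPv4Address(spa)), _mac(tha), str(IPv4Address(tpa)))

def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip, dst_mac=BROADCAST) -> bytes:
    """Build a frame for the constructed samples below (not a real capture)."""
    eth = dst_mac + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    return eth + ARP_BODY.pack(1, 0x0800, 6, 4, opcode, sender_mac, IPv4Address(sender_ip).packed,
                               target_mac, IPv4Address(target_ip).packed)

# Constructed sample frames; the MAC address is made up for the example.
HOST_MAC = bytes.fromhex("001122334455")
# Gratuitous ARP reply: the host announces 192.168.1.3 to itself.
GRATUITOUS = build_arp(2, HOST_MAC, "192.168.1.3", HOST_MAC, "192.168.1.3")
# Ordinary request for the gateway's MAC: sender and target IPs differ, so not gratuitous.
NORMAL_REQUEST = build_arp(1, HOST_MAC, "192.168.1.3", b"\x00" * 6, "192.168.1.1")
```

Running `parse_arp(GRATUITOUS).is_gratuitous()` returns True while the ordinary request returns False, which is the distinction the firewall's anti-ARP-spoofing setting makes when it logs the self-addressed packet.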