V220.127.116.1136 (Firewall only) on Windows 7 Ultimate 64-bit
When I unblock an application, which was blocked by HIPS, in the “Unblock Applications” window then the application is removed from the list, so far so good. However the application (with File Rating trusted) keeps coming back in the list of the “Unblock Applications” window even after multiple times Unblocking it (the Unblock method doesn’t matter, I’ve tried both).
The application is listed in the HIPS Rules and having a Custom Rule. Even removing the HIPS custom rule did not change anything, the rule is nicely recreated when the application is run however the application is again added to the “Unblock Applications” list.
The application is Trusted and as such HIPS does not pop up an Alert (that’s good).
Do I overlook a (mind)setting here or…?
I even deleted both the Firewall and HIPS rule for the application, both rules were recreated when the application was run again and it was added to the list in the “Unblock Applications” window. After unblocking it the application still reappears in the “Unblock Applications” list every time when it is run again???
I would like to verify that “access CIS processes in memory” is indeed causing this behavior of “Blocked Applications” not-unblocking.
If the trusted application indeed is trying to “access CIS processes in memory” would this access attempt then be added to the “HIPS->HIPS Rules->Application->Custom Rules->Exclusions->Modify (x\y)” of the trusted application in question or be added somewhere else in the trusted application HIPS rules?
Or, can I allow this “access CIS processes in memory” for the trusted application somewhere else to check if unblocking then works?
Depending on your application and IF it is trusted by yourself . . . this is how it’s done, for instance, with Logitech SetPoint, which has that problem.
Open up HIPS rules and edit the rule for COMODO Internet Security, then go to the Protection Settings tab, in the Protection Settings list to the very right of Interprocess Memory Access. Choose Modify and when a new window appears alt-click / right-click in the empty area and choose Add > Running Process and from the running process list select the (your application) executable. Press OK for each window to accept the settings change.
The application is no longer added to the list of Blocked Applications.
FYI, the application is from a trusted vendor and as such it is listed in the “Vendor List” and in the “File List” as Trusted by default.
Even adding my own Trusted setting didn’t help either to solve it.
For me it’s important what EricJH answered to such questions:
Q: Blocked Applications shows HIPS reporting CIS blocking certain programs and unblocking fails. What does that mean?
A: CIS will protect itself by denying programs to access CIS processes in memory. It is part of its architecture since its conception as Comodo Firewall.
A: Blocked Applications is simply not capable of unblocking memory access to CIS processes even though it offers this. I consider this a design flaw in Blocked Applications. Allowing programs memory access to CIS processes is possible but needs to be done deep in the UI in Advanced Settings.
Q: My programs are still working even though Blocked Applications says they are being blocked and unblocking is not working. Why is that?
A: From a security point of view allowing memory access to CIS processes is a security risk. Hence why we rarely advise to allow this.
This is not the answer to the question, just a thought which EricJH already expressed himself.
Isn’t it dangerous to allow software to access memory even if you trust the software, is it? If I change these HIPS rules, then blocking or asking, but not allowing.
That link from Eric is already referenced 5 replies up and explains the Blocked Applications issue perfectly. If it is necessary however to solve the issue in particular cases, then the steps are outlined for the OP.
For an issue such as Logitech and non-stop logging . . . that is the method: CIS and SetPoint
For me the proposed solution is no problem, I know that the application can be trusted because it’s part of the AV that I have running and also because it is in the Comodo list of “Trusted Vendors” and “File List”.
However this solution should never be applied to any application or process that is not trusted or unknown and only being used in specific cases.
I’ve to admit though, that it was quite confusing when the application continuously came back in the list. The CIS user expects the functionality of the “Blocked Applications” to be working as intended but in this specific case it didn’t.
It’s by design that HIPS protects itself and that is good, so I can live with the proposed solution.
Unfortunately, the Blocked Application list causes a lot of unnecessary worry as Eric’s explanation pointed out, especially on a system startup before CIS is fully loaded . . . . ‘In the end this is just a storm in a tea cup because of a usability issue. Programs will continue to function normally and there is no security risk. People get worried and think something is wrong even though programs are functioning normally and get freaked out when unblocking is not working’
Yup - it usually gets a slew of Blocked Applications on every start up - depending of course on what you (or Windows) are running; simply because CIS hasn’t fully loaded. They invariably mean nothing and are all known and long term used Applications.
It sometimes tends to panic users who promptly unblock everything and start making numerous rules and altering them the next time for no good reason.
Mark them all and delete them from the GUI. IF one comes back as in your case, then investigate further, but otherwise ignore them and don’t get dragged into making rules cluttering up everything, which have no effect in any case.
Would it be better to have a “Recently Blocked Applications” (or whatever name) window showing a list that only sums up or gives an overview/summary of the recently added application/process rules created by HIPS or Firewall?
By double clicking on a rule in the list the corresponding HIPS/Firewall rule would then be opened for the user to make modifications to the rule if necessary.
So no more unblocking in this “Recently Blocked Applications” window.
When a HIPS/Firewall rule for an application is deleted by the user and the application is started again it only then returns back in the “Recently Blocked Applications” window list when a HIPS/Firewall rule is recreated by CIS.
So only when a new HIPS/Firewall rule is created (or when one of those rules is being modified by CIS itself for some reason) then the corresponding application/process shows up in the “Recently Blocked Applications”.
The user can then decide to remove the application from the list and as long as the HIPS/Firewall rules aren’t modified by CIS it stays out of the list.