What exactly is 'Disk' in HIPS Rules?

Hi.

What exactly is monitored by the ‘Disk’ option in HIPS Rules?

Does this include both Windows API and Direct Disk Access, or just Direct Disk Access?

I sometimes get HIPS alerts regarding Direct Disk Access, so assume it is the same thing as ‘Disk’ in HIPS Rules (as there is no option with the name of “Direct Disk Access” when setting HIPS Rules)?

As a test I have tried setting ‘Disk’ to block on multiple applications and none seems to be able to open additional files on the computer.

This makes me think that ‘Disk’ blocks more than Direct Disk Access.

If so, is there a way to only block Windows API file Direct Disk access instead of also Windows API file access?

Kind regards,

Reece

> Does this include both Windows API and Direct Disk Access, or just Direct Disk Access?

Windows API functions of CreateFile with a specific file path argument and DefineDosDevice API function calls. Examples here: https://forums.comodo.com/resolvedoutdated-issues-cis/add-physical-drives-group-to-hips-protected-filesm2326-t120412.0.html;msg868931#msg868931

> I sometimes get HIPS alerts regarding Direct Disk Access, so assume it is the same thing as 'Disk' in HIPS Rules (as there is no option with the name of "Direct Disk Access" when setting HIPS Rules)?

Care to give examples of applications that generate these alerts? Also show the HIPS log for the applications that generate the alert. And yes, Disk is the same as direct disk access.
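
An added example, not part of the thread and not Comodo's code, of the distinction the reply above draws: the path argument given to CreateFile (or the target given to DefineDosDevice) decides whether a call is ordinary file access or raw disk/volume access. The function names, rule table and sample events are constructed for illustration and do not describe how CIS HIPS implements its 'Disk' rule.

```python
import re

PREFIX = r"\\\\[.?]\\"   # Win32 device namespace: \\.\ or \\?\
GUID = r"\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}"
RULES = [
    # \\.\PhysicalDrive0: the whole disk, below any file system
    ("physical_disk", re.compile(PREFIX + r"PhysicalDrive\d+", re.I)),
    # \\.\C: or \\?\Volume{GUID} with no trailing backslash: the volume itself
    ("volume", re.compile(PREFIX + r"(?:[a-z]:|Volume" + GUID + ")", re.I)),
]
# NT object names that a DefineDosDevice raw target can alias to a disk or volume
NT_DISK = re.compile(
    r"\\Device\\(?:Harddisk\d+\\(?:DR\d+|Partition\d+)|HarddiskVolume\d+)", re.I)


def classify_createfile_path(path):
    """Return 'physical_disk', 'volume' or 'file' for a CreateFile path argument."""
    for kind, rx in RULES:
        if rx.fullmatch(path):
            return kind
    return "file"  # everything else is treated as ordinary file access here


def classify_dosdevice_target(target):
    """Return 'disk_alias' if the target names a disk or volume device object."""
    return "disk_alias" if NT_DISK.fullmatch(target) else "other"


# Constructed sample of intercepted calls: (API name, path or target argument)
SAMPLE_EVENTS = [
    ("CreateFile", r"C:\Users\user\notes.txt"),
    ("CreateFile", r"\\.\C:\Users\user\notes.txt"),
    ("CreateFile", r"\\.\PhysicalDrive0"),
    ("CreateFile", r"\\.\C:"),
    ("DefineDosDevice", r"\Device\Harddisk0\Partition1"),
]


def raw_access_events(events):
    """Keep only the calls that reach a disk or volume rather than a file."""
    hits = []
    for api, arg in events:
        kind = (classify_createfile_path(arg) if api == "CreateFile"
                else classify_dosdevice_target(arg))
        if kind not in ("file", "other"):
            hits.append((api, arg, kind))
    return hits
```

Only the last three sample events are flagged; the two calls that name a file under `C:\Users` are plain file access even when written with the `\\.\` prefix.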

Hi futuretech.

Sure, have attached the screenshots for you.

You wouldn’t happen to have any folders defined in protected data?

I do.

However I don’t have any sandboxed applications.

Another stupid bug where HIPS incorrectly detects direct disk access when a non-contained application tries accessing a file or folder within a protected data folder.

But of course it is.

*Face in hand

There’s me trying to work out the logic. Thought CIS was splitting ‘Disk’ as per your example, and Direct Disk Access which only ever occurred as a popup alert if a safe application was trying to gain raw disk access.

Right. Urgh.

Might not be a bad idea then to have an option for HIPS to alert for Raw Disk access. I mean hardly any application needs it, so if there ever was a request for it, I think it would be beneficial to be alerted to such events.

P.S. Comodo, please hire more devs and be nice to them so they stay. Lots of work to be done! :)

Disk defragmentation, file recovery, and free space/secure file deletion software are some examples of legitimate use of direct disk access.

Sure, in these cases that is likely fine.

However, in cases where an application that does not require raw disk access, which is likely most applications most of the time, tries to gain raw access to the disk, I think it would be very beneficial to be alerted to such events. This could be an option within HIPS Settings to check on/off.

This prevents processes bypassing Windows File Access Rights specifically via Raw Disk access.