SiteInspector free web version

[Guest]

[trscsaeg]

These 2 sent me vadim:

Examples of unsafe IP match checking:
 http://siteinspector.comodo.com/public/reports/41910
 http://siteinspector.comodo.com/public/reports/41902

When some site is detected as  dangerous its IP is saved and other sites with this IP are detected as a suspicious because of a same IP as a malicious site.

how can 2 websites have the same IP address or are IP addresses for websites dynamic?

also if they're dynamic, the website holder can't choose their IP can they?

if they can't choose their IP and the website holder made a malicious site and then made another one, what's the chances the new sites IP would get the old sites IP?

i have the feeling i'm still missing how this feature is beneficial but i asked you the questions to show you where i'm at in my thinking so you can set me straight because i got a feeling i don't understand sorry

[morphiusz]

I tested it out and i believe that those unsafe IPs are saved only for 48 h. (according to: http://siteinspector.comodo.com/public/unsafe_list )

[vadim]

how can 2 websites have the same IP address or are IP addresses for websites dynamic?

also if they're dynamic, the website holder can't choose their IP can they?

if they can't choose their IP and the website holder made a malicious site and then made another one, what's the chances the new sites IP would get the old sites IP?

i have the feeling i'm still missing how this feature is beneficial but i asked you the questions to show you where i'm at in my thinking so you can set me straight because i got a feeling i don't understand sorry

Very often malicious sites (and sites which are hosted malware files) are hosted on the one web-server (under one external IP address). So, if SI detects some unsafe site, it remembers IP of this site for some period of time. If some other site is hosted on the same IP, SI says it's suspicious (Medium Risk), because this site also can be malicious (or hosts malware site).

This is not a feature for improvement of scan speed, because SI makes full scan firstly, using all detection mechanisms. But it's additional level of detection. We are using a black lists and now unsafe IPs. Of course, both don't give a definite assurance that the site is dangerous, so we use "Medium Risk" status.

If you open some of public black lists, e.g.http://www.malwaredomainlist.com/mdl.php
you may see a lot of different malicious sites which are hosted on the same IP.

[trscsaeg]

Very often malicious sites (and sites which are hosted malware files) are hosted on the one web-server (under one external IP address). So, if SI detects some unsafe site, it remembers IP of this site for some period of time. If some other site is hosted on the same IP, SI says it's suspicious (Medium Risk), because this site also can be malicious (or hosts malware site).

This is not a feature for improvement of scan speed, because SI makes full scan firstly, using all detection mechanisms. But it's additional level of detection. We are using a black lists and now unsafe IPs. Of course, both don't give a definite assurance that the site is dangerous, so we use "Medium Risk" status.

If you open some of public black lists, e.g.http://www.malwaredomainlist.com/mdl.php
you may see a lot of different malicious sites which are hosted on the same IP.

thanks for clearing that up. what if SI held the IP until the IP no longer hosted malware. maybe create something like valkyrie and cima but for websites instead of files. i don't know if there's a way to do this but it would be kinda like def+ for unsafe sites.

also maybe you guys could implement something like dacs but for comodo dns. have volunteers run under different dns and everytime anyone using comodo dns goes to a site, comodo dns sends the url to the volunteers computers running different dns and sends the verdict from the other dns to the user using comodo dns. it would all happen in the background and the user is only alerted when a dns service detects a site as bad

[morphiusz]

[at]up

I think it's too complicated, it would take a loong time and it's possible only for files (Cima eg.).

SI now is very,very good and i think it needs only small improvments in detection engine and reputation system  and  it'll be ready then.

[trscsaeg]

[at]up

I think it's too complicated, it would take a loong time and it's possible only for files (Cima eg.).

SI now is very,very good and i think it needs only small improvments in detection engine and reputation system  and  it'll be ready then.

why is it only possible for files. volunteers have to have a plugin for dacs to work. why couldn't they make one to deliver malicious dns verdicts. as far as slow goes, almost every new technology that comes out is slow at first. don't under estimate developers ability to speed things up or come up with a whole new way that's more efficient than what i proposed to get the same feature. i'm sure a lot of people thought virus total was too complicated at one time as well as dacs which isn't dead even though some on the forum think otherwise.

i state my ideas regardless of difficulty if it could be useful because if some one likes it and wants to implement it then they will find ways to overcome the complications.

the light bulb was seen as impossible but here it is. comodo is innovative. it's their nature to make the impossible possible

[morphiusz]

I think now SI is good enough, i see no reason to implement some things like DACS or cima (i suggsested valkyrie to scripts, php files and so on earlier). It would take too long (belive me) and it is to hard to do.
It's better to have simple and decent mechanism than a very slow, multi-engine, unreliable service.
SI now detects  buffer overflow attacks,  JS files with suspicious code, IE crashnig, malicious files, malicious scripts, it uses few blacklist, has ip matching, detects suspicious file/registry modification, detecting of a pdf exploits (starting acrobat reader) as well.
For now it provides the best detection in my opinion - Mcafee site advisor, avg link scanner and other cannot provide such as good detection as a SI.They are using only  blacklists (avg has very poor scanner - so if the malicious site isn't on a BL - it is not detected - SI has a lot of other layers of detecting - SI preforms a dynamic scanning in the sandbox!)
I'm a big fan and supporter of this service, it is very,very pomising!

[wasgij6]

I think now SI is good enough, i see no reason to implement some things like DACS or cima (i suggsested valkyrie to scripts, php files and so one earlier). It would takes too long (belive me) and it is to hard to do.
It's better to have simple and decent mechanism than a very slow, multi-engine, unreliable service.
SI now detects for buffer overflow attacks,  JS files with suspicious code, IE crashnig, malicious files, malicious scripts, it uses few blacklist, has ip matching, detects suspicious file/registry modification, detecting of a pdf exploits (starting acrobat reader) as well.
For now it provides the best detection in my opinion - Mcafee site advisor, avg link scanner and other cannot provide such as good detection as a SI.They are using only a blacklists (avg has very poor scanner - so if the malicious site isn't on a BL - it is not detected - SI has a lot of other layers of detecting - SI preforms a dynamic scanning in sandbox!)
I'm a big fan and supporter of this service, it is very,very pomising!

+100 i love SI and i think it has a ton of potential. it is very effective and accurate and detecting malicious urls. this is going to be a great feature in cis and cant wait to see this integrated

[trscsaeg]

I think now SI is good enough, i see no reason to implement some things like DACS or cima (i suggsested valkyrie to scripts, php files and so one earlier). It would takes too long (belive me) and it is to hard to do.
It's better to have simple and decent mechanism than a very slow, multi-engine, unreliable service.
SI now detects for buffer overflow attacks,  JS files with suspicious code, IE crashnig, malicious files, malicious scripts, it uses few blacklist, has ip matching, detects suspicious file/registry modification, detecting of a pdf exploits (starting acrobat reader) as well.
For now it provides the best detection in my opinion - Mcafee site advisor, avg link scanner and other cannot provide such as good detection as a SI.They are using only a blacklists (avg has very poor scanner - so if the malicious site isn't on a BL - it is not detected - SI has a lot of other layers of detecting - SI preforms a dynamic scanning in sandbox!)
I'm a big fan and supporter of this service, it is very,very pomising!

yes right now it would take too long and be unreliable but they could play around with it separately from the one available to the public. and yes it would be hard but so are a lot of things that comodo has accomplished. i'm not saying add this to SI if it will make it slow. i'm saying play with it until it's fast and reliable. bottom line, it's an idea and it can be done. if comodo wants to do it they can and they can make it fast and reliable regardless of difficulty. maybe it can't be done to be fast and reliable today, maybe some new technology will have to come out for it to be possible to make this fast and reliable i don't know but it can be done. also i believe site inspector is really good as well and i didn't give this idea because i thought otherwise i gave it because if it could be done then it would make it better. i don't go by what's possible today. if devs did that then we'd never have anything new

[wasgij6]

yes right now it would take too long and be unreliable but they could play around with it separately from the one available to the public. and yes it would be hard but so are a lot of things that comodo has accomplished. i'm not saying add this to SI if it will make it slow. i'm saying play with it until it's fast and reliable. bottom line, it's an idea and it can be done. if comodo wants to do it they can and they can make it fast and reliable regardless of difficulty. maybe it can't be done to be fast and reliable today, maybe some new technology will have to come out for it to be possible to make this fast and reliable i don't know but it can be done. also i believe site inspector is really good as well and i didn't give this idea because i thought otherwise i gave it because if it could be done then it would make it better. i don't go by what's possible today. if devs did that then we'd never have anything new

this wouldnt be worth comodos resources and time. SI from what i have tested catches everything. i just threw about 25 zero day malicious urls at it and it detected every one. most if not all of the other dns services work on a blacklist which just like an av hit and miss and unreliable. SI uses many different layers to detect threats. it wouldnt have enough benefits to try and develop what your asking.

[trscsaeg]

this wouldnt be worth comodos resources and time. SI from what i have tested catches everything. i just threw about 25 zero day malicious urls at it and it detected every one. most if not all of the other dns services work on a blacklist which just like an av hit and miss and unreliable. SI uses many different layers to detect threats. it wouldnt have enough benefits to try and develop what your asking.

that's great that it detected 25 zero day malicious url's. comodo uses black list for it's dns as well so if they got the verdicts from other dns then their dns would be stronger than it is now. i'm aware that black list aren't the most reliable way but it is a layer of protection and it is used by comodo so why not strengthen that layer. the stronger each layer is the stronger the overall protection is. as far as it not being worth their time that's for them to decide. if they want to implement it great, if they don't great. i'm just giving an idea and i'm well aware that it would take a lot to implement this but it's not my place to decide if it's worth it for comodo to use it. that is comodo's place and no one elses. i share my ideas regardless of whether i think it can be done or how difficult i think it will be to achieve because i want to give comodo options.

[SiberLynx]

thanks for clearing that up. what if SI held the IP until the IP no longer hosted malware. maybe create something like valkyrie and cima but for websites instead of files. i don't know if there's a way to do this but it would be kinda like def+ for unsafe sites.
also maybe you guys could implement something like dacs but for comodo dns. have volunteers run under different dns and everytime anyone using comodo dns goes to a site, comodo dns sends the url to the volunteers computers running different dns and sends the verdict from the other dns to the user using comodo dns. it would all happen in the background and the user is only alerted when a dns service detects a site as bad

No offense , trscsaeg

... but it seems   ... Well... , that you have no idea  neither about pathetic DACS , nor "Valkyrie" ;  "CIMA"; or DNS  as a whole etc.

Cheers!

[trscsaeg]

No offense , trscsaeg

... but it seems   ... Well... , that you have no idea  neither about pathetic DACS , nor "Valkyrie" ;  "CIMA"; or DNS  as a whole etc.

Cheers!

no offense taken and your right in that i don't know exactly how DACS, Valk, CIMA or DNS work but i know enough about them to talk about them and i know enough to know that my idea is possible to implement which is what the point was in the first place by me posting the idea. i didn't post it to be evaluated by people who don't work for comodo telling me how hard it would be for comodo to implement, whether or not it's worth comodo's time and resources or whether or not i'm knowledgeable enough to talk about DACS, Valk, CIMA and DNS. i imagine that it would be hard, time consuming and take a lot of resources to implement this but it's just an idea. it's not actually taking up comodo's time and resources or making their employees work hard just by me posting the idea. like i said already it's up to comodo. they're big boys and girls and know if they can afford to spend time, resources and put in the hard work to make the idea a reality or if they even like the idea. i'm not hurting anyone by posting this idea or making comodo do something they don't want to do

also DACS is not pathetic though i don't think it will be stronger than valk. the reason DACS isn't pathetic is because as good as def+ and sandboxing are, there are things that can slip by them though it's pretty hard. comodo recognized this which is one reason why they're working on getting DACS integrated into CIS because if another security company has a signature for something that can sneak passed def+ and sandbox then the user will still be protected once it's integrated into CIS and they make DACS scan all unknown files. so it's a very valid layer of protection as well as blacklist verdicts from other DNS services being added to comodo's DNS. yes DACS and DNS services are 2 very different things but to tell me that having comodo DNS submit urls to volunteers computers running different DNS services, getting the verdicts and sending them back to the users of comodo DNS if a site has been detected as malicious all in the background with no user interaction is impossible would be a lie. that can be done and that's the point. not that the implementation is hard, not that it may or may not be worth comodo's time and resources and certainly not whether i'm knowledgeable of Valk, DACS, CIMA, DNS and whatever else you feel i have no knowledge of

[wasgij6]

just a suggestion but shouldnt exploits be considered high risk?
right now it looks like they are medium risk
http://siteinspector.comodo.com/public/reports/108899

[vadim]

just a suggestion but shouldnt exploits be considered high risk?
right now it looks like they are medium risk
http://siteinspector.comodo.com/public/reports/108899

During this scan SI didn't get web-content, because of redirect loop. So, it can't say what this URL is a "High Risk".

But this URL are in the black list, so it's probably was unsafe in the recent past and can be unsafe again in a future. In such cases SI sets a "Medium Risk" status.

Currently, SI sets  a "High Risk" only in the cases of malicious activity found or direct links to malware files.

[Tags:]