Topic: How can DiskShield be integrated into CFP v3 to offer what functionality?

Melih
« on: June 07, 2008, 10:28:37 PM »

Hi guys

Here is an interesting topic. We want to integrate DiskShield into CFP (of course you can continue enjoying it as a stand alone too, but we will offer its functionality as an option for people who want it).

Now, here is the question: What features do you like to see by utilising DiskShield in CFP? Please give us some really creative ways in which we can use DiskShield in CFP..

thanks

Melih

tormod
« Reply #1 on: June 07, 2008, 10:57:47 PM »

You could set up rules for applications that would make everything run virtualized unless specifically allowed actual disk access, including giving that option when CFP pops up an alert saying such-and-such a program is attempting to create a directory, alter a file, etc. Actually this sounds more like a sandbox integration than an all-or-nothing access like DiskShield seems to provide, but this seems more logical to integrate into the firewall, at least to me.

Info-Sec
« Reply #2 on: June 08, 2008, 12:06:01 AM »

I agree with tor, this can be used to counter OA's 'defanged mode' except this will be COMODO's hardcore security mode. A certain process may be able to load into a virtualized piece of memory, and all files written from that program are also virtualized (however existing files being read aren't virtualized), and you may be able to rollback the changes.

Example: I knowingly download a virus, I run it in our virtual state, then the virus downloads 200 files. I roll back, poof, virus and 200 files are gone.

Also I think that CFP can move files being examined by D+ into a temporary virtualized state. For example, a new file is detected. D+ intercepts that file, loads it onto a virtualized space, D+ alerts user; if user allows, the file is committed to disk unless user wants the file to run in a virtualized space; if user denies, that virtual space is deleted, along with the file. Of course that can cause some inconveniences but this is just an idea board so.

Why not? ;)

*Vista *CFP V3 *Avira * Avast *Spyware Doctor
*XP *Zone Alarm PRO *NOD32 V2.7 *Spysweeper

Star Shadow
« Reply #3 on: June 08, 2008, 12:22:50 AM »

I agree with the above that certain programs can be told to run in the virtualized state.

I also see something like this as a possibility:
User runs an installer and the alert box pops up. Currently right now a user can allow with options or deny. However, with CDS integrated, there is a new option: Test in Virtual System. When this is done, the program is run in a CDS environment. All of the executables it installs are also run in the CDS environment, but other preinstalled stuff is not, unless it is modified by the installer. After this, the user can look at the log of all files that were created, modified, or deleted and also all reg keys added/modified. The user can see if the program modified existing dlls/executables and judge if the software is malicious. Next, the built-in malware/virus scanners (or third party scanners) can scan that environment for anything malicious. Sometimes installers seem innocent to av/malware scanners until they are run, then the virus/malware is detected in the modified files. This will give a clear picture as to what exactly is going on.

Does this all make sense? I tend to not be clear sometimes. :P

I'm getting Married!!!

Info-Sec
« Reply #4 on: June 08, 2008, 12:47:14 AM »

Quote from: Star Shadow
> I agree with the above that certain programs can be told to run in the virtualized state.
>
> I also see something like this as a possibility:
> User runs an installer and the alert box pops up. Currently right now a user can allow with options or deny. However, with CDS integrated, there is a new option: Test in Virtual System. When this is done, the program is run in a CDS environment. All of the executables it installs are also run in the CDS environment, but other preinstalled stuff is not, unless it is modified by the installer. After this, the user can look at the log of all files that were created, modified, or deleted and also all reg keys added/modified. The user can see if the program modified existing dlls/executables and judge if the software is malicious. Next, the built-in malware/virus scanners (or third party scanners) can scan that environment for anything malicious. Sometimes installers seem innocent to av/malware scanners until they are run, then the virus/malware is detected in the modified files. This will give a clear picture as to what exactly is going on.
>
> Does this all make sense? I tend to not be clear sometimes. :P

Yes. I see what you're saying. It's somewhat of a resident debugger/unpacker. It's a larger version of some of the techniques used by antiviruses, except this one is much more effective.

tormod
« Reply #5 on: June 08, 2008, 12:49:18 AM »

Quote from: Star Shadow
> I agree with the above that certain programs can be told to run in the virtualized state.
>
> I also see something like this as a possibility:
> User runs an installer and the alert box pops up. Currently right now a user can allow with options or deny. However, with CDS integrated, there is a new option: Test in Virtual System. When this is done, the program is run in a CDS environment. All of the executables it installs are also run in the CDS environment, but other preinstalled stuff is not, unless it is modified by the installer. After this, the user can look at the log of all files that were created, modified, or deleted and also all reg keys added/modified. The user can see if the program modified existing dlls/executables and judge if the software is malicious. Next, the built-in malware/virus scanners (or third party scanners) can scan that environment for anything malicious. Sometimes installers seem innocent to av/malware scanners until they are run, then the virus/malware is detected in the modified files. This will give a clear picture as to what exactly is going on.
>
> Does this all make sense? I tend to not be clear sometimes. :P

Excellent idea IMHO

Melih
« Reply #6 on: June 08, 2008, 08:54:43 AM »

These are excellent ideas for our upcoming Sandboxing built into CFP.
The file specific virtualisation is the job of a Sandbox. CDS is slightly different cos it's the whole HD virtualisation.

However, one idea from the above examples you have given would be CFP gives you an alert and you have an option to put your whole HD into a virtualisation mode to test things out. Of course you need a re-boot to come out of this mode and poof goes everything you have done since you put the whole HD into virtualisation after that alert. (Quite neat really)

Pls keep them coming.

thanks
Melih

3xist
Guest
« Reply #7 on: June 08, 2008, 09:16:30 AM »

Quote from: Melih
> These are excellent ideas for our upcoming Sandboxing built into CFP.
> The file specific virtualisation is the job of a Sandbox. CDS is slightly different cos it's the whole HD virtualisation.
>
> However, one idea from the above examples you have given would be CFP gives you an alert and you have an option to put your whole HD into a virtualisation mode to test things out. Of course you need a re-boot to come out of this mode and poof goes everything you have done since you put the whole HD into virtualisation after that alert. (Quite neat really)
>
> Pls keep them coming.
>
> thanks
> Melih

This sounds extremely powerful.

The power of CFP 3+Sandbox+DiskShield sounds very very promising.

yk1234
« Reply #8 on: June 09, 2008, 01:30:46 AM »

It's really a great idea that DiskShield be integrated into CFP v3 as "hardcore security mode". However, I think both Sandbox and DiskShield should be optional during installation because not everyone needs them and not everyone is able to use them. Maybe for some people, a great firewall with HIPS is enough.

I have mastered the elements a thousand times in a thousand lifetimes.

panic
« Reply #9 on: June 09, 2008, 02:45:21 AM »

I might be on my lonesome here, but I don't think DiskShield lends anything to a firewall in terms of functionality.

A firewall and a sandbox are, to my mind, transactional in nature, where data packets and applications come and go and are dealt with as and when they appear. DiskShield, being system wide, affects all things, and this may not be desired.

Ewen :-)

As your mums would say, "If you can't play nice with all the other kiddies, go home".
All users are asked to please read and abide by the  Comodo Forum Policy.
If you don't like it, don't use the forum.

Star Shadow
« Reply #10 on: June 09, 2008, 02:58:48 AM »

Quote from: Melih
> However, one idea from the above examples you have given would be CFP gives you an alert and you have an option to put your whole HD into a virtualisation mode to test things out. Of course you need a re-boot to come out of this mode and poof goes everything you have done since you put the whole HD into virtualisation after that alert. (Quite neat really)

Excellent! We still need the logs of all files modified for easy checking. :)

Hmm ... just a general switch in CFP that turns on CDS without a pop up. Also, right-click integration with Sandbox would be cool: right-click on a program and run it in a sandbox, the one integrated in CFP. :)

3xist
Guest
« Reply #11 on: June 09, 2008, 04:20:58 AM »

I agree with panic.

If Sandbox AND DiskShield are to be integrated into CFP 3, they should be optional during installation with a brief description (exactly like Defense+ & Firewall & SafeSurf currently are during installation).

Try to make things as optional as possible & standalone, I know you will, Melih :)

Josh

LeoniAquila
« Reply #12 on: June 09, 2008, 04:44:16 AM »

How can DiskShield be integrated in CFP?

I agree with Ewen and Josh. I can see future complaints of CFP getting bloated if more things get integrated, like DiskShield. It's a great idea for a comprehensive security product, a suite, but a firewall is still a firewall...

Quote from: 3xist
> Try to make things as optional as possible & standalone, I know you will, Melih :)

+1 :)

LA

Moderator LeoniAquila:
Aims to keep the forum a friendly place. Any concerns? Please send me a PM and/or review the Forum Policy.

Graham1
« Reply #13 on: June 09, 2008, 07:08:53 AM »

Quote from: LeoniAquila
> I agree with Ewen and Josh. I can see future complaints of CFP getting bloated if more things get integrated, like DiskShield. It's a great idea for a comprehensive security product, a suite, but a firewall is still a firewall...

I would not like to see DiskShield integrated into CFP3. I would prefer DiskShield as a standalone product. Personally, I prefer the firewall to just handle communication in and out of the computer with Defense+ (HIPS) being handled by a separate HIPS application.

:)
« Last Edit: June 09, 2008, 07:10:56 AM by Graham1 »

DaRtH VaDeR.
« Reply #14 on: June 09, 2008, 08:12:37 AM »

Good day!

This could sound weird to some people, but I write it anyways:

The firewall is smart now, but it can be smarter. The improved firewall should come with more artificial intelligence and should use it in this kind of manner in combination with COMODO SANDBOX:

* The firewall should detect if someone is making a wrong decision (read: wrong choices about allowing some dangerous activity); the firewall should automatically activate the sandbox feature for you so there is no effect of the bad decision.

* The firewall should virtualize browser sessions for you. If you open your browser, CFP should ask you if you want to virtualize the browser session. And if you want the virtualized session to end, you can simply turn off the feature.

Okay, have a nice day!!

 Viva Comodo Thinking


DaRtH VaDeR says: "The path of success and progress is not to be reached by the things you have done, but by the things you will do, so think before you act, the voice of your history will confirm this fact.."

DaRtH VaDeR says: "Your system is as secure as the weakest link in your entire security"