Poll regarding the whitelist..

[Guest]

[commanding the celsius]

I just stumbled across this topic. And I see a request to include a "Remote Support Software" called UltraVNC in the white-list.. A program that can be used to Remote control an other computer, much like a trojan, but more "legit" (eg not hiding it self or its installation progress..)..

Despite this Iam thinking should remote control software really be white-listed??  After all as much as they can be used for good, they can be used for bad.. And people who need to use these sorts of programs for "good" is usually not the average computer noob that can't read a popup anyway.. I personally believe such software should present pop-ups..

Here is UltraVLC's own description of its latest version:

UltraVNC is a powerful, easy to use and free software that can display the screen of another computer (via internet or network) on your own screen. The program allows you to use your mouse and keyboard to control the other PC remotely. It means that you can work on a remote computer, as if you were sitting in front of it, right from your current location. If you provide computer support, you can quickly access your customer's computers from anywhere in the world and resolve helpdesk issues remotely! With addons like SingleClick your customers don't even have to pre-install software or execute complex procedures to get remote helpdesk support.

Anyway, perhaps Iam exaggerating.. What do you think, Include or don't include legit remote help software's in the white-list?   

[JoWa]

UltraVNC_1.0.8.2_Setup.exe is a safe application… (but UltraVNC_1.0.8.2_Setup.tmp could not be recognized) It is also signed (by uvnc bvba)…

[eXPerience]

Hi, you still need to send your username and passport to the other person, so normally you should be fine.

best regards,
eXp

[HeffeD]

The problem here is that you are starting to get on a bit of a slippery slope with a product like this. The application itself may be safe, but the processes are just too similar to trojan-like behavior. My stance is that if a user considers this application safe on their computer, then they can put it in their safe files.

I happen to have some macro recording software on my system for program automation that is viewed as suspicious by Comodo, which I don't have a problem with because it's essentially a keylogger.

It all boils down to, how good is the software at determining what is good versus bad behavior? The processes look exactly the same to the computer.

Flag it as suspicious because indeed its behavior is suspicious, and then let the user decide if they want it to run on their system.

[commanding the celsius]

The problem here is that you are starting to get on a bit of a slippery slope with a product like this. The application itself may be safe, but the processes are just too similar to trojan-like behavior. My stance is that if a user considers this application safe on their computer, then they can put it in their safe files.

I happen to have some macro recording software on my system for program automation that is viewed as suspicious by Comodo, which I don't have a problem with because it's essentially a keylogger.

It all boils down to, how good is the software at determining what is good versus bad behavior? The processes look exactly the same to the computer.

Flag it as suspicious because indeed its behavior is suspicious, and then let the user decide if they want it to run on their system.

Iam with HeffeD on this one. And I don't believe anyone really will feel a major loss regarding usability just because some remote tools are none white-listed..

"Normal" users (and these are the once who struggle most with the pop-ups) don't play around with these tools, and those who do (hopefully) knows enough to see why the file isn't presented as safe..

I personally dislike the stance that SAS (and some others) has on commercial key-loggers and such:

We (SUPERAntiSpyware) specifically don't detect the commercial keyloggers as they are used by many companies, etc. for legitimate purposes. We may add them in the future as "warning/notification" rules/definitions.

source: http://www.wilderssecurity.com/showpost.php?p=1033239&postcount=11

I believe its in the users best interest to not have these sort of files white-listed. After all, remote control is among the things we want CIS to protect us from...

[SS26]

Voted "Abolutely".  Because i don't find practical scenario where untrusted status of remote support app gives extra gain (more protection) over trusted status.

Here is mine scenario (example):

Supposing there is a whitelisted remote support app on victim's computer.  Supposing this app will be granted all necessary permissions (as it is whitelisted) to establish unwanted remote session once it is launched. 
So attacker should somehow launch remote support app on victim's host (!).  This is only possible if there is a special malware executable on victim's host (!) which is coded to launch that support app.  Malware executable would be stopped by Def+. 
As you can see in this case it does not matter whether remote support app has trusted status or untrusted.


I can think of more scenarios when trusted VS untrusted does not make difference but these (scenarios) are too integrated.

PS 1.  I use remote support app which digital signature i added to trusted vendors.

PS 2.  It was already mentioned that one thing makes our discussion useless:

you still need to send your username and passport to the other person

As for me, i prefer "no incoming connections allowed" option of remote support app

[The Joker]

I'm with SS26!

One thing is tell the user that program X is safe, other is allow this safe program X to run. In earlier times Defense+ acts like that.

[Tags:]