Moderator note (posted as a poll):
EDIT by Mod: Changed Topic title to not be a joke
Members can change their own topic titles themselves by editing the subject field of their first post.
Please remember to keep this topic polite and avoid personal attacks.
Please submit suggestions to Comodo Firewall Wishlist V6.

Author Topic: Defense+ file integrity detection  (Read 3199 times)
gpnx, Comodo Member (Posts: 27)
« on: July 13, 2008, 04:41:04 PM »

I had really high hopes of replacing the Tiny Firewall Pro I am using with Comodo (because of switching to Vista), but I guess Comodo is not there yet.

What is a HIPS for if it does not do an INTEGRITY check on the executables against the original that the policy was applied to? You put some policy on an executable and then modify this executable, and Comodo still thinks it's the old executable and applies the same policy without even a warning... and that's how most malware comes to your PC: via some trusted system component that got hacked.

I really don't get why you guys don't have that yet, and it seems like some of you don't think it's necessary...
All the serious HIPS have integrity checks...
Vettetech, Computer Security Testing Group, Comodo's Hero (Posts: 4631)
« Reply #1 on: July 13, 2008, 04:47:09 PM »

[smilies only: Comodo Rocks, Saved My Life, Viva Comodo, Comodo Needs You, Comodo Wants You, 110 Percent, Jiggy, Love Comodo, Marry Comodo, Loves You]
Vettetech, Computer Security Testing Group, Comodo's Hero (Posts: 4631)
« Reply #2 on: July 13, 2008, 04:54:45 PM »

Well, that's odd, because I can prove you wrong. I just downloaded the GRC leak test and ran it, and it passed. Then I deleted the entries for the leak test in the firewall and D+. Then I renamed the leak test as GRC says to. I renamed it Firefox.exe, which is an already trusted program, and guess what: D+ gave me an alert. Works fine for me.
gpnx, Comodo Member (Posts: 27)
« Reply #3 on: July 13, 2008, 06:02:03 PM »

Here is what I did:
Put a notepad.exe in some folder. Run it. Allow all the activity (it's Notepad...). Downloaded some of the leaktests (the one which changes the desktop, breakout2.exe). Replaced the notepad.exe in that folder with it... it ran using Notepad's security (meaning it changed my desktop etc.).

Now, maybe in your case firefox.exe is in "My Protected Files"?

I tried putting that notepad.exe in "My Safe Files", but there is still no integrity check for them either... what a joke again.

Don't get me wrong, I like Comodo (at least the interface), but this no-integrity-check version is unacceptable.

I really, really would suggest the developers take a look at Tiny Firewall Pro 6.5.xxxx. I think that's the best firewall/HIPS. I really, really regretted that CA bought them and shelved Tiny; it seems like that, because their firewall is completely different.

I will be interested in which files/group you put your Firefox. But anyway, the fact is there is no integrity check. You may protect your files with some non-modifying policy, but I can do that with NTFS too. Why do I need the Comodo HIPS then?
« Last Edit: July 13, 2008, 06:03:59 PM by gpnx »
Vettetech
Computer Security Testing Group
Comodo's Hero
*****
Offline Offline

Posts: 4631



« Reply #4 on: July 13, 2008, 06:27:48 PM »

I do not use protected files. Everything is at default values from install, except I use D+ in Safe Mode. Which option are you using D+ in, I might ask? Do you know what all the different levels of D+ mean?

Paranoid Mode: This is the highest security level setting and means that Defense+ will monitor and control all executable files apart from those that you have deemed safe. The firewall will not attempt to learn the behavior of any applications, even those applications on the Comodo safe list, and will only use your configuration settings to filter critical system activity. Similarly, the firewall will not automatically create 'Allow' rules for any executables, although you still have the option to treat an application as 'Trusted' at the Defense+ alert. Choosing this option will generate the most Defense+ alerts and is recommended for advanced users that require complete awareness of activity on their system.

Safe Mode: While monitoring critical system activity, the firewall will automatically learn the activity of executables and applications certified as 'Safe' by Comodo. It will also automatically create 'Allow' rules for these activities. For non-certified, unknown applications, you will receive an alert whenever that application attempts to run. Should you choose, you can add that new application to the safe list by choosing 'Treat this application as a Trusted Application' at the alert. This will instruct the firewall not to generate an alert the next time it runs. If your machine is not new or known to be free of malware and other threats as in 'Clean PC Mode', then 'Safe Mode' is the recommended setting for most users, combining the highest levels of security with an easy-to-manage number of Defense+ alerts.

Clean PC Mode: From the time you set the slider to 'Clean PC Mode', Defense+ will learn the activities of the applications currently installed on the computer while all new executables introduced to the system are monitored and controlled. This patent-pending mode of operation is the recommended option on a new computer or one that the user knows to be clean of malware and other threats. From this point onwards Defense+ will alert the user whenever a new, unrecognized application is being installed. In this mode, the files in 'My Pending Files' are excluded from being considered as clean and are monitored and controlled.

Installation Mode: Installer applications and updaters may need to execute other processes in order to run effectively. These are called 'Child Processes'. In 'Paranoid', 'Safe' and 'Clean PC' modes, Defense+ would raise an alert every time these child processes attempted to execute because they have no access rights. Whilst in one of these 3 modes, Comodo Firewall Pro will make it easy to install new applications that you trust by offering you the opportunity to temporarily engage 'Installation Mode', which will temporarily bestow these child processes with the same access rights as the parent process, so allowing the installation to proceed without the usual alerts.
Vettetech, Computer Security Testing Group, Comodo's Hero (Posts: 4631)
« Reply #5 on: July 13, 2008, 06:32:09 PM »

Tiny Firewall isn't even listed in Matousec. Not even at the bottom, so how good can it be?
gpnx, Comodo Member (Posts: 27)
« Reply #6 on: July 13, 2008, 07:04:12 PM »

1) Tiny is not listed because CA bought them 1-2 years ago.
2) I use even Paranoid Mode. Same result. Just do what I did and you will see.

If you search the forums here, there are more posts/complaints/feedback about this missing feature. It's not just me, and I am not trying to bash Comodo... I want them to implement this so I can use it.
Some of the Comodo developers/moderators are trying to explain that I don't need this (haha, joke) because Comodo does some more file protection, or whatever their explanation is. It's a joke explanation, because the user doesn't always know what happens on the system. For example, you run an install of a product and you don't know what it modifies; what if it's malware and modifies a setting for which you have rules? Here the integrity check will help: next time you try to run a modified program, you will get information.
Vettetech, Computer Security Testing Group, Comodo's Hero (Posts: 4631)
« Reply #7 on: July 13, 2008, 07:12:54 PM »

Well, it seems to me like you're bashing. BTW, I never download and install anything I do not know. I also scan everything before opening it. If I doubt the program I am installing, then I sandbox it.
Kyle, Computer Security Testing Group, Comodo's Hero (Posts: 1018)
« Reply #8 on: July 13, 2008, 08:19:10 PM »

I ran the SSS utility to test your theory. I treated it as a Trusted application, so everything it does will be allowed. I then renamed the SSS utility to ZZZ; I tried to create a registry entry with ZZZ and D+ popped up.

Current Goals;
* Run 10kms without taking a break, 7kms so far.
* 100 push ups, 50 so far.
* Do my bit for the world by joining the army.
* Learn C++ as a long term goal, Currently learning.
gpnx, Comodo Member (Posts: 27)
« Reply #9 on: July 13, 2008, 08:31:57 PM »

Vettetech:
1) Again, if you consider constructive critique bashing, that is your problem.
2) If you do all these things (sandbox, etc.), then why do you need a HIPS at all? And the usual user doesn't bother with these things...

Kyle:
Do what I did and let's see... What is the dialog box that popped up? I am testing Comodo 3.0.25.378 x64 on Vista. Maybe there is a bug with it; I would be happy if that's the case. Maybe I am not doing something right; I would be even happier if that's the case.
egemen, Administrator, Comodo's Hero (Posts: 1737)
« Reply #10 on: July 13, 2008, 09:12:29 PM »

Quote from: gpnx
Here is what I did:
Put a notepad.exe in some folder. Run it. Allow all the activity (it's Notepad...). Downloaded some of the leaktests (the one which changes the desktop, breakout2.exe). Replaced the notepad.exe in that folder with it...

At this point, you are skipping something:

You manually replacing a file and a virus replacing/infecting a file are two different things, and the D+ default policy is aware of this fact. So unless you don't use explorer.exe, D+ will NOT allow any file replacement without authorization. What makes you think that a virus can infect a file without being caught by D+?

To better understand, please search this forum first. I have explained this before.

D+ is a sophisticated piece of security software, and you changing something manually will be known by D+ as a non-malicious act, and because of its intelligence manual modifications like what you did will be allowed without disturbing you. Try to do that the way malware would and see how D+ will pounce on it! Please give us "some" credit! We have innovated new ways of checking for integrity which are more efficient and don't disturb the user as often!

« Last Edit: July 13, 2008, 09:19:01 PM by Melih »
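The two mechanisms argued over in this thread, gpnx's request (bind the rule to a hash of the executable taken when it was trusted, Reply #3) and egemen's answer (watch the act of writing to a trusted executable and treat explorer.exe as the user's own hand, Reply #10), replayed side by side in Python. This is an added illustration, not code from the thread or from Comodo: the "binaries" are constructed byte strings, process identity is just a name passed in, and the assumption that explorer.exe is the only writer treated as a manual act is mine, standing in for whatever the D+ default policy actually does.

```python
import hashlib
import os
import tempfile

# Constructed stand-ins for notepad.exe and breakout2.exe. Real PE files are
# not needed: the checks below only look at bytes and at who wrote them.
NOTEPAD_BYTES = b"MZ notepad (constructed stand-in)"
BREAKOUT_BYTES = b"MZ breakout2 (constructed stand-in)"


def sha256_file(path):
    """SHA-256 of a file, streamed so large executables do not load whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class PathPolicy:
    """Rule keyed on the path alone: the behaviour gpnx reports."""
    def __init__(self):
        self.trusted = set()

    def trust(self, path):
        self.trusted.add(os.path.normcase(path))

    def check(self, path):
        return "allow" if os.path.normcase(path) in self.trusted else "prompt"


class HashBoundPolicy:
    """Rule keyed on (path, hash at trust time): the integrity check gpnx wants."""
    def __init__(self):
        self.trusted = {}

    def trust(self, path):
        self.trusted[os.path.normcase(path)] = sha256_file(path)

    def check(self, path):
        key = os.path.normcase(path)
        if key not in self.trusted:
            return "prompt"
        if sha256_file(path) != self.trusted[key]:
            return "prompt:modified"  # contents changed since the rule was made
        return "allow"


class WriteMonitor:
    """egemen's alternative: intercept writes to trusted executables and judge
    the writer. Writers in `manual` (assumed: explorer.exe) count as the
    user's own act and pass; anything else is blocked and logged."""
    def __init__(self, trusted_paths, manual=("explorer.exe",)):
        self.trusted = {os.path.normcase(p) for p in trusted_paths}
        self.manual = set(manual)
        self.alerts = []

    def on_write(self, writer, path, data):
        key = os.path.normcase(path)
        if key in self.trusted and writer not in self.manual:
            self.alerts.append((writer, key))
            return "block"
        with open(path, "wb") as f:
            f.write(data)
        return "allow"


def run_scenario(writer):
    """Replay gpnx's test: trust notepad.exe, then have `writer` overwrite it
    with breakout2. Returns the verdict of each mechanism after the swap."""
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "notepad.exe")
        with open(exe, "wb") as f:
            f.write(NOTEPAD_BYTES)
        by_path, by_hash = PathPolicy(), HashBoundPolicy()
        by_path.trust(exe)
        by_hash.trust(exe)
        monitor = WriteMonitor([exe])
        write_verdict = monitor.on_write(writer, exe, BREAKOUT_BYTES)
        return {
            "write": write_verdict,            # what the write monitor did
            "path_policy": by_path.check(exe),  # next execution, path-only rule
            "hash_policy": by_hash.check(exe),  # next execution, hash-bound rule
        }


if __name__ == "__main__":
    print("user swaps via explorer.exe:", run_scenario("explorer.exe"))
    print("malware swaps the file     :", run_scenario("breakout2.exe"))
```

Running it shows the trade-off the thread circles: the hash-bound rule flags gpnx's manual swap ("prompt:modified") but sees nothing when the malicious write was blocked before it landed; the write monitor blocks the malicious write but lets the manual swap through, after which the path-only rule keeps trusting a file whose contents it never examined. Either mechanism alone has a blind spot the other covers.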
Vettetech, Computer Security Testing Group, Comodo's Hero (Posts: 4631)
« Reply #11 on: July 13, 2008, 09:16:30 PM »

Very true, egemen. A virus has to run first, and when it tries to run D+ will catch it. You are manually doing this, which a virus cannot do invisibly. I sandbox my browser when needed, not my whole PC. If you use Sandboxie you still need a HIPS, AV and firewall.
Melih, Administrator, Comodo's Hero (Posts: 5686)
« Reply #12 on: July 13, 2008, 09:20:05 PM »

Quote from: Vettetech
Very true, egemen. A virus has to run first, and when it tries to run D+ will catch it. You are manually doing this, which a virus cannot do invisibly. I sandbox my browser when needed, not my whole PC. If you use Sandboxie you still need a HIPS, AV and firewall.

You are right. Even if you run a sandbox you will still need to run security apps, as some malware can jump out of a sandbox right into your OS.

Melih
Vettetech, Computer Security Testing Group, Comodo's Hero (Posts: 4631)
« Reply #13 on: July 13, 2008, 09:34:06 PM »

Listen, gpnx. Anyone who makes a thread and calls it "D+ what a joke" is clearly bashing. Why didn't you go into the Comodo help area and ask why D+ fails this? That would have been a better thing to do.
gpnx, Comodo Member (Posts: 27)
« Reply #14 on: July 13, 2008, 10:14:54 PM »

Feel free to move this thread to whatever is the appropriate forum. I didn't consider "what a joke" bashing... but if it sounded like that, I am sorry. As you can see from the context of my messages, I am not bashing, just trying to help improve it.