Moderator note:
EDIT by Mod: Changed topic title to not be a joke. Members can change their own topic titles themselves by editing the subject field of their first post.
Please remember to keep this topic polite and avoid personal attacks.
Please submit suggestions to Comodo Firewall Wishlist V6.
Topic: Defense+ file integrity detection (Read 7290 times)
deleiro (Newbie, Posts: 16), Reply #30 on July 14, 2008, 07:38:38 AM:
Quote from: Kyle on July 14, 2008, 07:25:14 AM
I still don't understand what the problem is. You can modify a program because "explorer.exe" usually has those permissions, but for malware to modify a trusted program, you have to allow "Malware.exe" to modify "Notepad.exe".
In "install mode" it is possible, I think.
Vettetech (Guest), Reply #31 on July 14, 2008, 08:09:32 AM:
No. Install mode is for installing things. Have you ever used install mode? If I am installing something, the first thing I do is put D+ into install mode by clicking on "switch to install mode" via the main GUI. Then I go back into Comodo and click "switch to previous mode". Then I launch the program I just installed and, as all of us know what happens... you get a D+ alert about Explorer.exe trying to allow program ".
Vettetech (Guest), Reply #32 on July 14, 2008, 08:28:35 AM:
Instead of questioning Comodo's D+ and calling it a joke, why don't you look hard at yourself? If you're installing something and you have no idea what it is, then you deserve to be infected.
egemen (Administrator, Comodo's Hero, Posts: 2189), Reply #33 on July 14, 2008, 08:50:58 AM:
Quote from: gpnx on July 13, 2008, 10:21:32 PM
Why are you still bringing up this "I allowed it"... In this case yes, I did modify it... but even if I did, a normal HIPS will catch that a file was modified, thus its integrity was compromised.
Because this is the root of the issue. You modifying it or a virus modifying it are 2 different and detectable things. Why bother the user with this again? Of course, if you don't want this, and if you believe you are a HIPS expert, you can delete the default policy of CFP and create your own. You will see it is going to ask you more than you want. You are trying to think the previous approaches, like keeping hashes for applications etc., are the smartest way. We were doing this in CPF 2.4 because we did not have full file system inspection. CFP 3.0 has "Stateful File Inspection". This means it knows everything modified in the system and acts accordingly.
It PREVENTS unauthorized modification instead of detecting it and letting you know. Stateful File Inspection is a very well thought out algorithm and more powerful than so-called signature checking software. There are many viruses in the wild which can change some files, and none of those so-called SHA1 hash checking software can detect them.
Quote
Let's see this scenario:
Some system component got hacked (there are incidents with this all the time; just check the MS security bulletins). Sooo, a hacker gains access and changes stuff.... HERE is where HIPS should help: notifying me that a piece of a previously trusted exe/file got modified.
Let's see this scenario:
I run an install program, I put it in "treat as install bla bla", it has all rights etc... so it does modify stuff that I don't know about. THERE I NEED HIPS to tell me what/if something gets modified that should not. And it's plain logic to not treat as the same an app which has changed...
Oh, in this case you should worry about more things than file modification. You are running a virus with maximum access rights (installer or not, if it is modifying something you don't want) and expecting HIPS to help you by listing the modified files. If your only aim is to get the list of modified files, set CFP to Clean PC mode, and CFP will again intelligently list you the files modified and NOT SAFE.
But you are already doomed in the first place. Plus, if you are technically qualified enough to differentiate between legitimate changes and illegitimate changes, why aren't you just letting CFP ask you each and every file modification request and approving/disapproving it, instead of checking the changes after the fact?
Windows Update updates your files almost every day. So every time a file is updated, the integrity of the system should be assumed broken? This is of course not the case. The keyword for you to search more is "Stateful File Inspection".
E
egemen (Administrator, Comodo's Hero, Posts: 2189), Reply #34 on July 14, 2008, 08:54:02 AM:
Quote from: Kyle on July 14, 2008, 07:25:14 AM
I still don't understand what the problem is. You can modify a program because "explorer.exe" usually has those permissions, but for malware to modify a trusted program, you have to allow "Malware.exe" to modify "Notepad.exe".
Yep. He needs to play more and understand the D+ operations deeply. He is assuming D+ is incapable rather than that it is smarter than his previous HIPS.
Vettetech (Guest), Reply #35 on July 14, 2008, 09:10:06 AM:
The only thing I can think of to relate to this is that a while back I tried Online Armor for a bit. A patch came out for one of my games (WoW) so I applied the patch. WoW was already a trusted program in Online Armor. After the patch was done I launched WoW. Online Armor gave me an alert that a trusted program had changed and asked if I wanted to allow this change, so I clicked allow. I did the same thing with Comodo and I was never alerted of the change.
3xist (Guest), Reply #36 on July 14, 2008, 09:19:06 AM:
Quote from: egemen on July 14, 2008, 08:50:58 AM (Reply #33, quoted in full; see above)
Very Good Egemen!
Google= Stateful File Inspection
gpnx (Comodo Member, Posts: 27), Reply #37 on July 14, 2008, 09:55:33 AM:
Quote from: 3xist on July 14, 2008, 09:19:06 AM
Very Good Egemen!
Google= Stateful File Inspection
1) There seem to be more talks of stateful PACKET inspection, not file. The only reference to stateful file inspection I found is at the Comodo forums.
http://forums.comodo.com/feedbackcommentsannouncementsnews/application_control_checksum_hash_control_and_gui_redesign_v3013268-t15702.0.html
Which actually brings up the same issue I brought up.
In that post someone mentions that if I have a FIREWALL policy, not just a defense policy, for my executable, I will get notified if it changes. I tried that and did not get notified.
Anyway, the point I am trying to make here, and it seems the developers don't agree with me for some reason, is that there are ways to get around that "stateful inspection" of yours, namely installations and hacked trusted apps. Both of these are very common, and the only thing I am asking for is: when an executable for which I have firewall/defense policies is modified, I should get notified.
egemen (Administrator, Comodo's Hero, Posts: 2189), Reply #38 on July 14, 2008, 10:32:55 AM:
Quote from: gpnx on July 14, 2008, 09:55:33 AM (Reply #37, quoted in full; see above)
There are no ways to get around it. You are just making legitimate changes and assuming you are getting around it. If you install the simple firewall and NOT Defense+, CFP will still prompt you before the change happens. CFP has patent pending algorithms, so it is OK that you are surprised it works differently from other software. For example, Stateful File Inspection is a term only we use in house to describe CFP file modification logic.
If I were you, I would install CFP in a virtual machine, find some viruses and run them against it. After all, all viruses infect other executables and hence cause those so-called changes in the trusted applications. See the alerts, gain some confidence. This is the right direction.
gpnx (Comodo Member, Posts: 27), Reply #39 on July 14, 2008, 10:39:05 AM:
Quote from: 3xist on July 14, 2008, 09:58:47 AM
It would help the developers if you can provide us the installations/hacked trusted apps here?
Links? Info?
Josh
1) For the installation I mean any installation. For example, you download a piece of shareware to try. Then suddenly it has some hidden "features"... It changes, for example, some apps for which I already have rules. I just want to be notified about that. And I understand I RAN this install, but hey... I have to install stuff.
2) Just check what the latest Microsoft security patches are and you will get the idea of what I am talking about.
I just tried Clean PC mode again and I get notifications about changed exe's (in the pending files). Now, can we get these notifications in Safe/Paranoid mode, and can we also automatically mark the policies of these modified exe's as needing review or something?
Again, my point is: if an exe I have a policy for gets modified, I want this policy to require my review. Let's forget hash checksums etc... just this plain requirement. If there is a feature currently that I can enable to have this, I will be so happy.
egemen (Administrator, Comodo's Hero, Posts: 2189), Reply #40 on July 14, 2008, 11:27:18 AM:
Quote from: gpnx on July 14, 2008, 10:39:05 AM (Reply #39, quoted in full; see above)
No. There is no such feature in CFP. And you don't need it. You will have to review those changes before they happen. This means you will have to approve each and every change manually. You can do this easily. Just don't use the Installer or Updater feature, or don't trust the installer. Let CFP ask you the questions and answer them.
If you don't trust the installer you are running, why would you use the Installer or Updater policy?
E
gpnx (Comodo Member, Posts: 27), Reply #41 on July 14, 2008, 11:48:23 AM:
Quote from: egemen on July 14, 2008, 11:27:18 AM (Reply #40, quoted in full; see above)
I use the installer mode just because I don't have to click on all the change popups. I want to approve only the "important ones": changes to files for which I have defined policies.
Anyway, I want to close this discussion with the following feature suggestions:
1) Before a policy is applied to an executable, make sure that it's the original executable (or an approved modified one) for which the policy was created, or at least notify the user.
2) In install mode, at the end of the install (or when switching back from install mode), show some summary of what was changed.
3) Make the files for review available in Safe/Paranoid mode, not just Clean PC.
Thanks
Last Edit: July 14, 2008, 11:49:56 AM by gpnx
egemen (Administrator, Comodo's Hero, Posts: 2189), Reply #42 on July 14, 2008, 12:07:17 PM:
Quote from: gpnx on July 14, 2008, 11:48:23 AM
I use the installer mode just because I don't have to click on all the change popups. I want to approve only the "important ones": changes to files for which I have defined policies.
An excellent request. To do so, all you need to do is empty My Protected Files or remove "Executables" from My Protected Files. In this case CFP, although My Protected Files is empty, will ask only for the files for which you defined a policy. You can fine-tune My Protected Files for this purpose.
By default, all the applications you defined a policy for are protected. This is valid for the firewall applications too.
deleiro (Newbie, Posts: 16), Reply #43 on July 14, 2008, 12:19:20 PM:
Quote from: egemen on July 14, 2008, 12:07:17 PM
By default, all the applications you defined a policy for are protected. This is valid for the firewall applications too.
Now we found the key to the hidden room.
Thanks for that clarification, it's a key point. That way programs could be installed easily without "install mode", making sure that apps with privileged rules and access will remain intact.
gpnx (Comodo Member, Posts: 27), Reply #44 on July 14, 2008, 12:53:08 PM:
Quote from: egemen on July 14, 2008, 12:07:17 PM (Reply #42, quoted in full; see above)
Thanks, good suggestion; I guess this works for the installations case (removing the executables). Do I see the executables for which I defined policies in the protected files area? I still believe, though, that my suggestion (1) is needed. There will be cases when malware/a virus/a worm will break in via some system process buffer overrun or w/e and can modify exe's for which I have defined rules w/o notification.
Last Edit: July 14, 2008, 12:55:52 PM by gpnx
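The two mechanisms argued over in this thread, mediating writes to a protected executable before they happen (egemen, Replies #33 and #42) versus binding an application's policy to the executable's hash so that a changed binary does not inherit the old rules (gpnx's suggestion 1 in Reply #41), side by side as an added example. This is illustrative Python written for this page, not Comodo/CFP code: the PolicyEngine class, the ask_user callback standing in for the D+ alert, the installer_mode flag, the log format and the sample file contents are all assumptions of the example.

```python
"""Added example (not Comodo/CFP code): two ways to protect an executable that
has a firewall/Defense+ policy.

  1. Gate writes BEFORE they happen: a write to a protected executable is refused
     unless the engine is in installer mode or the user approves the alert.
  2. Bind the policy to a digest: the policy records the SHA-256 of the binary when
     it was defined and is only applied while the binary still matches; a changed
     binary gets no rules and is flagged for review until the user approves it.

PolicyEngine, ask_user, installer_mode and all file names are this example's own.
"""
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass


def sha256_file(path):
    """Digest the file in chunks so large executables need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


@dataclass
class Policy:
    rules: str            # e.g. the firewall rules granted to this exe
    digest: str           # SHA-256 of the exe at the time the policy was defined
    needs_review: bool = False


class PolicyEngine:
    def __init__(self, ask_user):
        self.policies = {}        # exe path -> Policy
        self.protected = set()    # stands in for "My Protected Files"
        self.installer_mode = False
        self.ask_user = ask_user  # callback(actor, target) -> bool, stands in for the D+ alert
        self.log = []

    def define_policy(self, path, rules):
        self.policies[path] = Policy(rules, sha256_file(path))
        self.protected.add(path)  # every exe with a policy is protected by default

    def request_write(self, actor, target, data):
        """Mediate the write before it happens (prevention, not after-the-fact detection)."""
        if target in self.protected and not self.installer_mode:
            if not self.ask_user(actor, target):
                self.log.append(f"BLOCKED {actor}")
                return False
        with open(target, "wb") as f:
            f.write(data)
        self.log.append(f"ALLOWED {actor}")
        return True

    def resolve_policy(self, path):
        """Return the rules for an exe only if it still matches the recorded digest."""
        pol = self.policies.get(path)
        if pol is None:
            return None
        if sha256_file(path) != pol.digest:
            pol.needs_review = True   # changed binary: do not inherit the old rules
            return None
        return pol.rules

    def approve_change(self, path):
        """User reviewed the modified exe: rebind its policy to the new digest."""
        pol = self.policies[path]
        pol.digest = sha256_file(path)
        pol.needs_review = False


def demo():
    """Walk through the thread's scenarios on a constructed fake 'notepad.exe'."""
    workdir = tempfile.mkdtemp()
    try:
        notepad = os.path.join(workdir, "notepad.exe")
        with open(notepad, "wb") as f:
            f.write(b"MZ constructed sample: original notepad")
        # Constructed user decisions: explorer.exe is allowed, anything else denied.
        decisions = {"explorer.exe": True}
        eng = PolicyEngine(ask_user=lambda actor, target: decisions.get(actor, False))
        eng.define_policy(notepad, "allow outbound tcp 80,443")

        out = {}
        # Malware patches a protected exe outside installer mode: blocked at the alert.
        out["malware_write_allowed"] = eng.request_write("malware.exe", notepad, b"MZ patched")
        out["policy_before"] = eng.resolve_policy(notepad)
        # Installer mode: the write goes through with no alert (gpnx's complaint).
        eng.installer_mode = True
        out["installer_write_allowed"] = eng.request_write("setup.exe", notepad, b"MZ patched by installer")
        eng.installer_mode = False
        # Digest binding catches it anyway: no rules for the changed binary, flagged for review.
        out["policy_after_change"] = eng.resolve_policy(notepad)
        out["flagged"] = eng.policies[notepad].needs_review
        eng.approve_change(notepad)
        out["policy_after_approval"] = eng.resolve_policy(notepad)
        out["log"] = eng.log
        return out
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The gate in request_write is the "prevent before it happens" model: nothing about the file is consulted, only who is writing and whether the user (or installer mode) authorised it, which is why a trusted installer can change a protected exe silently. The digest check in resolve_policy is the complementary "verify before applying the policy" model from suggestion 1: it costs a hash per lookup and a re-approval after every legitimate update, but it is the only one of the two that notices a change made while the gate was open.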