Welcome to the Comodo Forum
Welcome,
Guest
. Please
login
or
register
.
October 07, 2008, 08:28:47 AM
1 Hour
1 Day
1 Week
1 Month
Forever
Login with username, password and session length
197814
Posts
22768
Topics
54720
Members
Latest Member:
Cache22
more news...
Search:
Advanced search
|
Tag Cloud
Welcome to the Comodo Forum
Desktop Security Products
Comodo Firewall
Feedback/Comments/Announcements/News
Defense+ file integrity detection
« previous
next »
Poll
Question:
EDIT by Mod: Changed Topic title to not be a joke
Members can change their own topic titles themselves editing the subject field of their 1st post.
0 (0%)
Please remember to keep this topic polite and avoid personal attacks.
0 (0%)
Please submit suggestions to
Comodo Firewall Wishlist V6
0 (0%)
Total Voters: 0
Pages:
1
2
[
3
]
4
5
Author
Topic: Defense+ file integrity detection (Read 3152 times)
deleiro
Newbie
Offline
Posts: 14
Re: Defense+ file integrity detection
«
Reply #30 on:
July 14, 2008, 07:38:38 AM »
Quote from: Kyle on July 14, 2008, 07:25:14 AM
I still Don't understand what the problem is, You can Modify a program because "explorer.exe" usually has those permissions, But for malware to modify a trusted program, you have to allow "Malware.exe" to modify "Notepad.exe"
In "install mode" is possible I think.
Logged
Vettetech
Computer Security Testing Group
Comodo's Hero
Offline
Posts: 4631
Re: Defense+ file integrity detection
«
Reply #31 on:
July 14, 2008, 08:09:32 AM »
No. Install mode is for installing things. Have you ever used install mode? If I am installing something the first thing I do is put D+ into install mode by click on "switch to install mode" via the main GUI.Then I go back into Comodo and click " switch to previous mode". Then I launch the program I just installed and as all of us know what happens....................You get a D+ alert about Explorer.exe trying to allow program ".
Logged
Vettetech
Computer Security Testing Group
Comodo's Hero
Offline
Posts: 4631
Re: Defense+ file integrity detection
«
Reply #32 on:
July 14, 2008, 08:28:35 AM »
Instead of questioning Comodo's D+ and calling it a joke why don't you look hard at yourself. If your installing something you have no idea what it is then you deserve to be infected.
Logged
egemen
Administrator
Comodo's Hero
Offline
Posts: 1734
Re: Defense+ file integrity detection
«
Reply #33 on:
July 14, 2008, 08:50:58 AM »
Quote from: gpnx on July 13, 2008, 10:21:32 PM
Why you still brining this "i alloweed it".... In this case yes, i did modify it..but even if i did, a normal HIPS will catch that a file was modified , thus his integrity was compromised.
Because this is the root of the issue. You modifying it or a virus modifying it are 2 different and detectable things. Why bother user with this again? Ofcourse if you dont want, and if you belive you are a HIPS expert, you can delete the default policy of CFP and create your own. You will see it is going to ask you more than you want. You are trying to think the previous approaches like keeping hashes for applications etc. is the smartest way. We were doing this in CPF 2.4 because we did not have a full file system inspection. CFP 3.0 has "Stateful File Inspection". This means it knows everything modified in the system and acts accordingly.
It PREVENTS unauthorized modification instead of detecting it and letting you know. Stateful File Inspection is a very well thought out algorithm and more powerful than so called signature cheking software. There are many viruses in the wild, which can change some files and none of those so called SHA1 hash checking software can detect.
Quote
Let see this scenario:
Some system component got hacked (there is incident with this all the time - just check the MS security bulletin). Sooo, a hacker gains access and changes stuff.... HERE is where HIPS should help - notifying me that a piece of a trusted before exe/file got modified.
Lets see this scenario:
I run install program, i put it "threat as isntall bla bal" it has all rights etc...so it does modify stuff that i don't know. THERE I NEED HIPS to tell me what/if something gets modified that should not. And, its a plan logic to not threat as same the app which has changed...
Oh in this case, you should worry about more things than file modification. You are running a virus with maximum acess rights (Installer or not, if it is modifying something you dont want.), and expecting HIPS to help you by listing the modified files. If your only aim is to get the list of modified files, set CFP to clean PC mode, and cfp will again intelligently list you the files modified and NOT SAFE.
But you are already doomed at first place. Plus if you are technically qualified enough to differentiate between legitimate changes and illegitimate changes, why arent you just let CFP to ask you each and every file modification requests and approve/disapprove it instead of checking the changes after the fact?
Windows update updates your files almost everyday. So everytime a file is updated, the integrity of the system should be assumed broken? This is ofcourse not a case. The keyword for you to searh more is "Stateful File Inspection".
E
Logged
egemen
Administrator
Comodo's Hero
Offline
Posts: 1734
Re: Defense+ file integrity detection
«
Reply #34 on:
July 14, 2008, 08:54:02 AM »
Quote from: Kyle on July 14, 2008, 07:25:14 AM
I still Don't understand what the problem is, You can Modify a program because "explorer.exe" usually has those permissions, But for malware to modify a trusted program, you have to allow "Malware.exe" to modify "Notepad.exe"
Yep. He needs to play more and understand the D+ operations deeply. HE is assuming D+ is incapable rather than it is smarter than his previous HIPS.
Logged
Vettetech
Computer Security Testing Group
Comodo's Hero
Offline
Posts: 4631
Re: Defense+ file integrity detection
«
Reply #35 on:
July 14, 2008, 09:10:06 AM »
The only thing I can think of to relate to this is awhile back I tried Online Armor for a bit. A patch came out for one of my games (WOW) so I applied the patch. WOW was already a trusted program in Online Armor. After the patch was done I launched WOW. Online Armor gave me an alert about a trusted program has changed and if I want to allow this change so I clicked allow. I did the same thing with Comodo and I was never alerted of the change.
Logged
3xist
Global Moderator
Comodo's Hero
Offline
Posts: 2581
Re: Defense+ file integrity detection
«
Reply #36 on:
July 14, 2008, 09:19:06 AM »
Quote from: egemen on July 14, 2008, 08:50:58 AM
Because this is the root of the issue. You modifying it or a virus modifying it are 2 different and detectable things. Why bother user with this again? Ofcourse if you dont want, and if you belive you are a HIPS expert, you can delete the default policy of CFP and create your own. You will see it is going to ask you more than you want. You are trying to think the previous approaches like keeping hashes for applications etc. is the smartest way. We were doing this in CPF 2.4 because we did not have a full file system inspection. CFP 3.0 has "Stateful File Inspection". This means it knows everything modified in the system and acts accordingly.
It PREVENTS unauthorized modification instead of detecting it and letting you know. Stateful File Inspection is a very well thought out algorithm and more powerful than so called signature cheking software. There are many viruses in the wild, which can change some files and none of those so called SHA1 hash checking software can detect.
Oh in this case, you should worry about more things than file modification. You are running a virus with maximum acess rights (Installer or not, if it is modifying something you dont want.), and expecting HIPS to help you by listing the modified files. If your only aim is to get the list of modified files, set CFP to clean PC mode, and cfp will again intelligently list you the files modified and NOT SAFE.
But you are already doomed at first place. Plus if you are technically qualified enough to differentiate between legitimate changes and illegitimate changes, why arent you just let CFP to ask you each and every file modification requests and approve/disapprove it instead of checking the changes after the fact?
Windows update updates your files almost everyday. So everytime a file is updated, the integrity of the system should be assumed broken? This is ofcourse not a case. The keyword for you to searh more is "Stateful File Inspection".
E
Very Good Egemen!
Google= Stateful File Inspection
Logged
||
***Please Read The Forum Policy Before Posting ANYTHING, Thanks!***
||
gpnx
Comodo Member
Offline
Posts: 27
Re: Defense+ file integrity detection
«
Reply #37 on:
July 14, 2008, 09:55:33 AM »
Quote from: 3xist on July 14, 2008, 09:19:06 AM
Very Good Egemen!
Google= Stateful File Inspection
1) There seems to be more talks for statefull PACKET inspection, not file. The only reference of stateful file inspection i found is at comodo formums.
http://forums.comodo.com/feedbackcommentsannouncementsnews/application_control_checksum_hash_control_and_gui_redesign_v3013268-t15702.0.html
Which actualy brings the same issue i brought.
In that post some one mentions that if i have a FIREWALL, not just defence policy for my executable, i will get notified if it changes. I tried that and did not get notified
Anyway, the point i am trying to make here and it seems the developers don't agree with me for some reason is that there are ways to get around that "state full inspectiosn" of yours - namely - installations and hacked trusted apps. Both of these are very common and the only thing i am asking for is - being notified when a executable for which i have firewall/defence policies is modified , i should get notified .
Logged
egemen
Administrator
Comodo's Hero
Offline
Posts: 1734
Re: Defense+ file integrity detection
«
Reply #38 on:
July 14, 2008, 10:32:55 AM »
Quote from: gpnx on July 14, 2008, 09:55:33 AM
1) There seems to be more talks for statefull PACKET inspection, not file. The only reference of stateful file inspection i found is at comodo formums.
http://forums.comodo.com/feedbackcommentsannouncementsnews/application_control_checksum_hash_control_and_gui_redesign_v3013268-t15702.0.html
Which actualy brings the same issue i brought.
In that post some one mentions that if i have a FIREWALL, not just defence policy for my executable, i will get notified if it changes. I tried that and did not get notified
Anyway, the point i am trying to make here and it seems the developers don't agree with me for some reason is that there are ways to get around that "state full inspectiosn" of yours - namely - installations and hacked trusted apps. Both of these are very common and the only thing i am asking for is - being notified when a executable for which i have firewall/defence policies is modified , i should get notified .
There are no ways to get around it. You are just making legitimate changes and assuming you are getting around it. If you install simple firewall and NOT defense+, CFP will still prompt you before the change happens. CFP has patent pending algortihms. So it is ok you are surprised it works differently from other software. For example Sateful File Inpection is a term only we use in the house to describe CFP file modification logic.
If I were you, I would install CFP into a virtual machine. Find some viruses. And run them against it. Afterall, all viruses infect other executables and hence cause those so called changes in the trusted applications. See the alerts, gain some confidence. This is the right direction.
Logged
gpnx
Comodo Member
Offline
Posts: 27
Re: Defense+ file integrity detection
«
Reply #39 on:
July 14, 2008, 10:39:05 AM »
Quote from: 3xist on July 14, 2008, 09:58:47 AM
It would help the developers if you can provide us the installations/hacked trusted apps here?
Links? Info?
Josh
1)For the installation i mean any installation. For example you download a piece of shareware to try. Then suddenly it has some hidden "features"... It changes for example some apps for wich i alredy have rules. I just want to be notified about that. And I understand I RAN this install, but hey..i have to install stuff.
2)Just check what is the latest Microsoft security patches and you will get the idea what i am talking about.
I just tried the again The clean pc mode and i get notifications about changed exe's (in the pending files). Now, can we get these notifications in Safe/Paranoid mode and can we also automaticaly mark the policies of these modified exe as needed for review or something?
Agian, my point is, if an exe i have policy for gets modified i want this policy to require my review. Lets forget for hash checksume etc... just this plain requirement. If there is a feature currently that i can enable to have this i will be so happy.
Logged
egemen
Administrator
Comodo's Hero
Offline
Posts: 1734
Re: Defense+ file integrity detection
«
Reply #40 on:
July 14, 2008, 11:27:18 AM »
Quote from: gpnx on July 14, 2008, 10:39:05 AM
1)For the installation i mean any installation. For example you download a piece of shareware to try. Then suddenly it has some hidden "features"... It changes for example some apps for wich i alredy have rules. I just want to be notified about that. And I understand I RAN this install, but hey..i have to install stuff.
2)Just check what is the latest Microsoft security patches and you will get the idea what i am talking about.
I just tried the again The clean pc mode and i get notifications about changed exe's (in the pending files). Now, can we get these notifications in Safe/Paranoid mode and can we also automaticaly mark the policies of these modified exe as needed for review or something?
Agian, my point is, if an exe i have policy for gets modified i want this policy to require my review. Lets forget for hash checksume etc... just this plain requirement. If there is a feature currently that i can enable to have this i will be so happy.
No. There is no such feature in CFP. And you dont need it. You will have to review those changes before they happen. This means you will have to approve each and every change manually. You can do this easily. Just dont use Installer or Update feature or dont trust the installer. Let CFP ask you the questions and answer them.
If you dont trust the installer you are running, why would you use Installer or Updater policy?
E
Logged
gpnx
Comodo Member
Offline
Posts: 27
Re: Defense+ file integrity detection
«
Reply #41 on:
July 14, 2008, 11:48:23 AM »
Quote from: egemen on July 14, 2008, 11:27:18 AM
No. There is no such feature in CFP. And you dont need it. You will have to review those changes before they happen. This means you will have to approve each and every change manually. You can do this easily. Just dont use Installer or Update feature or dont trust the installer. Let CFP ask you the questions and answer them.
If you dont trust the installer you are running, why would you use Installer or Updater policy?
E
I use the installer mode just because i don't have to click on all the changes popups. I want to aprove only the "important ones" - changes to files for which i have defined policies .
Anyway, i want to close this discussion with the following feature suggestions:
1) Before a policy is applied to executable, make sure thats the original executable (or approved modified one) for which the policy was created or at least notify the user.
2) In install mode, at the end of install (or switching bak from install mode) show some summary what was changed.
3) Make the files for review available in Safe/Paranoid mode, not just clean pc.
thanks
«
Last Edit: July 14, 2008, 11:49:56 AM by gpnx
»
Logged
egemen
Administrator
Comodo's Hero
Offline
Posts: 1734
Re: Defense+ file integrity detection
«
Reply #42 on:
July 14, 2008, 12:07:17 PM »
Quote from: gpnx on July 14, 2008, 11:48:23 AM
I use the installer mode just because i don't have to click on all the changes popups. I want to aprove only the "important ones" - changes to files for which i have defined policies .
An excellent request. To do so, all you need to do is to empty my protected files or remove "executables" from my protected files. In this case, CFP, although my protected files is empty, will ask only for the files for which you defined a policy. You can finetune my protected files for this purpose.
By default, all the applications you defined a policy, are protected. This is valid for the firewall applications too.
Logged
deleiro
Newbie
Offline
Posts: 14
Re: Defense+ file integrity detection
«
Reply #43 on:
July 14, 2008, 12:19:20 PM »
Quote from: egemen on July 14, 2008, 12:07:17 PM
By default, all the applications you defined a policy, are protected. This is valid for the firewall applications too.
Now we found the key to the hidden room
Thanks for that clarification it's key point. That way programs could be installed easily without "install mode" making sure that apps with privileged rules and access will remain intact.
Logged
gpnx
Comodo Member
Offline
Posts: 27
Re: Defense+ file integrity detection
«
Reply #44 on:
July 14, 2008, 12:53:08 PM »
Quote from: egemen on July 14, 2008, 12:07:17 PM
An excellent request. To do so, all you need to do is to empty my protected files or remove "executables" from my protected files. In this case, CFP, although my protected files is empty, will ask only for the files for which you defined a policy. You can finetune my protected files for this purpose.
By default, all the applications you defined a policy, are protected. This is valid for the firewall applications too.
Thanks, good sugestion - i guess this works for the installations case (removing the executables). Do i see the executables for which i defined policys in the protected files area?. I still believe thou, that my sugestion (1) is needed. There will be cases when a malware/virus/worm will break in via some system process buffer overrun or w/e and can modify exe's for which i have defined rules w/o notification.
«
Last Edit: July 14, 2008, 12:55:52 PM by gpnx
»
Logged
Tags:
Pages:
1
2
[
3
]
4
5
« previous
next »
Jump to:
Please select a destination:
-----------------------------
** New to the Comodo Forum? Start Here! **
-----------------------------
=> New Member Information
-----------------------------
Want to help Comodo?
-----------------------------
=> Help Spread the Word - Official Comodo banners and logos
=> How can you help Comodo? (Please we do need you!)
===> Help spread the word! (Please read and help)
===> Comodo website issues for submitting website problems only
=> Please tell us your views and Vote here!
-----------------------------
General Category
-----------------------------
=> Melih's Corner - CEO Talk/Discussions/Blog
=> Which Product do you want Comodo to develop next?
=> General Discussion (off topic) Anything and everything...
===> Member Confessions :-)
===> Funny Photos :-)
===> Cool Stuff
-----------------------------
Desktop Security Products
-----------------------------
=> Comodo Firewall
===> Feedback/Comments/Announcements/News
===> Leak Testing/Attacks/Vulnerability Research
===> Help for v3
===> Help for v2
===> Frequently Asked Questions (FAQ) for Comodo firewall
===> Comodo Firewall Translations
===> Bug Reports
=> Comodo Internet Security - CIS
===> Overview - CIS
===> Help - CIS
=====> Anti Virus Help
=====> Firewall Help
=====> Defense+ Help
=====> Install / Setup / Configuration Help
===> FAQ - CIS
=====> Anti Virus FAQ
=====> Firewall FAQ
=====> Defense+ FAQ
=====> Install / Setup / Configuration FAQ
===> Feedback/Comments/Announcements/News - CIS
===> Guides - CIS
=====> Anti Virus Guides
=====> Firewall Guides
=====> Defense+ Guides
=====> Install / Setup / Configuration Guides
===> Wishlist - CIS
=====> Anti Virus Wishlist
=====> Firewall Wishlist
=====> Defense+ Wishlist
=====> GUI -Graphical User Interface - Wishlist
===> Bug Report - CIS
=====> Anti Virus Bugs
=====> Firewall Bugs
=====> Defense+ Bugs
=====> Other - General - GUI etc Bugs
=====> False Positive/Negative reporting - (Is this a malware that CIS has/not detected?)
=> Comodo Anti-Viruspyware (CAVS)
===> Help for Comodo AntiVirus
===> FAQ for Comodo Anti-ViruSpyware
===> Feedback/Comments/Announcements/News about CAVS
===> Virus/Malware Removal Assistance
=> Comodo BOClean Anti-Malware
===> Announcements
===> Comodo BOClean Anti-Malware FAQ
=> Comodo Instant Malware Analysis - Online (CIMA)
=> Comodo DiskShield
=> Comodo Disk Encryption
=> Comodo Secure Email (CSE) Product
===> Frequently Asked Questions (FAQ)
===> Feedback/Comments/Announcements/News about CSE
===> Bug Reports
===> Help for Comodo SecureEmail
=> Comodo Memory Firewall(Buffer Overflow Protection)
===> Help
===> Frequently Asked Questions (Comodo Memory Firewall)
===> Feedback/Comments/Announcements/News
=> Comodo TrustConnect - Securing the Wireless world!
=> Comodo SafeSurf and (Comodo's own toolbar)
=> Backup
===> FAQ for Comodo Backup
===> Help
=> Verification Engine (allows you to verify what you see on the Internet)
=> Comodo Vulnerability Analyzer
=> AntiSpam
=> i-Vault
=> Launch Pad
=> Trusttoolbar
-----------------------------
Desktop Utilities
-----------------------------
=> Comodo Registry Cleaner
-----------------------------
Enterprise Security
-----------------------------
=> Comodo Endpoint Security Manager
-----------------------------
Compliance
-----------------------------
=> PCI DSS Compliance
-----------------------------
Learn about Computer Security and Interact with Security Experts
-----------------------------
=> Computer Firewalls
=> Anti Virus/Malware Products/Other Security products
=> Free Virus/Spyware/Trojan/Malware Removal by Comodo Experts
=> HIPS (Host Intrusion Prevention Systems)
=> Anti Phishing solutions
=> Digital Certificates, Encryption and Digital Signing
=> General Security Questions and Comments (not product related)
-----------------------------
Free Services for End Users
-----------------------------
=> UserTrust - First Independent Website Rating - Empowering our users!
=> User Anywhere (Remote Access product)
=> Comodo Meet (Web Conferencing Product)
=> Hacker Guardian
=> Trustfax (free Trial) (online faxing)
-----------------------------
Free Products
-----------------------------
=> Link to Free Comodo Products
-----------------------------
International Comodo Forums
-----------------------------
=> International Comodo Forums
===> 汉语语言, 漢語語言 / Chinese Simplified, Traditional
===> Nederlands / Dutch
===> Francais / French
===> Deutsch / German
===> ελληνικά / Greek
===> Magyar / Hungarian
===> Italiano / Italian
===> Nihongo / Japanese
===> Norsk / Norwegian
===> Polski / Polish
===> Português/Portuguese
===> По-русски / Russian
===> Espanol / Spanish
===> Svenska / Swedish
===> Turkce / Turkish
===> Українська / Ukrainian
===> tiếng Việt / Vietnamese
-----------------------------
Digital Certificates
-----------------------------
=> Code Signing Certificate
=> Content Verification Certificate
=> Email Certificate
=> SSL Certificate
-----------------------------
Web Server Products
-----------------------------
=> Two Factor Authentication for Web Applications
=> Trustlogo
-----------------------------
Infrastructure Products
-----------------------------
=> ZTL
=> Trustix Enterprise Firewall
-----------------------------
Other
-----------------------------
=> Forum Policy Violation Board
Page created in 0.27 seconds with 21 queries.
Powered by SMF 1.1.5
|
SMF © 2006, Simple Machines LLC
Seo4Smf v0.2 © Webmaster's Talks
Design by
7dana.com