Topic: Application Behavior Analysis alerts
ptfreed
« on: September 24, 2007, 06:37:45 AM »

I've been using Comodo on several systems for about 6 months, and even though I like it I am considering a change to another firewall - probably Sunbelt (nee Kerio).  But it's certainly worth waiting for CPF 3 before I take such a drastic action.

It's obviously too late to get involved in feature selection for this release, but these are the reasons that CPF hasn't been working for me.  (FYI:  I'm on CPF 2.4.18.184)

  • I have the security level set fairly high; I want to know if one program is launching or using another, and I want to be able to set the list of IPs that a system might access.  I particularly use this latter facility for mail -- I want my mail program to talk to my mail servers, but not to any web or other servers.

    The problem is that as I switch between tasks, Comodo believes that the old task is somehow controlling the new one.  As a result I get a message that Eudora is trying to do something with Firefox, when what really happened is that I alt-tabbed from Eudora to Firefox and clicked on a link.  By now, I almost reflexively click OK on those messages, which makes them next to useless.

  • There are problems with application rule order:
    • Rule order often changes when a rule is edited.  This is a big problem if you want the last rule to be "deny everything else."

    • Rules sometimes change order even when you're not editing rules.  This has caused some grief when an email app suddenly stops working, and it turns out that the "deny everything else" rule has drifted up.  I'm not sure what precipitates this, but it is probably caused by creating or denying an ad-hoc (i.e. "don't remember me") rule in a pop-up.

    • I cannot easily change the order of rules.  In order to get the "deny everything else" rule back to the bottom, I repeatedly edit it and save it.  This brings the rule up to the top of the list (for that application) and then drops it back to the bottom.

Those are the problems.  As for my wish list:

  • I would love an "allow for X minutes" option, with a pop-up telling me that the rule has expired.  Or even better, an option to renew for another Y minutes.  This would be a great assist during installs or patch loading.

  • I would like a way to review, change, and optionally save the ad-hoc rules that have been established without the "Remember this answer" box clicked.  Occasionally someone clicks a rule forbidding Firefox from doing something -- typically because of a "parent application" error, as mentioned above.

    Even shutting down Comodo doesn't seem to clear these rules; rebooting is the only solution I have found.

  • It would be useful to be able to double-click on the "details" box in the activity log and have it bring me to the rule responsible, regardless of what area the rule is in.  (e.g. Application Monitor, Component Monitor, ad-hoc temporary rule, etc.)

All that being said, it's clear that Comodo is a great product, and kudos to the developers.  I have often found that I use applications in a way that differs from the norm, and as a result I have unusual requirements.  I'll wander around the forums; it's likely that some of these issues have been addressed elsewhere.  But I thought I'd throw my 2 cents in anyway.  Thanks for listening.
« Last Edit: September 24, 2007, 07:45:20 AM by ptfreed »
Little Mac
« Reply #1 on: September 24, 2007, 10:15:47 AM »

Welcome to the forums, ptfreed ~

I'll attempt to address the points you raised.

Issues:
1.  This has no real bearing on Alert Frequency (that just adds more detail...); it's all about Application Behavior Analysis (ABA).  There are numerous posts about ABA issues/confusions; I won't recap all those here.  These alerts about behind-the-scenes communication are problematic for many users, and I agree they tend to train users to click "OK" without considering the consequences.

This will change with v3 of the FW, as it all relates to the encrypted safelist of applications.  In v2 this list is rather small; in v3 it will be quite large.  As long as both applications are on the safelist, you won't see these alerts.

2.  This also does not happen with v3, as each application has sub-rules.  So it's a different structure, and those do not seem to change in order.  You can also position those with "Move" buttons.

Wishlist:
1.  At present, all "ad hoc" rules (no "Remember") are for session only; being only temporary, there are methods in place to monitor them.  An "Install Mode" has been requested for v3.  I like the idea of some way of setting the time limit, and having a visual reminder of that.

2.  Again, since these rules are temporary, there is no methodology in place to edit them.  Typically, closing the application in question (rather than CFP) should clear the rule, since it's for that application's session.  The only caveat to that (in my experience) is for COM/OLE alerts; these seem to require a reboot (on my system).  Perhaps a button to "Clear temporary rules"...

3.  I agree.  Very helpful for on-the-fly rules editing/tweaking.

LM
ptfreed
« Reply #2 on: September 24, 2007, 10:45:58 AM »

Thanks for the quick response.  Item (1) on this list -- the errant reports about the parent procedure -- is really the most troubling to me.  Is V3 better in this regard?

As for the other items -- all I can say is keep up the great work!

AnotherOne
« Reply #3 on: September 24, 2007, 11:45:53 AM »

I too had the experience of having a program appear as the parent of my email software, but in my case, I had just finished uninstalling the program.  Naturally, I disallowed the connection, thinking the worst, and was unable to use my email for my mistake.  Closing it and re-opening fixed the problem, but it is annoying and misleading to have such alerts.  I had noticed some peculiar "parents" in the past, but I liked the idea that the originating application is knowable.  When there are such erroneous parent identifications, the value of the "parent application" designation is close to worthless.  Since I frequently install and uninstall software, a "safe list" would not make the problem vanish.  It only makes new software more suspect - even though there is (possibly) no reason for it.  It becomes hard to know whether the new software is really a threat, and that is something that I need to be able to depend on the firewall to properly handle. 
Soyabeaner
« Reply #4 on: September 24, 2007, 04:17:24 PM »

If v3 still requires a restart of the applications, I think it might be helpful/wise to include in the alert a link to more info on this requirement or step so that the user can at least understand why their internet is "cut off".
Little Mac
« Reply #5 on: September 24, 2007, 04:21:08 PM »

Quote from: ptfreed
Item (1) on this list -- the errant reports about the parent procedure
It's not reporting erroneously.  The communications occur on a level unseen by users.  It's a valid interapplication/interprocess communication technique, and not a cause for concern as long as you know both applications involved.  The time to be concerned is if you do not know both applications (for example, all of a sudden f129834fasdjfh.exe is using your browser...).  Naturally, malware attempts to utilize the same "behind-the-scenes" com techniques to get back out of your machine; a call placed in this manner can be executed at a future time, even after an application is closed.

Safelisting is the answer to the issue.  Otherwise you would have to answer popups for every derivation of every application and every combination of communications; this could be thousands of popups every day.  The encrypted safelist approach will whitelist those known applications (a database of a few tens of thousands in v2.4, but close to half a million in v3) as well as user-initiated profiling to monitor.

There are multiple threads on the safelist approach in the HIPS section of the forums, and multiple threads on users' ABA concerns in both FAQ and Help section of the FW forums.  You will probably find it very helpful to review these for more information.

LM
ptfreed
« Reply #6 on: September 24, 2007, 05:11:25 PM »

Quote from: Little Mac
It's not reporting erroneously.  The communications occur on level unseen by users.  It's a valid interapplication/interprocess communication technique, and not a cause for concern as long as you know both applications involved.

Not to be difficult, but Comodo really is reporting erroneously.  As I mentioned in my email, I can switch from Eudora (or any other app, apparently) to Firefox using alt-tab, click on a link in Firefox, and as a result have Comodo report that Eudora is trying to control Firefox.  Since I know both applications involved, I know that's not what's happening.

A safe list is a frequently mentioned "solution" to this problem, but it really isn't an answer at all.  Eudora is not "safe" in my estimation -- and neither is any other email client.  In exchange for the safety of knowing when Eudora is trying to open a web page, I don't mind having to click OK when it's something I initiated.  I just hate not being sure if it really was Eudora (or Excel, or Irfanview, or Notepad), or if it's just Comodo having its fun with me.
Melih
« Reply #7 on: September 25, 2007, 07:30:23 AM »

I think this question should be split and moved to a relevant area so that it can benefit from others seeing this question and come up with a potential answer. I think it is being lost in this thread.
melih

AnotherOne
« Reply #8 on: September 27, 2007, 03:40:47 PM »

I really don't think that a safe list would work for software (shareware and freeware) that is being frequently changed, updated, rewritten from scratch etc.  How would you identify such "safe" software - a signature file?  Who would keep that up-to-date?  Especially for the vast number of small programs out there?  On your other point about erroneous reporting...  How is it not wrong for the firewall to report that a program that has just been uninstalled is the parent of an internet connection??  That is exactly the kind of report that I need to be able to rely on to be accurate.  If the program is trying to connect after it has been uninstalled, does that not describe a Trojan?
Little Mac
« Reply #9 on: September 27, 2007, 04:19:19 PM »

Quote from: AnotherOne
How is it not wrong for the firewall to report that a program that has just been uninstalled is the parent of an internet connection??
These types of calls to other applications can be placed to activate at a future time.  This is also normal, and again is a technique that can be utilized by malware.  If you don't recognize the applications in question, be concerned; if you do, and have just uninstalled one, then allow or deny to your heart's content.

Quote from: AnotherOne
I really don't think that a safe list would work for software (shareware and freeware) that is being frequently changed, updated, rewritten from scratch etc.
Melih is better equipped to answer that question, as he's the one with the vision on this.  To me it sounds like a large undertaking involving the cooperation/compliance of developers, users, and Comodo.  I know that the encrypted list would be updated by Comodo based on submissions to them from users; how that would work as far as from a developer's standpoint, I don't know.

LM
Zito
« Reply #10 on: October 02, 2007, 10:05:33 AM »

Quote from: AnotherOne
I really don't think that a safe list would work for software (shareware and freeware) that is being frequently changed, updated, rewritten from scratch etc.
I think what you need here to resolve this particular issue is a wizard which works along similar lines as "Scan for known applications" one. Generally speaking when an executable has been patched, the version number changes, so what you would need to do is to register the application's version number when the rule is first created and then have the wizard scan for changes to that version.

On the subject of email which ptfreed spoke about, there's an application called Mailwasher Pro which resolves that one. This program allows the user to read mail right off the ISP's mail server before deciding whether to download it or not. It's not free, but it's definitely worth buying the lifetime licence. I've been using it for five years now and I think it's worth every penny of the licence fee.

There's also a security application called Threatfire which repeatedly scans the system for activity which might indicate that a program has been compromised. It's mentioned in an article concerning Trojan activity on this site and would seem like a worthwhile addition to the many security applications which are around. There's a freebie as well as paid for licence.
Little Mac
« Reply #11 on: October 02, 2007, 11:33:41 AM »

Quote from: Zito
There's also a security application called Threatfire which repeatedly scans the system for activity which might indicate that a program has been compromised. It's mentioned in an article concerning Trojan activity on this site
Wow!  That Threatfire screenshot looks like an identical twin (or clone) to the alerts from CyberHawk when it first came out.  Oh, I see... it is Cyberhawk; PCTools purchased it from Novatix.  Never mind...

LM
ptfreed
« Reply #12 on: October 23, 2007, 11:07:57 PM »

I'd like to revisit one of my key questions for v3.  I'll be brief in hopes of keeping things clear and simple.  Besides, this post is largely a rehash -- I just haven't seen the answer yet.

1)  Currently, Comodo falsely reports that application A is trying to control application B, and prompts for approval before permitting the network connection.  For instance, you might get a message asking if it's OK for Notepad to send data through Firefox.  If you answer no, you completely disable Firefox's ability to talk to the 'Net; you have to restart Firefox to fix this.

2)  When I ask about this, the response seems to be that V3 will fix it with safe lists.  But I'm not sure how safe lists will work....  In the example above, would I need to put Firefox or Notepad on the safe list?

If it's Firefox, that's a problem.  It means that Comodo will no longer warn me when some program is trying to send messages through Firefox.

If it's Notepad, that's a problem.  It means that I won't get warned about Notepad any more, but these false messages can come from _any_ application:  Eudora, Excel, Keynote, IrfanView, etc.  I certainly don't want to make every application safe.

If it's the combination of Firefox and Notepad, that's the same problem as in the paragraph above.  Besides, this is what we have now, and it's not working.

....  It seems to me that the problem is not in marking applications as safe, but in properly analyzing and reporting on parent-child relationships.  So that's where the solution should be sought.
===

My questions:
(A)  Am I not understanding how safe lists will work?
(b)  Has other work been done in V3 to prevent these erroneous messages that doesn't involve making applications safe?
(c)  Are there other discussions on the forum that answer my questions?  If so, I would welcome links to them.

Thanks, as always.  I eagerly await v3, in hopes that I will not have to switch away from Comodo.
AnotherOne
« Reply #13 on: October 24, 2007, 12:52:21 AM »

Hi ptfreed - have a look at:
http://forums.comodo.com/hips_host_intrusion_prevention_systems/hips_in_the_upcoming_cpf-t5025.0.html
There is a discussion on the method that is being planned for the upcoming v.3 of CPF.  I had some reservations about the list of safe software being a bit restrictive, but they assure me that users will have the option to add their own "safe" programs to the list.  It looks pretty good to me.  It means that unknown programs will be prevented from executing, never mind parenting an internet connection.
ptfreed
« Reply #14 on: November 04, 2007, 01:28:02 PM »

I feel extremely dense right now, or perhaps I'm just not expressing myself well.  But I read that thread:

http://forums.comodo.com/hips_host_intrusion_prevention_systems/hips_in_the_upcoming_cpf-t5025.0.html

and I still don't see how safe lists will resolve my problem.  As nearly as I can tell, a safe list is a way of checking an application to make sure it hasn't been modified, and then telling Comodo that I can trust it.  This is a great idea, and a useful one.

But I'm a paranoid fellow, and I don't trust my software.  There are plenty of clever folks out there just looking for a bug in Eudora that they can take advantage of.  If they find it, my "safe" mail program suddenly becomes problematic, even though the application itself hasn't changed.  So if Eudora is talking to Firefox, I want to know it.  Every time.  I like the little pop-up box that says "Eudora has modified the User Interface of Firefox by sending special Windows messages."  If it is something that I want to occur, I say yes.  If not, I can say no.  (OK -- Eudora is a bad example, since it's no longer being maintained.  But you get the idea.)

Right now, Comodo is badgering me with false positives.   It might tell me that Notepad is trying to do something to Firefox, when all that happened is that I alt-tabbed from one application to the other.  I have to click yes -- because if I click no I often wind up having to restart a program or even Windows itself.  Unfortunately, this means that if a malware warning comes up, I'm likely to ignore it as yet another false positive.  This is completely unacceptable.

So what I really want is for Comodo to eliminate these false positives, but to keep the real ones.  I don't see how safe lists will help with this.  But as I said at the outset, I'm feeling pretty dense right now.  What am I missing?

I don't want to sound like I'm complaining.  I like Comodo, and I think it has tremendous potential.  I really want to continue to use it, and to recommend it to others.  I hope that V3 will let me do that.
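The thread keeps circling back to what a safe list actually checks: Zito's suggestion of recording an application's version when a rule is created and re-scanning for changes, and ptfreed's reading of a safe list as "checking an application to make sure it hasn't been modified". The script below is an added example of that idea, not Comodo's code and not code from any poster: it fingerprints an executable (SHA-256 plus size) when the user approves its rule, and a later check reports whether the file is unchanged, modified (re-approval needed), unknown (never registered) or missing. The file names, the `safelist.json` store and the `run_demo` scenario are constructed for illustration.

```python
"""Hash-based safelist check (assumed design, not Comodo's own).

Record a fingerprint of an executable when its rule is approved; later,
decide whether the binary on disk is still the one the user trusted."""
import hashlib
import json
import tempfile
from pathlib import Path

SAFELIST_FILE = "safelist.json"  # hypothetical on-disk store name


def fingerprint(path: Path) -> dict:
    """SHA-256 plus size: a patched or replaced binary changes at least one."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": path.stat().st_size}


def register(safelist: dict, path: Path) -> None:
    """Called once, when the user first approves the application's rule."""
    safelist[str(path.resolve())] = fingerprint(path)


def verify(safelist: dict, path: Path) -> str:
    """unknown: no rule recorded; unchanged: matches; modified: differs."""
    entry = safelist.get(str(path.resolve()))
    if entry is None:
        return "unknown"
    return "unchanged" if fingerprint(path) == entry else "modified"


def scan(safelist: dict) -> dict:
    """Wizard-style pass over every registered path, flagging missing files."""
    result = {}
    for p in safelist:
        path = Path(p)
        result[p] = verify(safelist, path) if path.exists() else "missing"
    return result


def run_demo() -> tuple:
    """Constructed scenario in a temp dir: approve, patch the binary, re-check."""
    with tempfile.TemporaryDirectory() as d:
        exe = Path(d) / "mailer.exe"            # constructed stand-in binary
        exe.write_bytes(b"MZ original build")
        safelist = {}
        register(safelist, exe)
        before = verify(safelist, exe)           # "unchanged"
        exe.write_bytes(b"MZ patched build 2")   # simulate an update in place
        after = verify(safelist, exe)            # "modified": ask the user again
        other = verify(safelist, Path(d) / "unknown.exe")  # "unknown"
        store = Path(d) / SAFELIST_FILE          # round-trip through the store
        store.write_text(json.dumps(safelist))
        reloaded = json.loads(store.read_text())
        return before, after, other, scan(reloaded)[str(exe.resolve())]
```

Note that this answers "is this the binary I approved?" only; as ptfreed points out, an unmodified application can still be driven by a vulnerability in it, which a hash check cannot see.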