HIPS in the upcoming CPF

[Guest]

[gibran]

(R)
Hi, buddy! When I used Prevx and safe'n'sec pro FYI my computer got a mule or a turtoise and I had had with the second one too many splash screens that I almost went bananas! Thus, I woudn't like CFP got that way! I think in my humble opinion it's too much aggressive for a security stuff ! I have the ghost security licenses but I stopped using because a lot of popups. It's annoying.Best Regards.
 

That's a good point, maybe it would be useful a setting to choose the hips depth level.

About HIPS training there is a workaround... Like I suggested elsewhere.

SNIP...

Training a HIPS is way more difficult that configuring CPF.

A solution would be a STANDARDIZED Signed Certificate which carry all the info needed to train a HIPS (Melih?  ).

However this solution will not catch fake legit behaviours for a specific software. But it would really be an Improvement.

If there is a widespread standard, every certificated developer could:

• digitally sign his apps(ok this is possible right away )
• include his app behaviour description in the certificate (called api, needed privileges, hips-behaviours and so on) so any hips can configure itself automatically

A side-effect would be that every user will know more about what's under the hood (if he wants). And potential dangerous behaviours and poor implementations will be know or audited using some automated software solution.
(Notepad app X has the rights to launch a kernel driver... and so on...)

Regarding Opensource developers or developers who cannot afford a certificate bundled with their app, something like PGP signed textual Behaviour Description would be a viable solution. You know this would be needed to avoid trusted-computing like grudges...

Users of such opensource softwares would only need to copy/paste these info in the hips (or use these info to manually configure the hips).

SNIP...

[jst42day]

I look forward to Comodo 3. The current version of the firewall has been great.
But I join the others who are saying, about all security software, that there is a need to keep in mind that most users are not technically inclined.
Does the wife or husband who comes home from work necessarily know about loopbacks or setting permissions for inbound and outbound traffic?
For all the progress you are making, please keep in mind that many companies lose customers/users because the users don't understand what they are supposed to do and don't want to study something just to be able to use their pc.
And I fall into that category too.
Thanks for a good product.
J.

[Damitha]

I look forward to Comodo 3. The current version of the firewall has been great.
But I join the others who are saying, about all security software, that there is a need to keep in mind that most users are not technically inclined.
Does the wife or husband who comes home from work necessarily know about loopbacks or setting permissions for inbound and outbound traffic?
For all the progress you are making, please keep in mind that many companies lose customers/users because the users don't understand what they are supposed to do and don't want to study something just to be able to use their pc.
And I fall into that category too.
Thanks for a good product.
J.

I agree with you to a certain extent! But you gotta remember that you can't write an essay without knowing grammar! The thing with firewalls are they are all about "computer jargon" as a novice would say! It's not like using a multimedia player! You gotta know what you are doing!

But then again as you said most users are not all that familiar with these terms. I think that's why they have given options like Low, Medium etc. etc. security level in configurations. And you can use the FW without any modifications! But if you want to go ahead and test out the "advanced options" then you have a problem! I really don't think such a system (novice friendly) would be easy to implement.

And that's where the Help comes in! Comodo forums are as good as any (if not the best) help you d find today! you just need to post your question and they'll tell you how to solve your problem step by step! And you don't have to wait for days to get the answer!

BDW if you want to learn what all these terms are it's not all that hard! Cuz you dont need to learn every little detail you just have to know "where" to put "what". And just like any other thing you will get familiar and then it's as easy as reading a book! (remember how hard it was to install XP or whatever the first time and now, you can do it with your eyes closed )

reagards,
Dam

[AnotherOne]

I notice a distinct lack of reference to the FAQ "How-to" pages.  Some of the questions can be answered here:
http://forums.comodo.com/new_member_information/links_to_faqs-t2519.0.html
The Firewall Tutorial Compilation has some useful descriptions of methods and background.

[panic]

I look forward to Comodo 3. The current version of the firewall has been great.
But I join the others who are saying, about all security software, that there is a need to keep in mind that most users are not technically inclined.
Does the wife or husband who comes home from work necessarily know about loopbacks or setting permissions for inbound and outbound traffic?
For all the progress you are making, please keep in mind that many companies lose customers/users because the users don't understand what they are supposed to do and don't want to study something just to be able to use their pc.
And I fall into that category too.
Thanks for a good product.
J.

G'day J,

I'm working on somehing like that at the moment, but it's a fair way off. I'll try and get a wriggle on. I did one earlier on explaining internet and technology terminology, using public phone system that everyone is familiar with.

How in depth do you think it needs to go? What topics do you think ne3ed to be covered?

Ewen :-)

[Steinsk]

Melih's explanation of HIPS was very informative

I know all answers are already in the forum, but I hope you will forgive me for trying to explain it loud to myself in my words on the forum. I'm really a layman here, but I'm trying hard to learn, and self-explenation is such a good way Would you please correct me if I'm wrong...

1) (Easy step): A firewall controls connections to (and from) internet. Very well, but once a connection is opened or a program is allowed access, the firewall doesn't really control what the connection is used for - eg. Opera downloading viruses...

2) An anti-virus checks for viruses or traces of such in files and processes, right? The problem with this is:
 - Detection is often based on detection lists and rules, which almost by definition is one step behind creation of viruses
 - In scanning processes, it is already "too late". Although processes can be stopped and terminated, they have already reached a certain point in execution, and might have inflicted damage at the point when they are detected. So, the AV scanning "memory processes" is a bit on its heels...

These points also apply to anti-spyware. (?!) (So far so good??? )

3) A HIPS-system monitors "wannabe-processes."  How to say? The seeds of processes?  As it can prevent them from executing (becoming processes), it also is several steps ahead of any AV / AS.  As I understand it, a good HIPS enginge is also able to check if a prosess is trying to launch "by proxy" - through or by the help of another "accepted" program.

(Does CFW2 in that respect already work as a "mini-HIPS" in the sense that it detects if a program or process tries to access internet through or by another program? )

If (if, if!!) I got it so far, I'm really happy with myself    But if this is correct (or anyway), why CF3 with HIPS? What is the connection between forewall and HIPS? Why not develop a seperate HIPS program?

Thanks for your patience  (L)

[Melih]

Melih's explanation of HIPS was very informative

I know all answers are already in the forum, but I hope you will forgive me for trying to explain it loud to myself in my words on the forum. I'm really a layman here, but I'm trying hard to learn, and self-explenation is such a good way Would you please correct me if I'm wrong...

1) (Easy step): A firewall controls connections to (and from) internet. Very well, but once a connection is opened or a program is allowed access, the firewall doesn't really control what the connection is used for - eg. Opera downloading viruses...

2) An anti-virus checks for viruses or traces of such in files and processes, right? The problem with this is:
 - Detection is often based on detection lists and rules, which almost by definition is one step behind creation of viruses
 - In scanning processes, it is already "too late". Although processes can be stopped and terminated, they have already reached a certain point in execution, and might have inflicted damage at the point when they are detected. So, the AV scanning "memory processes" is a bit on its heels...

These points also apply to anti-spyware. (?!) (So far so good??? )

3) A HIPS-system monitors "wannabe-processes."  How to say? The seeds of processes?  As it can prevent them from executing (becoming processes), it also is several steps ahead of any AV / AS.  As I understand it, a good HIPS enginge is also able to check if a prosess is trying to launch "by proxy" - through or by the help of another "accepted" program.

(Does CFW2 in that respect already work as a "mini-HIPS" in the sense that it detects if a program or process tries to access internet through or by another program? )

If (if, if!!) I got it so far, I'm really happy with myself    But if this is correct (or anyway), why CF3 with HIPS? What is the connection between forewall and HIPS? Why not develop a seperate HIPS program?

Thanks for your patience  (L)

10/10!!!

welldone.. you got it!

Melih

[AnotherOne]

I recently participated in beta-testing for a security program.  In that time there were frequent updates - sometimes every few days.  This safe list approach would make that effort a major pain, since I would have to submit the most recent beta to Comodo for inclusion in the safe list and by the time I got it back, the next beta would be ready to go.  This also would mess up updates of ordinary software.  You would not be able to install the security patch or whatever until a signature is included in the safe list from Comodo.  I know that you guys are fast in getting back to us with responses, but this looks like trouble to me.  Don't you think that it would be a good idea to give us users a way to add the most recent keyboard driver update from my computer manufacturer's Auto-Update service to some kind of ignore/exclude/safe list?  I would be a bit irritated if I could not use my keyboard until you put out the next signature file. (ok, there are ways around it, but you get the idea).

[panic]

In CFP V3Beta, you can already add files that you know to be safe to your own "My Safe Files" list. This safe files list is read in conjunction with the safelist DB.

Cheers,
Ewen :-)

[AnotherOne]

Thanks Ewen...  At one point there was talk of not having such a feature because it would then be possible for a script to alter the "My Safe Files" list to accept a virus.  I assume that they have a password or some other protection for the safe list...

[panic]

Thanks Ewen...  At one point there was talk of not having such a feature because it would then be possible for a script to alter the "My Safe Files" list to accept a virus.  I assume that they have a password or some other protection for the safe list...

  or something ...

[Tags:]