Author Topic: CFP versus malware- interesting lacking features in Defence Plus?  (Read 14273 times)

Offline aigle

  • Comodo's Hero
  • *****
  • Posts: 722
I tried three malware samples.

1- Aliz worm
2- Sober worm

Both these worms spread themselves by sending copies of themselves by e-mail. They get the e-mail addresses from the Windows address book, and the Sober worm also scans many files (like text files) on the PC to find e-mail addresses.

3- GPcode trojan - a malware that encrypts many files on the infected PC (text files, for example), causing data loss.

NG gave pop-ups for all these actions, though it was not fully successful in stopping the damage (e.g. it did not stop the encryption of text files by the malware), but it's interesting to see such functionality.

I did not get any such pop-ups from CFP Defence Plus (let me admit that I have not yet fully tested Defence Plus against these malware samples). I wish the developers could add such functionality to mitigate the damage caused by such malware if their execution is allowed. See such features of Neoava Guard in the screenshots.

What are your thoughts? Thanks


[attachment deleted by admin]
« Last Edit: July 05, 2008, 05:01:19 PM by aigle »

Offline gibran

  • Average User
  • Comodo's Hero
  • *****
  • Posts: 5056
  • A bad workman always blames his tools
Re: CFP versus malware- interesting lacking features in Defence Plus?
« Reply #1 on: July 05, 2008, 05:54:02 PM »
I guess that adding some control and differentiation over file delete, create and move could be useful.

As for Windows address book protection there is an easy way to get that: adding *.wab to My Protected Files.

Maybe some programmer could suggest some specific approach using registry keys and COM interfaces too...
"In the beginning the Universe was created. This has made a lot of people very angry and has been widely regarded as a bad move."- Douglas Adams

Offline Ehgreg

  • Computer Security Testing Group
  • Comodo Loves me
  • *****
  • Posts: 116
Re: CFP versus malware- interesting lacking features in Defence Plus?
« Reply #2 on: July 06, 2008, 11:58:51 AM »
You can set Comodo not to just let cmd.exe run automatically.
Scowlcroft is a Rising Fanboy.(:LGH)

Offline Ehgreg

  • Computer Security Testing Group
  • Comodo Loves me
  • *****
  • Posts: 116
Re: CFP versus malware- interesting lacking features in Defence Plus?
« Reply #3 on: July 06, 2008, 12:16:52 PM »
Really though, Neova looks good here for specific actions right down to the last fatal. I'd think you would get some prompt from Comodo after running for windows messages or something.

Offline bellgamin

  • Newbie
  • *
  • Posts: 12
    • BibleBell Chronicles
Re: CFP versus malware- interesting lacking features in Defence Plus?
« Reply #4 on: July 07, 2008, 12:14:28 AM »
> I did not get any such pop-ups from CFP Defence Plus (let me admit that I have not yet fully tested Defence Plus against these malware samples). I wish the developers could add such functionality to mitigate the damage caused by such malware if their execution is allowed.
I strongly endorse aigle's suggestion to increase CFP's functionality so as to protect against the threats illustrated by his tests.

Offline Ehgreg

  • Computer Security Testing Group
  • Comodo Loves me
  • *****
  • Posts: 116
Re: CFP versus malware- interesting lacking features in Defence Plus?
« Reply #5 on: July 07, 2008, 02:04:11 AM »
I don't think default settings would protect (or those who install things with too loose rules), but you can add things to be protected against in the blocked files setting under D+ adv. cp policy for cmd.exe. I have cmd.exe set to a custom policy.

3xist

  • Guest
Re: CFP versus malware- interesting lacking features in Defence Plus?
« Reply #6 on: July 07, 2008, 07:49:33 AM »
> I wish the developers could add such functionality to mitigate the damage caused by such malware if their execution is allowed.

Yep. I agree on this...  :-TU

Josh

Offline pastport

  • Comodo Member
  • **
  • Posts: 37
Re: CFP versus malware- interesting lacking features in Defence Plus?
« Reply #7 on: July 07, 2008, 08:03:52 AM »
V3's FD isn't global.
If you don't add files to my protected files, they won't get protection.

I wish new features would be added to improve the situation.

Offline salmonela

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 637
  • COMODO Volunteer DEModerator
Re: CFP versus malware- interesting lacking features in Defence Plus?
« Reply #8 on: July 07, 2008, 09:16:32 AM »
Hmm... I think CFP3 doesn't have reading protection capability, please correct me if I'm wrong.
So there is nothing for the above recognition; there will only be a warning for modification and write for default configuration file types or for extensions manually added, unless of course somebody finds the way "around" it which gibran suggested...
Bad English, I know...
Thanks
PLEASE DO NOT REPLY DUMB QUESTIONS/ANSWERS

Offline gibran

  • Average User
  • Comodo's Hero
  • *****
  • Posts: 5056
  • A bad workman always blames his tools
Re: CFP versus malware- interesting lacking features in Defence Plus?
« Reply #9 on: July 07, 2008, 10:03:08 AM »
> Hmm... I think CFP3 doesn't have reading protection capability, please correct me if I'm wrong.
> So there is nothing for the above recognition; there will only be a warning for modification and write for default configuration file types or for extensions manually added, unless of course somebody finds the way "around" it which gibran suggested...

IIRC CFP traps file accesses but it will not make any distinction between reading/writing/moving/deleting.

At the same time CFP doesn't account for file access frequency.
Monitoring frequency behaviour could prove useful, but those alerts will only be displayed after a number of such activities have already occurred.

In theory it would still be possible to use CFP to tailor a tight ruleset to limit such scenarios, but the effort required will not make it feasible for most users, and I guess it requires the use of D+ Safe mode.

I mean each end-user app has a specific behaviour. It is associated with specific file types, needs to access specific folders, needs specific DLLs to work and so on.
Especially on an XP admin account each app has the right to do pretty much everything, anyway most apps don't require that many rights.

IMHO enforcing a strict behaviour on existing apps is awkward for two reasons:

There is no easy way to guess an application's behaviour before it runs other than applying a strict policy and looking at D+ logs, or guessing at the program's purpose to apply some additional restriction (eg: limiting access only to specific file types), or relying on alerts (which protect the system according to CFP "my protected something" settings).

The current status of the CFP GUI ruleset editing features and ruleset language will not make this an easy task (eg single application policies cannot be exported, wildcard chars are limited to ? or *, there are only a few special paths like %windir%).

I guess that the CFP engine's true potential cannot be fully exploited as of now, but I'm confident that future versions will overcome current limitations.
Even so CFP is still a powerful product. (R)
« Last Edit: July 07, 2008, 10:24:48 AM by gibran »
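The file-access frequency heuristic gibran describes above, as an added illustration that is not CFP/D+ code nor anything posted in the thread: a sliding-window detector that flags a process touching many distinct document files in a few seconds (the GPcode-style mass write or the Sober-style mass read from the first post). The log format, process names, extensions and thresholds are all assumptions, and the constructed events are not real CFP output; the alert records how many files were already touched before it fired, which is exactly the caveat gibran raises.

```python
from collections import defaultdict, deque
from datetime import datetime

WATCHED_EXT = (".txt", ".doc", ".wab")  # file types the thread worries about (assumed list)

# Constructed sample events, NOT real CFP/D+ log output. Format: time|pid|image|op|path
SAMPLE_LOG = """\
2008-07-07T10:00:00|1400|notepad.exe|WRITE|C:\\Docs\\notes.txt
2008-07-07T10:00:01|2200|suspect.exe|WRITE|C:\\Docs\\a.txt
2008-07-07T10:00:01|2200|suspect.exe|WRITE|C:\\Docs\\b.txt
2008-07-07T10:00:02|2200|suspect.exe|WRITE|C:\\Docs\\c.txt
2008-07-07T10:00:02|2200|suspect.exe|WRITE|C:\\Docs\\d.txt
2008-07-07T10:00:03|2200|suspect.exe|WRITE|C:\\Docs\\e.txt
2008-07-07T10:00:40|1400|notepad.exe|WRITE|C:\\Docs\\notes.txt
2008-07-07T10:05:00|3100|mailer.exe|READ|C:\\Docs\\contacts.wab
2008-07-07T10:05:01|3100|mailer.exe|READ|C:\\Docs\\m1.txt
2008-07-07T10:05:01|3100|mailer.exe|READ|C:\\Docs\\m2.txt
2008-07-07T10:05:02|3100|mailer.exe|READ|C:\\Docs\\m3.txt
2008-07-07T10:05:30|3100|mailer.exe|READ|C:\\Docs\\m4.txt
"""

def parse(line):
    ts, pid, image, op, path = line.split("|", 4)
    return datetime.fromisoformat(ts), int(pid), image, op, path

class BurstDetector:
    """Alert when one process touches >= threshold distinct watched files within window_s seconds."""
    def __init__(self, window_s=10, threshold=5):
        self.window_s, self.threshold = window_s, threshold
        self.recent = defaultdict(deque)  # pid -> deque of (timestamp, path), oldest first
        self.alerted = set()              # one alert per pid is enough

    def feed(self, ts, pid, image, op, path):
        if not path.lower().endswith(WATCHED_EXT) or pid in self.alerted:
            return None
        q = self.recent[pid]
        q.append((ts, path))
        while (ts - q[0][0]).total_seconds() > self.window_s:  # drop events outside the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= self.threshold:
            self.alerted.add(pid)
            # gibran's caveat: everything counted here was already read/written before we could alert
            return {"pid": pid, "image": image, "op": op, "files_before_alert": len(distinct)}
        return None

def scan(log, **kw):
    det = BurstDetector(**kw)
    return [a for a in (det.feed(*parse(l)) for l in log.splitlines()) if a]
```

scan(SAMPLE_LOG) flags only pid 2200, and only after its fifth file is already written; lowering threshold to 4 also catches the address-book reader (pid 3100), while the editor that rewrites one file never trips it.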

Offline salmonela

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 637
  • COMODO Volunteer DEModerator
Re: CFP versus malware- interesting lacking features in Defence Plus?
« Reply #10 on: July 07, 2008, 11:32:48 AM »
It seems the Comodo crew has added itself a pretty heavy job on other projects...
So I can only guess how much time will pass for the next CFP v. >major build<
Also, it is a shame for applications as sophisticated as NG to be "fading away", abandoned...  (:SAD)
« Last Edit: July 07, 2008, 11:41:27 AM by salmonela »

Offline Melih

  • CEO - Comodo
  • Administrator
  • Comodo's Hero
  • *****
  • Posts: 14691
    • Video Blog
Re: CFP versus malware- interesting lacking features in Defence Plus?
« Reply #11 on: July 07, 2008, 12:35:44 PM »
> It seems the Comodo crew has added itself a pretty heavy job on other projects...
> So I can only guess how much time will pass for the next CFP v. >major build<
> Also, it is a shame for applications as sophisticated as NG to be "fading away", abandoned...  (:SAD)

Actually there are more people working on CFP now than last month, and we will continue pouring resources in to extend it.
We have over 200 developers (yep, just developers) working on our projects and we continually increase this number as we find good devs. All the projects we do have "their own teams" and each team is growing in number each month. I would like to challenge anyone to show me another Research and Development facility that has generated such a breadth of security-related products in such a short time! (Don't confuse marketing companies buying products and bundling them with R&D.) Just stop for a minute and take a look, we mean business!!

As to adding more rules etc. into CFP: well, for us to know what rules to add, we must know what the malware does. If we know what malware does, then we can add
1) malware signature
2) some heuristic
into our AV product to catch it.

So I think it's more sensible to create the sigs and some heuristics for our AV rather than try to put some heuristic rules into CFP.

thanks
Melih

Offline gibran

  • Average User
  • Comodo's Hero
  • *****
  • Posts: 5056
  • A bad workman always blames his tools
Re: CFP versus malware- interesting lacking features in Defence Plus?
« Reply #12 on: July 07, 2008, 02:18:25 PM »
The CFP engine as it is is powerful indeed, but IMHO it has some unexploited potential.
I'll wait whatever time it takes to see that potential fulfilled.

For example the D+ engine can be used not only as a malware shield but also as a system gatekeeper.
Using a custom ruleset it could be possible to enforce specific safe behaviours.
For example, even if the save-as dialog of an application permits rewriting any type of file, it is possible to prevent users from overwriting executable applications.
The same goes for the firewall, as users can choose to limit even legit behaviours (eg call-home connections).

I came to like CFP more as a behavioural enforcer than a malware shield.
Improving the CFP GUI's ability to edit rules and configurations, and improving the ruleset language, will make CFP even more powerful without even adding new features to the CFP core engine.

A strict D+ policy could even defeat a 0-day BO exploit if the malicious code attempts something different from the rules enforced for that app.

Improving CFP rule import/export capabilities and the ruleset language could make it possible to share single application policies and make them cross-compatible with different machines.

Improving digital signature support to warn about invalid digital certificates or to optionally add them to trusted vendors will even reduce the need to scan some files.

The CFP engine can do many things already and most of the things I could say are merely tiny details.

I'm looking forward to CFP sandboxing technology as IMHO it could be a good way to peek into those software black boxes.
It would be great if such sandboxing technology could be used to automatically create an application policy for file/registry accesses that the user can later refine.  (:LOV)


Offline pastport

  • Comodo Member
  • **
  • Posts: 37
Re: CFP versus malware- interesting lacking features in Defence Plus?
« Reply #13 on: July 09, 2008, 11:03:15 PM »
CPF isn't an AV, right?
Please enhance D+ features rather than add malware signatures and some heuristics.

3xist

  • Guest
Re: CFP versus malware- interesting lacking features in Defence Plus?
« Reply #14 on: July 10, 2008, 01:34:12 AM »
> CPF isn't an AV, right?
> Please enhance D+ features rather than add malware signatures and some heuristics.

No, it's not a traditional AV that uses signatures. CFP 3 uses heuristics & HIPS to prevent known and unknown malware.

Of course D+ will continue to improve.

Josh
