CFP will need new self defense protection modules

[Guest]

[samtsam]

Matousec has released new tests for proactive security challenge including autorun, file and registry tests. At this moment, CFP's D+ system will need introducing new features for protect its functionality.
 

[EricJH]

You already know what is going to be tested? You know anything we don't know? I am listening......

[soyabeaner]

He means this: http://www.matousec.com/info/?news=134-Another_Proactive_Security_Challenge_milestone__ndash__it_now_contains_148_tests

I don't think there's a need to mention this, as I'm sure Comodo and other vendors (like in the past) are periodically contacted by Matousec about his updates well before he publishes his articles.  

Although this does paint a clearer picture of his true intentions.

The main goal of matousec.com is to improve security of end-users with its own security related projects and research.

I think it's obvious that if that was the main goal, he wouldn't have waited until a few vendors have achieved a 100% perfect score on those leak-tests.  If it really was about end-users, he should have continually researched and release new attack POC's.  It's always business before justice

[ailef]

the good new is the OS tested now : they'll use windows 7 64bit.
i looked at the comodo version tested, it was the 3.12 build 560.
i hope they're ready for some tests so we will see if the last comodo build fixed many problems or if the new tests will hurt our favorite FW. and what is cool is the use of win7 64bit, we will see how comodo works under 64bit system. is it able to run as fine as the 32bit version as it has to deal with the guardian kernel...

[SiberLynx]

Hi Guys,

All those tests regarding the Firewall whether it's 32bit or X64 with the Patch Guard present should be carried out without any presence of the Defense+
If you can show whether that specific point is a part of methodology  - that would be helpful.

Sure, we are interested  in "the last comodo" version being tested, but that has to be Firewall only  . The same applies to any other Firewalls participating in any test

Testing any Firewall should not contain additional layer(s) of protection
The Defense+ conceptually does not belong to the Firewall

The Firewall  has to be strong and not leaking irrespectively - no HIPS (and users' decisions)  - that would be a subjective and correct testing

What do you think?

Cheers!

[ailef]

Defense+ is useless on win 64 ?
the guardian kernel is able to give the same level of protection as Defense+ can ?
the guardian kernel never informs me about what's happening on my win7 64, i cant create my own rules, it's like running totally blind in the street, i have no infos, it doesnt help to understand how the system works.
so finally, is Defense+ useless on win7 64 or not ?

[SiberLynx]

Defense+ is useless on win 64 ?
the guardian kernel is able to give the same level of protection as Defense+ can ?
the guardian kernel never informs me about what's happening on my win7 64, i cant create my own rules, it's like running totally blind in the street, i have no infos, it doesnt help to understand how the system works.
so finally, is Defense+ useless on win7 64 or not ?

Hi ailef ,

I didn't get your message clear.

The Defense+ seems to be working the same way currently on win7 x64 as it is working on XP 3bit.
It is just more talkative regarding the service.exe and I encountered the loss of previously set policy for just a few Applications (say 7z) after few days of work but not much more.

I have to admit that I am not using win7 x64 constantly though, but when I was setting up stuff after installing Comodo Firewal & the Defense+ there - all necessary alerts were fired up for all Applications  (sure there were pure Firewall Aalerts too)

So what do you mean by "the guardian kernel never informs me about what's happening"? and what is the connection with Defense+?

Cheers!

[ailef]

probably i understood bad your message, i'm not native english.
about the guardian kernel and Defense+ on 64bit system, can the guardian kernel completely replace Defense+ and give the same level of protection ?
i mean that guardian kernel works the same as defense+ or not on 64bit ?
that's why i would like to know if Defense+ is usefull on 64bit or it's not necessary as the guardian kernel is able to protect the 64bit system like Defense+ does ?
what's your opinion about 64 bit systems, the guardian kernel can do the job of Defense+ ?
i maybe understood bad as i thought u were telling that there's no need for Defense+ in 64bit cause of the guardian kernel able to protect the system the same way as Defense+ ?
so i would like some clarifications on this point for 64bit OS, do we need defense+ or guardian kernel can protect the system without the need to use Defense+ ?

[SiberLynx]

Hi ailef

The language is not a problem. English is not my 1st language too. If people want they can understand each other.

==============

The PatchGuard or Kernel Patch Protection (KPP) has nothing to do with Defense+ or any HIPS / and other ways to monitor & secure the system.

This is the feature of x64 editions of Microsoft Windows that prevents patching the kernel.

Patching the kernel used by many security Software to prevent attacks.

At the same time malicious Software often is using the same method as well.

E.g:  a dynamically generated hidden driver  mchinjDrv.sys - Mad Code Hook Injection Driver  - used by security and used by malware.

Basically in x86 (32bit) both “good & bad guys” were able to  patch openly and easily

Antiviruses; Anti-malware / Behavioral blockers are using kernel patching on 32 bit systems

As an example the SandBoxing in 32 bit is pretty much strong because of that.

On x64 MS is protecting the kernel patching and that technology by their PatchGuard

So neither “good” nor “bad guys” can do that.
  
Therefore creating security for x64 by any 3rd party vendors now is different and basically patching the kernel cannot be used by them

That is why, say the development of SandBoxie  for x64 was initially dropped by the creator, but lately he just made a compromised variant and clearly stating that it is much vulnerable compare to “32bit brother”. By his estimation more than 10% (which is huge number )  of malware  definitely cannot caught and the system cannot be protected by SandBoxing x64. There are other cases when the processed can escape and be invoked outside the sandbox

Interestingly enough when writing the malicious software you still can circumvent that protection by the PatchGuard  but it makes it just much more difficult and the malware creators  have to be quite proficient.

That is mainly about the  PatchGuard in brief, but that has nothing to do with the idea of having security and its own features including Defense+ (HIPS)  or others
Those just has to be implemented differently having in mind all implications, pluses and minuses of such system defense feature (or preventing measure) as MS PatchGuard.

My regards

[ailef]

ok thanks, so the guardian kernel doesnt allow any modification of a microsoft file by any file that is not signed by microsoft too. so it keeps the system files safe.
but defense+ has others features than just only block any access to system files by patching them or add it some unknown dll, etc.
I understood first that guardian kernel would be able to replace Defense+ if it was good.
ok, so there's no prob on 64bit OS and Defense+, the tool is monitoring all we want it to, as guardian kernel is just the guardian of the system and block anything that tries to modify anything that is detected as a potential danger that would break the kernel security.
but Defense+ works as good on 32bit than 64 bit ? or does this guardian kernel have effects so Defense+ is a little less secure on 64bit ?

[Tags:]