COMODO Cleaning Essentials (Wishlist)

I would like to see improved portability. In the current beta CCE saves its settings in the registry while KillSwitch uses the user profile; CCE also leaves some DACS logs in the user profile (tested on XP SP3). The end result is that it’s currently impossible to preconfigure either product in preparation for using it on other systems.

No files, or registry entries, should be removed without user interaction.

As I said in the usability study group, I would like CCE to support multi-core CPUs and to have CPU management where you can select the number of CPU cores and how much of the CPU it should use; you will be able to scan without slowdown. I have seen that it uses 50%, which is okay; cmdagent uses more.

Regards,
Valentin N

Hello Melih,

We are talking about the full scan option in CCE. We want all the unknown files on the hard drive to be checked by DACS, or at least all the suspicious files on the hard drive, not only the active processes.

Have a look here, please …

https://forums.comodo.com/comodo-cleaning-essentials-cce-killswitch/comodo-cleaning-essentials-1117429427-beta-ready-t66867.0.html;msg471149#msg471149

In CCE, if the antivirus portion that downloads the database scanner file is the same engine and database as Comodo Antivirus, then have a function that simply copies/pastes the database file from CAV to CCE if it detects CAV is installed on the user's computer.

I can’t understand why I am downloading the same db twice on my computer if it is the same thing.

How about also offering to scan the files with ThreatExpert and Anubis?

Also, for the behavioral analyzers it would be useful, for advanced users, if you could provide links to the results.

I thought I would share these wishes with all forum members (they were originally posted in the usability forum, which is accessible only to users with special privileges).

Auto suspend
How about an option for Killswitch to automatically suspend any newly launched process that is unknown, suspicious, or malicious? If you have this option, it may be helpful in two scenarios:

  1. Have a small installer that can install a special “lock-up rescue” version of killswitch. This installer would early-load killswitch on start-up (using a random filename), but this version of killswitch will automatically “suspend all unsafe objects” when it starts. When an infected system is too bogged down by malware, trying to run killswitch in its current configuration is often impossible.

  2. Running Killswitch in background. If you have malware that keeps re-launching new processes, Killswitch will automatically suspend the processes and not let them lock up the machine. This would be most useful for zero-day malware for which there is no signature (so verdict from comodo, other AV vendors, and CAMAS may be unknown).

When the Internet Connection is disabled
Provide a method to download the latest AV database and white list for CCE. If malware disables the internet connection, then CCE and killswitch cannot access DACS, CAMAS, the cloud, and updates. In this case, you need to download the most up-to-date information from another computer, and transfer the files to the infected computer.

Eliminate traces
Also, it would be nice if CCE eliminated malware “traces”. I know the most important issue is getting rid of active or potentially active malware (“acid” cleaning), but getting rid of traces is a nice way to add a “polished shine” on what you’ve just cleaned.

Tools That Fix system settings
Add tools to scan for and correct system changes made by malware (e.g. deactivation of task manager, home page hijack, disable control panel, etc.). Maybe you can build these into the standard scan.

+1000

+1

Yes, especially the CIMA results.

Color Coding in Killswitch
The colors currently do not reflect the verdict (which is the most important piece of information). The color should be based primarily on verdict (i.e. this characteristic takes priority when color coding is displayed). - See attached pic.
Safe = white (or perhaps green instead)
Unknown = yellow
Suspicious = light red
Malicious = red

Other criteria (such as CPU usage) should use other colors (such as orange, navy blue, light blue, brown, purple, light purple).
Grey would still show which object is selected.

This would draw attention directly to the worrisome objects.

[attachment deleted by admin]

This concept by elliotcroft may be an interesting addition to Killswitch.

Elliotcroft suggests a “process tracking” feature that logs the activities of a process. The user would designate which process he wishes to track, and then Killswitch will create a log for that process. The tracker may help with debugging and with malware research.

Elliotcroft also proposes a rollback (or “undo”) feature. If a process is malicious or causing crashes/freezes, the user can undo all the activities created by the process (it should probably also terminate the main process and all the processes it spawned). Kind of like Time Machine for processes.

I think that’s far beyond the scope of the program. You’ll also have to clarify what operations you intend to track, because many (e.g. terminating a process, sending network data) are not reversible. Why not just use a sandbox program?

In my opinion this option could only belong in a program that is meant to keep a computer clean. From my understanding CCE is meant to clean a computer that is already infected or ensure that it is not infected. Thus I don’t see the purpose of tracking processes as killswitch already can tell you which are dangerous and which are safe.

Maybe I’m missing something. Please enlighten me if I am.

Thanks.

I am no expert, but it seems to me that Killswitch cannot identify 100% of malicious processes, and it sure cannot predict which non-malicious processes are causing conflicts/freezes. I thought process tracking may be helpful in identifying the activity of zero-day malware (no detections yet) and for monitoring processes that you suspect may be causing a conflict or crash. I do not fiddle much with process snooping, so those who have more experience with these issues can determine the utility of the suggestion. I merely bring it to your attention.

+1000

It’s so annoying right now.

KillSwitch:

Add Comodo File Intelligence as search engine in right-click menu.

Add Verified Signer in Modules tab in Properties.

Thanks. :)

I’ve already implemented this in Process Hacker 2.9. Seems like they were using an old version for KillSwitch.

Do you already have any idea how to improve the whitelist using DACS?
What about something like this:
If a file remains undetected by DACS after 2 weeks, the file goes to the whitelist. The file also needs to be seen several times, so you can be sure that the file is quite extended and so has more chances of being a popular safe file.

It is not 100% perfect; anyway, you are having problems with some trusted certificates in malware, so I guess that this process is not completely manual either.

We cannot assume a file is safe only because of the number of users uploading it or the time it has been undetected,
but if no antivirus detects it in one week… I think it's another case. But I'm not sure how to implement it.
It would be like in the future CIS version with DACS, to stop auto-sandboxing old files.

I just recently tested CCE to clean a friend's computer and love it. One thing that I would like to see added is a new tab in KillSwitch that has the startup programs. This would be good to stop any malware from starting, especially because a lot of malware disables the Run feature used to run msconfig.

I liked the restart feature because there was a rogue, and after it restarted CCE blocked the rogue from starting up so it could scan with no problems.
Keep up the great work.

A way to report false positives in KillSwitch
And what is the FLS scanner?