Defense+ doesn't intercept keyloggers?

A simple keylogger or a backdoor server doesn't need to install or to access the net in the case of a local network (one execution alert),
and any newbie can allow it to connect if you change the icon to a commercial icon.
For that reason the behavior can be an important way to keep the user informed about anything on her PC.
For any AV they have a lot of ways to bypass it.

The big picture that I can see is a big mistake! If I want to use a HIPS, it should tell me about anything on my PC! That's the reason for me to use a HIPS. AV intercepts the keylogger, but my girlfriend, my brother or even me, by mistake, can allow it, and when Defense+ doesn't do its job, I'm unsafe. Defense+ doesn't put me in control of my whole PC anymore.

As I already said:

In the end…

I don't feel like arguing about this. 88)
But there is no way you will run a keylogger with only one execution alert... At least not if CIS is set to proactive...

If so please provide a POC, or in the wild keylogger sample. (:KWL)

Of course it would show you an alert when connecting to the network,
and any application can have a different icon... CIS can't control what icons applications use.
Don't forget, when you get a pop-up you can click on the file to get more info about it.

Comodo is spreading the load over all of its components, which makes it more user-friendly. For example, if you install CIS without the AV the settings will be high; with the AV it's slightly reduced. You can still also switch configurations or manually change D+'s options around to get the same level of protection.
https://forums.comodo.com/empty-t30473.0.html

Hope this helps.

With the AV installed and enabled, with Defense+ set to safe mode and with CIS set to proactive defense, I cannot get the same level of protection.

Let's put a solution to this problem? Give us the following options:

  1. If CAV says that X or Y is malware, then independently of the user's choice (quarantine, remove or allow the malware), Defense+ doesn't ask! (a user-friendly default action)

  2. If CAV says that X or Y is malware, then independently of the user's choice (quarantine, remove or allow the malware), Defense+ asks! (a hard-user optional action).

And now, can COMODO do this? If yes, please, go on... If no...

Of course CIS offers the same level of protection. The options are there to select whether to monitor keyboard access or not.

If X is malware CIS will quarantine the threat; you therefore don't need D+ to do anything.

If for some reason you want to allow this malicious file to run, just click Ignore\add to exclusions and then D+ will alert you as need be.

Anyway, the options for whatever level of security you want are there. However, the defaults are like this because Comodo believes that this option is user-friendly and effective. (It spreads the load onto multiple components, requiring less user input.)
I spoke to Melih about this late last year... and this is what I interpreted.

As I already said, my CIS is set to proactive defense, so my keyboard access is monitored.

As I already said, I installed SC-KeyLog 2.25 for test purposes on my PC, CAV alerted me about malware, I added that malware to the exclusion list, and Defense+ didn't detect when my keystrokes were being logged and didn't warn about/block the action.

Try it for yourself and see!

Hi all,

I can confirm that for instance AKLT.exe, the anti-keylogger test application, has 1 screenshot-taking test (out of a total of 5 tests, of which the other 4 get flagged by Defense+) which goes undetected by Defense+, even in the Proactive setting with all boxes ticked (as I explained in some topic before).

The .exe file gets flagged by CAV as malware, but if ignored, no warnings are created by Defense+.

And in the other forum topic we also ended up in the argument that all is OK since CAV detects the application as malware. I tried also there to explain that that is not the point (for me at least), but that the point is I would like to know which register/memory/etc... region the application is able to access, which seems not to be protected by CIS's Defense+ protected regions.

Anyway…

brgds
mack

Q. If you install CIS WITHOUT the AV component AND your profile is set to Proactive (so the keyboard is getting monitored), does Defense+ detect the keylogger?

I’m very interested to hear whether this configuration detects or fails.

If D+ does detect the keylogger under these setup conditions, the originally described condition may be caused by D+ accepting what the user had previously accepted (by ignoring the malware alert in the AV).

Cheers,
Ewen :slight_smile:

I'll try that tomorrow, Panic, and I'll give you my feedback! But, as I already said, we have two types of users, and maybe COMODO should think about that.

Best regards!

Thanks in advance for testing. I’ll keep my eyes peeled for your results.

Cheers,
Ewen :slight_smile:

So CIS passed, without the unnecessary D+ alerts. Also, did the firewall alert you when the keylogger was trying to send the "logs" to the host?

:wink: spreading the load over all the components.

Let's go, CIS with the AV uninstalled tested. CIS in proactive mode, Firewall in custom policy mode and Defense+ in safe mode.

I received alerts during the installation of SC-KeyLog 2.25, but I'm not complaining about the possibility or not of the installation, am I?

The problem is, once installed, Defense+ didn't detect when my keystrokes were being logged and didn't warn about/block the action. I created a process called "explorer.exe" with the keylogger, and it copied my keystrokes without any alert from Defense+.

The Firewall asked when the keylogger tried to connect to the internet.

Here you can get it: Download SC-KeyLog - MajorGeeks

Kyle, do you judge the fact that malware got by an AV and was allowed to fully run (added to the exclusion list, by mistake for anyone, let's say), without any alert from the main protection that CIS has, Defense+, as a successful result? Did CIS pass? Not in my opinion.

Maybe you are satisfied with the fact that the AV component got the malware, but I'm not. I use a HIPS to take control of my whole PC, and if Defense+ can't provide that, Defense+ fails.

Maybe you prefer a user-friendly CIS, but as I'm a hard user, I dislike it.
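The post above describes the keylogger running under the name "explorer.exe". As an added example (not code from the thread or from Comodo), the following PowerShell check lists processes that carry that name but do not run from the real Windows shell image; it assumes a Windows host, PowerShell 5.1 or later, and an elevated session so the image path of every process is readable.

```powershell
# Added example: find processes named explorer.exe whose on-disk image is not
# the genuine Windows shell (%WINDIR%\explorer.exe). A keylogger or other tool
# that registers itself under a trusted name shows up here with its real path.
# Assumes a Windows host and an administrator session (non-elevated sessions
# cannot read ExecutablePath for processes owned by other users).
$expected = Join-Path $env:WINDIR 'explorer.exe'

$suspects = Get-CimInstance Win32_Process -Filter "Name = 'explorer.exe'" |
  ForEach-Object {
    $path = $_.ExecutablePath
    [pscustomobject]@{
      PID      = $_.ProcessId
      Parent   = $_.ParentProcessId
      Path     = if ($path) { $path } else { '<unreadable>' }
      # Case-insensitive comparison: only the real shell path counts as genuine.
      Genuine  = ($null -ne $path) -and ($path -ieq $expected)
    }
  } |
  Where-Object { -not $_.Genuine }

if ($suspects) {
  Write-Warning "explorer.exe instances not running from $expected :"
  $suspects | Format-Table -AutoSize
} else {
  Write-Output "All explorer.exe processes run from $expected."
}
```

Unreadable paths are listed as suspects on purpose, so that a process hiding behind access restrictions is not silently treated as genuine.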

You obviously ignored my earlier post.

A keylogger is not, in and of itself, a malicious app. There has been a lot of debate over the years on this.
The same as a lot of networking tools, it can be used or misused.

That aside, read my prior post.
You disabled the AV to avoid a pop-up. OK.
You installed it again, answering the pop-ups so you could install it.
Once you have it installed it is just another app accessing the keyboard. How is CIS supposed to know
good access vs. bad access? Psychic maybe?
Then, because it is a legitimate application installed by you, SURPRISE, it works.
I know that unless someone else has physical control of your machine there is no way a drive-by or malicious install can get by CIS and run the app and phone home.

So you are the one that doesn’t seem to “get it” mkay.

Don’t mean to sound mean, just tired. Later.

Keyloggers, good or not? We are not discussing this!

If a "legitimate application" tries to get my keystrokes, CIS, which apparently monitors my keyboard access, should ask me!

Warned about the execution of the keylogger, but not warned about what it does.

The options are there if you want D+ to monitor the keyboard.

I know, Kyle, but as I already use proactive defense, those options are ticked!

Then what’s the problem? I’m confused.