Author Topic: Proofs of Concepts Vs. CFP3  (Read 43880 times)

Offline qwerty

  • Comodo Loves me
  • ****
  • Posts: 155
Re: A small program which cann't be blocked by CFP (Defense+) (add two new ones)
« Reply #30 on: September 23, 2007, 10:06:33 PM »
You're missing the point.
It's two different things.
One is a user-initiated shutdown, the other is a software-initiated shutdown, without any input from the user.

Some malware will cause a system shutdown, the exitwindows trojan for example (useful for loading rootkits, drivers, etc., I imagine).

SSM will ask about any process trying to shut down Windows; CPF3 should do the same.

Offline rcbblgy

  • Comodo Loves me
  • ****
  • Posts: 130
Re: A badjoke program CFP cann't block (defense+)
« Reply #31 on: September 23, 2007, 10:17:02 PM »
I MUST DISAGREE, because if the program is something you don't know is bad, then Comodo should block its BAD actions for your protection... if other HIPS can do it then Comodo is in need of a new function; despite what you say, it is not human error but a program error if Comodo doesn't have the ability to block a kill function in a program...
I am sorry, I have read your post twice, but I don't know what you want to say; although I know the meaning of every sentence you said, I couldn't understand your meaning. What do you disagree with, and what do you agree with?
I just hope CFP becomes stronger and has all the functions which other HIPS have.

Offline rcbblgy

  • Comodo Loves me
  • ****
  • Posts: 130
Re: A small program which cann't be blocked by CFP (Defense+) (add two new ones)
« Reply #32 on: September 23, 2007, 10:24:50 PM »
You're missing the point.
It's two different things.
One is a user-initiated shutdown, the other is a software-initiated shutdown, without any input from the user.

Some malware will cause a system shutdown, the exitwindows trojan for example (useful for loading rootkits, drivers, etc., I imagine).

SSM will ask about any process trying to shut down Windows; CPF3 should do the same.
Yes, I agree.
Not only SSM can do that, but EQSecure and ProSecurity can too.

Offline gibran

  • Average User
  • Comodo's Hero
  • *****
  • Posts: 5056
  • A bad workman always blames his tools
Re: A small program which cann't be blocked by CFP (Defense+) (add two new ones)
« Reply #33 on: September 24, 2007, 03:42:32 AM »
You're missing the point.
It's two different things.
One is a user-initiated shutdown, the other is a software-initiated shutdown, without any input from the user.

Geez ;D I think not. That was exactly my point and you fell for it ;)

In terms of functions there is NO difference. So you say "user-initiated" shutdown because you KNOW what these commands do.
This means that a HIPS that is not blindly acting should KNOW these as well and not act, or the CFP execution blocker will have the same outcome (if the rule was not marked to be remembered) in terms of functionality.

These commands could be written in a bat file as well, or the shutdown command could be changed to notepad.exe or added to the registry Run keys. The user might not know these either, so from his perspective those act like viruses :o
Isn't there a way to block those programs with V3 once you know what they will do?

Since these are legit functions they could be used by many legit programs as well, so this protection only adds another popup that will interfere with these programs. Is this really an issue that requires a whole new batch of alerts?

Yep, I already know your answer ;D
« Last Edit: September 24, 2007, 03:48:05 AM by gibran »
"In the beginning the Universe was created. This has made a lot of people very angry and has been widely regarded as a bad move."- Douglas Adams

Offline foxman

  • Comodo Loves me
  • ****
  • Posts: 193
Re: A small program which cann't be blocked by CFP (Defense+) (add two new ones)
« Reply #34 on: September 24, 2007, 06:44:04 AM »
I believe the argument is that (and it does bother me at times), even though CFP intercepted a bad program and asked the user whether to allow execution or not, the user may not be knowledgeable enough to make the right decision, well, "is it a bad guy or not?". And if he says "yes", CPF would have a built-in mechanism to stop this program from doing harmful things, say, hey! that's where stuff like BOClean comes in, isn't it?  (:KWL)

Offline nubiatech

  • Comodo Family Member
  • ***
  • Posts: 94
Re: A small program which cann't be blocked by CFP (Defense+) (add two new ones)
« Reply #35 on: September 24, 2007, 07:08:27 AM »
Geez ;D I think not. That was exactly my point and you fell for it ;)

In terms of functions there is NO difference. So you say "user-initiated" shutdown because you KNOW what these commands do.
This means that a HIPS that is not blindly acting should KNOW these as well and not act, or the CFP execution blocker will have the same outcome (if the rule was not marked to be remembered) in terms of functionality.

These commands could be written in a bat file as well, or the shutdown command could be changed to notepad.exe or added to the registry Run keys. The user might not know these either, so from his perspective those act like viruses :o
Isn't there a way to block those programs with V3 once you know what they will do?

Since these are legit functions they could be used by many legit programs as well, so this protection only adds another popup that will interfere with these programs. Is this really an issue that requires a whole new batch of alerts?

Yep, I already know your answer ;D

I beg to differ: there is a HUGE difference!

It comes down to this: blocking the execution of a process is just a fraction of what a modern HIPS does. There are many malware delivery and infection mechanisms that can easily defeat execution blocking.

Is Defense+ a full-blown HIPS? Does it measure up to other HIPS on the market?
IMHO, the answer is NO, at least not yet.
(Here is a good comparative: http://membres.lycos.fr/nicmtests/Unhookers/unhooking_tests.htm )

Will Defense+ catch up to the other HIPS out there?
I sure do hope so, and would love to hear from Melih and the Comodo team  8)

Offline gibran

  • Average User
  • Comodo's Hero
  • *****
  • Posts: 5056
  • A bad workman always blames his tools
Re: A small program which cann't be blocked by CFP (Defense+) (add two new ones)
« Reply #36 on: September 24, 2007, 07:51:43 AM »
I see, but that comparative is about unhooking and doesn't mention V3. Did you actually run those tests against V3?

There are many malware delivery and infection mechanisms that can easily defeat execution blocking.
This point is a bit undeveloped too; I beg you to add just that tiny bit of detail so yours will not appear to be a groundless statement. :)
« Last Edit: September 24, 2007, 08:13:33 AM by gibran »
"In the beginning the Universe was created. This has made a lot of people very angry and has been widely regarded as a bad move."- Douglas Adams

Offline Little Mac

  • Forum Volunteer
  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 6303
  • The Colonel told me to.
Re: A small program which cann't be blocked by CFP (Defense+) (add two new ones)
« Reply #37 on: September 24, 2007, 10:49:38 AM »
I agree that a popup would be a nice, user-friendly thing to have, to warn that some application is trying to shut down the system.

However, I think this is something that v3 can indeed handle at the moment (in a not-so-user-friendly kind of way).  Think through the process: what has to happen in order for the system to be shut down?  Processes must be terminated, yes?  So without process termination, there is no unauthorized shutdown.  Use Protection Settings with defined exclusions for the required system processes and what can shut them down.  Then Protect those files that are authorized to perform system shutdown.

Not so user-friendly, I agree, but I think it can be done...

LM
These forums are focused on providing help and improvement for Comodo products.  Please treat other users with respect and make a positive contribution.  Thanks.
Forum Policy

Offline nubiatech

  • Comodo Family Member
  • ***
  • Posts: 94
Re: A small program which cann't be blocked by CFP (Defense+) (add two new ones)
« Reply #38 on: September 24, 2007, 03:49:21 PM »
I see, but that comparative is about unhooking and doesn't mention V3. Did you actually run those tests against V3?
This point is a bit undeveloped too; I beg you to add just that tiny bit of detail so yours will not appear to be a groundless statement. :)

No, I did not run any of these tests.  I added the link above just to show that there are many features that are missing in Defense+ compared to other HIPS.

The point, again, is this:
Defense+ is far behind other HIPS like EqSecure, Neoava Guard, SSM, ProSecurity, etc.
The original poster gave you proof of concept.

And, speaking of groundless statement, here is your statement:

Quote
In terms of functions there is NO difference. So you say the user initiated shutdown because you KNOW what these commands do.
This means that a HIPS that is not blindly acting should KNOW these as well and don't act or CFP execution blocker will have the same outcome (If the rule was not marked for remember) in terms of functionality.

Please tell me that you actually tested SSM, EqSecure, or any other HIPS before making that statement, did you? On what grounds did you boldly state that there is no difference?

I'm not sure what you are trying to accomplish here, but you come across as an apologist for Comodo. I hope someone from the development team adds some comments on this topic.

That being said, I have nothing more to add to this thread.


Peace, out.

Offline Melih

  • CEO - Comodo
  • Administrator
  • Comodo's Hero
  • *****
  • Posts: 14690
    • Video Blog
Re: A small program which cann't be blocked by CFP (Defense+) (add two new ones)
« Reply #39 on: September 24, 2007, 03:53:53 PM »
Thanks for all the discussions guys.

OK

Is it a feature that is missing in CFP or a default configuration? (There is an important difference here.)

If it's a feature, what is that feature you want added?
If it's a configuration, then what is that configuration?


thanks
Melih

Offline Little Mac

  • Forum Volunteer
  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 6303
  • The Colonel told me to.
Re: A small program which cann't be blocked by CFP (Defense+) (add two new ones)
« Reply #40 on: September 24, 2007, 05:29:14 PM »
I think what seems to be "missing" is an alert to the user; other HIPS provide an alert about shutdown.  This seems to be based on the way their protection settings are configured; perhaps a little more "automatic" than v3 at the present.

v3 can be configured to protect system processes required to be running (so as to prevent an unauthorized application from terminating), but it's rather in-depth and requires the user to know what processes/applications must be protected, and what must be on the Exclusion list to be authorized to shut down the system.

For the "set & forget" users, perhaps a wizard-driven configuration, based on Q & A to the user, would be good (hasn't that been mentioned before?).

LM
These forums are focused on providing help and improvement for Comodo products.  Please treat other users with respect and make a positive contribution.  Thanks.
Forum Policy

Offline gibran

  • Average User
  • Comodo's Hero
  • *****
  • Posts: 5056
  • A bad workman always blames his tools
Re: A small program which cann't be blocked by CFP (Defense+) (add two new ones)
« Reply #41 on: September 24, 2007, 05:30:21 PM »
No, I did not run any of these tests.  I added the link above just to show that there are many features that are missing in Defense+ compared to other HIPS.
I may not be able to understand your style of discussion. To me that was only a comparative about HIPS memory unhook protection. That never mentioned V3, plus there is a disclaimer on that page claiming:

Quote from: http://membres.lycos.fr/nicmtests/Unhookers/unhooking_tests.htm
DISCLAIMER : These tests do only focus on a very special kind of malware, and therefore should not be seen as an assessment of the general efficiency of the programs tested, in any way

The original poster gave you proof of concept.
So there are many and not only one. I was commenting on the latest shutdown-based one.

And, speaking of groundless statement, here is your statement:

Please tell me that you actually tested SSM ,EqSecure, or any other HIPS before making that statement, did you? On what grounds did you boldly state that there is no difference?
See, you may want to read what I posted again. I have no need to make any bold statements, nor do I usually cite links that do not effectively add some more information to the discussion at hand. The reply you cited referred to the fact that there is NO functional difference with shutdown -s or RUNDLL32.EXE user.exe,exitwindows, and considering them safe because they could have been user-initiated IS misleading 8)
Do I need to install another HIPS to state that? I don't think so.

Quote from: http://en.wikipedia.org/wiki/Logical_fallacies
Irrelevant Conclusion (also called Ignoratio Elenchi), wherein, instead of proving the fact in dispute, the arguer seeks to gain his point by diverting attention to some extraneous fact (as in the legal story of "No case. Abuse the plaintiff's attorney").

The fallacies are common in platform oratory, in which the speaker obscures the real issue by appealing to his audience on the grounds of
purely personal considerations (argumentum ad hominem), popular sentiment (argumentum ad populum, appeal to the majority), fear (argumentum ad baculum), conventional propriety (argumentum ad verecundiam)

In the end, all that I asked for was a more detailed discussion about the benefit of such options, other than just that V3 doesn't have them.
There are many testers already complaining about this level of alerts, so what's wrong with wanting a more thoughtful description of one's suggestion?
« Last Edit: September 24, 2007, 05:52:44 PM by gibran »
"In the beginning the Universe was created. This has made a lot of people very angry and has been widely regarded as a bad move."- Douglas Adams
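The point argued above is that shutdown -s and RUNDLL32.EXE user.exe,exitwindows are the same function whether a person or a program launches them, so a monitor can only tell the two apart by looking at who the parent process is. The script below, an added example that is not from the thread or from Comodo, classifies constructed process-creation log lines that way; the log format, the list of interactive parents and the command-line patterns are assumptions.

```python
import re
from dataclasses import dataclass

# Parents that normally carry a user's own action on an interactive desktop
# (assumed list; tune it to the environment).
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}

# Command-line shapes named in the thread: "shutdown -s" and
# "RUNDLL32.EXE user.exe,exitwindows". The function is identical
# whoever launches it, so the pattern alone cannot say who did.
SHUTDOWN_PATTERNS = [
    re.compile(r"(^|\\)shutdown(\.exe)?\s+.*[-/][sr]\b", re.I),
    re.compile(r"(^|\\)rundll32(\.exe)?\s+user\.exe\s*,\s*exitwindows", re.I),
]

@dataclass
class ProcEvent:
    parent: str   # full path of the parent process image
    image: str    # full path of the new process image
    cmdline: str  # command line as launched

def parse_event(line):
    """Parse a constructed log line 'parent=<path> image=<path> cmd=<text>'."""
    m = re.match(r"parent=(\S+)\s+image=(\S+)\s+cmd=(.*)$", line.strip())
    if not m:
        return None
    return ProcEvent(m.group(1).lower(), m.group(2).lower(), m.group(3))

def is_shutdown_attempt(ev):
    return any(p.search(ev.cmdline) for p in SHUTDOWN_PATTERNS)

def classify(ev):
    """'ignore' for non-shutdown launches; otherwise who initiated it."""
    if not is_shutdown_attempt(ev):
        return "ignore"
    parent_name = ev.parent.rsplit("\\", 1)[-1]
    return "user-initiated" if parent_name in INTERACTIVE_PARENTS else "software-initiated"

# Constructed sample: one user action, a "bad joke" program trying both
# shutdown methods from the thread, and an unrelated launch.
SAMPLE_LOG = """\
parent=C:\\Windows\\explorer.exe image=C:\\Windows\\System32\\shutdown.exe cmd=shutdown -s -t 0
parent=C:\\Users\\u\\Downloads\\badjoke.exe image=C:\\Windows\\System32\\shutdown.exe cmd=shutdown -s -t 0
parent=C:\\Users\\u\\Downloads\\badjoke.exe image=C:\\Windows\\System32\\rundll32.exe cmd=RUNDLL32.EXE user.exe,exitwindows
parent=C:\\Windows\\explorer.exe image=C:\\Windows\\System32\\notepad.exe cmd=notepad.exe readme.txt
"""

def triage(log_text):
    """Return (parent path, verdict) for every shutdown attempt in the log."""
    results = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is not None and (verdict := classify(ev)) != "ignore":
            results.append((ev.parent, verdict))
    return results

if __name__ == "__main__":
    for parent, verdict in triage(SAMPLE_LOG):
        print(f"{verdict:<19} {parent}")
```

A program the user allowed to run and that then calls shutdown.exe shows up with the program, not the desktop shell, as parent, which is exactly the case the thread says a HIPS should surface; a user typing the same command from cmd.exe is reported as user-initiated.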

Offline nubiatech

  • Comodo Family Member
  • ***
  • Posts: 94
Re: A small program which cann't be blocked by CFP (Defense+) (add two new ones)
« Reply #42 on: September 24, 2007, 05:46:50 PM »
I may not be able to understand your style of discussion. To me that was only a comparative about HIPS memory unhook protection. That never mentioned V3, plus there is a disclaimer on that page claiming:
So there are many and not only one. I was commenting on the latest shutdown-based one.
See, you may want to read what I posted again. I have no need to make any bold statements, nor do I usually cite links that do not effectively add some more information to the discussion at hand. The reply you cited referred to the fact that there is NO functional difference with shutdown -s or RUNDLL32.EXE user.exe,exitwindows, and considering them safe because they could have been user-initiated IS misleading 8)
Do I need to install another HIPS to state that? I don't think so.

In the end, all that I asked for was a more detailed discussion about the benefit of such options

You can have the last word. I am done with this thread.

Offline MasterTB

  • Comodo Family Member
  • ***
  • Posts: 85
Re: A badjoke program CFP cann't block (defense+)
« Reply #43 on: September 25, 2007, 11:23:33 AM »
I am sorry, I have read your post twice, but I don't know what you want to say; although I know the meaning of every sentence you said, I couldn't understand your meaning. What do you disagree with, and what do you agree with?
I just hope CFP becomes stronger and has all the functions which other HIPS have.


I am saying that I disagree with Little Mac when he says that if you're allowing the program to run then the shutdown initiated by that program is a human error and not an error of the Comodo Firewall because you allowed the program. (and I quote) "If you're allowing it to execute using CFP, then I don't think CFP has missed it; it's doing what you told it you wanted to do.  That would qualify under "user" error, rather than "program" error..."

I am saying that I disagree because you allowed the program to run, but maybe you didn't know that the program was a bad program that was going to initiate a shutdown, and then CPF should have the ability (like other HIPS have) to alert you about that shutdown and stop it if it was not your intention to shut down the machine.

I'm sorry if I was or am not very clear, English is not my native language and I'm doing my best to make myself clear.
AMD Phenom II 955 BE @ 3.81 GHz
MSI 790FX-GD70 Mobo
Sapphire HD 5830 GPU (OCed)
4GB DDR3 RAM
Creative X-Fi Fatal1ty ExtremeGamer Pro
2x1TB SATA II HDDs
LG LED 24" Monitor

Offline Little Mac

  • Forum Volunteer
  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 6303
  • The Colonel told me to.
Re: A small program which cann't be blocked by CFP (Defense+) (add two new ones)
« Reply #44 on: September 25, 2007, 11:38:03 AM »
For what it's worth, MasterTB, I understood you!  ;D  The problem with any HIPS is that at some point it relies on user interaction.  If the user is unable to make an appropriate decision regarding blocking something, then the HIPS will not function.  There are some (such as CyberHawk) that try to incorporate behavior-blocking techniques to remove some of the need for user response.

Each development team has to decide what is an appropriate level of automation vs user fatigue (for clicking on alerts).  v3 can be configured to block more things, but it's not user-friendly at the moment.  It does not automatically monitor/intercept the type of shutdown sequence caused in this scenario, which some others obviously do.  There are potentially hundreds (maybe thousands) of actions each application could take; the developers have to decide how many of those will generate a response from CFP by default, and how many the user has to tell CFP they want to see.

I personally think that a Q & A Wizard (either during installation, or after - like the current Profiler) is a good solution.  I know this has been discussed before; starting with a basic question about the overall level of paranoia the user has (and how tight they want things); this would configure some basic settings, and then prompt for more questions about details.  So as the user is interviewed by the software, it is creating rules/settings based on the answers.  All this would have to be completely reversible, of course, as well as import/export friendly.  I'll refer, as I have before, to products like Samurai for Windows and Bastille for Linux (Bastille has a nicely-detailed interview process).

LM
These forums are focused on providing help and improvement for Comodo products.  Please treat other users with respect and make a positive contribution.  Thanks.
Forum Policy
