CVA improvement suggestions & Wish-List

[LeoniAquila]

Please post your CVA improvement suggestions and wishes in this thread! Thank you.


I'm first out:

1) Present a scan log which programs and system details CVA has scanned. If CVA, for example, doesn't know anything about a certain program - it would be nice to know that. Like a warning "this program isn't recognized by CVA, you should i) look for updates manually and ii) submit it to Comodo so we can add it to our database". In case there already is a log available (I haven't completely checked out the features of CVA), please ignore this suggestion.

2) Tell me that I had Defense+ disabled!

3) If CVA doesn't already check for the latest Microsoft hotfixes, maybe this could be a useful feature? I know that most people have Windows Automatic Updates, but if that feature for some reason misses a patch or two, CVA could cover that.

Thanks!
LA

[LeoniAquila]

Umesh replied here, but now his post is gone? Anyway, Umesh confirmed that my first and third suggestions are planned to be part of CVA (that's how I remember it, if I'm wrong, please correct me).

LA

[herman the german]

i've got a sugestion as well. i've been using rival secunia's PSI which is in rc2 atm i think and when it detects something is out of date it offers a direct link to the website where the updated version can be found i was wondering if the vulnerability advisor could do the same?

cheers

herman the german

[Umesh]

Hi LeoniAquila,
I also wonder where my post has gone!

Yes we will have 1st and 3rd requests covered in forthcoming versions. Next version which we plan by 3rd week of June, 2008 is expected to have missing Windows patches information.

Regarding 2nd request, it was kind of connecting two products which we won't like to do, may be CFP can be improved to show you some balloon messages every often if D+ is disabled.

Regarding  herman the german question if we take user as from where he can download latest version,
please check attached snap where CVA takes user to
http://www.rarlab.com/download.htm
when it finds an old version of Winrar is installed.
So CVA also has this feature.

Thanks
-umesh

[attachment deleted by admin]

[Zero3K]

It should show a list of the ones that it knows about.

[Ronny]

In reply to the 2nd request, i also found that a lack of CPF, the icon doesn't change if you disable the firewall or D+ to something with a red cross in it so you can see it's disabled. Therefore i wrote a small program that check's the Firewall and D+ State in the Registry and shows a balloon when the config is not in my own "default" state.
I think this would be a nice feature for an upcomming CPF release.

[LeoniAquila]

In reply to the 2nd request, i also found that a lack of CPF, the icon doesn't change if you disable the firewall or D+ to something with a red cross in it so you can see it's disabled. Therefore i wrote a small program that check's the Firewall and D+ State in the Registry and shows a balloon when the config is not in my own "default" state.
I think this would be a nice feature for an upcomming CPF release.

I agree, but now you've gone off the CVA topic, so I suggest you put this on the CFP 3 wishlist!

Thanks,
LA

[spasserfan]

• It would be nice if one could schedule scans. Since I do not want the program to run all the time these schedules should start the program, and if there is any updates prompt the user. When the job is finished the program should automatically close
• As an addition to the above it would also be a great feature if CVA could be set to automatically install the updates by prompting the user when they are found: "updates has been found, will you update these programs now, later or manually?"

[Umesh]

Hi spasserfan,

    * It would be nice if one could schedule scans. Since I do not want the program to run all the time these schedules should start the program, and if there is any updates prompt the user. When the job is finished the program should automatically close

would you like to see this implemented as Windows Tasks? That means CVA can provide an interface and using that details like they are entered in Windows Tasks about timing can be entered. So CVA is run by Windows at that time and generates the report under specified folder.

    * As an addition to the above it would also be a great feature if CVA could be set to automatically install the updates by prompting the user when they are found: "updates has been found, will you update these programs now, later or manually?"

This is not trivial thing, updates vary from product to product and they can be very product specific. Like no other product can provide updates for Comodo Firewall Pro, b'caz the nature of updates, similarly can be the case for many other products.

Even if we venture out in this, we won't be able to cover all products, so the best is product in question updates itself which is done best by itself rather any other product.

Thanks
-umesh

[gibran]

I guess I'll add mine too.

Making CVA act as a frontend to Windows tasks would be nice but if possible I wish for a realtime vulnerability check too.
Secunia PSI beta had a something like this (although it didn't appear to be really realtime).

Maybe some sort of realtime scanning could be added making CVA-aware a future version of CFP.

Another nice feature would be to make CMF CVA-aware that is if there is a chance to let CMF know if a specific BO event can be linked to a specific exploit/advisory.

[Umesh]

Hi gibran,
Real time scanning is in the pipeline, we will have it.

We although can change CMF so when it detects any vulnerability, it can send information about it to comodo.
But even though CMF alerts about any vulnerability, that product has to be analyzed and vulnerability has to be confirmed.
As of now role of CVA is just to inform users about known vulnerabilities and as of now Comodo is not in the business of exposing vulnerabilities and publish them.

Thanks
-umesh

[gibran]

Real time scanning is in the pipeline, we will have it.

That's great news 

We although can change CMF so when it detects any vulnerability, it can send information about it to comodo.
But even though CMF alerts about any vulnerability, that product has to be analyzed and vulnerability has to be confirmed.
As of now role of CVA is just to inform users about known vulnerabilities and as of now Comodo is not in the business of exposing vulnerabilities and publish them.

Sorry I didn't explain myself as I know nearly nothing about BO and exploits. As I understand Vulnerability research require a cooperative approach and I understand that there is no way for a single company to take such a heavy task.

I always wondered if there could be a different way to warn user about a specific exploit attack. Usually AV signature-based approach can identify specific exploit code and alert the user.
However this type of detection is somewhat limited as changing the code to leverage on the same vulnerability could be undetected.
CMF instead trap BO on the fly and it can detect even new exploit code on the act. However as end user there is no sure-strike way to know if an alert was due to a malicious attempt.

As I don't have the necessary know-how I don't know it an existing BO vulnerability is able to trigger a well defined range of alerts regardless of the exploit code or end-user machine specific setups.

If there is a way to to bind an existing reported exploit/vulnerability to a specific set of alert characteristics then there would be an alternate way to detect exploits without relying on exploit code signatures.

Since CMF is monitoring BO events I wondered if there could be something like a BO signature (based for example only on memory range exception addresses, exploitable component name/signature and type of BO) specific enough to link a specific BO alert to an existing reported vulnerability (if that vulnerability provided exploit code to gather such data).

I don't know if there is a way to define something like a BO signature but I imagined if something like this was possible then it could be used an a way to complement existing AV code signature based approach (creating a chance for researchers to add such BO signature to new full disclosure advisories).

[spasserfan]

Hi spasserfan,

would you like to see this implemented as Windows Tasks? That means CVA can provide an interface and using that details like they are entered in Windows Tasks about timing can be entered. So CVA is run by Windows at that time and generates the report under specified folder.

This is not trivial thing, updates vary from product to product and they can be very product specific. Like no other product can provide updates for Comodo Firewall Pro, b'caz the nature of updates, similarly can be the case for many other products.

Even if we venture out in this, we won't be able to cover all products, so the best is product in question updates itself which is done best by itself rather any other product.

Thanks
-umesh

Implementing as windows task was just what I wanted, that way the check could be done when the system is idle. If CVA doesn't find any vulnerabilities then the program just shuts down silently, but if any vulnerabilities has been found it prompts the user.

As for updating programs automatically, it would be nice if one could specify a command line which CVA should run if vulnerabilities is found in a particular program (many programs has an external updater or some could be updated by using a command line switch). Of course the command line should be an option (deselected by standard) to make CVA user friendly but also making a good program for professionals.

The way you could implement this could be like this: The first time a vulnerability has been found in a program CVA would prompt the user (if the command line option is selected ) if he wanted to:

• Set a command line for this program
• Not to run a command line with this program

And of course an "remember" option (like in CFP) to let CVA run the specified command line every time a vulnerability has been found for that particular program or never run a command line for that particular program but instead prompt the user to manually update.

[Umesh]

Hi gibran,
Your ideas are great, we would consider it down the road.

Thanks
-umesh

[3xist]

Hi Guys,

I made this a sticky. This is now also the wish list for CVA.

Josh