Author Topic: Query on configuration of Defense+/HIPS  (Read 2096 times)

Offline MarkDym

  • Newbie
  • *
  • Posts: 3
Query on configuration of Defense+/HIPS
« on: October 14, 2014, 04:24:28 AM »
Hi

I am looking at alternatives to our current security solution and am interested in learning more about CESM.

I have watched the demos etc, and have had a quick look through the forums.

Our environment comprises a Windows Active Directory domain with 4 servers and 35 clients plus 4 laptops. We use Windows Vista, 7, 2008 Storage Server, 2008 Standard, 2012 standard and 2012 Standard R2.

Now, I have used Comodo in the past on home systems. I am quite happy with it except for the Defense+/HIPS feature. I have always felt that the feature was unable to distinguish between legitimate operating system access and malicious activity. My experience was that it would alert the user to all access. This is, in my opinion, overkill as the majority of users will have no idea if a process should be trying to access xxx.

So, considering this, I was a little concerned to read this thread. If HIPS is going to block legitimate activity then there will always be a doubt in my mind that it is doing its job.

Can a 'threshold' or sensitivity level be set for HIPS in CESM, and can it be configured to ask the user about operations it is not sure about?

Thanks

Offline georgianas

  • CESMUser
  • Comodo Family Member
  • *
  • Posts: 68
Re: Query on configuration of Defense+/HIPS
« Reply #1 on: October 14, 2014, 08:53:54 AM »
Hi,
The user notifications with the default policies is turned off and the administrator can control what to whitelist. He can use the centralized Sandbox or unrecognized file or quarantined files.
You can setup the HIPS level: Paranoid Mode, Safe Mode, Clean PC Mode,Training Mode.

In the policy configuration it's recommended to whitelist any vbs script, unsigned software, etc that is, or might be categorized as unrecognized and run fully virtualized.
And in the worst case scenario if something legitimate gets blocked, gathering the HIPS logs - Defense+ reports from ESM console, submit them to us by email, to identify the cause.
« Last Edit: October 14, 2014, 09:04:46 AM by georgianas »

Offline MarkDym

  • Newbie
  • *
  • Posts: 3
Re: Query on configuration of Defense+/HIPS
« Reply #2 on: October 14, 2014, 11:22:29 AM »
Hi, georgianas, thanks a lot for replying.

I appreciate what you are saying. However, I am still not assured the software is making intelligent decisions.

For example, I use another security product on my home PC at present that uses behavioural analysis to determine whether activity is legitimate or malicious. Luckily, my PC is clean, and I see no alerts for normal usage. If I download a file that contains crapware, or if a new game is installed and started I will see alerts from the program about the crapware, or about the game accessing the keyboard etc. If I install CIS I will see alert after alert from Defense+ - not only about the examples given but a myriad other things as well.

The issue I have is that on my home system I am able to make an informed decision. On my network, our staff are not IT literate, and if legitimate applications that are sandboxed are deemed malicious (in whatever degree), that is wasted time. If alerts are displayed they will be unsure how to react and will ask my advice, which for the most part will be a waste of my time. I understand I can use Comodo's excellent support but it does not help when the program needs to be used immediately and work has to be completed within a deadline. There is the option to disable the software but that leaves the machine wide open to infection.

Also, you can only whitelist what you know about. I am about to roll out Office 2013 ProPlus across our network and I am not familiar with how it works. I would, therefore, in the example given in my previous post, be unable to whitelist something if I am not aware of it.

Please don't take my post the wrong way. Comodo's products are great, but I have to make the right choice when choosing network security software.

One other thing I was wondering about, but have not seen in the CESM demos is web filtering. Is this something that Comodo may be integrating into the product in the future?

Offline georgianas

  • CESMUser
  • Comodo Family Member
  • *
  • Posts: 68
Re: Query on configuration of Defense+/HIPS
« Reply #3 on: October 15, 2014, 05:59:00 AM »
I understand the reservation for the default deny system, because it involves the control over all the apps, files, etc running on the endpoints. The approach is whitelisting those files that are trusted, intelligent automatic decision, and adding the admins decision for those that are in the sandbox.
Regarding:
'For example, I use another security product on my home PC at present that uses behavioural analysis to determine whether activity is legitimate or malicious.'
The files are categorized as good, bad and the unrecognized(sandbox).
The process is the following:
'After an unknown application has been placed in the sandbox, CES also automatically queues it for submission to Comodo Cloud Scanners for automatic behavior analysis. Firstly, the files undergo another antivirus scan on our servers. If the scan discovers the file to be malicious, then it is designated as malware, the result is sent back to the local installation of CES and the local black-list is updated. If the scan does not detect that the file is malicious then its behavior will be monitored by running it in a virtual environment within Comodo's Instant Malware Analysis (CIMA) servers and all its activities are recorded. If these behaviors are found to be malicious then the signature of the executable is automatically added to the antivirus black list. If no malicious behavior is recorded then the file is placed into 'Unrecognized Files' (for execution within the sandbox) and will be submitted to our technicians for further checks.'

Regarding those alerts you can select like default answer for when the events happen on the endpoint, example if option in Sandbox 'Detect programs which require elevated privileges' it's enabled and you disable the notification , so the user won't have to do the decision for that unknwon program to
 make changes to important areas from the computer, it will block it.

'The issue I have is that on my home system I am able to make an informed decision. On my network, our staff are not IT literate, and if legitimate applications that are sandboxed are deemed malicious (in whatever degree), that is wasted time. If alerts are displayed they will be unsure how to react and will ask my advice, which for the most part will be a waste of my time. I understand I can use Comodo's excellent support but it does not help when the program needs to be used immediately and work has to be completed within a deadline. There is the option to disable the software but that leaves the machine wide open to infection'.

What I would suggest would be the following, password protect the CES local GUI and disable the Computer administrator, so you deny access even to those users that have local admin rights, through the policy that is applied on the endpoint.

Make sure the endpoint is clean: do the update and the full scan.

Do the test on a template machine , most programs that are used in the company, check for your own what % of 'legitimate' programs, files are sandboxed.
Script created , those programs, files that aren't signed need manual whitelisting, because they might be categorized as unrecognized.
Please see here the process for unknown files:
http://help.comodo.com/topic-84-1-604-7502-Unknown-Files---The--Scanning-Processes.html

If a legitimate program gets sandboxed and user is requesting the whitelisting, add it only through 2 clicks from the console in the trusted files list will be whitelisted for all endpoints using that policy.

If after doing your general whitelisting, for those other programs that run in the sandbox,if you aren't sure, leave it to run in the sandbox.
Whitelist what you know.
Unrecognized option from ESM console will help you in your unknown file assessment.
http://help.comodo.com/topic-84-1-496-7903-Viewing-and-Managing-Unrecognized-Files.html

If you are thinking a rol out of Office 2013 ProPlus accross the network, would suggest a simulated rol out on one test machine, to see the result of install and after the install, like day to day use, prepare the policy before for the endpoints, like if the script needs whitelisting, then white listed it. Once it looks good, apply the updated policy, do another test same machine , or another  and check how it goes.
If everything looks good, start the roll out in stages maybe.

Thank you for your posting and a suggestion to make the right decision is to trial first Comodo ESM.
https://www.comodo.com/business-enterprise/cesm3/index_v2.php

Yes, web filtering is something that will be integrated in ESM.

Hope this helps :)
« Last Edit: October 15, 2014, 06:01:26 AM by georgianas »

Offline MarkDym

  • Newbie
  • *
  • Posts: 3
Re: Query on configuration of Defense+/HIPS
« Reply #4 on: October 20, 2014, 10:34:59 AM »
Hi, georgianas

Thanks very much for your comprehensive reply. I will definitely consider CISM when the time comes to review our security software.

One last question, if I may: our present license gives us the same number of home licenses as we have business licenses for free. Does the licensing for CISM allow for this as well?

Offline MichelB

  • Comodo's Hero
  • *****
  • Posts: 516
Re: Query on configuration of Defense+/HIPS
« Reply #5 on: October 20, 2014, 04:39:43 PM »
Hi Mark,

The ESM server does not differentiate, the licenses you purchase are yours to do with as you please as long as the amount purchased are not exceeded.

Regarding your prior whitelisting/HIPS configuration. Whitelisting by its nature is aggressive in that it will not run files/dependancies that are not explicitly trusted either through a valid code-signing certificate or by the administrator. It is simple however to add whitelisting rules through the ESM console.

Kind regards,
Michél

 

Free Endpoint Protection
Seo4Smf 2.0 © SmfMod.Com Smf Destek