Author Topic: CFP versus malware- interesting lacking features in Defence Plus?  (Read 14300 times)

Offline aigle

  • Comodo's Hero
  • *****
  • Posts: 722
Re: CFP versus malware- interesting lacking features in Defence Plus?
« Reply #15 on: July 10, 2008, 02:08:58 AM »
As to adding more rules etc. into CFP: well, for us to know what rules to add, we must know what the malware does. If we know what the malware does, then we can add
1) a malware signature
2) some heuristics
into our AV product to catch it.

So I think it's more sensible to create the sigs and some heuristics for our AV rather than try to put some heuristic rules into CFP.

thanks
Melih
That is good for an AV, not a HIPS. The real power of CFP is in the Defence Plus HIPS, not the AV signatures and heuristics.

It will be really nice to add some filters like:

Detection of a process rapidly reading many files in a short time
Detection of a process rapidly deleting many files in a short time
Detection of a process rapidly modifying many files in a short time

With these features such malware can be detected; though the behaviour will only be detected when the malware has already done some damage, at least the damage will be minimal rather than losing all your data.

Thanks
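The three behavioural filters proposed in the post above (a single process rapidly reading, deleting or modifying many files), as an added Python sketch that is not part of this thread and not code from CFP or Defence Plus. It feeds constructed file-operation events (a benign editor, then a ransomware-like process rewriting 60 documents) through a per-process sliding window and raises an alert once one process has touched more distinct files than a threshold inside the window. The thresholds, window length, process names, paths and the tab-separated event format are all assumptions. It also makes the caveat from the post visible: the alert fires only after a number of files have already been touched.

```python
"""
Sliding-window detector for "process rapidly reads / modifies / deletes many files".
Added example only; thresholds, window and log format are assumptions, not CFP's.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    ts: float     # seconds since some epoch
    pid: int
    image: str    # process image name
    op: str       # "read" | "modify" | "delete"
    path: str


# Assumed thresholds: alert when one process touches this many *distinct*
# files with the given operation inside WINDOW seconds.
THRESHOLDS = {"read": 50, "modify": 20, "delete": 20}
WINDOW = 5.0


class RapidFileOpDetector:
    def __init__(self, thresholds=THRESHOLDS, window=WINDOW):
        self.thresholds = dict(thresholds)
        self.window = window
        self._hist = defaultdict(deque)   # (pid, op) -> deque of (ts, path)
        self.alerted = set()              # (pid, op) pairs already reported

    def feed(self, ev):
        """Consume one event; return an alert dict when (pid, op) crosses its
        threshold for the first time, else None."""
        if ev.op not in self.thresholds:
            return None
        key = (ev.pid, ev.op)
        q = self._hist[key]
        q.append((ev.ts, ev.path))
        cutoff = ev.ts - self.window
        while q and q[0][0] < cutoff:     # drop events that left the window
            q.popleft()
        distinct = {p for _, p in q}      # count files, not operations
        if len(distinct) >= self.thresholds[ev.op] and key not in self.alerted:
            self.alerted.add(key)
            return {"pid": ev.pid, "image": ev.image, "op": ev.op,
                    "files_in_window": len(distinct), "at": ev.ts}
        return None


def parse_line(line):
    """Assumed log format: ts<TAB>pid<TAB>image<TAB>op<TAB>path."""
    ts, pid, image, op, path = line.rstrip("\n").split("\t")
    return FileEvent(float(ts), int(pid), image, op, path)


def make_sample_log():
    """Constructed sample: notepad touching 5 files over 5 s, then a
    ransomware-like process reading and rewriting 60 documents in ~3 s."""
    lines = []
    for i in range(5):
        lines.append(f"{10.0 + i:.2f}\t1200\tnotepad.exe\tread\tC:\\Users\\u\\notes{i}.txt")
        lines.append(f"{10.5 + i:.2f}\t1200\tnotepad.exe\tmodify\tC:\\Users\\u\\notes{i}.txt")
    for i in range(60):
        t = 20.0 + i * 0.05
        p = f"C:\\Users\\u\\Documents\\doc{i}.docx"
        lines.append(f"{t:.2f}\t4711\tcryptor.exe\tread\t{p}")
        lines.append(f"{t + 0.01:.2f}\t4711\tcryptor.exe\tmodify\t{p}")
    return lines


def run(lines):
    """Run the detector over log lines; return the list of alerts in order."""
    det = RapidFileOpDetector()
    alerts = []
    for ln in lines:
        a = det.feed(parse_line(ln))
        if a:
            alerts.append(a)
    return alerts


if __name__ == "__main__":
    for a in run(make_sample_log()):
        print(f"ALERT pid={a['pid']} {a['image']} {a['op']} "
              f"{a['files_in_window']} files in {WINDOW}s at t={a['at']}")
```

With these thresholds notepad.exe never alerts, while cryptor.exe is reported for "modify" once its 20th document has been rewritten and for "read" at its 50th file. Those 20 already-rewritten documents are exactly the "some damage" the post mentions; lowering the threshold catches the process earlier but raises false positives for backup tools, indexers and compilers, which is the trade-off any such filter has to be tuned for.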

Offline pastport

  • Comodo Member
  • **
  • Posts: 37
Re: CFP versus malware- interesting lacking features in Defence Plus?
« Reply #16 on: July 10, 2008, 06:54:05 AM »
I would like to see V3's FD and RD become global, so those things won't happen completely.

It will be really nice to add some filters like:

Detection of a process rapidly reading many files in a short time
Detection of a process rapidly deleting many files in a short time
Detection of a process rapidly modifying many files in a short time

Interesting features.

Offline aigle

  • Comodo's Hero
  • *****
  • Posts: 722
Re: CFP versus malware- interesting lacking features in Defence Plus?
« Reply #17 on: July 10, 2008, 12:07:10 PM »
Another ransomware bypassing CFP Defence Plus; seems so interesting.

http://www.wilderssecurity.com/showthread.php?p=1278002#post1278002

I will try to test some more.

Offline salmonela

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 637
  • COMODO Volunteer DEModerator
Re: CFP versus malware- interesting lacking features in Defence Plus?
« Reply #18 on: July 10, 2008, 02:59:28 PM »
So I think it's more sensible to create the sigs and some heuristics for our AV rather than try to put some heuristic rules into CFP.

thanks
Melih

Prevention please; AV should be a back-up solution only...
I think the HIPS should be developed further by adding more advanced behaviour detection techniques. Do not abandon prevention please; CFP can do much, much more...

P.S. Leave "FPs" to the CFP HIPS; please be careful with the CAVS heuristics (FPs are unwanted there).
« Last Edit: July 10, 2008, 03:05:42 PM by salmonela »
Bad English, I know...
Thanks
PLEASE DO NOT REPLY DUMB QUESTIONS/ANSWERS

Offline deleiro

  • Newbie
  • *
  • Posts: 16
Re: CFP versus malware- interesting lacking features in Defence Plus?
« Reply #19 on: July 10, 2008, 04:32:09 PM »
The mentioned trojan can't do anything if the files you care about are in a protected folder.

As far as I can see the only feature that is needed to easily counter worms' attacks is read protection. Am I right?! If it is added, no worm will be able to do its nasty work.

I know, the user must shake his a** a little to secure what he deems important, but hey, you can't expect to have an unbreakable defence against the most sophisticated new threats by install & forget.

Quote
It will be really nice to add some filters like:

Detection of a process rapidly reading many files in a short time
Detection of a process rapidly deleting many files in a short time
Detection of a process rapidly modifying many files in a short time

Imho, this could add unnecessary complexity to CFP that will likely be paid for with other problems and lost devs' time.

Offline salmonela

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 637
  • COMODO Volunteer DEModerator
Re: CFP versus malware- interesting lacking features in Defence Plus?
« Reply #20 on: July 11, 2008, 09:09:51 AM »
The mentioned trojan can't do anything if the files you care about are in a protected folder...
...and if the right extension is tagged, I assume...

Offline deleiro

  • Newbie
  • *
  • Posts: 16
Re: CFP versus malware- interesting lacking features in Defence Plus?
« Reply #21 on: July 11, 2008, 09:44:28 AM »
...and if the right extension is tagged, I assume...

I think it's enough to enter the whole folder. At least this is my experience for now. Maybe I'm missing something because I'm still new to this wonderful program (R)
