Author Topic: Protection vs Cleaning….two very different things!  (Read 100253 times)

Offline BlueGuppy

  • Newbie
  • *
  • Posts: 8
Re: Protection vs Cleaning….two very different things!
« Reply #30 on: February 26, 2011, 06:29:24 PM »
Unfortunately, the security product is only one third of the needed requirements for safety and security.  Nothing is 100% all of the time.
 
The other third is taking the time to update and patch all of your programs to prevent as many vulnerabilities as possible.  Some of those vulnerabilities are in the browser, before it even hits the machine or the security software.
 
The final third is user interaction.  If the user does not take the time to understand how malware works, changes and is injected, the user is going to click the wrong link, respond incorrectly to the threat, or fail to take it seriously when infected.

The user has to take responsibility for the security of the machine.  It can't all be laid at the door of the security developers to protect users from themselves.  God knows, they all try.  88)

Offline wasgij6

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 5520
Re: Protection vs Cleaning….two very different things!
« Reply #31 on: March 03, 2011, 01:21:23 AM »
I personally think a version of CCE should be built into CIS. I read this post in the CIS forum and it really shows this:

I think that a Timer is an imperative option that needs to be added to CIS as soon as possible! This feature has been desired by many CIS users for two years now and I feel it should be the next new feature added to CIS before any other:

http://forums.comodo.com/wishlist-cis/a-timer-or-warning-please-t35701.0.html;msg253926#msg253926

Here's why:

Part 1

Yesterday a friend (a novice computer user) called me and said that she couldn't get on the Net and was getting a lot of fake AV popups. I had her check her CIS settings and we found out that all CIS features had been disabled (through the normal system tray icon). She was infected (see Part 2). Come to find out that her husband and his friend were trying to install a program (not infected) and CIS was doing its job with the normal alerts. This annoyed his friend, so he disabled CIS for the install. After they were done, he didn't re-enable CIS. After a week of surfing and what-not, they caught a trojan. If CIS had a timer feature or at least a warning, they would have noticed that CIS was disabled! Once we re-enabled CIS, it went crazy protecting the system with many CFP and D+ popups. Once we had blocked actions with the alerts, her system settled down and now it was time to clean her computer. It wasn't CIS' fault that they got infected (since it was disabled), but there should be consideration for a timer to be developed as soon as possible. It would be a wonderful feature!

Part 2

I'm a big fan of CIS but I now realize that CAV needs improving. Since we determined that she was infected, we ran a complete CAV scan. It found absolutely nothing! She was infected with QSC.EXE (Trojan.Agent/Gen-Frauder). We ran SAS and MBAM and together they both destroyed the trojan. I later ran the rootkit portion of the CAV scanner and it found 58 rootkit entries, but I was afraid to clean them for fear of messing up the registry (I didn't trust CAV since it missed the trojan to begin with).

Should I trust and remove the rootkit entries found by CAV? I don't want to damage the registry.

This post also tells how much a timer or warning system is needed. Even just a small bubble in front of the CIS tray icon changing colors with the status of CIS. Blue circle for game mode, green for everything being OK, red for errors, yellow for components disabled.
| Win 10 Pro (x64) | UAC Disabled | CFW | Intel i7 4770k | Asus Maximus VI Formula Mobo | Asus GeForce GTX 780 | G.Skill TridentX 32gb RAM | Samsung 850 Pro SSD |

Offline Melih

  • CEO - Comodo
  • Administrator
  • Comodo's Hero
  • *****
  • Posts: 14604
    • Video Blog
Re: Protection vs Cleaning….two very different things!
« Reply #32 on: March 03, 2011, 06:52:55 AM »
I personally think a version of CCE should be built into CIS. I read this post in the CIS forum and it really shows this

This post also tells how much a timer or warning system is needed. Even just a small bubble in front of the CIS tray icon changing colors with the status of CIS. Blue circle for game mode, green for everything being OK, red for errors, yellow for components disabled.

So you expect CCE to be able to clean something that CIS misses?

Offline wasgij6

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 5520
Re: Protection vs Cleaning….two very different things!
« Reply #33 on: March 03, 2011, 09:38:57 AM »
So you expect CCE to be able to clean something that CIS misses?

Yes, I do, because CIS is only as strong as the user. If the user makes a mistake and lets a piece of malware through CIS, then it should also be able to clean it.

Offline Melih

  • CEO - Comodo
  • Administrator
  • Comodo's Hero
  • *****
  • Posts: 14604
    • Video Blog
Re: Protection vs Cleaning….two very different things!
« Reply #34 on: March 03, 2011, 10:54:18 AM »
Yes, I do, because CIS is only as strong as the user. If the user makes a mistake and lets a piece of malware through CIS, then it should also be able to clean it.

But if it's a malware and CIS knows it as a malware, it will tell the user it's a malware.

Offline akhil

  • Comodo Family Member
  • ***
  • Posts: 74
Re: Protection vs Cleaning….two very different things!
« Reply #35 on: March 03, 2011, 12:15:50 PM »
Dear Melih,
Full scan looks similar to CIS.
What exactly is the difference?
Excuse me for my ignorance, please.
Kill switch is impressive
and would love it to be always on.
That is a cool, nifty tool that can be built into CIS itself.
Regards


Offline wasgij6

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 5520
Re: Protection vs Cleaning….two very different things!
« Reply #36 on: March 03, 2011, 12:28:29 PM »
But if it's a malware and CIS knows it as a malware, it will tell the user it's a malware.

True, but I'm saying as a backup.
Like the quote I posted earlier: if someone turns off Comodo for whatever reason and forgets to turn it back on and they get infected, or an unknown file is run on a computer and the user thinks it's safe and removes it from the sandbox to let it run, they get infected.

I know this isn't how CIS should be used. All unknown files should be run in the sandbox, but sometimes users don't use CIS correctly.

In these instances CCE integrated into CIS would be extremely beneficial.

Offline deadman

  • Comodo's Hero
  • *****
  • Posts: 267
  • I love COMODO.
Re: Protection vs Cleaning….two very different things!
« Reply #37 on: March 03, 2011, 05:52:33 PM »
Full scan looks similar to CIS.
What exactly is the difference?
Read here what features CCE has. The main difference is that CCE uses DACS, it is able to scan MBR for modifications and repairs disabled Task Manager, msconfig, Run, Regedit, etc.
Kill switch is impressive
and would love it to be always on.
You can leave it open in background - just untick the Hide when closed option.

Offline akhil

  • Comodo Family Member
  • ***
  • Posts: 74
Re: Protection vs Cleaning….two very different things!
« Reply #38 on: March 04, 2011, 12:17:46 AM »
DACS can be enabled in cloud scanning mode in on-demand scans.
This will, I think, enhance the malware detection and reduce false positives too.

Offline dariovolaric

  • Comodo Member
  • **
  • Posts: 31
    • Windows Software Tips
Re: Protection vs Cleaning….two very different things!
« Reply #39 on: March 08, 2011, 08:38:21 AM »
A Comodo boot clean CD sounds great! However, what do you do when a rootkit infected some important system files? Does Comodo 'clean' them or 'quarantine' them? Doesn't your PC become unbootable because of missing dll's?
The mind makes it real

Offline BlueGuppy

  • Newbie
  • *
  • Posts: 8
Re: Protection vs Cleaning….two very different things!
« Reply #40 on: March 09, 2011, 11:51:12 PM »
Symantec has gone this same route and in my estimation it is the wrong way to go.  They have a boot tool that is only good for some things and has to access the internet to install the latest definitions, which are much the same as Norton itself.  It can identify TDL3/4 infections but is not allowed to remove them.

The Norton Power eraser is the same, and while quite effective for fake AV's, it is quite dangerous for rootkit infections.

TDL3 infects system files such as atapi.sys (hard drive controller) or may report that atapi.sys is infected when it is actually another system driver that is infected.  If these files are deleted or quarantined, the computer will not boot.

If winlogon is reported as infected and deleted by a remediation tool, the machine can't load.  There are so many ways to turn a machine into a paperweight by using tools that are inadequate or improper for the purpose, that installing such a tool as part of my security suite gives me chills.

I would not like to see Comodo go the same way.

There is no one-size-fits-all infection cleaner that guarantees a cleanup without risk to the machine.  Some things are best left to experienced virologists.

Offline dariovolaric

  • Comodo Member
  • **
  • Posts: 31
    • Windows Software Tips
Re: Protection vs Cleaning….two very different things!
« Reply #41 on: March 10, 2011, 04:42:23 AM »
If an important file like atapi.sys would be deleted or quarantined because it has been identified as infected (regardless if it's really infected or not), then your system indeed becomes unbootable. A virologist would most probably copy a clean version of atapi.sys for your specific OS into its proper folder by using a bootcd tool (i.e. Hiren's Boot CD).

How Comodo could automate this is by combining Comodo Time Machine with CIS. If an important file gets infected, it would replace that file with the previous uninfected version. However, I do believe that Time Machine needs some major work as it is currently still unstable with raid disk systems.

Offline wasgij6

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 5520
Re: Protection vs Cleaning….two very different things!
« Reply #42 on: March 10, 2011, 11:30:37 AM »
If an important file like atapi.sys would be deleted or quarantined because it has been identified as infected (regardless if it's really infected or not), then your system indeed becomes unbootable. A virologist would most probably copy a clean version of atapi.sys for your specific OS into its proper folder by using a bootcd tool (i.e. Hiren's Boot CD).

How Comodo could automate this is by combining Comodo Time Machine with CIS. If an important file gets infected, it would replace that file with the previous uninfected version. However, I do believe that Time Machine needs some major work as it is currently still unstable with raid disk systems.

That would be a good idea, except that CTM has to be installed and has to be installed when the system is in a clean state. The point of CCE is to be portable and only be used when the system is infected, so this in my opinion would work with CTM.

Offline Boris 3

  • Comodo's Hero
  • *****
  • Posts: 1351
Re: Protection vs Cleaning….two very different things!
« Reply #43 on: March 10, 2011, 03:25:02 PM »
Oh no please, no CTM automatically integrated with CIS. For disk images users it'll be a terrible mess as CTM and disk imaging software don't go along; they won't be able to use CIS anymore.

Offline Tech

  • Usability Study Member
  • Comodo's Hero
  • *****
  • Posts: 3027
Re: Protection vs Cleaning….two very different things!
« Reply #44 on: March 16, 2011, 06:13:05 AM »
Oh no please, no CTM automatically integrated with CIS. For disk images users it'll be a terrible mess as CTM and disk imaging software don't go along; they won't be able to use CIS anymore.
But it could be an option, not mandatory, i.e., you can make a custom install. Why not?
avast! team member
Save freeware snapshot technology of Comodo Time Machine. Vote!

 
