Author Topic: The Good, The Bad and The UGLY (ugly because its unknown!!)  (Read 32518 times)

Offline Endymion

  • Comodo's Hero
  • *****
  • Posts: 1360
  • Reality is subordinate to perception.
    • Faces -The Madman (Kahlil Gibran, 1918)
Re: The Good, The Bad and The UGLY (ugly because its unknown!!)
« Reply #75 on: June 02, 2010, 03:13:14 AM »
Endymion, you did not read post #69:
http://forums.comodo.com/news-announcements-feedback-cis/the-good-the-bad-and-the-ugly-ugly-because-its-unknown-t56938.0.html;msg400888#msg400888
I realized that your thoughts were that txt files are not applicable. That's why I modified the code so that instead of txt files it would create, modify and delete executable files.


Actually, I did not ignore the code you modified, but it was not much different from the example I previously provided.

So I summarized all the relevant information there.
« Last Edit: June 02, 2010, 03:15:32 AM by Endymion »
I have learnt silence from the talkative, toleration from the intolerant, and kindness from the unkind; yet strange, I am ungrateful to these teachers.
Kahlil Gibran (1883 - 1931)

Offline slangen

  • Comodo Family Member
  • ***
  • Posts: 88
Re: The Good, The Bad and The UGLY (ugly because its unknown!!)
« Reply #76 on: June 02, 2010, 04:01:58 AM »
Still, the point remains: run that code I made and you will not get any Defense+ alerts. Compile the same code into an exe, run it, and you get plenty of alerts. Both 'items' perform exactly the same function.


Dude, you're a kid, so I'll explain it simply.

I-
1. Get a free program called AutoIt (it's a Windows macro programmer. You can do anything with it that you can do in Windows. It's got a lot of options and is very powerful, and most exes compiled by it are detected as viruses by AVs' heuristics. *grin*).
2. Write some malicious code (pretty easy). Run it. Make AutoIt.exe trusted and you'll see 0 alerts.
3. Compile the same code into an exe (v.exe). Run v.exe; CIS will alert like a maniac. Get the difference? No?

The executor in point 2 is AutoIt.exe, which is trusted (i.e. allowed to do everything; it's also a signed executable), whereas in the 2nd case it's v.exe (untrusted), so CIS pops like a 10-year-old on seeing Cena.

Exactly the same will happen with Java, Python, C, C#, C++ etc. in raw code format. But if you compile it into an exe, it's a totally different ball game.

Try a thought experiment: run a .bat file (which writes to system32) when cmd.exe is trusted. Do the same when it is untrusted. Get it?

II- Malicious code could read your information and transmit it over the web.
1. CIS is designed to protect a PC from viruses, malware, badware, etc., not to safeguard it from prying eyes. For that there is encryption.
2. Malicious code would have to bypass the program (Firefox/IE/Chrome), in the sense of exploiting a vulnerability in the implementation of JavaScript/Java. Remember, no exes; it has to be .js, .jar etc. So the code itself has to exploit the programming language's implementation. Java was designed to block this very thing from happening. In the old days (aahhh) I used to have an ActiveX exploit on my website which would read your directory structure and other stuff (.jpg files, he he he) and display it on my webpage. It scared a lot of people. Old days = IE5. These plugs existed with ActiveX and not the browser or the security app. The same thing is virtually impossible with remotely executed Java/JavaScript code.
3. How will some piece of code know where bank.txt is or what's inside it? Guessing game? Speculation? Luck? ... No malware author knows how to find info on a person's PC. They socially engineer it so that you yourself type it out and send it to them.

You wanna be a programmer? Write some code? Join a company which does that; it's way more rewarding than fighting/arguing/sparring with some randies on a web forum, not to mention paying. I have a few friends who work for Google, Microsoft, TCS, Infosys etc. 16-20 hr workdays, alcohol, fatty foods. It's a lifestyle. I hardly meet them though... they're too busy.

V.

Offline Kyle

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 3679
Re: The Good, The Bad and The UGLY (ugly because its unknown!!)
« Reply #77 on: June 02, 2010, 04:44:18 AM »
Like here (which gave me the reason to prompt and push Comodo for a fix to protect users):
http://forums.comodo.com/news-announcements-feedback-cis/how-to-kill-cis-easily-t56353.0.html
He used Java to incapacitate CIS.

3. How will some piece of code know where bank.txt is or what's inside it? Guessing game? Speculation? Luck? ... No malware author knows how to find info on a person's PC. They socially engineer it so that you yourself type it out and send it to them.

You wanna be a programmer? Write some code? Join a company which does that; it's way more rewarding than fighting/arguing/sparring with some randies on a web forum, not to mention paying. I have a few friends who work for Google, Microsoft, TCS, Infosys etc. 16-20 hr workdays, alcohol, fatty foods. It's a lifestyle. I hardly meet them though... they're too busy.

V.
3. You can search for file(s) etc. and in their contents, so yes, you can search the PC for what you want. It's not a matter of luck.
Do I want to be a programmer? That is irrelevant to the issue at hand. Keep personal remarks to yourself, thanks.


I still don't know why this is OK:
https://forums.comodo.com/news-announcements-feedback-cis/the-good-the-bad-and-the-ugly-ugly-because-its-unknown-t56938.0.html;msg400888#msg400888
and here...
Melih, can you tell me why CIS doesn't alert me when I run the code raw, and why it alerts me when it's compiled to an exe? The same actions are being done.

That's the main question I have: why is it OK that raw code has the ability to do things without alerts, yet when compiled Defense+ goes nuts (both raw and compiled perform the same actions!)

« Last Edit: June 02, 2010, 04:50:05 AM by Kyle »
Don't worry, be happy

*No longer active*
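The behaviour slangen describes in reply #76 and Kyle asks about in reply #77 (no alerts when the script runs under a trusted interpreter such as AutoIt.exe or cmd.exe, alerts when the same logic is compiled into its own v.exe) comes from trust being keyed on the executable image that performs the action. The toy policy engine below is an added example written for this page, not code from the forum, from CIS or from Comodo; the event records, the trusted-image list, the file paths and the policy names are all constructed for illustration and do not reproduce CIS's real rule format. It contrasts an image-only trust policy with one that additionally requires the interpreted payload itself to be on an allow-list, which is the extra check a practitioner would want for any interpreter that is granted trust.

```python
"""Toy HIPS policy engine: trusted interpreter vs. compiled executable.

Added example for this thread, not CIS code. Paths, images, the
PROTECTED action set and the sample events are constructed.
"""
from dataclasses import dataclass
from hashlib import sha256
from typing import Callable, List, Set

ALLOW, ALERT = "ALLOW", "ALERT"

# Actions a HIPS would normally guard (constructed list, not CIS's).
PROTECTED = {"write:C:\\Windows\\System32", "create_process", "write:HKLM\\Run"}

# Images trusted by identity (path; a real product would also check the
# Authenticode signature). Both happen to be interpreters.
AUTOIT = "C:\\Program Files\\AutoIt3\\AutoIt3.exe"   # assumed path
CMD = "C:\\Windows\\System32\\cmd.exe"
TRUSTED_IMAGES = {AUTOIT, CMD}
INTERPRETERS = {AUTOIT, CMD}


@dataclass(frozen=True)
class Event:
    image: str           # executable whose process performs the action
    action: str          # what the process tries to do
    script: bytes = b""  # interpreted payload, if image is an interpreter


def script_id(script: bytes) -> str:
    """Identity of an interpreted payload: hash of its bytes."""
    return sha256(script).hexdigest()


def decide_image_only(ev: Event) -> str:
    """Policy 1: trust keyed on the executable image alone.

    A protected action is allowed whenever the acting image is trusted,
    so a script run by AutoIt3.exe or cmd.exe inherits that trust and
    never alerts, while the same logic compiled into v.exe does.
    """
    if ev.action not in PROTECTED:
        return ALLOW
    return ALLOW if ev.image in TRUSTED_IMAGES else ALERT


def decide_script_aware(ev: Event, allowed_scripts: Set[str]) -> str:
    """Policy 2: for interpreters, trust also requires the payload's hash
    to be on an allow-list. An unknown script under a trusted
    interpreter then alerts exactly like an unknown .exe would."""
    if ev.action not in PROTECTED:
        return ALLOW
    if ev.image not in TRUSTED_IMAGES:
        return ALERT
    if ev.image in INTERPRETERS and script_id(ev.script) not in allowed_scripts:
        return ALERT
    return ALLOW


# Constructed sample: one payload as a raw AutoIt script, then as v.exe,
# then the .bat "thought experiment" under cmd.exe, then a harmless read.
PAYLOAD = b'FileWrite("C:\\Windows\\System32\\x.dll", "...")'
BAT = b"copy x.dll %SystemRoot%\\System32\\"
EVENTS = [
    Event(AUTOIT, "write:C:\\Windows\\System32", PAYLOAD),          # raw script
    Event("C:\\Users\\me\\v.exe", "write:C:\\Windows\\System32"),   # compiled
    Event(CMD, "write:C:\\Windows\\System32", BAT),                 # .bat file
    Event(AUTOIT, "read:C:\\Users\\me\\notes.txt", PAYLOAD),        # unguarded
]


def run(policy: Callable[[Event], str]) -> List[str]:
    """Apply a policy to every sample event and return the decisions."""
    return [policy(ev) for ev in EVENTS]


if __name__ == "__main__":
    print("image-only trust:   ", run(decide_image_only))
    print("script-aware, empty:", run(lambda ev: decide_script_aware(ev, set())))
    print("script-aware, known:",
          run(lambda ev: decide_script_aware(ev, {script_id(PAYLOAD)})))
```

Under the image-only policy the first and third events (the raw script and the .bat file) pass silently and only v.exe alerts, which is the asymmetry the two posts describe. Under the script-aware policy the same events alert until that specific script's hash has been allow-listed, and the .bat file under cmd.exe still alerts because its hash was never approved.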

Offline slangen

  • Comodo Family Member
  • ***
  • Posts: 88
Re: The Good, The Bad and The UGLY (ugly because its unknown!!)
« Reply #78 on: June 02, 2010, 05:32:07 AM »
You act like you'd want to be a programmer. Six figures in the US, it's nice... I doubt you're gonna earn that much (except in banking), unless your dad owns a business. Anyways, no offense meant. Sorry.

It's OK because in the wild no such thing exists. Or if it exists, it's not widespread. Who cares about some threat which is so remote? I think you're totally missing the point of any security application. It's only a lock. It can be broken, but most of the time it suffices. You act like Comodo Inc. should run and fix all problems it finds. Are you kidding? They'll fix the most important ones, and a POC is their last priority. Have you not noticed Microsoft's fix-release schedule, or even Ubuntu's? Top priority gets preference. All software is full of holes. Why expect a higher standard from Comodo? I think people are arguing a moot point...

Anyways, I am done here.

take care.

Offline lordraiden

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 921
Re: The Good, The Bad and The UGLY (ugly because its unknown!!)
« Reply #79 on: June 02, 2010, 02:57:11 PM »
Comodo 4.1 is still vulnerable to screen capture, audio recording, and webcam capture.

http://www.spyshelter.com/download/AntiTest.exe

If a simple programmer of a security application is able to make a tool that bypasses Comodo, I don't want to think what a real hacker is able to do.

Reported a month and a half ago, still not fixed... but you know? Making a post to waste time criticizing Norton is more important than fixing a vulnerability.

http://forums.comodo.com/news-announcements-feedback-cis/comodo-fails-with-the-new-spyshelter-leaktests-t55558.0.html
« Last Edit: June 02, 2010, 03:04:04 PM by lordraiden »

Offline burebista

  • Comodo's Hero
  • *****
  • Posts: 669
Re: The Good, The Bad and The UGLY (ugly because its unknown!!)
« Reply #80 on: June 02, 2010, 03:12:35 PM »
If a simple programmer of a security application is able to make a tool that bypasses Comodo, I don't want to think what a real hacker is able to do.
Then don't think, do it and show us. Then we'll bash Melih together.  ;D
If it ain't broke... fix it until it is.

Offline Tech

  • Usability Study Member
  • Comodo's Hero
  • *****
  • Posts: 3025
Re: The Good, The Bad and The UGLY (ugly because its unknown!!)
« Reply #81 on: June 28, 2010, 01:09:10 PM »
The FP at least tells you it may be malicious, hence the option of submission to have it tested for absolute certainty.
Absolute? Well, you don't even have that with VirusTotal on-demand scanners... You will have to trust everything in virus lab analysis... and it can always fail.

All security programs claim they protect more and better than any other. No exceptions :)
http://www.comodo.com/home/internet-security/free-internet-security.php
But...
Would you buy software that advertises itself as letting viruses through, or that there is a possibility that you'll be hacked?  ;) I don't think so.

Anyway the web is full of AVs better than CAV
I won't discuss which is better or best. I think this is not my point of discussion.
I do not use any Symantec product. I don't trust the company, the software development, the sales/marketing policy, the feedback and support, etc.

You are around long enough to know that sandbox, AV and BB are very much there to lessen the amount of alerts from D+'s default-deny strategy.
Lessening is always necessary. Popups are an annoying thing for common users. If the amount is huge, it's annoying even to advanced users.

Users make mistakes; so there is a potential source of getting infected.
That's the major point and the one I wish to discuss.
Seems that the advantage of a combined approach is necessary.
You can't rely only on "deny all" or on the popup of Defense+... Users will allow, sooner or later,
and won't wait for the answer from the Comodo labs...

Luckily CTM brings a solution to go back in time to get rid of an infection.
CTM is one of the most interesting software technologies I've seen lately. You can really test software safely, and I myself disabled other resident security programs (ThreatFire, WinPatrol, etc.) and improved my performance.

Do you believe what you are saying? So if I execute any malware in the world D+ is going to stop it 100% of the time... Taking into account that D+ is going to ask me about executing any file we could say yes, but then UAC is also 100% efficient.
I agree. This is the major point of discussion in the "default deny" / "default allow" policies.

That's exactly right!  And this is the reason why a default-deny approach is the best.
I think the opposite. When it comes to user errors, default deny has a lot of weaknesses...

therefore, the user doesn't need to make a decision of whether a file is bad or not
That's the "default allow" policy. The decision is made by the antimalware team/software.

Even if it is true (it's not true), who wants to make 50 clicks only to open an application, or 500 to install something? It's not a real solution, and also you can get infected anyway if you don't make the right choice.
+1

More in a second post...
avast! team member
Save freeware snapshot technology of Comodo Time Machine. Vote!

Offline Tech

  • Usability Study Member
  • Comodo's Hero
  • *****
  • Posts: 3025
Re: The Good, The Bad and The UGLY (ugly because its unknown!!)
« Reply #82 on: June 28, 2010, 01:27:04 PM »
I have tested CIS 4.0 (Sandbox enabled  :) ) with several hundred NEW malwares (many were not in any AV database and at least 140 were reported to Comodo for analysis) and NONE has infected my computer.
Because you didn't run them... if it passed the AV and you click OK in Defense+... Against insanity or ignorance it's hard to fight... I'm talking about myself, not others. For sure I will allow some software that I shouldn't...

I'm not technical enough to discuss the points Kyle and Endymion are involved in. Sorry.

Summarizing my point of view:
I do trust in HIPS and Defense+ as being a layer of defense.
I also do trust in legacy antivirus as taking right decisions instead of the user.
Usability and configurability are must have in security world as I need to work with the computer, not take all my time to protect it.
I'm not a fanboy of anything (maybe only my soccer team ;D).
avast! team member
Save freeware snapshot technology of Comodo Time Machine. Vote!

Offline Melih

  • CEO - Comodo
  • Administrator
  • Comodo's Hero
  • *****
  • Posts: 14692
    • Video Blog
Re: The Good, The Bad and The UGLY (ugly because its unknown!!)
« Reply #83 on: June 28, 2010, 01:55:00 PM »
Because you didn't run them...

Tech

I think Ovidiu is saying that he ran them and they were sandboxed.

Of course he can confirm that himself.

thanks
Melih

Offline Tech

  • Usability Study Member
  • Comodo's Hero
  • *****
  • Posts: 3025
Re: The Good, The Bad and The UGLY (ugly because its unknown!!)
« Reply #84 on: June 28, 2010, 02:07:19 PM »
Melih, I think the focus (at least mine) is not what can bypass (if anything) Defense+ or the protection level you can achieve, or whether a legacy antivirus is better than a "default deny" policy.

I'm trying to discuss how Comodo could prevent a bad user decision without a good antimalware behind it. It's not only a matter of reducing the Defense+ popups but of preventing the user from having to take a bad decision after 50 popups...
Seems I'm trying to defend the best of both worlds...
avast! team member
Save freeware snapshot technology of Comodo Time Machine. Vote!

Offline Melih

  • CEO - Comodo
  • Administrator
  • Comodo's Hero
  • *****
  • Posts: 14692
    • Video Blog
Re: The Good, The Bad and The UGLY (ugly because its unknown!!)
« Reply #85 on: June 28, 2010, 02:10:00 PM »
Melih, I think the focus (at least mine) is not what can bypass (if anything) Defense+ or the protection level you can achieve, or whether a legacy antivirus is better than a "default deny" policy.

I'm trying to discuss how Comodo could prevent a bad user decision without a good antimalware behind it. It's not only a matter of reducing the Defense+ popups but of preventing the user from having to take a bad decision after 50 popups...
Seems I'm trying to defend the best of both worlds...

First you need to narrow down as to when the "user decision" is required for CIS...

then analyse the alerts... and then tell us
1)how many alerts and when
2)if those alerts are not easily understood.

thanks
Melih

Offline Tech

  • Usability Study Member
  • Comodo's Hero
  • *****
  • Posts: 3025
Re: The Good, The Bad and The UGLY (ugly because its unknown!!)
« Reply #86 on: June 28, 2010, 02:15:21 PM »
First you need to narrow down as to when the "user decision" is required for CIS...

then analyse the alerts... and then tell us
1)how many alerts and when
Quite some when I install software... from the setup.exe file to invoking the .msi and saving files, etc.

2)if those alerts are not easily understood.
They're easy to understand.
But I want to install the software. Mostly I know the source and I'm not playing with fire. But I'm not a paradigm. People will understand the alerts and will bypass them because they want to install the software.
avast! team member
Save freeware snapshot technology of Comodo Time Machine. Vote!

Offline Melih

  • CEO - Comodo
  • Administrator
  • Comodo's Hero
  • *****
  • Posts: 14692
    • Video Blog
Re: The Good, The Bad and The UGLY (ugly because its unknown!!)
« Reply #87 on: June 28, 2010, 02:36:39 PM »
But I want to install the software. Mostly I know the source and I'm not playing with fire. But I'm not a paradigm. People will understand the alerts and will bypass them because they want to install the software.

How is that different from when I receive a malware warning from a legacy AV, when, as you said:

"But I want to install the software. Mostly I know the source and I'm not playing with fire. But I'm not a paradigm. People will understand the alerts and will bypass them because they want to install the software."

You will still tell the legacy AV, "hey, it's trusted... I want to install the software... Mostly I know the source and I am not playing with fire"... etc. etc.

It is exactly the same scenario.....

Melih

Offline languy99

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 3981
Re: The Good, The Bad and The UGLY (ugly because its unknown!!)
« Reply #88 on: June 28, 2010, 02:40:53 PM »
Let me inject something here. My brother is now using Comodo IS after using KIS 2010 for a whole year. He is fairly computer savvy, not a geek like me but not a total dud. He was telling me today that the computer works OK but he keeps getting firewall alerts and other popups that he does not know the meaning of. He said he really liked Kaspersky because it just worked and left him alone. So as far as Comodo's usability is concerned, yes, it has gotten better, but for some people it is still too much. Today I will use EVPN to log on to his computer and set it so he does not get any more warnings.
http://www.youtube.com/languy99

Software Reviews for all.

Follow me on Twitter http://twitter.com/#!/languy99

Offline Melih

  • CEO - Comodo
  • Administrator
  • Comodo's Hero
  • *****
  • Posts: 14692
    • Video Blog
Re: The Good, The Bad and The UGLY (ugly because its unknown!!)
« Reply #89 on: June 28, 2010, 02:54:31 PM »
Let me inject something here. My brother is now using Comodo IS after using KIS 2010 for a whole year. He is fairly computer savvy, not a geek like me but not a total dud. He was telling me today that the computer works OK but he keeps getting firewall alerts and other popups that he does not know the meaning of. He said he really liked Kaspersky because it just worked and left him alone. So as far as Comodo's usability is concerned, yes, it has gotten better, but for some people it is still too much. Today I will use EVPN to log on to his computer and set it so he does not get any more warnings.

Did the Kaspersky he used have an outbound firewall?
what other alerts does he get? (are they sandbox information alerts or others?)

thanks
Melih

 
