[1079] Bypassed by two separate samples

I disagree, the famous “Default-Deny” technology was designed to well… default-deny, block every executable (in paranoid mode) from running unless the user chooses to allow the request, or trust the application. In this case, it can not do as it was originally designed to.

@Languy,

In reality you can't compare V3 to V4 or V5. The reason: well, V3 was a hardened HIPS application with some add-ons and goodies, but at the core of it, it was HIPS. Now V4 brought along the sandbox, and what happened then? Well, the restrictions placed upon the system by D+ were loosened because the sandbox takes up the slack. Now in V5 the D+ restrictions are loosened even more, because the sandbox in V5 is even better and so is the AV. So in reality you can't compare each HIPS to the other because they are now acting differently. If you want to compare HIPS V5 to earlier versions, especially V3, you have to put it in paranoid mode, because then it will basically act just like it did in V3.

Exactly, at the core of V3 and V4 are HIPS, a very strong one actually, one that I’ve never been able to bypass. But I see no need to rely on more and more new components for the same level of protection. I did and still do test in paranoid mode, without trusting applications, or creating rules for safe applications as I stated in the first post of the thread.

@Salmonela,
Your testing scenario is identical to my own. I will boot the test PC back up later today and try to replicate the results again.

Well, good news / bad news this morning. Good news: the [1091] beta install went great and blocked the first sample (video_part_07), but before I could test the second one I BSOD'd. I restarted, and was close to testing the second sample and BSOD'd again. I rebooted and let it sit at the desktop, where 3 minutes later it BSOD'd once more.

I am, however, unable to run the installer in safe mode. Can anyone recommend a way to completely reinstall COMODO 5?

> Exactly, at the core of V3 and V4 are HIPS, a very strong one actually, one that I've never been able to bypass. But I see no need to rely on more and more new components for the same level of protection. I did and still do test in paranoid mode, without trusting applications, or creating rules for safe applications as I stated in the first post of the thread.

Actually there is a need. Comodo wants to go from a small product that was great but needed very computer-literate people to operate it to a much bigger product that the masses can use. For them to do that, they have to implement technologies that can give you the same level of protection as in the earlier version, but without user interaction.

> Well, good news / bad news this morning. Good news: the [1091] beta install went great and blocked the first sample (video_part_07), but before I could test the second one I BSOD'd. I restarted, and was close to testing the second sample and BSOD'd again. I rebooted and let it sit at the desktop, where 3 minutes later it BSOD'd once more.
>
> I am, however, unable to run the installer in safe mode. Can anyone recommend a way to completely reinstall COMODO 5?

Sounds like you have a bad install; something happened with the drivers. Go to Services in safe mode and stop Comodo's services from starting. Then boot into normal mode and use Revo Uninstaller to remove CIS5, clean out the leftovers, reboot and reinstall.

Any ideas to remove this problem?
http://malwareresearchgroup.com/?p=1715#more-1715
:-\

> Actually there is a need. Comodo wants to go from a small product that was great but needed very computer-literate people to operate it to a much bigger product that the masses can use. For them to do that, they have to implement technologies that can give you the same level of protection as in the earlier version, but without user interaction.

Contradiction in terms.

My idea is that CIS 3 with proper settings is much more powerful than CIS 4 and CIS 5 and, observing the reported failures with the two latter, I am probably not the only one.

At the time of speaking, the idea of building some security software without user interaction is nothing but a myth.

Actually it is not a myth; it can be done, it just takes some time and some creative programming and thinking. Anything can be done; it all depends on how badly they want to do it and how much Comodo is willing to work for it. From what I can tell they really want it and are really working for it. So I bet they will achieve it sooner or later.

I still think it is plainly impossible, as no one uses the same hardware, OS and software, and even if they do, not the same features.

But let us assume, I shall take your word for it, that it shall be done "sooner or later".

Such an assertion would imply that v4 and v5 are only betas introduced at the production stage or, making a somewhat polemic statement, that they are only placebos in the literal meaning of this word:
I want to please users who don't want to be alerted to anything, and I am ready to sell my soul and deny a very good but sometimes unfriendly piece of software (v3) in order to gain market share.

This is a very short-term-minded point of view, and we should beware that all these users we want to ■■■■■■ won't, in the near future, compare Comodo to some vendors (no name given, everyone knows what I am talking about) actually having a large market share, but very negative feedback.

Guys,

In terms of classical HIPS, CIS 5 is more powerful than the previous versions. The malware does not bypass CIS at all.

I did not understand what the OP means by calling it bypassed. I have tested it myself and CIS is able to block everything.

Well then, I stand corrected. :smiley:

Old CIS versions. Don't worry about them.

I tried really hard to bypass CIS RC. I tested with at least 200 live MDL links and ~300 samples from my collection and CIS passed them all. To be honest, I strengthened it a little (added a few new rules) to avoid traces… malicious script blocking/sandboxing and the cloud are great additions… what can I say, I am very happy with CIS :BNC

P.S. Egemen, can you do something about the SpyShelter screenshot tests which D+ fails, before the end of the beta stage?

Egemen said on the mod board that they had run the new "partially limited" setting against 15k malware samples and nothing had come through. That's promising, to say the least… O0

That is amazing, but I think there is more room to improve, especially with things like %PROGRAMFILES%, %USERPROFILE% and some registry keys (*\software* etc.) where traces usually live (from rogue AVs and things like that), so that they are somehow virtualised in "VirtualRoot" automatically and not "policy HIPSed"…

Yes we are aware of that test. It is not a real risk. I am not aware of a malware which only takes a screenshot and does nothing…

Theoretical stuff. If it was a real threat, we would immediately take care of it. Relax. For example, if it was a DLL injection method, or a way for malware to make itself persist across a reboot, infect a file etc., it would be something.

Putting too many mouse traps can do more harm than protection.

Yes, I get your point, so the scenario is something like this: a logger will always use a few methods of monitoring, so you will always catch one of them and be assured that this is some kind of logger even if one behaviour/API is missed, and in the end you'll block the connection.

What bothers me is that if the logger is sandboxed as "partially limited" there is no keylogging/screenshot blocking, not even silently (only hooking is covered by a popup), so if there is "no malicious activity" someone will permit the connection to the remote server and the sensitive info is gone. I think "partially limited" is too weak; limited is best IMO because it covers all protected APIs silently plus hooking prompts, so even if you are not prompted, and even if the connection is allowed, you stay protected in the end.

I think at least all keylogger prompts should be enabled for "partially limited"; if not all, then just for the APIs most used by malware plus the hooking ones.

QFT. :-TU
Sometimes more is less.

  • 1000
A keylogger has the potential to do more harm than a virus (it can "steal": money, an email account, a game account, etc.). This is not the place to make a compromise regarding safety.

Yes. The same concept. It can keylog passively, i.e. without doing anything to the system or other processes. But what will it do after keylogging? Transmit it to the internet? In that case, the firewall will intercept. There is pretty much nothing it can do.

Limited is also a good default, but incompatibility is the problem with lower levels. If every software vendor followed the proper product development guidelines for Windows, none of them would be incompatible with other modes. But we have seen that some of them don't even know what a non-admin mode is, despite Windows Vista UAC!!

There is something very important in the new CIS5. If a zero-day, highly malicious program is observed, cloud behaviour analysis will certainly return the analysis result back to the user within a maximum of 15 minutes. So if there is a malicious item, it will definitely be detected, whether we intercept keystrokes or not, within 15 minutes at most.
Cloud scanner alerts starting with CloudBehavior.XXXX come from instant dynamic analysis of malware.

I was trying to test the Conficker worm a few hours ago. In order to make it infect the PC, I had to disable a lot of CIS components, like the antivirus, cloud analysis, sandbox and Defense+ configurations. So one has to work a lot to bypass the current CIS5. For example, my mother would not be able to make it infect the computer in 10 years.

It's really sad how MalwareResearchGroup is only testing CIS for bugs/bypasses.
We already know that they are opposed to COMODO…
Why do they try to find new malware that gets past Comodo? They are like kids who want to fight over a toy…

Hi, I tested the latest beta [1091] with a couple of 0-days:

Another TDSS had bypassed the protection (xp sp3 x86, internet security profile)


http://img830.imageshack.us/img830/4748/comodotdss.th.jpg

http://img843.imageshack.us/img843/4732/missed.th.jpg

I just ran all the malware, sandboxed every unknown thing when proposed, chose clean when proposed (and allowed the firewall alert to connect to the web).

So I have found some malware which writes outside the sandbox, some cmd launched by the nasties seems to run outside the sandbox, the count of malware caught is wrong, and, like [1079], TDSS can infect the system…

P.S. You can find the TDSS sample on MDL.

Bye