A very good document about making Default Deny practical.

Great read, Melih :slight_smile:

Default deny is the best approach from a safety point of view, but not for usability.
If you have a high detection rate (not only by first-hand detection, but also by behavior and heuristics), then you can reduce the number of unknown apps, thus causing fewer troubles for users and avoiding negative experiences such as this one:

Good document Melih :-TU

:-TU :-TU :-TU

That’s why we have containment. The unknown runs in containment, hence there is no trouble for the users.

If you look at the post I quoted before, I don’t think that you didn’t cause any trouble for that user… he said he can’t even use his computer because Comodo was sandboxing every app…

Fair enough :slight_smile:

Applications isolated in the sandbox (the other two competitors partially block them) can still run background tasks, capturing data… and depending on how and for what the “unknown malicious application” was developed, even if it is not aimed at harming users of security suites, it can ignore the protections provided in order to disable the suites. The tests are run on guesses and are never taken seriously, because the average user is not the end customer of the suites; the “independent testing companies” are. Isn’t it?

Bottom line is virtualized applications cannot alter the system. That is, with a flaw, nonetheless designed that way for functionality. That was recently pointed out in a newer post on the forum. Background tasks and capturing data can happen, but are undone by the reset of the sandbox (unless uploaded to the web in real time, which requires firewall permissions). Is the sandbox perfect? No, but ■■■■ close. - Long time user and everyday tester

I repeat my statement above: a high detection rate can help to reduce the number of really unknown files, so that the sandbox will isolate only a few apps. If you want to install an unknown program and the sandbox isolates it, later you will have to re-install it outside the sandbox (if it turns out to be safe).
I read that Webroot AV has a kind of behavior analysis feature that can roll back every modification a malicious file makes to the real system. I don’t know if Viruscope can do it; what I know is that in CIS you have the option to let Viruscope monitor either only sandboxed apps or every app.

I only isolate unknown apps to test or run them knowing what they are. With unknown apps you make the choice to install them based on many factors: download sites, MD5 and other hashes, and second-opinion scanners. Once something is trusted you install it with full rights. Confirming an installer’s validity is a matter of common sense and a little bit of diligence. Follow this and eliminate your proclivities.

One flaw with that: what if the malware disables the AV? How will it reverse it?

Default Deny posture or Default Allow posture
Which one do you want Jon79?
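To make the two postures concrete, here is an added toy model (my own code, not Comodo’s): a hash lookup gives each file a verdict, and only the posture decides what happens to an UNKNOWN file. The sample files, their hashes and the in-memory “sandbox” are constructed for illustration.

```python
import hashlib
from enum import Enum


class Verdict(Enum):
    TRUSTED = "trusted"
    MALICIOUS = "malicious"
    UNKNOWN = "unknown"


# Constructed sample "executables": the bytes stand in for real file contents.
SAMPLES = {
    "editor.exe": b"known good editor",               # on the vendor whitelist
    "dropper.exe": b"known bad payload",              # on the AV blacklist
    "newtool.exe": b"never seen before, malicious",   # zero-day, no signature yet
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


TRUSTED_HASHES = {sha256(SAMPLES["editor.exe"])}
BLACKLIST_HASHES = {sha256(SAMPLES["dropper.exe"])}


def classify(data: bytes) -> Verdict:
    """Signature/whitelist lookup: anything on neither list is UNKNOWN."""
    h = sha256(data)
    if h in BLACKLIST_HASHES:
        return Verdict.MALICIOUS
    if h in TRUSTED_HASHES:
        return Verdict.TRUSTED
    return Verdict.UNKNOWN


def decide(verdict: Verdict, posture: str) -> str:
    """Map a verdict to 'run', 'block' or 'contain' under the given posture."""
    if verdict is Verdict.MALICIOUS:
        return "block"
    if verdict is Verdict.TRUSTED:
        return "run"
    # The two postures differ only in how they treat UNKNOWN files.
    return "contain" if posture == "default-deny" else "run"


def simulate(posture: str) -> dict:
    """Run every sample; report whose changes survive on the real system."""
    real_system, sandbox = set(), set()
    for name, data in SAMPLES.items():
        action = decide(classify(data), posture)
        if action == "run":
            real_system.add(name)   # full rights: modifications persist
        elif action == "contain":
            sandbox.add(name)       # still runs, but writes hit the virtual layer
    sandbox.clear()                 # sandbox reset discards contained changes
    return {"persisted": real_system, "sandboxed_after_reset": sandbox}
```

Under default allow the unsigned zero-day lands on the real system; under default deny it runs contained and its changes vanish on reset, which is the trade-off this thread is arguing about.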

Melih, I have already said that default deny is the best approach, that’s why I’m using CIS (CFW and Defense+) and that’s why I thank you for making it free :-TU
I’m just saying that Comodo needs some improvements on the AV portion of CIS to reduce as much as possible the number of unknown apps which get sandboxed.

I have also tuned the sandbox rules to block unknown apps instead of running them virtualized, so I can choose what to do after CIS blocks them. And I keep HIPS enabled to see what the app is trying to do to my computer.

Fair enough, thank you! :slight_smile:

Hi Jon79,
The entity of CIS (AV + CFW + HIPS) provides 100% zero-day protection.
I am a user of CIS on 15 PCs (Windows 7, Windows 10).
Unknown files are few.

That’s true, but you can have nearly the same protection level without the AV, and like this your PC will react much faster: no slowdown when browsing files and folders (due to the AV real-time protection), no need to download hundreds of MB of signature updates every day.
How often do you get a popup from the AV? And how often from the FW or D+? Comodo’s strength has always been in the FW and HIPS.

It’s been a couple of months since I removed the AV module from CIS and installed Qihoo 360TS with only the cloud AV enabled, and I’m very happy with this configuration: great zero-day detection from 360, great protection from Comodo, plus several useful features from 360. And this combo is extremely lightweight.

I hope Comodo will improve CCAV so that I can reconsider using a suite made of CFW, D+ and CCAV. The best would be to offer CCAV both as standalone software and as a module of CIS (with the option to use only the cloud AV or cloud AV + offline AV).

Fewer and more truthful words have never been spoken. +1

Sorry, but I don’t agree.
The great performance of CIS in zero-day malware comes from the Defense+ module, not the AV.
That’s why CIS is great in protection rather than detection.
In several years of full CIS use I have never had a single alert from the AV (apart from some tests with the EICAR file or such), while Defense+ (especially HIPS, but also sandbox) was always reacting great, as expected.

Anyway, I respect everyone’s opinion, but I think I can write my opinion too.
And my opinion is that it’s not worth downloading hundreds of MB of signature updates every day when, most of the time, they can’t detect the newest malware (and this is not only my opinion, it’s a fact. You can just look here https://forums.comodo.com/av-false-positivenegative-detection-reporting/submit-malware-here-to-be-blacklisted-2016-no-live-malware-t114158.510.html and check the VirusTotal links that users provide. Other AVs have much better detection than CIS).

I agree that protection is way better than detection, but, as I said before, if you just want 100% protection you don’t need to use the AV module of CIS, you can just install CFW and D+.