I think it’s time that Comodo greatly increased the functionality of Threatcast. Comodo already has a list of millions of safe files. The same can be said for malicious files. They’ve even got Defense+ heuristics to let us know about files that are probably dangerous. The problem is that there are still too many unknown files. What I’d like to see is for CIS to be able to advise the user that a file is probably safe. Here’s some ways that I think Comodo could identify a safe file from one that is merely unknown.
1) It would be nice to be able to easily check if a file has been detected by any other AV. Even zero-day malware is usually detected by at least one AV. While this isn’t always true it would still be very useful information.
2) Comodo could use threatcast to also inform the user as to how many computers the particular file has been seen on, not just the number of times its been allowed or denied. If a file is present on many computers it’s, hopefully, not dangerous.
3) Another factor is whether it exhibits any suspicious actions as seen by the behavioral blocker.
4) How it was downloaded to the computer. (Did the user specifically click to download it or did it download itself). I’m not sure if this one is possible to detect, but it would be nice if it were.
5) How long has it been present on the computer. A file that’s been sitting on your hard-drive for a long time without being detected is unlikely to be malicious.)
6) Of course whether it’s been signed. Almost no malware will be signed.
I would like to see the Defense+ / Sandbox alerts be able to advise the user whether they should allow or deny the file. I just think that there are currently way too many unknown files and that maybe Comodo could implement something like this so that it will be easier for the user to make the right decision.
Please let me know what you think of the idea. Also, please post any suggestions you have for how to identify a safe file.
Edit: Just to make myself clear. These files would not be automatically allowed, but essentially this is an extension to Threatcast to give the user more information.
Your original post asked about adding a third file type (POSSIBLY SAFE) to CIS’s curent list of SAFE or DANGEROUS. If you look at it another way, you may see that a third category is, IMHO, not required.
Rather than SAFE or DANGEROUS, think of them as KNOWN (regardless of if they are KNOWN SAFE or KNOWN UNSAFE) or UNKNOWN.
If an object doesn’t fall into either the KNOWN or UNKNOWN categories, it should, by default, be treated as UNKNOWN until proven otherwise. An UNKNOWN object should be constrained in how it can impact the system.
Pregnant or not pregnant - an objects status should be one or the other and nothing should be halfway. Security is not an inexact science.
How horrifying would it be to hear someone utter the dreaded words “Possibly pregnant”?
In my way of looking at it there are currently 4 types of files. There are safe, malicious, unknown, and (because of Defense+ heuristics) probably malicious. What I am advising is that just as there is a probably malicious (for Defense+) that there can also be a probably safe.
But here’s another way to look at it.
If I run a software like HitMan Pro, which still isn’t in the whitelist, shouldn’t CIS be able to recommend that I can probably trust it. It’s obviously a safe application, but technically it’s still unknown. Why can’t there be a different recommendation then when I try to run malware that isn’t yet recognized and also isn’t detected with Defense+ heuristics.
Possibly under the information tab it can give more information than just the technical information about what the file is trying to do. Why can’t it give the information I advised (or more) and then state that it recommends allowing the application because of the following reasons (…) as long as the file came from a trusted source.
Personally, I think it would be very useful for most users and would make the software much easier to use. I don’t know of any other software that can do this, but I believe that CIS has the capability to do this now.
This assumes that we can immediately ascertain whether the file is malicious or not. This is not possible because there are too many files currently being sent to Comodo. What my advisement accounts for is the time in between when the file is first encountered and when Comodo is finally able to analyze it and determine that it is safe.
So are you saying that maybe my wish should be for the behavioral blocker? Essentially that I would like for it to be able to identify whether a file is probably safe.
My only problem with this is that this would still require the threatcast community (at least for most of my requirements).
I can understand your logic, but don’t necessarily agree with it.
Given your example of Hitman Pro, CIS could conceivably make a recommendation that it is PROBABLY SAFE, but CIS can have no idea where you downloaded the Hitman Pro from or whether it is a legitimate installer for Hitman Pro, thereby casting doubt on the PROBABLY side of things. They only way CIS could identify it as a legitimate installer would be if it was on some sort of a list of approved installers, in which case it would be classed as KNOWN.
Sorry, but I don’t want my system security to hinge on Douglas Adam’s principle of “Mostly Harmless”.
As Languy said, Comodo went the HIPs route. It’s probably safer than behavior blockers, but you have to deal with the popups. Personally I would rather have an advanced behavior blocker.
What I’m talking about is instead of Threatcast just telling you how many people allowed or denied the file it would provide all the information I suggested along with an automated decision about whether it is probably safe.
This would make it much easier for any user to make the right decision.
I’m not talking about automatically allowing or denying anything, just giving the user more information.
Something similar to virus total? Hmmm… What about the sheeper behavior of virus total? It would be up to the user to decide anyway… Well, advanced users use VT anyway…
Really? Number wouldn’t be a factor for decision in my opinion. Again, we need a better CAV to decide about unknown files.
I have already visited 100’s of threatcast like sites that pull up pseudo generated information when you type in a file-name to a search engine. (not to mention the 1000’s of scrape bot on’the’fly generated ■■■■ sites).
I can tell you that the whole idea of threat level is a bit ridiculous. Don’t you remember on the comedy shows how they would make fun of the threat level color, like “orange” - I feel orange today because I am just not sure.
;D
It is not whether something is absolutely safe, it is how it is used. It’s like a chainsaw that comes with a sticker that says 100% safe if used safely. I think it is context right?
The only relevant information would be if it is signed and by whom, along with company details and contact information to said company and maybe a home page if relevant, but I know that is stretching it. At least the signage is a very big hint for most people as to whether it is what they meant to run, or if it is in the context of what they are doing.
