Add Hips Technology to CCAV(Comodo cloud)
CCAV is dead. Last updated in Sept. 2018 (2.0.470195.867 Beta was never acknowledged officially, and nothing happened after it has been surreptitiously released back in January), which is exactly when Umesh Kumar Gupta ended his 14½ years at Comodo by moving to Verizon. Not a coincidence.
HIPS in Comodo cloud antivirus does not make sense, after all, in the case of a trojan with fake signature, but unknown of the security software industry. HIPS may fail;
Firewall would be more interesting (as long as it recognizes exploitation of secure applications or exploitation by command line - parent application> child), for exemple…
I see CCAV as being the more user friendly version of CAV/CIS.
As such, HIPS results in popups that typical users are not going to understand if they should allow or block.
As there is no AI in the system to determine this for the user, having HIPS fully on is not going to be a great experience for those types of users.
Therefore I would recommend having HIPS to help self protect CCAV and maybe the System, but nothing more.
Potentially there could be an Easy Mode with only CCAV and System protected & an advanced mode for full hips as per CIS.
My dad isn’t going to know if a safe application should be accessing memory from XYZ, nor should he be expected to know either. In my opinion there needs to be a balance so that both novice and experienced users can get the available options that best suite them.
But would your dad know when, why and how to run an app in the Sandbox? Many apps would simply crash in a Sandbox. Most people don’t understand the utility of a Sandbox: you either run an app or you don’t, full stop.
In my opinion, Sandbox is not for everyone. I’d rather prefer to have a sort of a HIPS the “Qihoo 360” style, when the user is prompted when an app (possibly a legitimate Setup) wants to add a StartUp item, to create a new scheduled task, or when it acts really suspiciously with regards to “protected system areas”. Everyone’s dad would know to accept such actions when installing a program from a legitimate source and to deny them all otherwise.
Most apps should work within the sandbox on default settings. That’s the point of it.
Issues tend to arise if you go into Settings and tighten what apps can access whilst in the sandbox.
Therefore all Comodo really needs to do, is make the ‘Shared Space’ feature more intuitive to the user.
I would recommend something on the lines of:
a. Display ‘Shared Space’ pop upon contained app informing user that all saved files can be stored in the ‘Shared Space’
b. Add ‘Shared Space’ shortcut to the ‘File Explorer’ sidebar.
c. If possible, launch another popup when the user launches ‘File Explorer’ from a contained app reminding users that they can use the ‘Shared Space’ folder to transfer files to and from a contained app. Maybe even also have a shortcut button within that popup that directs file explorer to the ‘Shared Space’ folder.
The sandbox in most cases works fine. The user experience in my opinion just needs refreshed a little so that new users can easily use sand-boxed apps without confusion.
Most apps might run in the Sandbox, but they should not be run in the Sandbox.
Even if you run a browser or an Office app in the Sandbox, the Setup meant to install them should be run “for real” to be able to properly install them.
So why should someone’s dad run an unknown app or an unknown setup? The regular user should only run:
- Trusted installers outside the Sandbox.
- Most apps outside the Sandbox (a: because they’re just apps; b: because they would still need to save their settings).
- Some apps in the Sandbox for the paranoid (Chrome/Firefox, for fear of unknown vulnerabilities; Microsoft Office, because of the scripts; and a few others).
The “modern” solution is “deny everything unknown” (which works fine with CCAV), but I DO NOT run any browser in the Sandbox! As it happens, I usually keep something like 200 tabs in 6 windows, all taking 6 GB of RAM, and I really want this ■■■■ to work, not to crash because of the Sandbox! Also, I download a lot of files and I don’t want to need to do anything special: if I download a file, I want it to be THERE.
The future belongs to: deny by default. But not to the Sandbox, I’m afraid. If something is really, really unknown, either don’t run it altogether or, if trusted (say, a program compiled by myself), just run it.
Do you know of anyone running Photoshop or Premiere or DaVinci Resolve Studio in the Sandbox? Why do we still have an OS able to run programs, if we don’t let it run them?
This being said, the “HIPS that is not really HIPS but it protects sensitive parts of the Registry and of the system” would be so useful, yet nobody bothers to fully implement it. I mean, something that combines CAV’s HIPS and 360’s non-signature protection, but in CCAV.
Try to explain the need for a Sandbox to your grandma.
I have forwarded the suggestion to our developers,they will discuss and decide about it.
Hmmm… maybe just release new, updated version of CCAV (which beta version leaked out somewhere else 7 months ago)? :THNK This product feels discontinued for now, and the vision of adding another major component like HIPS seems not helpful in resuscitating it to the functioning, regularly updated application.
Comodo does not typically sandbox the installers of popular office apps or content creation apps such as Photoshop.
If you know of any that it does, you can help by submitting them here
If something is really, really unknown, either don't run it
That in practice does not always work. Exploits in web browsers etc have been used to install and run executable files without the users permission. The Sandbox would be required in order to contain these types of attacks.
Again, typical users will not understand what to click on HIPS popups for every situation. Therefore it is pointless providing a technology that they do not know how to use.
Furthermore, as I have already stated “there could be an Easy Mode with only CCAV and System protected & an advanced mode for full hips as per CIS”.