Add monitoring and notification CIS capability for changed applications

Bruja · March 27, 2013, 12:43pm

It would be nice to have a monitoring and notification feature in CIS for applications in relation to the following threads:

https://forums.comodo.com/general-security-questions-and-comments/comodo-internet-security-bypassing-security-t93217.0.html;msg671175#new

https://forums.comodo.com/feedbackcommentsannouncementsnews/application-control-checksum-hash-control-v3013268-t15702.0.html

https://forums.comodo.com/firewall-help-cis/firewall-rules-for-changed-application-t70659.0.html

https://forums.comodo.com/news-announcements-feedback-cis/comodo-is-not-doing-so-good-lately-gpcode-issues-and-now-crippled-updates-t72382.0.html

An example of how the above-mentioned notification could look like:

http://www.cyberspacehq.com/products/privatefirewall/images/f_ss3.gif

I got it from a discussion on comodo in kaldata.com

Having this capability would only be a plus for Defense+ (let’s make it Defense++ :D)

Chiron494 · March 27, 2013, 5:36pm

It may be helpful. However, that sort of protection would also kick in any time an application was updated as well.

Therefore, what I would like to see is for this sort of addition to also help combat the problem of unsigned applications which update frequently constantly being put in the sandbox. Something like this could help protect against the referenced vulnerability and also add usability.

However, I believe it should not be activated by default. As long as it’s an opt-in configuration change I support this, but Comodo’s message should not be so scary. It should mention that it can also be caused by simple updating.

andrei1997 · March 27, 2013, 5:41pm

Good Idea. I voted yes. but optional

SanyaIV · March 27, 2013, 5:45pm

+1 about the not being scary part.

Radaghast · March 27, 2013, 9:48pm

You should qualify that Chiron. I use the nightly builds of firefox, which are unsigned, update every day and don’t generate any additional alerts, even when the version changes. However, with OA (see image) I know which I’d prefer…

[attachment deleted by admin]

Chiron494 · March 28, 2013, 12:52am

But I thought that with the changes advised in the first post we would start to see alerts for updates such as that. Am I misunderstanding the wish?

Radaghast · March 28, 2013, 1:16am

I’m not sure if there’s a misunderstanding and if there is, by whom. I’m just pointing out that, unlike some products, CIS doesn’t always notify on application change - hash.

In the case above, I install firefox 21 (unsigned) launch that application and get firewall alerts, which I allow. I replace the version 21 binaries with binaries from version 22 (unsigned) and with CIS I get nothing. You can see what happens under OA.

Unfortunately, this is an old old topic, which may or may not be an issue. Personally, I’d like an alert, when a binary changes, without needing recourse to paranoid mode in HIPS.