Hi & thank you for providing such an interesting protection for free.
However, I have some gripes with how the anti-virus handles software with unknown trust status.
Here’s an example scenario in which Comodo asked me to take an action, yet:
- No useful information is given to help me choose an action (besides some oversimplified risk evaluation).
- None of the actions are really useful to help me get information.
Suppose I try to run some application from the internet.
I also know the application has limited distribution (not popular / mainstream).
Given the context in which I got the file and my experience, the file is probably legit.
However, I do not have 100% confidence and would like to use CIS as a safety net.
I run the application and get a CIS popup:
UnclassifiedMalware@123456789
Risk - High
Ignore - Clean
So now how do I take a decision?
- Is it a heuristic or a confirmed detection?
- If heuristic, what rules have triggered it? Is it simply a packed application?
- If confirmed, on what criteria? What does “high risk” mean?
- High level of damage, or high probability of doing something … what?
More importantly, at this time I want to know:
- Does it do anything (changes on the system) far from its apparent functionality?
- Does it make automatic changes to the system upon execution?
- If left unprotected, what changes would stay, say after two reboots?
- Does it transmit any information over the net? Safe server destination?
- Is it classified as “malware” because of what it actually does, or because of what it can be used to do in some cases?
i.e. “Hacktool”, security or homemade administration software.
The last point is especially important for me because it looks like I do not always agree with the anti-virus about the definition of what malware is. Having more details on the classification than “Unclassified” would greatly help me… even if I have to click on “detail” -> “even more detail” in order to keep the simplified user interface.
I will now look at the choices I have:
- Clean
  - Not an option: I identified the file as being probably legit.
- Ignore Once
  - Probably the best option, provided I have D+ to observe the unknown file.
  - Unfortunately it’s useless here; I keep getting the same popup again and again.
- Add to my own safe files
  - I cannot tag the file as safe for now, until I actually manage to run it.
- Report as false alert
  - Unfortunately the only way to close that detection dialog.
Some actions I’d like to have:
- Ignore Once (one that actually, really ignores the file for this execution!!)
- Get a second opinion: using jotti.org or another service
- Assess risk: run this particular file in a maximum-security sandbox & log denied events
- Step by step: run this particular file in paranoid mode
- Adjust heuristic settings: especially useful for Heur.DualExtension & maybe packer detection.
One last thing: 36 threats detected so far.
That statistic is misleading.
In my case it’s more like 36 anti-virus events that are logged about the same threats, due to the inability of the anti-virus to actually ignore a file when told to.
For those interested … in the end the file was harmless (by my definition), as is usually the case.
I understand that I am “far” from the “take no risk & clean” scenario,
but I’d like the ability to judge things from an objective standpoint if I doubt the detection.
Maybe just a right-click option > “paranoid mode for this particular file and descendants” would be best for me,
a kind of reversed installation mode with more prompts.
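The questions raised above about what an unknown file changes on the system, and which of those changes would survive a reboot, can be approached with a before/after filesystem snapshot: hash every file before the program runs, hash again afterwards, and report what was added, modified or removed. The script below is an added example, not code from the original post or from Comodo. It runs no real program: the unknown application is a constructed stand-in function that edits, drops and deletes files inside a temporary directory, and the directory names `app`, `autorun` and `tmp`, as well as the list of prefixes treated as "persistent", are assumptions made for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Callable, Dict, List


def snapshot(root: Path) -> Dict[str, str]:
    """Map every regular file under root (POSIX-style relative path) to its SHA-256."""
    result: Dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            result[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return result


def diff_snapshots(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify the differences between two snapshots into added / modified / removed."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"added": added, "modified": modified, "removed": removed}


def observe_run(root: Path, run_unknown: Callable[[Path], None]) -> Dict[str, List[str]]:
    """Snapshot, execute the supplied callable against root, snapshot again, and diff."""
    before = snapshot(root)
    run_unknown(root)
    after = snapshot(root)
    return diff_snapshots(before, after)


# Assumed prefixes for locations whose contents survive a reboot; "tmp/" is not one of them.
PERSISTENT_PREFIXES = ("app/", "autorun/")


def persistent_changes(report: Dict[str, List[str]],
                       prefixes=PERSISTENT_PREFIXES) -> List[str]:
    """Return added or modified paths that land in a location assumed to persist across reboots."""
    candidates = report["added"] + report["modified"]
    return sorted(p for p in candidates if p.startswith(prefixes))


def constructed_unknown_program(root: Path) -> None:
    """Constructed stand-in for the unknown application (no real binary is executed).

    It rewrites an existing config file, drops a new file in a persistent location,
    and deletes a scratch file in the temporary area.
    """
    (root / "app" / "settings.ini").write_text("updated=1\n")
    (root / "autorun" / "helper.dll").write_bytes(b"\x00" * 16)
    (root / "tmp" / "scratch.tmp").unlink()


def demo() -> Dict[str, List[str]]:
    """Build a constructed initial tree in a temp dir, observe the stand-in, return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for sub in ("app", "autorun", "tmp"):
            (root / sub).mkdir()
        (root / "app" / "settings.ini").write_text("updated=0\n")
        (root / "app" / "main.exe").write_bytes(b"MZ")
        (root / "tmp" / "scratch.tmp").write_text("x")
        return observe_run(root, constructed_unknown_program)


if __name__ == "__main__":
    report = demo()
    for kind, paths in report.items():
        print(f"{kind}: {paths}")
    print(f"would survive a reboot: {persistent_changes(report)}")
```

The diff only covers the directory tree passed in, so it answers the "what changed on disk" question for that tree and nothing else; network activity and registry or service changes need separate observation, which is exactly the kind of logging the sandbox-and-log-denied-events action asked for above would provide.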