Behavior Analysis

Comodo Internet Security should have a behavior guard to help it detect malicious programs and add them to the malware definitions.

… Behaviour Guard? You mean like Threatfire or Mamutu? ???

CIS already has a HIPS (Defense+) which does everything a behaviour blocker does and more… :wink:

For the 99% of users who are not PC experts, HIPS (Defense+) is useful for alerting the first time a program is run, since the user knows if he/she installed this or not based on its folder and file name. But non-PC experts can’t decide what actions a program should be allowed to do, other than maybe connect to the internet. Non-PC experts need help to detect whether a program they mistakenly trust is behaving malevolently. Behavior analysis would give them one type of such help.

Check this out :wink:

Beanie :slight_smile:

I noticed that 75.8% of voters on that post indicated that behavior analysis would prove useful to CIS.

I summarize the negative posts in that thread as being from PC experts stating that they get better protection with a HIPS popup for each action of an unknown new program than with a behavior blocker. I agree that this is true for PC experts. But, in the hands of non-PC experts, who click “Allow” on every popup because they don’t have the knowledge and confidence to say no (and are irritated by all the popups), then I believe that HIPS provides worse protection than a behavior blocker. This assumes that a behavior blocker produces few false positives. So I vote to keep the current HIPS behavior available for PC experts and also support behavior analysis to make CIS more usable by average users.

So far, we have been comparing HIPS prevention to behavior blocking detection. But maybe behavior blocking could be turned into a prevention mechanism by giving the user the ability to undo the changes made by an unknown/unsafe program.

Just a couple of points to hopefully clarify everything :slight_smile:

  1. A BB would never replace D+, as any BB is inferior to a HIPS.

  2. Adding a BB would only be for the purpose of usability, since, realistically, it would be of no benefit in terms of security.

Hope this helps :slight_smile:

Exactly. :slight_smile:

I can’t agree with that. HIPS is inferior to BB when talking about inexperienced users.
With experienced users, HIPS is probably better (if you don’t mind the popups).

Correct :slight_smile:

That is why Comodo is building on usability for v4.

- Brand New Graphical User Interface (GUI). This is a complete GUI Usability overhaul! A huge thank you goes to the Usability Study Group members who helped with this new GUI.
- Loads and loads and loads of usability, making it easy for ANYONE to use CIS while still maintaining Prevention as your first line of defense.

Don’t know the details, though.

Also RejZoR, your dream may come true, since Melih has shown interest in BB integration (from a usability perspective) :wink:


Beanie :slight_smile:

I think that using a classical HIPS is the price that the user has to pay to use CIS.

I believe that COMODO has taken many actions in favor of a more user-friendly program, and to me CIS, Defense+ exactly, has lost some strength, and I don’t like that!

Completely changing the concepts that we users have supported for years would betray us.

Hey Joker :slight_smile:

In what way(s) do you think that D+ has lost strength? I personally feel that it’s one of, if not the, strongest, most thorough Classical HIPS products out there :wink:


Beanie :slight_smile:

I guess Defense+ is too permissive! When I installed CIS and restarted the PC, Defense+ allowed almost everything without any prompt! That’s not good!

See the topic below:

The other thing is that, with the huge whitelist, the safe apps can do almost everything.

Finally, if I put Defense+ in training mode for a while, it allows almost everything, including permissions that the program doesn’t require.

Ah fair enough. I wouldn’t really consider this a security risk though, since only actions from safe files are remembered (in Computer Security Policy). Any ‘new’ (i.e. malicious) actions are alerted for. Also, you get alerted when a file tries to ‘use’ another file for something (eg malware disguising itself).

Or am I mistaken?


Beanie :slight_smile:

Maybe not a security risk, but some of us wanna control everything! ;D

In previous releases (CFP 3.0 or the first CIS releases, I don’t remember), Defense+ asked about every startup process that initialized with it (let’s say: Avira, Spyware Terminator, a-Squared, inCD etc).

I really dislike this one! Putting Defense+ in training mode allows almost everything to an app. Well, if an app doesn’t request DNS, for example, why should Defense+ allow it?

Well then, I guess Comodo is catering for the masses, who happen to be non-techie folk, unlike you and me :wink:

Bear in mind, however, that CIS v4 will (apparently) feature an Advanced and a Beginner GUI, which may feature some of the things that you’re looking for. I don’t know the details though…

Beanie :slight_smile:

And that’s why a behavior blocker should be implemented in CIS, as a complement to Defense+, which is set to be more friendly by having maximum settings disabled by default.

And, when I talk about behavior blocker, I talk about something like SANA’s product, now part of AVG. Not Mamutu or ThreatFire.

A behavior blocker would increase the security for the non-expert users, which represent more than 90%.

Disagree, but I’m a little lazy to discuss anything tonight!

See the following topics:

If you have anything new, ask a mod. to re-open them!

What do you disagree with? I don’t understand.

I’m talking here as a casual user. I’m not an expert. That’s why I say a smart behavior blocker, alongside Defense+ in default mode, offers better protection than Defense+ alone, in default mode, which has maximum settings disabled.

Maybe you’re talking from the perspective of an experienced user. I’m talking from the perspective of a casual user concerned with security. I’m aware that I’m not an expert, and that’s why I leave Defense+ as it is - default mode. That’s why I also make use of an intelligent behavior blocker, with a huge database of well-known and digitally signed applications, and when an alert is given, it only means one thing, considering all my applications are from trusted sources and I know them - it means trouble.

So such a behavior blocker makes all the difference in the hands of someone like me.

Behaviour blocking is on Melih’s mind he said recently… so who knows in v4.x…?

What I don’t understand is how adding BB is meant to improve usability while still keeping the default deny.