Behavior Analysis

Here goes my 2 cents on this feature.

It seems most of the Firewall vendors these days are incorporating this sort of thing in their product. I suppose something new in the world of Firewalls was needed to garner new customers.

What I have found using BA is that a lot of legitimate programs will fail the BA test and produce a popup. It seems that the sort of things that BA looks at within a program is not only indicative of what an ‘evil’ program will do. Lots of ‘good’ programs do these sort of programming tricks too.

So what we have here is ‘The boy who cried wolf’ phenomena. I get so many popups for good programs that I will surely become blind to a bad program if one ever comes my way.

I think BA is too ambitious. If only ‘evil’ programs used these tactics then BA would be nice. But since so many ‘good’ programs seem to use these tactics too, BA’s effectiveness is somewhat tarnished.

As for me I have it turned off completely. It would be nice to use but I can’t be bothered with all the popups. I was a Kerio user before I found your program and I also had to turn off their BA type of feature. Though I must admit I didn’t get as nearly as many popups with Kerio as I do with CPF. I suppose Kerio’s BA was not as intense as yours.

Your comments are encouraged.

My thoughts… BA is very useful as even safe programs can be compromised. Thankfully, Comodo has a large database of “Safe Programs” of which rules can automatically be set. Once you’ve done all the the pop ups and tick Remember my decision for each one. This admittedly takes time but CPF is just getting used to how your system works.

Besides, if a program is behaving strangely then I’d want to know. I could be that the program is working incorrectly or that it has become compromised. I see BA as a very valid and important addition to any FW.


Appreciate the comments.

Don’t you think that with all the information that popups using BA (and also without it to some extent) it is bound to confuse alot of people?

I think what most folks expect in a FW is that when you get a message it means DANGER WILL ROBINSON. Not maybe a danger which means the user has to investigate things which might be way beyond his/her ability.

Then there is the user that will deny everything thus causing perfectly safe programs not to work.

Admittedly I don’t know where to draw the line. Too much info can be bad. Then again not enough could be bad too.

I came to CPF by way of Kerio PF. When I set a rule for KPF that was the last I heard from it for the most part. Set it and forget it. Not so with CPF in many cases. It seems to get it’s hands into things everytime I run some things.

And who is to say that injections, modifications, etc are bad??? Just because a few ‘bad’ programs use this is it right to question all the ‘good’ programs that use the same techniques. And more importantly can the average user know the difference between good and bad when he gets a popup?