CFP versus malware: interesting features lacking in Defence Plus?

I tried three malware samples.

1- Aliz worm
2- Sober worm

Both these worms spread themselves by sending copies of themselves by e-mail. They get the e-mail addresses from the Windows address book, and the Sober worm also scans many files (like text files) on the PC to find e-mail addresses.

3- GPcode trojan: a malware that encrypts many files on the infected PC (say text files, for example), causing data loss.

NG gave pop-ups for all these actions, though it was not fully successful in stopping the damage (e.g. it did not stop the encryption of text files by the malware), but it's interesting to see such functionality.

I did not get any such pop-ups from CFP Defence Plus (let me admit that I have not yet fully tested Defence Plus against these malware samples). I wish the developers could add such functionality to mitigate the damage caused by such malware if their execution is allowed. See such features of Neoava Guard in the screenshots.

What are your thoughts? Thanks

[attachment deleted by admin]

I guess that adding some control and differentiation over file delete, create and move could be useful.

As for Windows address book protection, there is an easy way to get that: add *.wab to My Protected Files.

Maybe some programmer could suggest some specific approach using registry keys and COM interfaces too…

You can set Comodo not to just let cmd.exe run automatically.

Really though, Neoava looks good here for specific actions, right down to the last fatal one. I'd think you would get some prompt from Comodo after running, for Windows messages or something.

I strongly endorse aigle’s suggestion to increase CFP’s functionality so as to protect against the threats illustrated by his tests.

I don't think default settings would protect (or those who install things with too loose rules), but you can add things to be protected against in the blocked files setting under D+ adv. cp policy for cmd.exe. I have cmd.exe set to a custom policy.

Yep. I agree on this… :-TU

Josh

V3’s FD isn’t global.
If you don’t add files to my protected files, they won’t get protection.

I wish new features would be added to improve the situation.

Hmm… I think CFP3 doesn't have read protection capability; please correct me if I'm wrong.
So there is no recognition of any of the above; there will only be warnings for modification and write, for the default configuration's file types or for manually added extensions, unless of course somebody finds a way "around" it, as gibran suggested…

IIRC CFP traps file accesses, but it makes no distinction between reading/writing/moving/deleting.

At the same time CFP doesn't account for file access frequency.
Monitoring frequency behaviour could prove useful, but those alerts will only be displayed after a number of such activities have already occurred.

In theory it would still be possible to use CFP to tailor a tight ruleset to limit such scenarios, but the effort required would not make it feasible for most users, and I guess it requires using D+ Safe mode.

I mean each end-user app has a specific behaviour. It is associated with specific file types, needs to access specific folders, needs specific DLLs to work, and so on.
Especially on an XP admin account each app has the right to do pretty much everything, even though most apps don't require so many rights.

IMHO enforcing a strict behaviour on existing apps is awkward for two reasons:

There is no easy way to guess an application's behaviour before it runs other than applying a strict policy and looking at D+ logs, or guessing at the program's purpose to apply some additional restriction (e.g. limiting access only to specific file types), or relying on alerts (which protect the system according to CFP's "my protected something" settings)

CFP's GUI ruleset editing features and the current status of the ruleset language will not make this an easy task (e.g. single application policies cannot be exported, wildcard characters are limited to ? or *, there are only a few special paths like %windir%)

I guess that the CFP engine's true potential cannot be fully exploited as of now, but I'm confident that future versions will overcome the current limitations.
Even so CFP is still a powerful product. (R)

It seems the Comodo crew has taken on a pretty heavy workload on other projects…
So I can only guess how much time will pass before the next CFP major build.
Also, it is a shame for applications as sophisticated as NG to be "fading away", abandoned… (:SAD)

Actually there are more people working on CFP now than last month, and we will continue pouring resources in to extend it.
We have over 200 developers (yep, just developers) working on our projects and we continually increase this number as we find good devs. All the projects we do have "their own teams" and each team is growing in number each month. I would like to challenge anyone to show me another Research and Development facility that has generated such a breadth of security-related products in such a short time! (Don't confuse marketing companies buying products and bundling them with R&D.) Just stop for a minute and take a look, we mean business!!

As to adding more rules etc. into CFP: well, for us to know what rules to add, we must know what the malware does. If we know what the malware does, then we can add
1)malware signature
2)some heuristic
into our AV product to catch it.

So I think it's more sensible to create the sigs and some heuristics for our AV rather than try to put some heuristic rules into CFP.

thanks
Melih

The CFP engine as it is is powerful indeed, but IMHO it has some unexploited potential.
I’ll wait whatever time it takes to see that potential fulfilled.

For example the D+ engine can be used not only as a malware shield but also as a system gatekeeper.
Using a custom ruleset it could be possible to enforce specific safe behaviours.
For example, even if the Save As dialog of an application permits rewriting any type of file, it is possible to prevent users from overwriting executable applications.
The same goes for the firewall, as users can choose to limit even legitimate behaviours (e.g. call-home connections).

I came to like CFP more as a behavioural enforcer than a malware shield.
Improving the CFP GUI's ability to edit rules and configurations, and improving the ruleset language, will make CFP even more powerful without even adding new features to the CFP core engine.

A strict D+ policy could even defeat a 0-day BO exploit if the malicious code attempts something different from the rules enforced for that app.

Improving CFP's rule import/export capabilities and ruleset language could make it possible to share single application policies and make them cross-compatible between different machines.

Improving digital signature support, to warn about invalid digital certificates or to optionally add them to trusted vendors, would even reduce the need to scan some files.

CFP engine can do many things already and most of the things I could say are merely tiny details.

I'm looking forward to CFP sandboxing technology, as IMHO it could be a good way to peek into those software black boxes.
It would be great if such sandboxing technology could be used to automatically create an application policy for file/registry accesses the user can later refine. (:LOV)

CFP isn't an AV, right?
Please enhance D+ features rather than adding malware signatures and some heuristics.

No it’s not a Traditional AV that uses Signatures. CFP 3 uses Heuristics & HIPS to prevent known and unknown malware.

Of course D+ will continue to improve.

Josh

That is good for an AV, not a HIPS. The real power of CFP is in the Defence Plus HIPS, not the AV signatures and heuristics.

It would be really nice to add some filters like:

Detection of a process rapidly reading many files in a short time
Detection of a process rapidly deleting many files in a short time
Detection of a process rapidly modifying many files in a short time

With these features such malware can be detected; though the behaviour will be detected when the malware has already done some damage, at least the damage will be minimal rather than losing all your data.

Thanks

I'd like to see V3's FD and RD become global, so those things won't happen completely.

Interesting features.

Another ransomware bypassing CFP Defence Plus; seems so interesting.

I will try to test some more.

Prevention please; AV should be a backup solution only…
I think the HIPS should be developed further by adding more advanced behaviour detection techniques; do not abandon prevention please, CFP can do much, much more…

P.S. leave "FPs" to the CFP HIPS; please be careful with CAVS heuristics (FPs are unwanted there)

The mentioned trojan can't do anything if the files you care about are in a protected folder.

As far as I can see, the only feature needed to easily counter the worms' attacks is read protection. Am I right?! If it is added, no worm will be able to do its nasty work.

I know, the user must shake his a** a little to secure what he deems important, but hey - you can't expect to have an unbreakable defence against the most sophisticated new threats by install & forget.

It would be really nice to add some filters like:

Detection of a process rapidly reading many files in a short time
Detection of a process rapidly deleting many files in a short time
Detection of a process rapidly modifying many files in a short time

IMHO, this could add unnecessary complexity to CFP that will likely be paid for with other problems and lost dev time.
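The three filters proposed earlier in the thread (a process rapidly reading, deleting or modifying many files) and the reply above objecting to their complexity can both be judged more concretely against a minimal implementation. The block below is an added example written for this page; it is not code from CFP, Defence Plus or Neoava Guard, and it does not hook a real file system. It assumes a stream of already-captured file-access events (the `FileEvent` record, process names such as `harvester.exe` and `locker.exe`, and the thresholds are all constructed for illustration) and applies a per-process sliding window that counts distinct paths per operation. It also shows the two obvious false-positive guards a practitioner would want: re-touching the same file repeatedly does not count, and a slow steady reader never trips the window.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    """One file-access record from a hypothetical HIPS trace (constructed format)."""
    ts: float    # seconds since trace start
    pid: int
    image: str   # process image name
    op: str      # "read", "modify" or "delete"
    path: str


# Per-operation threshold: alert once a process has touched more than
# `max_files` distinct paths within `window` seconds. Values are illustrative
# assumptions, not tuned defaults from any product.
THRESHOLDS = {
    "read":   (20, 5.0),
    "modify": (10, 5.0),
    "delete": (10, 5.0),
}


class RateDetector:
    """Sliding-window burst detector keyed on (pid, operation)."""

    def __init__(self, thresholds=THRESHOLDS):
        self.thresholds = thresholds
        # (pid, op) -> deque of (ts, path), oldest first
        self.windows = defaultdict(deque)
        # alert only once per (pid, op) so a long burst does not flood the user
        self.alerted = set()

    def feed(self, ev):
        """Consume one event; return an alert dict, or None if nothing fired."""
        if ev.op not in self.thresholds:
            return None
        max_files, window = self.thresholds[ev.op]
        key = (ev.pid, ev.op)
        q = self.windows[key]
        q.append((ev.ts, ev.path))
        # discard entries that have aged out of the window
        while q and ev.ts - q[0][0] > window:
            q.popleft()
        # count distinct paths, so polling one file repeatedly is not a burst
        distinct = {p for _, p in q}
        if len(distinct) > max_files and key not in self.alerted:
            self.alerted.add(key)
            return {"pid": ev.pid, "image": ev.image, "op": ev.op,
                    "files_in_window": len(distinct), "at": ev.ts}
        return None


def scan(events):
    """Run the detector over a trace in timestamp order; return the alerts raised."""
    det = RateDetector()
    ordered = sorted(events, key=lambda e: e.ts)
    return [a for a in (det.feed(e) for e in ordered) if a is not None]


def sample_events():
    """Constructed trace mixing benign and bursty behaviour (not real telemetry)."""
    events = []
    # an editor reading a handful of files over a minute: benign
    for i in range(5):
        events.append(FileEvent(10.0 * i, 1001, "notepad.exe", "read", f"C:\\docs\\note{i}.txt"))
    # a log viewer polling the same file 50 times in two seconds: one path, no alert
    for i in range(50):
        events.append(FileEvent(60.0 + 0.04 * i, 1002, "viewer.exe", "read", "C:\\logs\\app.log"))
    # 30 distinct files read in 1.5 s: the address-harvesting pattern from the thread
    for i in range(30):
        events.append(FileEvent(100.0 + 0.05 * i, 1003, "harvester.exe", "read", f"C:\\docs\\f{i}.txt"))
    # 12 distinct files modified in 0.6 s: the mass-encryption pattern from the thread
    for i in range(12):
        events.append(FileEvent(200.0 + 0.05 * i, 1004, "locker.exe", "modify", f"C:\\docs\\g{i}.txt"))
    return events


if __name__ == "__main__":
    for alert in scan(sample_events()):
        print(alert)
```

Running the block prints two alerts: a read burst from `harvester.exe` at the 21st distinct file and a modify burst from `locker.exe` at the 11th. That illustrates the point made in the thread that such a filter only fires after some damage has been done; the threshold is the knob that trades a few lost files against the false positives a lower value would produce for legitimate indexers, backup tools and compilers.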