Checksum for all applications

It would be great to have a checksum for every application.

I have seen the example in Leaktest section of this forum.

For example: if you download leaktest.exe and overwrite firefox.exe with it, Comodo didn’t block this; instead it should do that. So I think there’s no checksum for this.
I think it’s a major problem, if the firewall could be bypassed in that easy way.

Tried this with newest CIS.

CIS compares checksums with its white list. The white list is growing every day and there are currently over a million apps on it, but D+ should alert you if any unknown file (e.g. leaktest.exe) tries to modify another file (e.g. firefox.exe). You should have gotten an alert. What are your settings?

That’s a long-running discussion here. Egemen, lead engineer on CIS, told us that if you (the user) use Explorer and you “replace” a file, it “marks that replacement as trusted”; if malware should replace a known exe, you should receive an alert for it.

So there are tricks to detect “replacement”; it’s just that it does not alert you for it as often as, let’s say, Kerio Firewall does.

Makes sense. :slight_smile:

CIS is smart! =) That’s only logical to me…

Nice to have a smart CIS, but what about paranoid users?
I would like to have alerts for all executable file replacements, even if I do the file replace with Windows Explorer (and I’m sure about it ;D).

I think that an unchecked-by-default option should exist.

:-TU I wish for this optional feature also ;D

+1!

I have found an easy way to manage this problem. You just have to change the option for Explorer, but then you get many alerts, because every action Explorer.exe does will be alerted to the user, which is really annoying.
I have changed it, but as a default, I think it’s better that Explorer.exe may do everything with a file. If malware wants to change/overwrite/access an app via explorer.exe, you first have to allow this malware to access Explorer.exe. So you wouldn’t be at any risk with these default settings.

The Avira AV on-access scanner gives the user the option of scanning on read, on write or both read and write. I propose that CIS offers these same options, plus the option of none, on checksum testing for Defense+. I suspect that CIS developers are concerned about a significant performance hit on checking during reads. Checking only during writes would have a small performance hit during installs and updates only. I support giving the user control and choice in this matter.

I propose the following for checksum checking on writes. If the user has selected “Safe Mode”, and a safe file is written/replaced, an alert is only generated if the new file does not have a safe checksum. Otherwise, alerts are generated when an unsafe/unknown file is first executed, and when a trusted file (checksum remembered after first execution) is replaced. If the user has selected “Paranoid Mode”, alerts are generated when an unknown file is first executed, and when a trusted file (checksum remembered after first execution) is replaced.

The options I propose make CIS more intelligent at malware detection. Such intelligence gives better protection to persons who are not PC experts – persons who allow every behavior by programs, that are not on the safe list, that they mistakenly trust. My non-technical spouse falls into this category. Even though I am a professional embedded SW developer, I fall into this category too!

Note that Norton, ZoneAlarm and the old Kerio don’t have this same vulnerability as CIS. More info here:
https://forums.comodo.com/leak_testingattacksvulnerability_research/cpf_fails_grc_leaktestexe-t35718.0.html
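
The write-time checksum policy proposed in the post above, modelled as an added example (not code from the thread or from Comodo). The class and function names, the use of SHA-256, the automatic "allow" answer and the reading that Paranoid Mode ignores the white list are assumptions; the file contents are constructed stand-ins.

```python
import hashlib, tempfile
from pathlib import Path

def digest(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

class ChecksumPolicy:
    """Hypothetical model of the proposed write check (not Comodo code)."""
    def __init__(self, mode, safe_list):
        self.mode = mode                  # "safe" or "paranoid"
        self.safe_list = set(safe_list)   # digests on the vendor white list
        self.remembered = {}              # path -> digest trusted after first execution

    def _on_safe_list(self, d):
        # Assumption: only Safe Mode accepts a white-listed checksum without asking.
        return self.mode == "safe" and d in self.safe_list

    def on_execute(self, path):
        d, key = digest(path), str(path)
        if self.remembered.get(key) == d:
            return None                   # already trusted and unchanged
        self.remembered[key] = d          # assumption: the user answers "allow"
        return None if self._on_safe_list(d) else "ALERT first execution of unknown file"

    def on_replace(self, path):
        d, key = digest(path), str(path)
        if key not in self.remembered or self.remembered[key] == d:
            return None                   # never trusted, or content unchanged
        if self._on_safe_list(d):
            self.remembered[key] = d      # e.g. a white-listed update
            return None
        return "ALERT trusted file replaced"

def demo(mode):
    """Replay the thread's scenario on constructed stand-in files."""
    browser_v1, browser_v2, leaktest = b"browser 1.0", b"browser 2.0", b"leaktest"
    safe = {hashlib.sha256(b).hexdigest() for b in (browser_v1, browser_v2)}
    policy = ChecksumPolicy(mode, safe)
    with tempfile.TemporaryDirectory() as tmp:
        exe = Path(tmp) / "firefox.exe"
        exe.write_bytes(browser_v1)
        events = [policy.on_execute(exe)]
        exe.write_bytes(browser_v2)       # legitimate, white-listed update
        events.append(policy.on_replace(exe))
        exe.write_bytes(leaktest)         # overwritten with an unknown binary
        events.append(policy.on_replace(exe))
    return events
```

`demo("safe")` stays silent for the white-listed update and alerts only on the unknown overwrite, while `demo("paranoid")` alerts on the first execution and on both replacements.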