Comodo Firewall Pro 3.0 HIPS and other HIPS applications conflicts question.

So the new version of Comodo Firewall Pro will have HIPS. How will other HIPS programs such as Prevx and Spyware Terminator react to this? I have Prevx on my computer; will it have any conflicts with the new firewall version when it comes out?

There’s probably not a hard and fast rule on that, unfortunately. General rule of thumb is that you don’t want multiple applications working in the same way, because of conflicts.

However, every system is different. For example, without any other HIPS, I couldn’t run Prevx; it froze my system completely. I think it was reacting to CFP’s ABA, but I can’t quantify that, and I didn’t keep it long enough to find out more. Cyberhawk worked for a while, then it started having conflict issues.

At the moment I have CAVS (w/HIPS), Spyware Terminator (w/ActiveShield & HIPS), and ProcessGuard, all running simultaneously. They each work a bit differently, and I really only see popups after I’ve installed or updated new software, as far as every-day usage goes.

I’m guessing that once CFP (w/full HIPS) comes out, I’ll have to disable the others, given what I’ve heard about it from Melih. At least at first, anyway. If I remember correctly, it has been stated that CFP’s HIPS will give the option to use it or not; from Melih’s comments, I think I would want to use it. :wink:

LM

Aside from detection & removal capabilities of CAVS, why would one need its HIPS when CFP 3 will have one?

My understanding (if I remember correctly) is that when/if the user installs CFP’s HIPS, a prompt/notice will be given to disable CAVS’ HIPS. Certainly, that aspect of it wouldn’t seem to be needed.

LM

Well, I have 187 days left for my Prevx subscription and that’s a lot. But I also don’t want to not install the new version since it looks awesome. I’m in a pickle.

cheater87, why not try CFP’s HIPS once it’s out? If you’re not satisfied then try out your new Prevx version.

If I choose to have it off when I install can I turn it on after Prevx expires?

No idea. Good question though. If I exclude HIPS in the future CPF 3 installation, will I have to uninstall it and then install the version with HIPS in order to acquire HIPS, or will there be a separate CFP setup.exe just for HIPS alone? (too many HIPS words in this one hehehe)

The reason why I ask this way is because even if HIPS is included in the installation, the related driver(s) may still conflict with other HIPS software even when disabled.

Rats, now I’m in even more of a pickle.

cheater87,

I cannot imagine a scenario where you wouldn’t have the option to turn off CFP’s HIPS. You can turn off the CAVS’ HIPS, you can turn off CFP’s ABA; I’m sure that even if you don’t have an option to install/not install, you will have the POWER to turn it off.

Here’s what I think…

Keep your Prevx now; it’s a good program and working for you. Get any updates available while the license is active. Surely you don’t have to pay now to get more updates (that would be the part I’d avoid, if possible).

I’m not sure when CFP w/HIPS will come out; obviously from Melih’s comments they already have the HIPS developed, and are lab-testing it. Thus, I would anticipate its arrival with the Beta release of 3.0, which I think is planned loosely for April. Given the average cycle of these things, I could easily anticipate a stable final release by the time your Prevx license expires 6 months from now.

Then you could transition over…

LM

Thanks, I’ll wait till Prevx expires and then use the CFP HIPS.

LM, Prevx1 doesn’t conflict with CPF. If you had Cyberhawk at the same time, there’s your conflict.
Future CPF’s HIPS can’t be a Prevx1 substitute, nor the other way around. They could conflict nonetheless.

Unless there’s something I’m missing about CPF’s HIPS, these two programs are not the same.
Prevx1: Whitelist, Blacklist, Heuristics, a bit of HIPS, and community database. Anything unknown that you execute, prompt- yes/no; if you answer yes, Prevx1 analyses the execution. Even if heuristics doesn’t flag anything, Prevx1 reports the program’s behaviour to the database, for review. If it turns out bad- update- clean, and update to everyone using the same program. If good, added to our local database and everyone else’s that runs the same program.
The more users, the better the product.

To me, you either want automated malware research, or classic HIPS with a big whitelist, and freeware. They are not the same.

But a good question would be: are there specifics on CPF’s HIPS that I’m not aware of, that go against what I just said?

Someone, as I said, I couldn’t quantify the conflict w/Prevx1. All I could quantify was that with it installed, my system was frozen. My thought was that there was possibly a conflict there, but who knows. Might not, might have. Even if it works fine on someone else’s system, it might conflict on another; that’s the nature of software and computers. Look at all the user problems with CFP (CPU consumption, constant initializing, monitors not working), and I for one don’t experience those.

And no, CyberHawk was not installed when I tried Prevx1. That came later, and it worked fine for a while. Then it updated/upgraded versions (they came out with some new stuff) and it started saying everything was a keylogger. Can’t have that, now can I? lol

I think CFP v3 will not be the same as Prevx1. For one, no blacklist. That’s a definitions-based approach in a sense, which is what Melih is trying to avoid; the “bad” list grows too fast, and has to be updated in order to continue catching it. Rather, he wants the largest-ever whitelist of cryptographically-signed applications so that the user doesn’t have to decide on everything whether it’s safe or not. No heuristics; more definitions-based approach that he seems to detest; it’s too far behind the curve… Then after that comes behavior analysis which he says will go far above and beyond that which ProcessGuard (full version) supplies http://www.diamondcs.com.au/processguard/. I’ve used the free version, and based on the info available, the full version does a lot; no lists, it’s all behavior-based, and fully-controllable.

Melih’s statements make me think they’re trying to create not only the strongest HIPS, but also one that’s user-friendly. At present, the strongest ones give a lot of popups, because they’re analyzing behavior in a very thorough fashion. Secure, but if you don’t know what it’s telling you, how do you know to respond? So they’re trying to overcome that limitation.

LM

About the system freezing, I agree. Software is wacky sometimes. I never saw 1/3 of the problems reported about CPF.

Then it updated/upgraded versions (they came out with some new stuff) and it started saying everything was a keylogger.
:BNC keyloggers, keyloggers!

As for CPF, then my expectations are correct. I agree with you on most things. CPF is a FW, Prevx1 is not. A FW with or without HIPS can’t have a blacklist, I agree too. The whitelist will be most useful to reduce the noise of the HIPS.

But what Melih says about the blacklist (“bad” list grows too fast), that’s what I like about Prevx1, really. It has both approaches, and to signal the bad and clean it, the community database is superb. The unknown tends to be rare. When I run an unknown, I even think twice, given that it really is rare.
How can you beat 10000 users, 50000 (just examples of what it can achieve), all downloading programs, and Prevx1 reporting? Give the researchers a medal ;D

Rather, he wants the largest-ever whitelist of cryptographically-signed applications so that the user doesn't have to decide on everything whether it's safe or not.

So they are competing with Prevx1 in this AREA.

Well, it depends on what you mean by heuristics; I presume here you mean heuristics in the classic AV sense of scanning for variations in the code.

Then after that comes behavior analysis which he says will go far above and beyond that which ProcessGuard (full version) supplies http://www.diamondcs.com.au/processguard/.

Well I don’t quite get this.

ProcessGuard pretty much prompts on any behavior, leaving the decision to the user; SSM and ProSecurity are even worse, watching even more behavior/entry points. Yet they want it to be usable for the common man, so clearly it would involve some kind of automated decision-making system.

So their “behavioral analysis” would be in the broad sense “heuristics” that make the decision for the user. Except instead of the classic AV heuristic of analysing code (or rarely behavior within emulated environments), they analyse actual behavior…

Kind of like KAV’s PDM.

Lusher: the way I understood it, it’s not like KAV’s PDM; Melih even said as much. Think PG, but with a whitelist of all the most common applications, so you won’t receive pop-ups.
Given this, I don’t think it’s going to compete with Prevx1, not directly; it’s another and simpler approach.
The database can’t possibly get as large as Prevx1’s. It will be there so you give the most attention to the pop-ups you do receive.

Well whitelists are nothing special. Safensec has it, Online Armor has it, and Prevx1 of course. I guess the only wrinkle is that he wants the vendors to sign them all using strong crypto (as opposed to the guy inputting hash values into the database), but that only helps with MS and some of the major players. Pretty much everyone else doesn’t sign code.

The difference is:

There is only one Certification Authority in the world that has the ability to analyse files and create a huge safelist.

The other safelists you are talking about are either community created or small ones. There hasn’t been a safelist that has been vetted and that is huge enough. So far our safelist is just above 300,000 executables and growing around 3000 files a day. This safelist is the kind of safelist businesses can rely upon, not community ones that they can’t.

Melih

Melih, even though I trust Prevx1’s database, your argument seems to make a point.
One question: is CRC32 being dropped for MD5 or SHA-type hashes? I’ve read that these are better, and that CRC32 isn’t that good.
I’m curious about your opinion and the future checksum approach for CPF 3.

TIA

Well, we use different hashes depending on the speed requirements. I don’t have the list of the ones we use handy, I am afraid, but they are all cryptographically sound ones.

Melih
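The CRC32 question above is worth making concrete. The following is an added example written for this page; it is not Comodo's code and says nothing about which hashes CFP actually uses. It shows two separate reasons a whitelist keyed on a 32-bit checksum is not a safe identity for an executable: the birthday bound puts the number of accidental CRC32 collisions in a list of 300,000 entries (Melih's figure above) around ten, and a plain seeded random search finds two different byte strings with the same CRC32 in well under a second, whereas no such pair is findable for SHA-256. The `Whitelist` class, the fingerprint helpers, the random seed and the 8-byte sample inputs are all constructed for the demonstration.

```python
import hashlib
import random
import zlib


def expected_accidental_collisions(entries, hash_bits):
    """Birthday-bound estimate of how many pairs of distinct files in a
    whitelist of `entries` items share the same `hash_bits`-bit fingerprint,
    assuming the fingerprint behaves like a uniform random function.
    For 300,000 entries this is about 10.5 pairs at 32 bits and effectively
    zero at 256 bits."""
    return entries * (entries - 1) / (2 * 2 ** hash_bits)


def find_crc32_collision(seed=1, limit=500_000):
    """Feed seeded-random 8-byte inputs (constructed sample data) to CRC32
    until two different inputs produce the same checksum. Returns (a, b)
    with a != b and crc32(a) == crc32(b). By the birthday bound the search
    succeeds with overwhelming probability long before `limit` is reached;
    None is returned only if it somehow does not."""
    rng = random.Random(seed)
    seen = {}  # crc32 value -> first input that produced it
    for _ in range(limit):
        data = rng.getrandbits(64).to_bytes(8, "big")
        crc = zlib.crc32(data)
        if crc in seen and seen[crc] != data:
            return seen[crc], data
        seen[crc] = data
    return None


def crc32_fingerprint(data):
    """32-bit checksum: fine for detecting transmission errors, not identity."""
    return zlib.crc32(data)


def sha256_fingerprint(data):
    """256-bit cryptographic hash: collision-resistant, suitable as identity."""
    return hashlib.sha256(data).hexdigest()


class Whitelist:
    """Set of known-good file contents, keyed by whichever fingerprint
    function the caller chooses (hypothetical helper, not a product API)."""

    def __init__(self, fingerprint):
        self._fingerprint = fingerprint
        self._known = set()

    def add(self, data):
        self._known.add(self._fingerprint(data))

    def is_trusted(self, data):
        return self._fingerprint(data) in self._known


def demo():
    """Whitelist one input of a CRC32-colliding pair, then look up the other.
    Returns (accepted_by_crc32, accepted_by_sha256): the CRC32-keyed list
    wrongly trusts the unlisted input, the SHA-256-keyed list does not."""
    good, other = find_crc32_collision()
    by_crc = Whitelist(crc32_fingerprint)
    by_sha = Whitelist(sha256_fingerprint)
    by_crc.add(good)
    by_sha.add(good)
    return by_crc.is_trusted(other), by_sha.is_trusted(other)


if __name__ == "__main__":
    print("expected CRC32 collisions in 300,000 entries:",
          round(expected_accidental_collisions(300_000, 32), 1))
    print("false accept by CRC32, by SHA-256:", demo())
```

The accidental-collision figure is the milder of the two problems: it means a 32-bit keyed list of that size cannot even tell some legitimate, unrelated files apart. The search result is the stronger one: a fingerprint that two arbitrary inputs can share after a few hundred thousand trials offers no guarantee that a file matching a whitelist entry is the file that was vetted, which is exactly the property a safelist "businesses can rely upon" needs from a cryptographically sound hash.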