COMODO Internet Security 3.5.61373.458 BETA Q&A's, Feedback [CLOSED]

I had some “Q’s” for which I was hoping you could provide “A’s”

Q #1
Previously, Comodo Memory Firewall blocked the following types of attacks:

  • Detection of Buffer Overflows which occur in the STACK memory
  • Detection of Buffer Overflows which occur in the HEAP memory
  • Detection of ret2libc attacks

Is this same protection incorporated into CIS, or were there any additions/changes to the protection?

Q #2
Why is it called “Image Execution Control” when the execution control applies to much more than images? The help file does not provide the answer. If this protection applies to any executable in the “files to check” list, then it may be more clear to name this window “File Execution Control.” That seems more intuitive to me. This would also make it clear why the “buffer overflow” protection is placed in this window (since it applies to the execution of files, not just images). Maybe there is a good explanation for the current format; if so, maybe someone can explain it to me (because it ain’t obvious).

Q #3
Which of the following does the buffer overflow protection apply to?
1) All executables not on the exclusion list?
2) Only executables not on the exclusion list and present on the “files to check” list? (see 1st pic)

Having an “exclusion” list and a “files to check” list in the same window may be very confusing because they seem to be mutually exclusive (i.e. check these but don’t check these!). Perhaps these should be separated to avoid confusion (See 2nd pic for a way of doing this).

Whoop


I dropped the processing priority for the initial system scanner (cfpconfg.exe) to Below Normal, and system responsiveness seems to be significantly improved while scanning with little apparent impact on scanning. Please consider making this change. Also for the regular on-demand scanner.
Thanks for listening and for CIS,
John

Please make creation of a desktop shortcut optional in the installer.
Thank you for listening and for CIS,
John

I removed the release version of CIS before installing the beta.
Install went smoothly, and the initial scan found only one false positive (no true positives).
A desktop shortcut was created without asking. This should be optional.
After reboot two additional false positives were immediately reported.
I then manually scanned the directory with the first false positive.
It was found again, and I Ignored it.
However, that false positive did not appear in Anti-Virus Events, a bug.
(Separate bug report posted.)

Maybe I’m blind but where can I find the memory firewall and the heuristics?

Memory firewall is in Defense + under Image Execution Control Settings (buffer overflow is at the bottom of the General Tab).

Heuristics are in CAV under Scanner Settings (top of the list for every tab).

This might have been answered, but is BOClean integrated now? Also, I’m seeing a better boot speed & logon speed compared with previous versions.

Logon time is down 1 second, boot time down about 6 or 7. May sound like tiny numbers, but considering how fast my PC is, it’s always good to be faster!

Q1: It will protect everything you mentioned and like the full Comodo Memory Firewall.

Q2: Help File is not updated in a beta. As for Image Execution, IMO it’s just better integration work and “Execution” of a BO attack is the key here.

Q3: Exclusions on Memory Firewall will not monitor for, As I said it will prevent a BOAttack in every way… If you’re worried about the protection you can try the BOTester in the Memory Firewall board.

Just FYI… A few months ago, Memory Firewall wasn’t ready for integration - It’s a very sophisticated piece of code and unless Comodo was 110% sure to integrate it, then left it in development beta for a while (Memory Firewall) so there are improvements in this one.

Cheers,
Josh

It will be incorporated after this beta (Eg after final release).

Cheers,
Josh

One other thing that is new… Settings are expanded (Eg now there is ThreatCast on/off button and Proxy Config).

Cheers,
Josh


Josh, thanks for the info regarding my previous post. I have some follow up comments/questions.

Okay, the help file will be updated. But, I am not sure if your response completely addresses my question or the issues that were raised. Can you expand on this: Why is it called “Image Execution Control” when the execution control applies to much more than images? Wouldn’t it be more clear to name this window “File Execution Control”?
Maybe I am missing something?

I am not worried about the protection, I just think the interface is confusing: “exclusions” and “files to check” could apply to either/both BO protection and control level. It is like posting a “left turn only” and a “no left turn” sign next to each other. Most users will be able to correctly guess that the “files to check” refers to the control level and that the “exclusions” refer to BO protection, but users should not have to guess…the GUI should not be ambiguous.

Thanks in advance,
Whoop

P.S. For you wise guys, “BO protection” does not stand for “body odor protection” and does not refer to deodorant! :)

I see. Thanks.
Will have a look later

Really impressed: no slow first boot, no false positive, all set to high.
First sig update from 1 to 301 did not take long, no reboot required.
Thank you to the team.
D.

Still no comment why SafeSurf is included with the installer, despite that CMF is integrated in the Image Execution Settings? Those of you who installed SS, did you get it in the tray like expected?

Thanks

First update was really slow. Now it is doing great

Image Execution & Memory Firewall being in it I have no idea. :-[ Maybe a Developer can confirm, or Melih.

Cheers,
Josh

Yeah true!

But it’s only a test DB…

Cheers,
Josh

What do you mean by that? a test database? No real signatures?

why my copy of cis the db says 301 under win7 and under winxp is 933??? is the new beta BTW

It’s 301 under Vista as well. ???

Well this is weird!!!

Melih!!! Pls can you answer this?? Is this a test DB?? I thought you said something like that. Detection rate dropped A LOT!!!
Heuristics module is detecting LOTS of samples!! This is good!!