Hello Everyone,
Since we released CIS 8, more and more fellow testers are testing it against malware. It is always great to see results, from testing organizations as well as independent reviewers.
It is a new product with some new features, so I wanted to post a few tips here for anyone who would like to understand the security architecture and design the test methodology accordingly.
CIS 8 has multiple layers of security, and each has its own purpose in combating malware:
1 - URL filtering: Blocks a malicious URL during browsing and stops malware before it enters the PC.
2 - Antivirus: Detects a malicious file before it is executed on the PC.
3 - Viruscope: Detects a malicious file after it is executed on the PC.
4 - Auto-Sandbox: Blocks unknown files from damaging the PC while they are being executed.
Fellow testers already know about these layers from previous versions as well. However, with CIS 8 we have introduced a few improvements:
Auto-sandboxing is now more intelligent. By default, the CIS 8 sandbox automatically sandboxes unknown files that come from the Internet or are run from removable or network drives. Realistically, almost all consumer infections now come from files originating on the Internet: you can download an infected file, receive it as an email attachment, etc. This behavior can easily be changed with a simple configuration change, as explained in
https://forums.comodo.com/news-announcements-feedback-cis/how-to-automatically-sandbox-all-unknown-files-in-cis-8-like-cis-7-and-cis-6-t108576.0.html
The test setup should consider these facts and be realistic. For example:
1 - Are you testing CIS for protecting a clean PC? If so, having a folder full of malware before installing CIS is not a realistic case, because the PC is not clean. The same applies to copying files from a host computer to a test virtual machine. In such cases, you should configure CIS accordingly so that it automatically sandboxes all unknown files, including existing unknown files. See the link above on how to do this.
2 - Are you setting up a consumer PC and testing real-life scenarios such as infection from a web site, through email attachments, USB drives, etc.? The default configuration is enough. Go for it. Torture CIS with all such scenarios: downloading active malware, opening an attachment, downloading a zip file, extracting malware and running it, etc.
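One practical way to keep scenario 1 realistic without switching CIS to the "sandbox everything" configuration is to make samples copied from the host look like downloads. Windows records a file's download origin in an NTFS alternate data stream named Zone.Identifier (the "mark-of-the-web", ZoneId=3 meaning the Internet zone), which is what browsers and mail clients write to saved files. The script below is an added example, not Comodo's code or part of this post; whether CIS 8's "from the Internet" rule keys on this stream is an assumption, as the post does not say, and $SampleDir is a hypothetical folder of test samples. It tags every untagged file and reports the zone before and after, so the tester can confirm the samples carry the same metadata a real download would.

```powershell
# Added example (not Comodo's code): tag test samples copied from the host with the
# Windows mark-of-the-web so they carry the same Zone.Identifier stream a browser
# writes to a downloaded file. Requires an NTFS volume (ADS support).
# ASSUMPTION: that CIS 8's "from the Internet" rule looks at this stream.
param(
    [Parameter(Mandatory = $true)][string]$SampleDir,  # hypothetical sample folder
    [int]$ZoneId = 3                                   # 3 = URLZONE_INTERNET
)

function Set-MarkOfTheWeb {
    param([string]$Path, [int]$ZoneId)
    # Same two-line payload that IE/Edge/Outlook write on download.
    $content = "[ZoneTransfer]`r`nZoneId=$ZoneId"
    Set-Content -Path $Path -Stream 'Zone.Identifier' -Value $content -Encoding Ascii
}

function Get-MarkOfTheWeb {
    param([string]$Path)
    # Returns the ZoneId if the file is tagged, or $null if it looks local.
    try {
        $text = Get-Content -Path $Path -Stream 'Zone.Identifier' -Raw -ErrorAction Stop
        if ($text -match 'ZoneId=(\d+)') { return [int]$Matches[1] }
    } catch { }
    return $null
}

Get-ChildItem -Path $SampleDir -File -Recurse | ForEach-Object {
    $before = Get-MarkOfTheWeb -Path $_.FullName
    if ($null -eq $before) {
        Set-MarkOfTheWeb -Path $_.FullName -ZoneId $ZoneId
    }
    [pscustomobject]@{
        File       = $_.FullName
        ZoneBefore = $before
        ZoneAfter  = Get-MarkOfTheWeb -Path $_.FullName
    }
} | Format-Table -AutoSize
```

Run it inside the test VM after copying the samples over: `.\Tag-Samples.ps1 -SampleDir C:\samples`. A file whose ZoneBefore is blank was indistinguishable from a locally created file before tagging, which is exactly the unrealistic case described above. To undo the tagging for a comparison run, `Unblock-File` removes the stream again. If you would rather test with the "sandbox all unknown files" configuration from the linked post, this tagging is not needed.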
Let us know if we can help you understand the scenarios better.
Thanks,
Egemen