I have seen this post so interesting (thanks Kees1958) that I’m going to copy paste it here ;D
I hope that comodo devs could take some ideas.
I have seen some good initiatives like NovaGuard, Primary Response Safe Connect, Buster's Sandbox analyser, Online Armour, SpyShelter, ThreatFire, PrevX and HitmanPro, each with smart ideas to assess risk and impact, but never seen an application which made it simple for the security enthusiast to determine whether to allow or deny actions of a 'new' program.
When I may cherry pick the goodies of some security applications, I would like to know:
a) whether the program is signed and/or from a trusted vendor (e.g. Online Armor), and what the origin is of the program like Internet, USB (PrevX heuristics adjustments)
b) whether the program showed some intrusion characteristics (e.g. Buster’s Sandbox Analyser explained in terms Primary Safe Response used to have) like
- collects data (keyboard, print screen etc)
- connects to internet
- changes process flow (debugging, dll-injection, process manipulation)
- messes with the Windows rights/policies/authority system
- changes system configuration (registry keys/loading driver/starting service/registering a dll)
- survives reboot (driver/service installation, autorun registry manipulation)
c) Smart forensics (HMP, PrevX) explain whether this sequence of events matched the typical behaviour of say a key-logger, trojan, rootkit, etc. and like NovaGuard these intrusions had accumulated a malware-risk score (before development stopped, NovaGuard had the option to add specific ‘malware’ points to intrusion categories listed at b).
Is this so hard (PrevX and TF already track file, registry and process changes) to realise or is the potential market that small (only me )
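Added example, not from the quoted post or from any of the products it names: a small Python scorer that sketches the three parts of the wishlist above (a: signing and origin, b: intrusion categories with accumulated malware points, c: matching the observed sequence against typical behaviour profiles). The category names, point values, profile sets and thresholds are constructed assumptions for illustration only.

```python
"""Behaviour-based risk scorer in the spirit of the wishlist (parts a, b, c).
All names, points, profiles and thresholds are constructed assumptions."""
from dataclasses import dataclass

# b) intrusion categories with constructed 'malware points' per category
CATEGORY_POINTS = {
    "collects_data": 3,          # keyboard hooks, screen capture
    "connects_internet": 1,
    "changes_process_flow": 4,   # debugging, dll-injection, process manipulation
    "changes_rights_policy": 3,  # tampering with rights/policies/authority
    "changes_system_config": 2,  # registry keys, driver, service, dll registration
    "survives_reboot": 3,        # autorun, driver/service installation
}

# c) constructed behaviour profiles: categories a malware class typically shows
PROFILES = {
    "keylogger": {"collects_data", "connects_internet", "survives_reboot"},
    "rootkit": {"changes_system_config", "survives_reboot", "changes_process_flow"},
    "trojan": {"connects_internet", "changes_process_flow", "survives_reboot"},
}

@dataclass
class Verdict:
    score: int
    matches: list          # (profile name, fraction of its categories observed)
    recommendation: str    # allow / ask / deny

def assess(signed_trusted: bool, origin: str, events: list) -> Verdict:
    """Score one 'new' program from its provenance (a) and observed events (b)."""
    observed = set(events)
    score = sum(CATEGORY_POINTS.get(cat, 0) for cat in observed)
    # a) provenance adjustments: unsigned/untrusted and risky origin raise the score
    if not signed_trusted:
        score += 2
    if origin in ("internet", "usb"):
        score += 1
    # c) smart forensics: which typical behaviour patterns does the sequence match?
    matches = []
    for name, profile in PROFILES.items():
        fraction = len(observed & profile) / len(profile)
        if fraction >= 0.66:          # constructed threshold: two of three categories
            matches.append((name, round(fraction, 2)))
    matches.sort(key=lambda m: -m[1])
    recommendation = "allow" if score < 5 else "ask" if score < 10 else "deny"
    return Verdict(score, matches, recommendation)

if __name__ == "__main__":
    # constructed sample: unsigned download that hooks the keyboard and persists
    print(assess(False, "internet", ["collects_data", "connects_internet", "survives_reboot"]))
```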