Defense+ file integrity detection

gpnx.

I STRONGLY suggest you search the forums and read up a little. We already mentioned this before:
Comodo already had this “integrity check” !
Comodo already had this “integrity check” !
Comodo already had this “integrity check” !

Josh

Ok, let's straighten things out:

When I run an installation (and please don't argue about how I should run it in a sandbox), that installation has enough rights to modify existing files, right? (Even more so since Comodo itself switches to install mode, I guess with less security/monitoring.) (1)

When I run a process which is trusted (iexplore, explorer.exe, cmd.exe, etc.), it has enough rights to modify stuff without notifying me, right? (2)

How does Comodo associate policies with executables? Is it just by the file path (it seems like that in my test)? (3)

So, I believe the developers kind of answered (1) as true, (2) as true, and for (3) I am not sure.
So, if 1 and 2 are true, then a possible malware executable can obtain the policies associated with the original executable without the user's consent.

And again, if you check the Microsoft security bulletins, you will know that hacking into some of the system processes and using them is not unheard of. This is one way for the hackers to "break in". This is the reason for the memory protection.

Anyway, my post was intended to help (I think) improve CFP, because I like it.

Can you please explain to me then how to enable it (for my scenario)? Or link me to a post explaining it? I did search a lot on the forums before I posted.

gpnx, maybe you started in a wrong tone and half of the opposition came from that (:WIN). A nice lesson for you.

As far as my previous experience of these matters goes, I agree with you fully. An integrity check is necessary for the protection we strive for. I'm interested to learn about the new type that egemen speaks of, but from what I have read till now it will not be enough.

My understanding is that the internet consists of about 10% absolutely secure sources, 30% proven malicious ones, and the vast majority lurking in the unknown. For people that use PCs exclusively for business and sensitive matters there is not any doubt: no installation of any unknown or not so important software, IP blocks on everything except the necessary connections, and so forth. But the majority of internet users and Comodo users are people who want to experience the phenomenon that is the internet, to try new stuff, connect with others, experiment with creative ideas. Which in most cases are not guaranteed in any way. Some genius made a nice free program with just 3 versions and you want to try it, etc. I'm not gonna expand on this, but that's the idea in a nutshell.

So probably for everyone there will come a moment to install something not 100% trusted. And hardly anyone will do it without "install mode". And then the problem could occur.

The two apps that I used before Comodo, Kerio 2.1.5 and SSM, had an integrity check and were very light on resources.

But again I’ll monitor here to see more of what egemen says :slight_smile:

Comodo doesn’t switch to install mode unless you tell it to. It is not an automatic feature.

Yeah, I use Comodo already.

So are you agreeing with me delerio?

ALL security applications have their failures. Defense+ (part of CFP) is no exception. Defense+ does provide great security. As mentioned before, we can set Defense+ to installation mode and that way it won't alert us, or won't alert us as much. But we only do that if we trust the application we are installing. I do believe that we do not install anything we never heard of and never saw a review of on sites such as cnet, softpedia, etc. If some people do try apps without knowing more about them, then it is their problem to try them and set Defense+ to installation mode.

If that's the case, then why not use a behavior blocker? I have already suggested such a tool for Comodo to develop for such users: those users who make wrong choices when it comes to judging an application/process. But you have plenty of tools like that, some free, some paid: ThreatFire, Norton AntiBot, Emsisoft Mamutu, and many others.

So, taking this scenario into account, those users can add this layer of security to work alongside Defense+.

Hell, I even think that people should use behavior blockers anyway. There is no such thing as too much security. Why? As I said before, no security tool protects 100%, nor does everything we've got on the system. So why not use layered security to protect ourselves the best way possible?

Of course there are things that should be improved in Defense+. I already alerted about some weaknesses of it in the leaks thread. Why? Because I use Comodo Firewall Pro with Defense+ and I want it to protect me the best way possible, and I can only have that if I tell Comodo what needs to be improved, and not call it a joke.

All the best

I meant in my first posting that people will manually use "install mode" for convenience :wink:

I still don't understand what the problem is. You can modify a program because "explorer.exe" usually has those permissions, but for malware to modify a trusted program, you have to allow "Malware.exe" to modify "Notepad.exe".

In "install mode" it is possible, I think.

No. Install mode is for installing things. Have you ever used install mode? If I am installing something, the first thing I do is put D+ into install mode by clicking on "switch to install mode" via the main GUI. Then I go back into Comodo and click "switch to previous mode". Then I launch the program I just installed, and as all of us know what happens... you get a D+ alert about Explorer.exe trying to allow program ".

Instead of questioning Comodo's D+ and calling it a joke, why don't you look hard at yourself? If you're installing something you have no idea about, then you deserve to be infected.

Because this is the root of the issue. You modifying it or a virus modifying it are 2 different and detectable things. Why bother the user with this again? Of course, if you don't want that, and if you believe you are a HIPS expert, you can delete the default policy of CFP and create your own. You will see it is going to ask you more than you want. You are trying to think that the previous approaches, like keeping hashes for applications etc., are the smartest way. We were doing this in CPF 2.4 because we did not have full file system inspection. CFP 3.0 has "Stateful File Inspection". This means it knows everything modified in the system and acts accordingly.

It PREVENTS unauthorized modification instead of detecting it and letting you know. Stateful File Inspection is a very well thought out algorithm and more powerful than so-called signature checking software. There are many viruses in the wild which can change some files in ways that none of those so-called SHA1 hash checking programs can detect.

Let's see this scenario: some system component got hacked (there are incidents like this all the time; just check the MS security bulletins). Sooo, a hacker gains access and changes stuff.... HERE is where HIPS should help: notifying me that a previously trusted exe/file got modified.

Let's see this scenario:
I run an install program, I set it to "treat as installer bla bla", it has all rights etc., so it modifies stuff that I don't know about. THERE I NEED HIPS to tell me what/if something gets modified that should not. And it's plain logic to not treat the app which has changed as the same one...

Oh, in this case you should worry about more things than file modification. You are running a virus with maximum access rights (installer or not, if it is modifying something you don't want), and expecting HIPS to help you by listing the modified files. If your only aim is to get the list of modified files, set CFP to Clean PC mode, and CFP will again intelligently list for you the files that were modified and are NOT SAFE.

But you are already doomed in the first place. Plus, if you are technically qualified enough to differentiate between legitimate changes and illegitimate changes, why aren't you just letting CFP ask you about each and every file modification request and approving/disapproving it, instead of checking the changes after the fact?

Windows Update updates your files almost every day. So every time a file is updated, should the integrity of the system be assumed broken? This is of course not the case. The keyword for you to search more on is "Stateful File Inspection".

E

Yep. He needs to play more and understand the D+ operations deeply. He is assuming D+ is incapable rather than that it is smarter than his previous HIPS.

The only thing I can think of to relate to this is that a while back I tried Online Armor for a bit. A patch came out for one of my games (WoW), so I applied the patch. WoW was already a trusted program in Online Armor. After the patch was done I launched WoW. Online Armor gave me an alert that a trusted program had changed and asked if I wanted to allow this change, so I clicked allow. I did the same thing with Comodo and I was never alerted of the change.

Very Good Egemen!

Google= Stateful File Inspection :-TU

  1. There seem to be more discussions of stateful PACKET inspection, not file. The only reference to stateful file inspection I found is on the Comodo forums:

https://forums.comodo.com/feedbackcommentsannouncementsnews/application_control_checksum_hash_control_and_gui_redesign_v3013268-t15702.0.html

Which actually brings up the same issue I brought.

In that post someone mentions that if I have a FIREWALL policy, not just a Defense policy, for my executable, I will get notified if it changes. I tried that and did not get notified :frowning:

Anyway, the point I am trying to make here, and it seems the developers don't agree with me for some reason, is that there are ways to get around that "stateful inspection" of yours, namely installations and hacked trusted apps. Both of these are very common, and the only thing I am asking for is to be notified when an executable for which I have firewall/defense policies is modified.

There are no ways to get around it. You are just making legitimate changes and assuming you are getting around it. If you install the simple firewall and NOT Defense+, CFP will still prompt you before the change happens. CFP has patent-pending algorithms, so it is OK that you are surprised it works differently from other software. For example, Stateful File Inspection is a term only we use in house to describe CFP's file modification logic.

If I were you, I would install CFP in a virtual machine, find some viruses, and run them against it. After all, all viruses infect other executables and hence cause those so-called changes in the trusted applications. See the alerts, gain some confidence. This is the right direction.

1) For the installation I mean any installation. For example, you download a piece of shareware to try. Then suddenly it has some hidden "features"... It changes, for example, some apps for which I already have rules. I just want to be notified about that. And I understand I RAN this install, but hey, I have to install stuff.

2) Just check what the latest Microsoft security patches are and you will get the idea of what I am talking about.

I just tried the Clean PC mode again and I get notifications about changed exes (in the pending files). Now, can we get these notifications in Safe/Paranoid mode, and can we also automatically mark the policies of these modified exes as needing review or something?

Again, my point is: if an exe I have a policy for gets modified, I want this policy to require my review. Let's forget about hash checksums etc., just this plain requirement. If there is a feature currently that I can enable to have this, I will be so happy.
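The plain requirement stated in the post above (a policy keyed to an executable should be withheld and flagged for review once that file's contents change, whether an installer, a Windows update or an attacker rewrote it) is small enough to show in code. The following is an added example written for this thread; it is not Comodo's code, not how CFP or its "Stateful File Inspection" works, and it is not anyone's post here. The `PolicyStore`, `Policy` and `demo` names, the rule text "allow outbound" and the `trusted.exe` file are all made up for the illustration; the file contents are constructed stand-ins, not a real binary.

```python
"""Added example: path-keyed HIPS policies re-checked against a SHA-256 baseline.

A policy keyed only by path is inherited by whatever file later occupies that
path (an installer rewriting it, or a replaced binary).  Recording the hash at
the time the rule was granted lets the store withhold the rule and flag it for
review the next time the path is looked up with different contents.
All names here are illustrative (not Comodo's); the files are constructed.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, Optional


def file_sha256(path: str) -> str:
    """Hash the file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


@dataclass
class Policy:
    rule: str            # hypothetical rule text, e.g. "allow outbound"
    sha256: str          # contents the rule was granted for
    needs_review: bool = False


class PolicyStore:
    """Policies keyed by absolute path, honoured only while the hash matches."""

    def __init__(self) -> None:
        self._policies: Dict[str, Policy] = {}

    def grant(self, path: str, rule: str) -> Policy:
        """Record a rule for the file exactly as it exists right now."""
        p = Policy(rule=rule, sha256=file_sha256(path))
        self._policies[os.path.abspath(path)] = p
        return p

    def lookup(self, path: str) -> Optional[str]:
        """Return the rule if the file is unchanged.  Otherwise mark the policy
        as needing review and return None so the caller falls back to prompting
        the user instead of silently reusing the old decision."""
        p = self._policies.get(os.path.abspath(path))
        if p is None:
            return None
        if not os.path.exists(path) or file_sha256(path) != p.sha256:
            p.needs_review = True
            return None
        return p.rule

    def pending_review(self) -> Dict[str, Policy]:
        """Policies whose executable changed since the rule was granted."""
        return {k: v for k, v in self._policies.items() if v.needs_review}

    def accept_change(self, path: str) -> None:
        """The user reviewed the modified file and kept the rule: re-baseline."""
        p = self._policies[os.path.abspath(path)]
        p.sha256 = file_sha256(path)
        p.needs_review = False


def demo() -> dict:
    """Walk through grant -> in-place overwrite -> review on a constructed file."""
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "trusted.exe")
        with open(exe, "wb") as f:
            f.write(b"MZ original trusted binary")   # constructed stand-in for an .exe
        store = PolicyStore()
        store.grant(exe, "allow outbound")
        before = store.lookup(exe)                   # "allow outbound"

        # An installer (or anything else with write access) overwrites the file
        # at the same path.  A purely path-keyed store would hand the new
        # contents the old rule; this one withholds it.
        with open(exe, "wb") as f:
            f.write(b"MZ something else entirely")
        after_change = store.lookup(exe)             # None: rule withheld
        flagged = list(store.pending_review())       # [".../trusted.exe"]

        store.accept_change(exe)                     # user reviewed, kept the rule
        after_review = store.lookup(exe)             # "allow outbound" again
    return {
        "before": before,
        "after_change": after_change,
        "flagged": flagged,
        "after_review": after_review,
    }


if __name__ == "__main__":
    print(demo())
```

The lookup deliberately returns `None` rather than "deny" on a mismatch: the point of the request in the thread is that a changed executable should fall back to a fresh prompt, not be silently blocked or silently trusted. Re-baselining only happens through `accept_change`, i.e. after a human has looked at the change, which is what distinguishes a legitimate update from an unwanted rewrite in this model.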