FAIL FAIL FAIL FAIL comodo.. (long post..) =)

https://forums.comodo.com/feedbackcommentsannouncementsnews_cis/how_will_behaviour_analysis_prove_useful_for_cis_closed-t36853.0.html

That thread is now locked unfortunately… :-
Anyway, a new similar thread is made because I felt the topic was not dead just yet…

I would like to know why Comodo feels the need to even consider a BB in CIS? 88)

Comodo is well aware that a BB will mean no added protection to CIS; Melih knows this, and so do most on the forum too… :-TU

Testing?

It could mean better results on some virus tests, as most seem to refuse the testing of HIPS… Still, if that is the reason, then it’s something that goes against Comodo’s stance on tests, that it won’t add unnecessary bloat just to pass some tests… A BB would be just BLOAT. We are protected to the extent of any BBs COMBINED and BEYOND, thanks to D+… 88)

WHY BB’s DON’T WORK:
A BB puts FPs over security. E.g. writing to the registry: a HIPS would alarm. Adding to startup: HIPS alarm… A BB adds parameters to not give FPs. Those doing BBs know that some malware adds itself to startup, but a lot of legitimate applications do that too… so there must be more parameters to say “hey, it’s bad”, or it would be just as poppy as a HIPS. E.g. adding to startup won’t mean an alert (too many FPs), but adding to startup + more bad stuff, e.g. writing to protected registry parts, will, because not many legitimate progs do that, but much malware does…

This is a total fail against new viruses 88) that could behave normally enough not to trigger an alert. And a lot of them can, because so many legitimate applications do the same stuff malware does; a BB tries to avoid detecting those good apps, and in the same attempt to not detect those doing it on a legitimate basis, malware acting similarly will avoid detection too…

This is why Prevx and probably all BBs rely on signatures also… So they can catch the “few” (20%)? ;D that get undetected, after they most likely already infected a lot of people left without warnings…

ADDING a BB will not mean any more protection. If someone claims something else, then HOW will this enhance CIS?? A BB IS WEAKER BY DESIGN, IT’S DOOMED TO NOT HAVE AS GOOD DETECTION AS A HIPS, NEVER EVER… What in the world does a BB detect that a HIPS can’t??? ??? And if a BB “happens” to detect something a HIPS fails to, then just add more interception… :-TU

Also, a HIPS and a BB CAN run together, BUT will provide LESS security, or more popups with no added security… :-\

The options to implement this are:

  1. You leave the task of defending you mostly to the BB; then you have weaker protection.
  2. You leave both on; then D+ will catch everything anyway, but you might get extra warnings from the BB on the few occasions it detects something D+ already detected… making a BB pure BLOAT… that increases the number of popups, for nothing.

D+ is Comodo’s BIG GUN; it shoots every piece of baddie… It’s what makes Comodo’s PREVENTION AS FIRST LAYER approach; the thing that Melih spoke so well about in his blog would not be there any more. A BB is NOT PREVENTION as FIRST LAYER… It’s called catching up, one more “detection” layer (the layer that has failed users since day one, and still does).

My experience:

I was very happy and have always been with CFP, CIS and similar… I also liked the attitude presented on the forum after reading a few of Melih’s and various members’ posts… Security goes first, no bloat just to pass tests and look a bit better on paper… Also, it was a happy surprise when CIS 3.8 was released: both INCREASED security and a good job to LOWER the number of popups were presented, all without decreasing security…! Comodo proved that it won’t back off from hard challenges and instead takes the hard, but right, way to secure users to 100%… I think in the future the goal should still be catching 100% of malware, and not fall down to other vendors’ low standard where catching 40-60% of new threats is acceptable or even seen as a good level (“after all, we catch what we know…”)… CIS catches what it knows, and what it doesn’t know, thanks to the DENY system approach…

Conclusion:
Improving the Default DENY approach (D+) and the white list is the way to GO… :a0 As a BB is the same as a HIPS with a TWIST, making it weaker… there are no arguments whatsoever showing that a BB would improve security; usability should be the focus on the current D+ instead of putting a huge team to develop junk.

Or, while we are doing a less powerful HIPS, why not make a less powerful firewall too? TCP filtering should be sufficient for most people… UDP is just overkill… Instead of tweaking CFP, let’s make a new product that does the same, filter packets, just not as well, because that is sufficient for most people… and of a bit less disturbance… =S And a new CSC, without all the clean history and registry, should do it! Making it easy to use.
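The scoring argument in the post above (startup entry alone does not alert, startup plus protected-registry write does, and a sample that only does what an installer does slips through) as a toy model. This is an added illustration, not Comodo’s or the poster’s code; the action names, weights and threshold are assumed values chosen for the demonstration.

```python
# Added illustration (not Comodo's or the poster's code): a toy HIPS next to
# a toy behaviour blocker (BB), run over constructed action traces.
# The HIPS raises one alert per intercepted action; the BB adds up
# per-action weights and alerts only when the total crosses a threshold,
# which is why a sample that stays "normal enough" slips past it.
from dataclasses import dataclass

# Assumed weights, chosen for illustration; not any vendor's real tuning.
BB_WEIGHTS = {
    "add_startup_entry": 1,         # common in legitimate installers
    "write_protected_registry": 3,  # rare in legitimate software
    "inject_into_process": 4,
    "write_user_file": 0,           # never suspicious on its own
}
BB_THRESHOLD = 3
# A HIPS intercepts every sensitive action, regardless of how common it is.
HIPS_MONITORED = {"add_startup_entry", "write_protected_registry", "inject_into_process"}


@dataclass
class Verdict:
    hips_alerts: int   # popups a HIPS would raise for this trace
    bb_score: int      # cumulative BB score
    bb_alert: bool     # whether the BB crossed its threshold


def score_trace(trace, weights=BB_WEIGHTS):
    return sum(weights.get(action, 0) for action in trace)


def evaluate(trace, threshold=BB_THRESHOLD):
    """Run both models over one process's action trace."""
    hips_alerts = sum(1 for action in trace if action in HIPS_MONITORED)
    score = score_trace(trace)
    return Verdict(hips_alerts, score, score >= threshold)


# Constructed traces, not real samples. The stealthy one deliberately
# performs the same actions as the legitimate installer.
TRACES = {
    "legit_installer": ["write_user_file", "add_startup_entry"],
    "noisy_malware": ["add_startup_entry", "write_protected_registry"],
    "stealthy_malware": ["write_user_file", "add_startup_entry"],
}


def compare_all(threshold=BB_THRESHOLD):
    return {name: evaluate(trace, threshold) for name, trace in TRACES.items()}


if __name__ == "__main__":
    for name, v in compare_all().items():
        print(f"{name:17} HIPS popups={v.hips_alerts}  BB score={v.bb_score}  BB alert={v.bb_alert}")
    # Lowering the threshold so the BB catches the stealthy sample also
    # makes it alert on the legitimate installer: it has become a HIPS.
    print("threshold=1:", {n: v.bb_alert for n, v in compare_all(threshold=1).items()})
```

With the default threshold the BB is silent on both the installer and the stealthy sample, while the HIPS pops up once for each; dropping the threshold to 1 catches the stealthy sample but also flags the installer.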

Default Deny is our approach…nothing changed… we are improving usability…

@ Monkey_Boy=)

What behavior blockers are you having in mind, to make such comparison?

@ Melih

How will a behavior blocker (what do you also have in mind as a behavior blocker?) prove useful for usability?

Thanks

Thanks for your reply Melih, I had a feeling naming the thread “FAIL FAIL FAIL FAIL comodo” would catch your attention! :wink: ;D

Sounds like a misunderstanding from my side then… the plan is not to switch D+’s excellent prevention in favour of a “smart” BB? The default deny everything will still be the CIS approach?!

Still I don’t get it to add up…
If I get this correctly, it sounds like the plan is to run them alongside somehow, just a bit smarter for the popups, less alerting or something?? The most important thing to me is that CIS still maintains security, whatever changes it makes… Intelligent programs are not always the best.

Correct me if I am wrong, but BBs can not come in the class of a HIPS in prevention due to their design…
ISN’T THAT TRUE? :wink:

Still, I can see why you want it for ordinary people… They could benefit from more precise alerts, I guess… even if they won’t be as fully covered… :-\

COMODO plans to keep the HIPS module it has maintained for so long and keep adding detection if new tests are presented proving to bypass D+’s interception abilities…? Not dropping it for the BB?

I have a bad feeling about this one… =/

A BB is weaker by design… I just proved that in my long post, I think… If you want a BB as strong as a HIPS, then you must make it act like a HIPS, alerting for everything, but then it’s not a BB anymore.

BBs ignore some baddies in favour of fewer FPs… it’s “intelligent” and catches fewer “good” programs, but malware acting similar to “good” programs will not be caught either…

While the HIPS just alerts for everything…

=) No need to worry about what’s good and bad… and no chance for a bad program to act good enough to avoid detection… =)

Is it not possible to implement a BA/BB to run alongside Defense+, such that if the BA/BB detects something it will be flagged (a popup), and Defense+ runs as always (anything unknown will be flagged)? The two never stepping on each other’s toes so to speak?
This, to me, sounds like an ideal approach, giving the best of both worlds.

Maybe so, but wouldn’t that INCREASE the number of popups?
I mean, first D+ alerts a lot… then if it’s bad, or at least the BB thinks so, BAM, new alert? :slight_smile: :smiley:

Better would be that D+ gets more intelligent, I think… It already alerts of “malware behaviour” from time to time… Maybe more of those kinds of alerts would be good… and making them STAND OUT more!

EDIT: I see your point… A BB analysis on top WOULD BE GOOD!!
Especially for “noobs” pressing “YES YES”… =) but this alert has to stand out… a LOT :smiley: :slight_smile:

And HIPS has to be there to preserve security… =)

Using the startup section is so 2002. Today, most properly written stuff patches system files or infects them.
And when explorer.exe starts, ■■■■ starts too. Besides, BBs aren’t that dumb to be fooled just by a startup item lol.

Hello. I feel obliged as a non-advanced user to give my opinion regarding this. With a few exceptions (autorun via USB, the Adobe exploit, now patched, but from what I read can be triggered by simply previewing the file), malware is installed by the user by clicking on something.

Defense+ gives warnings in 99%, 100% of cases. But it is the user that makes the decision to stop the file or not. So I’m not sure if anyone understands me, but I think that another layer, even if it will not detect all malware, is needed. A smart BB with no FPs. Detect less, but what it warns about is malware.
I’m not sure how installation mode works, but I think that and USB malware are weak points if the AV doesn’t recognize the threat. Everybody wants to install something; they’ll choose installation mode, but the exe doesn’t install only the program that I thought. I think you can agree that a simple signature is not enough, so who will stop the malware?
I use only the firewall + another AV, but if you can integrate another layer without using many system resources, I think it would be great.

The BB would never be a replacement for D+ (that would be stupid!). The reason for a BB being integrated is for the purpose of usability, and if the added resource usage would be nothing more than negligible, then I support it :slight_smile:

Guess a BB can’t hurt if added in the right way. :SMLR :SMLR
I mostly made this thread out of fear that it would be replacing D+ to some extent…

Something I would not be happy about… =/

I don’t think anyone would be happy about that apart from RejZoR :slight_smile:

But I agree, adding a BB in the right way could be a big improvement from a usability perspective :slight_smile:

Comodo needs to tell us how this is going to work and how this will improve usability. I can only see this resulting in more pop-ups.

For the average user, I believe that a default configuration that reduces the number of alerts and also uses a BB will provide better protection and less irritation. Recall from the previous thread that a Microsoft study shows that the threshold for UAC alerts in a given session is two - any more than that and the average user becomes irritated. Also, here is what an official representative of Prevx said about a previous Prevx version that featured a HIPS, based upon data they collected: (Introducing, The New Prevx Edge. | Page 2 | Wilders Security Forums)

We needed to retool our product set because an extreme vast majority of users outside of Wilders/other security forums have no idea whatsoever of how to configure an antivirus product to work properly and when to answer Allow or Block to a prompt. Behavior blockers in the conventional sense for the conventional user are not a good match - as famously depicted by Vista's UAC.

Rather than relying on the user who unfortunately makes the incorrect decision more often than not, we have automated the entire process from behavioral gathering to program determination and are now providing HIPS/behavior monitoring/blacklist/whitelist protection to all users regardless of their computer savvy.

By the way, the rep meant ‘HIPS’ where the word ‘antivirus’ was used.

It would be interesting to see the ThreatCast data for users’ choices for malicious behavior…

Defense+ could be tuned by default to mostly prevention of malware execution in the first place. This would provide many fewer popups.

very much so!

How irritated seems to be the question. If an end user is so irritated he is willing to be less protected, I suppose that is his choice, and no protection is worse than none. Is this a valid reason to have a choice?

I wonder if those folks really understand the risks. The expected value of an action is the probability of each possible outcome multiplied in each case by the harm of that outcome. (EV = sum of (Pr × harm) for each outcome.) If even one outcome of the possibilities is really large, the EV of harm can be quite large even if the probability that it occurs is small.

Humans regularly underestimate the danger of low probability events, where often the consequences are so great as to be catastrophic. Hey it was VERY unlikely that on any given flight a terrorist could hijack a plane, but that one in a million chance was not safe to ignore… If a user realizes that a vulnerability is VERY great he puts up with more irritation.

Unfortunately, when the popup comes up, we are not always able to understand the consequences of ignoring a threat. We focus on the low probability that anything serious is wrong! “Oh, I ignored the last popup and nothing bad happened!”

For low-risk machines where there are no passwords, no important personal data, no serious risk that an infection will propagate from it later to other high-value machines (for example, we use a very good antivirus and BB AND do so in a VM), well then maybe it’s OK to live dangerously. The danger is not so great and not so likely! But that is not the case for many users.

The other issue is that when we ignore our own safety we endanger others, for example by hosting a bot that “only” harms others and not the owner of a machine.

So, OK, I understand why people might say less protection is their choice, but I bet they aren’t thinking about both those factors.

The best argument here is that some users will be so irritated as to give up on the security efforts and choose less security. The better educated and aware people are, the fewer of these folks are likely to do so. If Comodo wants to allow people to engage in more risky behaviour, that might be defensible, but the best course is to clearly warn people about the risks when they choose such a configuration and to educate users about the risks. The current CIS walks a line by already making compromises from totally safe computing. Even the max settings are of course not completely secure, and there is no totally secure product anyway. Do users understand the risks, and are they able to deal properly with popups? There is the more important design question. Comodo can make the software more usable, but that may not be enough.

From Engineering Windows 7 | Microsoft Learn

In making our choice for the default setting for the Windows 7 beta we monitored the behavior of two groups of regular people running the M3 build. Half were set to “Notify me only when…” and half to “Always Notify.” We analyzed the results and attitudes of these people to inform our choice. This study, along with our data from the Customer Experience Improvement Program, Windows Feedback Panel, user surveys, and in house usability testing, informed our choice for the beta, and informed the way we want to use telemetry from the beta to validate our final choice for the setting.

A key metric that came out of the study was the threshold of two prompts during a session. (A session is the time from power up to power down, or a day, whichever is shorter.) If people see more than two prompts in a session they feel that the prompts are irritating and interfering with their use of the computer. In comparing the two groups we found that the group with the “Always Notify” setting was nearly four times as likely to have sessions with more than two prompts (a 1 in 6.7 chance vs a 1 in 24 chance). We gathered the statistic for how many people in the sample had malware make it onto their machine (as measured by defender cleaning) and found there was no meaningful difference in malware infestation rates between the two groups. We will continue to collect data during the beta to see if these results hold true in a much broader study.

The more chatty UAC setting provided more irritation, yet no real difference in malware infection rates amongst regular people.

The problem of most people.
They are too LAZY.
They always value convenience.
Let me tell those people one thing:
Move your bodies, use your brains, don’t let it rust.

That is a really Bizarre reply!

UAC sorta nags people to look before they leap. Maybe in time this type of nagging will make people accept a few more pop-ups. These processes, if they happen, are by their nature slow, I am afraid, as people are creatures of habit for starters… (:NRD)