How does Comodo 3.0 detect malware?

Misleading statement, you make it sound like antiviruses can’t detect unknown malware. True, they are not even close to 100% against it, but the best ones are indeed at 60% and above…

The standard and conventional way to test against “unknown” malware is the retrospective test (go read up on it), and the best antiviruses are indeed at 60% and above. They can detect 60%+ of malware that they have no signatures for, so they are at your level and higher.

As for the whole thing about A-VSMART being a lot better than the basic heuristic part (which can detect 60% of unknown malware), I will see it when I believe it.

I would also point out that it is trivial to score high detection rates if you are able to tolerate high FPs. In the extreme case, if I detect everything as malware I score 100%, but I detect every safe file as infected too…

That’s an excellent point.

Personally I feel very uncomfortable that 40% of even the most common known malware can slip through…

Detection is Prevention ONLY if it recognises and detects! I would again refer you to VirusTotal ( http://www.virustotal.com/estadisticas.html ) to see exactly how many current AVs are missing. Hence your point that Detection is Prevention, in the context of AVs, is flawed, I am afraid.

I put a “~” for a reason! That’s the user and unforeseen circumstances! However, the probability of a user getting BOd through a drive-by download and their current AV missing it (because it doesn’t have the signature) is much higher than them making a mistake and allowing a malware, imo.

Melih

Correct me if I am wrong, but I think you are misunderstanding the topic. Comodo’s firewall, as far as I know, is not about ‘detection’; instead it’s about prevention. It is maybe my lack of information, but what the heck do you understand by “cfp detecting x% of known and y% of unknown malware”? I do not agree with the statement “40% of even the most common known malware can slip through…”
What slips through is what you let through…
So IMHO the only excellent point here is “HIPS cannot prevent ~100% of known and unknown malware because that assumes that the user always makes perfect decisions,” as cfp does not use any black list.

“detection is prevention”
I agree, it is a sort of prevention. But if we compare a HIPS to an AV, and assume that a malware which is not yet detected by the AV (not even by its heuristics) is being executed, probably it will do its job without you even knowing about it. But a HIPS would alert you about its execution and probably its further actions. This is also not a 100% protection method; that simply does not exist. (OK, if you don’t even turn on your computer it won’t be infected, lol.)
But using a HIPS you will receive an alert about the possible malware trying to execute and doing stuff. OK, from there it will be up to you what you choose, but at least you will have the possibility of avoiding the malware. Mathematically this is a 50% chance of not being infected (hitting allow is 0%, hitting block is ~100%), but if we put knowledge/experience/common sense into the equation this percentage will be much higher.

Still, I do not suggest relying only on a HIPS, but the only reason an AV has a place next to a HIPS (as a second/backup layer of security) is when we are talking about known malware. Because in this case if a user makes the wrong decision the AV can still save the day. But regarding unknown malware it doesn’t really matter if I have the AV or not. If it gets through the HIPS (first line of defense) there will be nothing stopping it.

Only 60% of unknown malware?
I thought CFP 3.0 would be able to prevent at least 95% of all unknown malware.

It’s quite misleading indeed. So please, somebody shed some light into the darkness where I am regarding this cfp detection stuff.

Do you mean under detection the popup warning about virus-like activity using ‘heuristics’ instead of just informing about z.exe doing something with y.exe? I hope not, as it’s more of a joke than serious detection. It may sound the other way round, but I’m trying to protect cfp from further attacks with the above sentence. It’s a nice and useful feature, but let’s not call it detection. Besides the possible false positives (if we are talking about identifying malware and cfp, then we can consider almost all popups a false positive), IMHO it is not a reliable way of telling malware from legit files. Anyway, as far as I know cfp is not at all about marking things as malware. But the definition these days of detection is identifying something as malicious. Which brings cfp to the AVs’ field, as most of them are about detecting rather than preventing (OK, in one way they are also preventing, but only things that they detect… so in this context I wouldn’t use prevention for AVs). And in the classical sense of detection I think most AVs will beat the hell out of cfp. But hey, it’s not the purpose of cfp. And you know… don’t argue with idiots as they will pull you down to their level and beat you with experience. I think detection is not the level of cfp. Correct me if I’m wrong.

So if this 60% thing is an official statement I suggest to remove it ASAP as it can be misleading.

Defense+ shows you the malware’s activities and you can stop it.

Andreas

There are 2 different things in CFP.

1) HIPS engine that gives you alerts and reports (red alert, orange alert etc). You will be hard pushed to find any malware that can infiltrate the kernel protection engine that CFP V3 has.

2) 60% applies to another small piece of heuristic engine we have added (this is additional to the HIPS (kernel protection)), whereby we detected 60% of the unknown malware that we got submitted over a period of time (please bear in mind that’s a lot of malware, as we get a huge amount of feeds from third parties and our own users). Of course, as I mentioned, the problem with these kinds of stats is that you can only measure what is in your possession; you don’t know what you don’t know. That is the basic problem with AVs: they can’t detect what they don’t know! So the bottom line is that 60% does not relate to our HIPS engine… it relates to a small piece of heuristic code that our guys have written that is in addition to our HIPS engine.

hope this clarifies.
thanks
Melih

One more question: what do we understand as unknown when speaking about malware in terms of cfp? The ones unknown to some av’s?

So this 60% means that, based on your experience with newly discovered malware, cfp will mark 60% of them as possible malware? And of course the additional 40% will fire a normal alert? Thus protecting you from virtually 100% of them but additionally identifying 60% of them as malware? If this is the case, which I was also thinking of, it is a really nice addition. It can help the user when they have to make a decision. But then this 60% does not specify the protection capabilities. So maybe it would sound better that cfp can protect you from ~100% of unknown malware and additionally detect (mark as possible malware) 60% of them.
I just wanted to point out that it can be misleading. For me it’s clearer than ever ;), thanks Melih.

You are spot on Blas! This is an additional feature to give more understanding to the user.

thanks
Melih

USB devices and CDs are an attack vector not involving a network connection and thus I would think are outside the scope of a firewall. I read recently about a case where it looks like one of those “picture frame” devices had a “hidden” autorun file. The way USB flash drives get passed around you can see how bad things can spread. Isn’t this the way the “Sony DRM” software got loaded without the user knowing about it?

Google “windows secrets autorun” for a registry change that is supposed to shut off autorun.

still no info about this ???

I guess there is one way to avoid this with D+:

  • D+ is in paranoid mode
  • svchost.exe is in custom mode in computer security policy with “ask” options and without entries for rundll32.exe in “allowed applications”

So when a flash drive is plugged in there is an alert from D+: “svchost.exe tries to execute rundll32.exe…” Choose block.

What info do you need? What was stated is 100% correct.

The former of course.

The latter is very, very secure, if you respond correctly of course. But that’s a big IF.

Why? Because a lot of innocent programs cause the same “doing something” message.

Of course AVs could do something similar and start detecting everything as possible malware…

I hope not, as it’s more of a joke than serious detection. It may sound the other way round, but I’m trying to protect cfp from further attacks with the above sentence. It’s a nice and useful feature, but let’s not call it detection. Besides the possible false positives (if we are talking about identifying malware and cfp, then we can consider almost all popups a false positive)

So you think prevention means there can’t be FP?

IMHO it is not a reliable way of telling malware from legit files.

Really? Melih thinks otherwise. Wasn’t he boasting of the “smart” thing?

Anyway as far as I know cfp is not at all about marking things as malware.

Me too. It is a classic HIPS like System Safety Monitor etc. I mentioned “smart” behavior blockers like ThreatFire, but suddenly I was told that CPF had the most advanced intelligence, which would indeed put it in the business of marking things as malware (based on guessing about behavior), as opposed to simply reporting x did y and letting the user decide.

But the definition these days of detection is identifying something as malicious. Which brings cfp to the AVs’ field, as most of them are about detecting rather than preventing (OK, in one way they are also preventing, but only things that they detect… so in this context I wouldn’t use prevention for AVs). And in the classical sense of detection I think most AVs will beat the hell out of cfp. But hey, it’s not the purpose of cfp.

This must be the least clear piece of writing I have seen recently. There are differences between prevention and detection, but I think you don’t quite understand the relation between the concepts, except that you think prevention must be better.

And you know… don’t argue with idiots as they will pull you down to their level and beat you with experience.

If most of us followed this advice, we wouldn’t be responding to you…

No. The other way round. If we look at cfp from a malware-identifying point of view, most alerts are false positives. But since then I have learned that under cfp detecting something I should understand those heuristic-analysis-based alerts, not the normal yellow, orange, red HIPS alerts. But I have no experience with the heuristic-type alerts, so I can not say anything about its FP ratio. I assume it may be higher than signature-based detection.

This must be the least clear piece of writing I have seen recently. There are differences between prevention and detection, but I think you don’t quite understand the relation between the concepts, except that you think prevention must be better.

Sorry for giving you a hard time understanding my post. English is not my mother tongue.
There I meant that in the AVs’ field, AFAIK, detection is usually marking *.exe as malware. CFP can only alert you about malware-like activity of *.exe, so it is actually not marking the file as malware, which may lead to more FPs as legit files can also have malware-like activities. So if we compare cfp with an AV and throw 1000 legit files and 1000 malware at them and then evaluate the results considering the number of FPs too, the AV may be the winner. But when I wrote that “least clear piece of writing” I didn’t know that detection in cfp means solely those heuristic-based alerts. Actually that 60% is much better than the actual AVs’ heuristics. If we look at those retrospective tests, they are not just based on heuristics; they also use signatures. Most new viruses are reincarnations of old ones, thus containing ‘known’ code strings which have a signature, so I think this is why they are scoring so well in those tests.

Anyway, as you are so intelligent and I’m an idiot, would you be so kind and show me the relation between detection and prevention? Yes, you’re right, I think prevention is better than detection in my understanding of the concepts (which could be wrong though…).

Quote: And you know… don’t argue with idiots as they will pull you down to their level and beat you with experience.

If most of us followed this advice, we wouldn’t be responding to you…

OK, I’m sorry again if you felt offended. This wasn’t aimed at persons. I meant by it that we should not compare the detection capabilities of cfp with AVs’, as they are not about the same thing. AVs’ detection is their only way of protection; however, in cfp it is “only” a nice additional feature to help users be more protected. So cfp’s protection capabilities are not strictly based on its detection capabilities. With the term “idiots” I was referring to the mediocre approach of signature-based security solutions and with “argue” I meant cfp competing with them in the field of detection. But thanks for pointing out that it can be easily misunderstood and taken as an offense. I’ll edit it out.

Err, goodbrazer, could you explain a little bit more about this?

  1. I’ve set Defense+ to “paranoid mode”.
  2. I have %windir%\system32\svchost.exe under the windows updater applications group
     (installer or updater); I can’t edit it.
     There’s a pop-up window that says “you need to use ‘my file groups’ window to edit this item.”
     ???
  3. I have C:\WINDOWS\system32\rundll32.exe set to custom policy. Isn’t that enough if I set this
     item to ask on running an executable?
     Maybe I should add this “dll” thingie to be checked in the D+ image execution control setting?

OK, so does anybody have a workaround/solution for this issue??? I’m scared.

You’re right, goodbrazer, this will prevent rundll32.exe from executing unnoticed. But running D+ in Paranoid Mode is a different story altogether. While I’m OK with it personally (I’m a control freak :)), I don’t consider it very practical for an “average” user.

Two general problems with rundll32 and wscript:

  1. Comodo trusts these applications (they’re in the Safe list) without really knowing their behaviour, since their behaviour is defined by the DLLs and scripts they launch, and that could be anything. In my book, this breaks the concept of Clean PC / Train with Safe modes (most widely used), making them unsafe. The only mode that is really safe is Paranoid, which is not too practical, IMHO.

  2. Comodo has only one ruleset for these executables. Which means that you can either create a single policy that would apply to any DLLs or scripts run by them (this is no good, because some functions could be required by both “good” DLLs/scripts and the “bad” ones, and you can’t differentiate between them), or have Comodo alert you every single time some DLL/script is launched. The latter option is weak, too, since you won’t be presented with information on what DLL/script is being launched; all you would see is an alert that rundll32/wscript is executed. Not practical at all.

This is the area where any on-access anti-virus/anti-malware scanner will do a better job.
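As an added illustration (not code from the thread or from Comodo), the following Python pulls out of a process-launch command line the DLL or script that rundll32/wscript/cscript was actually handed, which is exactly the detail the "rundll32 is executed" alert described above leaves out, and labels where that payload lives. The sample command lines and the single C:\WINDOWS system tree are constructed assumptions.

```python
import ntpath
import re

# Host binaries whose real behaviour is decided by the DLL or script they are handed.
HOSTS = {"rundll32.exe", "wscript.exe", "cscript.exe"}
# Assumption: XP-era single-drive layout; only this tree counts as "system".
SYSTEM_DIRS = ("c:\\windows\\",)
# A token is a run of quoted and/or non-space characters, so "C:\a b\x.dll",Start stays one argument.
_TOKEN = re.compile(r'(?:"[^"]*"|[^\s"])+')

def tokenize(cmdline):
    """Split a Windows command line, keeping quoted paths with spaces intact."""
    return [t.replace('"', "") for t in _TOKEN.findall(cmdline)]

def payload_of(cmdline):
    """Return (host, payload) for a rundll32/wscript/cscript launch, else None."""
    toks = tokenize(cmdline)
    host = ntpath.basename(toks[0]).lower() if toks else ""
    if host not in HOSTS:
        return None
    args = toks[1:]
    if host == "rundll32.exe":
        # rundll32 syntax: <dll>,<entrypoint> [args]; only the DLL matters here
        return (host, args[0].partition(",")[0] if args else None)
    # wscript/cscript: the first argument that is not a /option or //option is the script
    script = next((a for a in args if not a.startswith("/")), None)
    return (host, script)

def classify(payload):
    """Coarse label for where the payload lives, the detail a HIPS alert on the host omits."""
    if payload is None:
        return "no payload"
    low = payload.lower()
    if "\\" not in low and "/" not in low:
        return "bare name (resolved via search path)"
    return "system directory" if low.startswith(SYSTEM_DIRS) else "outside system directory"

def triage(cmdlines):
    """(host, payload, label) for every host-process launch in a batch of command lines."""
    found = (payload_of(c) for c in cmdlines)
    return [(h, p, classify(p)) for h, p in (x for x in found if x)]

# Constructed sample command lines (not real telemetry): a benign system launch, two user-writable
# payloads that a bare "rundll32/wscript executed" alert would hide, and one non-host process.
SAMPLE_CMDLINES = [
    r"C:\WINDOWS\system32\rundll32.exe shell32.dll,Control_RunDLL hotplug.dll",
    r'rundll32.exe "C:\Documents and Settings\user\Local Settings\Temp\frame.dll",Start',
    r'C:\WINDOWS\system32\wscript.exe //B "E:\autorun\setup.vbs"',
    r"C:\WINDOWS\system32\svchost.exe -k netsvcs",
]
```

Run `triage(SAMPLE_CMDLINES)` to see the three host launches with their payloads; the svchost line is ignored because it is not one of the host binaries.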

As for me, I deleted the windows updater applications group, because I don’t install any windows updates (waiting for stable SP3 for XP), and added svchost.exe to the security policy as a single app.

I became interested since I read Marat’s example:

Here is what i discovered for myself:
Image execution control settings dialog: switch to “aggressive”, replace “*.exe” with the group “executables”.

Next time rundll32.exe (or any other app) will try to execute virus.dll (or any other dll) there will be alert from D+. Again we need D+ in “paranoid mode”.

On the other hand we’ll receive a huge amount of alerts for any app not listed in computer security policy (or app in custom mode with “ask” options).

Marat (or anybody else), would you like to check/confirm/disprove something i have in mind concerning wscript?
Conditions:
D+ is in “paranoid mode”. Image execution control level is “aggressive”. “Files to check” section contains *.exe and *.vbs entries.

In this case there should be alert from D+ like “wscript.exe tries to execute Virus.vbs”.

Thx for the reply goodbrazer,
* I’m not sure, but I think switching to aggressive mode makes CFP block an app from my server (my comp is one of the client comps); I need to re-allow this “already trusted” app. Well, I can still live with that.
* Using the “executables” group makes an enormous number of pop-ups, maybe about 10-15 pop-up windows to run WinZip.
* I’ll add *.bat & *.vbs to the Image Execution Control Setting, but I think we definitely can’t put *.dll on the list.
Ehm, and one quick question: how do I do that? There’s no option to add the files manually.

I really hope there’s another way to prevent this kind of problem.