Hi, I’ve got some ideas for how to protect the end-user from malware that, for whatever reason, is trusted by Comodo. Now, I’m not concerned with the checks that Comodo staff make before the signature is entered into the TVL. That’s on their end. I’m concerned with the changes that could be made to CIS. They’ve already included a check to see if the certificate has been revoked, which is good, but here are my other ideas.
1) Any new executable on the system, which is trusted for whatever reason, should be automatically uploaded to Comodo. They could then perform an initial check with CIMA and then scan it everyday for the next month using DACS. All of this could be automated on their end. If it is flagged as malware or suspicious, then the file should get reviewed and scrutinized to see if it should be trusted.
If the file has not been flagged after one month of this evaluation, then it will be moved into a different type of safe files (by hash) that will not be uploaded anymore. I would say that after a month it’s quite likely that at least one vendor would detect it if it was malicious. I believe this would greatly decrease the danger of trusted malware. Better still, the user would notice no loss in usability or possible increase of false positives.
2) Using checks, like the ones I suggest in this wish, Comodo could produce an algorithm that could predict whether the file is probably safe (or on the other hand possibly dangerous). Thus in order for the file to be allowed total access to your computer, not only would it have to be signed by a vendor in the TVL, but also be rated probably safe. In this way almost all signed malware will be stopped and, as long as the algorithm is sufficiently reliable, very little will be lost in terms of usability.
What do you guys think? As always I’m very open to suggestions (or criticism :'(), and will alter the wish to meet either.
Also, I’ve added a poll and enabled the option to let you change your vote in the future. Thus if I change the ideas in this post, you always have the ability to change your vote. (Hopefully the changes will be positive for most people ;D)
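To make the two ideas in the post above concrete, here is a small Python model of the proposed workflow: a TVL-signed file is uploaded the first time any user sees it, scanned daily for a month, promoted to a hash-based safe list if it stays clean, or sent to review if any scan flags it, and only a file that is both TVL-signed and rated "probably safe" gets full access. This is an added illustration written for this thread, not Comodo's code or anything taken from CIS, CIMA or DACS; the 30-day window, the state names, the "probably safe" rule (no detection during the daily scans), the vendor removal step and all hashes, vendor names and detection names are constructed assumptions.

```python
"""Model of the thread's proposed trust pipeline (added example, not Comodo code)."""
from dataclasses import dataclass, field
from datetime import date, timedelta

EVALUATION_DAYS = 30  # the post's "one month" of daily scans (my constant)


@dataclass
class FileRecord:
    """What the proposal would have to remember about one new signed executable."""
    sha256: str
    vendor: str
    first_seen: date
    state: str = "evaluating"          # evaluating -> safe (hash list) | review
    clean_scans: int = 0
    flags: list = field(default_factory=list)


class TrustPipeline:
    def __init__(self, trusted_vendors):
        self.tvl = set(trusted_vendors)  # stand-in for the Trusted Vendor List
        self.records = {}                # keyed by file hash

    def on_new_executable(self, sha256, vendor, today):
        """Idea #1: the first time a TVL-signed file appears on *any* user's
        machine it is uploaded; later sightings of the same hash are not."""
        if vendor not in self.tvl:
            return "untrusted"           # not covered by the proposal
        if sha256 in self.records:
            return "known"               # someone already uploaded it
        self.records[sha256] = FileRecord(sha256, vendor, today)
        return "upload"

    def record_scan(self, sha256, verdict, today):
        """Apply one daily scan verdict: 'clean' or a detection name."""
        rec = self.records[sha256]
        if rec.state != "evaluating":
            return rec.state             # safe or review: no more daily scans
        if verdict != "clean":
            rec.flags.append((today, verdict))
            rec.state = "review"         # flagged: a human looks at it
        else:
            rec.clean_scans += 1
            if (today - rec.first_seen).days >= EVALUATION_DAYS:
                rec.state = "safe"       # clean for a month: hash list, no uploads
        return rec.state

    def due_for_scan(self):
        """Hashes still inside their evaluation month."""
        return sorted(h for h, r in self.records.items() if r.state == "evaluating")

    def rating(self, sha256):
        """Idea #2: a deliberately simple stand-in for the predicted rating."""
        rec = self.records.get(sha256)
        if rec is None:
            return "unknown"
        return "possibly dangerous" if rec.flags else "probably safe"

    def allow_full_access(self, sha256, vendor):
        """Full access needs both a TVL signature and a non-dangerous rating."""
        return vendor in self.tvl and self.rating(sha256) != "possibly dangerous"

    def remove_vendor(self, vendor):
        """Review outcome from the thread: a vendor turns to adware and is dropped."""
        self.tvl.discard(vendor)
        for rec in self.records.values():
            if rec.vendor == vendor:
                rec.state = "review"


def run_scenario():
    """Constructed walk-through of the adware example discussed in the thread."""
    p = TrustPipeline({"GoodCo", "TurnsBadCo"})          # constructed vendor names
    day0 = date(2024, 1, 1)
    first = p.on_new_executable("hash-good", "GoodCo", day0)     # first user
    second = p.on_new_executable("hash-good", "GoodCo", day0)    # second user
    good_state_day29 = None
    for i in range(1, EVALUATION_DAYS + 1):                      # a month of clean scans
        good_state = p.record_scan("hash-good", "clean", day0 + timedelta(days=i))
        if i == EVALUATION_DAYS - 1:
            good_state_day29 = good_state
    p.on_new_executable("hash-adware", "TurnsBadCo", day0)
    for i in range(1, 3):
        p.record_scan("hash-adware", "clean", day0 + timedelta(days=i))
    adware_state = p.record_scan("hash-adware", "Adware.Constructed", day0 + timedelta(days=3))
    adware_rating = p.rating("hash-adware")
    p.remove_vendor("TurnsBadCo")
    return {
        "first": first, "second": second,
        "good_state_day29": good_state_day29, "good_state": good_state,
        "good_clean_scans": p.records["hash-good"].clean_scans,
        "good_allowed": p.allow_full_access("hash-good", "GoodCo"),
        "adware_state": adware_state, "adware_rating": adware_rating,
        "adware_allowed": p.allow_full_access("hash-adware", "TurnsBadCo"),
        "due": p.due_for_scan(),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point the model makes visible is the one raised later in the thread: the file stays trusted while it is being evaluated, the extra work happens on Comodo's side, and only one user's upload is needed for every later sighting of the same hash to be covered.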
I agree, there needs to be many ways to check a file.
For your #1 suggestion above, an adjunct may be a system by which any file that is new to Comodo and which Comodo has trusted (for whatever reason), gets sent to Comodo where it is scanned with CIMA initially, and by DACS everyday for the next month. If it is detected on any of these tests as suspicious or malware, then the file gets reviewed and scrutinized to see if it should be trusted.
I think using DACS to scan a file each time a file is launched may slow down the computer.
Perhaps a good way to do it then would be for any new executable on the system, and trusted for whatever reason, to be uploaded to Comodo. They could then perform the initial check with CIMA and scan it everyday for the next month. (Essentially as you suggested)
After this month long evaluation, if the file has not been flagged as suspicious or dangerous, the file will be moved into a different type of safe files (by hash) that will not be uploaded. I would say that after a month it’s quite likely that at least one vendor would detect it.
This is a great way to use DACS and help reduce problems of trusted malware. I read in a few places on this forum that Comodo is developing something, I think using DACS, to help reduce false positives. Any info on that development?
DACS will certainly help reduce false positives. But, I am not sure how DACS will be implemented. Perhaps it will be used in the cloud? Perhaps it will be integrated into CIS? I am not sure that the developers are ready to release the details.
Doesn't it seem kinda long for someone to wait a month at most to see if a file is safe to run on their system? It seems like this would create a lot of unhappy people that don't want to wait for the file to be analyzed.
No, it will be trusted during this time. It’s really an extra check, that’s done in the background, to ensure that malware in the TVL will be caught much more quickly.
Here’s an example. Let’s say one of the companies in the TVL was checked out and they were perfectly legitimate. Now, let’s say in a year they start to produce adware. With the way it is right now this wouldn’t get noted until a user reports it in the forum. Thus the adware program would be trusted during that entire time. With my suggestion the very first person to download the adware program to their computer would have that automatically uploaded to Comodo. Comodo would check it, realize the company is producing adware, and remove them from the TVL.
The user doesn’t even need to know it’s going on, but they will have even greater protection.
Sorry about all the questions, but I'm sure other people have some of the same questions as me.
You say that once the company starts producing adware it will be uploaded to Comodo for analysis, but how will CIS know what to upload, and when something malicious is installed on the computer, so it can upload it?
What I meant was that the first time a signed executable shows up on anyone’s computer, it will be uploaded to Comodo. It doesn’t have to be adware, in fact in this case CIS wouldn’t know it was. Also, only one user would have to upload it. Comodo would then check it using the methods I discussed.