How will Behaviour Analysis prove useful for CIS? [CLOSED]

Hey Everybody !

I saw Melih’s post:

Let’s stop and think for a minute guys. :slight_smile: Let’s look at CIS 4.0’s current planned security architecture.

Firewall (Will stop malicious network attempts)


Time Machine.

How can a behavior analysis or a behavior blocker prove useful to this setup? Am I talking about Security? No. I am talking about usability, Meaning a behavior analysis or a behavior blocker, implemented into Defense+ will give ANOTHER great level of usability! (Yes, Still keeping HIPS! It’s important because no Behavior blocker can match Defense+, period.) - Let’s not start a war about this pls.

But really… It’s just an instinct I think a behavior analysis will prove very useful for CIS. So you have Defense+/Firewall being prevention, BOClean/CAV/Heuristics and ALSO Behaviour Analysis being detection, And cure is time Machine.

That HUGE detection layer, IMO - Will make Defense+ also ALOT more usable. It will give Defense+ some breathing space with a very good detection layer, While still keeping Defense+. I’m not saying it wont give extra security! But again your views count. :slight_smile:

I would love to hear what you guys think… :slight_smile:

Will a behaviour blocker in CIS prove useful for CIS? What is the best way for Comodo to implement such a thing? In Defense+? In the AV?

Please vote and post!


Hello Josh

IMHO I believe it will be better in Defense+

(Edit: I reverted my changes from last edit)

- Jacob Kilgore
C-O-M-O-D-O Forum Moderator

i think its actually best suited into the D+ and i think behavior analysis to reduce alerts is a great idea. eg. the app will be analyzed first, then give the user its suggestion or many other ways it can be implemented to make D+ less intimidating to the user.

IMO, looking the issue from a programming point of view, it can be up hill to implement BA on CIS. Why? D+ is already monitoring vectors in order to provide security, you have the AV scanning files and later emulation heuristics also, plus BoClean. Dont you think it will be a huge impact to resources??

Yes I know, who cares about resources these days, but still, I dont want my Dual Core CPU to be at 99% just because of CIS. Yes I know, COMODO dev team has proved to be the best at resource management, still they are human.

My Real point: Having all that security on it, will it be really necessary to add BA to CIS?? I mean, can anyone point me to a direction where I can find techs specs of each so we can compare and get to a conclusion?
If we agree there is no BA that can match D+ on security, why think of usability at this point?? Usability can bring down security if it is not handled correctly.
Instead of a BA why not add something like this:

Use the D+ module on a emulation environment (some kind of Virtualization like the CIMA heur). record all the popups of the “malware” and give a result to the user. FPs can be high, but Heuristics can fire FPs also.

Just my 2 cents. Anyway I will have to say No, no BA. I love to see pop ups. I like to see what will happen next with a file. I like to see something is watching and will ASK ME to make the decision.

Usability? With worms like the Confiker out there I rather have my HIPS well balanced…hahaha

Best Regards,

What are the Behaviour Blockers out there? why do u like them?


For the sake of usability, I would recommend that future versions of CIS Defense+ policy by default emphasize mainly the prevention of malware execution. Remove the parent/child execution alerts by default, and replace them with execution alerts that don’t mention the parent, with the resulting execution rules placed in the ‘All Applications’ policy. Remove from the defaults of D+ all areas of monitoring that are not involved in the prevention of the execution of malware, with the exception of device driver monitoring (to prevent malware from installing a rootkit), network rules (to prevent malware from sending out sensitive data), and file protection (to protect mainly against malware tampering of My Documents and other data areas). If malware cannot execute, then it cannot harm your machine! In a nutshell, IMHO D+ should be mainly about malware execution prevention.

D+ should not, by default, be prompting for process termination, windows messages, interprocess memory access, hooks, COM interfaces, monitor, keyboard, or registry changes - these are about detection of malware that is already running. I see a behavioral blocker as a core of malware detection, in case malware got by the D+ malware execution prevention efforts.

CAVS can play the role of prevention, detection, and cure.

I’ve outlined the areas that D+, IMHO, should be monitoring by default at

I think that a BA/BB should be implemented into D+ so that users are not bombarded with cryptic D+ alerts. As it stands right now, D+ will alert on registry changes, COM changes, file changes, etc., but give no inkling of whether the process is characteristic of spyware, adware, rootkit, or other malware. With a BA/BB, D+ can analyze a set of instructions and then come to a conclusion whether the process is spyware, adware, rootkit, or other malware.

More than Defense+ HIPS for sure.

In my opinion D+ is an optimal hips, and the suite (CIS) is good balanced right now…

a behaviour blocker will only limit defence+ control, that is very deep and accurate. If we add a behaviour blocker module it will be more easy-to-use, but it will reduce the control.

For me it wouldn’t be added in the suite. :-TD :wink:

Sorry for my bad english,

It does not have to be a specific blocker, More like analysis… Like this plan. Behavior Analysis will be built into Defense+.

COMODO Internet Security 4.0 Security Architecture (ONLY A PLAN BY 3XIST).

Memory Firewall (Built into Defense+)

Heuristics (Built in to CAV) - CIMA like heuristics will come in CIS v3.9.
BOClean Memory Scanner (Built into Defense+) - This will be in CIS v3.9 anyway.
Behavior Analysis (Built into Defense+) - Will act as another layer of heuristics (behavior like).

Time Machine

So the Behavior Analysis will act as another heuristics in Defense+ with the AV Heuristics.


All vectors you mention here are fundamental for malware attacks PREVENTION. These are the main features malware uses to attack a PC. Take a look at the confliker worm details and you’ll see that one of the bigest thing it does is create a thread to check every second for processes with specifics names like norton, etc, to terminate them. Also it HOOKS into the dnsdll.dll to prevent navigation using a browser to specific websites which domain name contains a word similar to:

Registry changes: Come on!!! How are you going to take out that from D+. With a simple reg change you can hide all files you want!! (ROOTKITS) or disable task manager, regedit, folder navigation…by changing a simple reg key you can make a user go nuts and format the harddrive.

HIPS is the way to go. D+ has the perfect architecture to prevent from malware infecting your computer. BA/BB…well I’ have to compare DriveSentry, ThreatFire against D+ to see why you want this so much and why will it better for D+ to have this integrated.

You dont need more proof than D+ catches confliker on standard configuration. Adding BA/BB will be just making CIS bloatware, as it will be more monitoring, more resources. :-\

As a simple bit of behaviour analysis I would like more detailed information in pop-ups as to why a program might be accessing this particular registry entry/com interface. It obviously can’t do this in all cases but if something is protected in the default configuration then it must be possible to explain what it is used for.

I vote to pretty much leave it the way it is.

Been using for quite awhile and I haven’t had any problems.

I would rather the tool told me what’s going on than to have it on “automatic”.

I believe the pop-up’s provide plenty of info, enough so I can easily research what’s going on, quickly too.

Education is the way out of this problem (security) and comodo helps educate by being the way it is. IMHO.

84.1% voted “yes” to the question "Will behaviour analysis in CIS prove useful for CIS? "
Do I dare to ask why? Security won’t increase, thats for sure.

Any BB is too weak compared to D+ to add anything, and they operate in a much similar way, usually BB’s even relay on simple malware signatures due to its weak nature and inability to recognize threats. Adding a BB to CIS won’t mean more protection. 88) A HIPS catches everything a BB catch and more. :-TU :-TU HIPS technology are stronger by nature. :slight_smile: :slight_smile:

A good HIPS catches all malicious behavior, a BB catches malicious behavior when its malicious enough… And things slip by BB’s when its not “malicious enough”… 88) But they have a much tougher job bypassing a HIPS. :slight_smile:

Now when comodo probably got the best HIPS on the security market I don’t think that is something we should drop and take the easy way. If D+ only get the ease of use (and I know it can, new gui and stuff are whats needed) then BB’s will be a dying tech, as its only advantage over a HIPS is less FP’s, in security HIPS wins big. :-TU Also focus should be on improving D+ so it passes ALL tests important to pass…

A side note: D+ already do some “BB” analysis, sometimes popping warnings for “malware behavior” and similar, giving somewhat precise alerts to the user! =) ofc this analysis could be improved some…


Totally agree with you!! I’m posting two videos of CIS and ThreatFIre to youtube so you can see the difference between HIPS and BA/BB. You will be amazed!!

If you want CIS to be very successful it will need to have a totally silent mode and in that silent setting it will need to catch most malware without too many FPs.

Look at Norton Sonar: It’s totally quiet, doesn’t make FPs for 99% of users and got good detection capabilities.
Comodo should have something (very) similar with version 4.0.

I voted No.

Behaviour blockers sound cool…
If your relying on behaviour blocker (Detection). Then where has comodo’s 3 golden rules gone?

I think it should stay with Defense+ default Deny.
Don’t add a behaviour blocker - Just increase the whitelist :slight_smile:

At the end of the day - Comodo should decide what methods to employ in protecting us… You know far more than us.

Looking forward to those videos… :slight_smile:
What would amaze me would be if the BB had better prevention… :slight_smile: hehe

As for BO attacks if I remembered correctly you proved at least one Behavioral Blocker cheat on their prevention technique, building it on some weak signature instead of real detection of BO behavior like CIS! =)

I really believes most BB’s sucks in reality, its more in class of a Antivirus than a HIPS…
BB’s are bypassed daily by new stuff, and so are antiviruses, HIPS is not…

BB companies try to present their stuff as something to catch all zero day threats, but thats not true A HIPS does that. but the actual behavior analysis technique in BB’s is no way solid enough… And if it was so good, then cheating and adding separate malware signatures to PrevX, ThreatFIre and such would not be needed. They add those because they FAIL to detect those baddies else, they are catching up with malwares, just like AV’s does… Adding definition after definition once they have already infected some people who was left totally defenseless without any alert whatsoever… With a HIPS at least “some” kind of alerts are presented, leaving no one totally defenseless… :-TU :-TU

GO CIS for daring to use a HIPS!! :comodorocks: (V)

I hope D+ stays as a HIPS forever and they keep improving it… :slight_smile: As I heard they done in 3.9 8) Dropping it for the weaker BB technology would be a huge mistake and a BIG backslash in security for CIS…

If you wanna be my norton then you have to deal with my PIFTS! ;D :wink:


It is a great pleasure to me to finally meet someone who just like me, is not just a fan of CIS, but can defend and give prove of a good software.

Video 2 will speak for itself as I put ThreatFire to the test against D+. Video 1 is CIS blocking every single move. Video 2 is ThreatFire missing BO attacks and crashing. I had to turn on D+ to stop a malware and treat it as Isolated because ThreatFire kept popping up that a malware was found and it could not stop it.

I’m loading the videos right now I hope I get them ready in a couple of hours.

3xist → this was an excellent topic as we can throw out differences between two technologies and analyze whether is good idea or not adding BA/BB to CIS. :-TU

You’re dang right - HIPS is SUPERIOR to BB :-TU. But consider one thing: you knew that a given file was a piece of malware, that’s why you blocked it. However, not everyone possesses the knowledge to determine whether a file is malicious or not and will probably allow it to run. BBs, as far as I know, require hardly any attention on the part of the user, that’s why they’re better for non-experienced people. I also don’t think that they have ever been meant to run on their own, but alongside AV products.

Please don’t get me wrong, I’m a big fan of D+ but it has to be made more user-friendly, especially for novice computer users.
I think that COMODO could add a list of applications that D+ would block by default, without user intervention (yeah, I know AV software works in a similar way, but not everyone has an AV product installed). It would also be another layer of defense if, let’s say, a user accidentally allowed a piece of malware to run (which was caught by an AV product).

Just my two cents :).
I hope I didn’t fumble much ;D and everything is clear as day ;).