How will Behaviour Analysis prove useful for CIS? [CLOSED]

:■■■■ :■■■■

Of course does a HIPS detect much more than any BB. But don’t succumb to the illusion that there can be ~100% for everyone, absolutely impossible because most users either don’t like pop-ups or don’t understand them correctly.

We all know that D+ detects almost every malware sample but that’s totally !ot!
Who cares if a BB detects just ~80%? Together with good heuristics and signature detection it can provide a sufficient protection for most users.

Comodo needs also a solution for the average Jow and therefore a BB.

You are right on this one, however when youtube finish uploading the darn video…hehe you will see the difference on D+ popups. Colors read and yellow and orange. and the message are explicit. Something wrong is going on. A message like getting control or calling CPanel or something like that is orange. A msg for creating a file in %sysdir%\UYTFCVBN.dll is in red. Creating a malicious reg key is red. So you can see the diff.


Then why bloat CIS with a BB/BA module which is very complex to achieve and will take lots more of resources.

Ok, I’ll ask COMODO to add email scanning and HTTP scanning also. BLOATWARE!! We’ll end up with an AVAST kinda like. Lots of stuff, lame security.

Why should CIS be bloated if it had a BB?
A BB is nothing more than a HIPS with certain rules, it shouldn’t took too much ressources (to program it).

U didn’t get the point that the BB would offer much security for a huge amount of people (the ones who can’t get along with a HIPS), so it’s not useless in contrast to HTTP / e-mail scanning which don’t make anything more safe in most cases.

I would rather have something like a BB in the HIPS alerts: kinda how it is now. Give a rating of how dangerous the action and the program itself could be.

haha you say it like if it is a walk in the park. ;D

Why add a huge module like BB/BA just for usability, not security, as the topic says. Why not improve white listing? Why not tune up D+ instead of investing months developing a new module. You want less pop ups and better security? Do not add BB/BA as it will take way more time than just tweaking D+ for a more silent mode.

As I wrote in my previous post BBs are designed to work in conjunction with AV software to complement one another. What one misses, the other will (probably) catch. But, as you know for sure, there is no product which can catch 100% of the malware out there, CIS isn’t an exception here.
I agree that BBs just like any other piece of software have their weak points, however, the thing is that they might be an invaluable help to those who are not really computer-savvy.
I realize that it’s getting more and more !ot!, but I have to make one thing clear: I don’t think that D+ (in CIS 3.8 ) is completely useless and overwhelming for an average Joe, FAR FROM THAT - it has become much more user-friendly than it used to be and, I wholeheartedly hope that I will be able to install it one day on my dad’s puter (he has only just started using computers).

Please, don’t flame me 88) hehe

You’ve hit the nail on the head, darcjrt (:CLP).
I think this is the path D+ should follow.

People sometime ask me why I follow so badly COMODO.

My sister in law is a Pharmacist. She is still studying for a PhD now. She needed a laptop for collage.
So, I bought a laptop for her and equipped it with CIS. A couple of days later she called me because she wanted to know what AV had her computer because she read something on the Net about a virus. I said COMODO CIS. She ask me about the company so I referred her to

I talked to her a couple of weeks ago and I asked her about the laptop and she said she love COMODO because she knows what is happening on her PC. But most important she uses the small link on the pop ups of the file name to research about the msg and the file accessing the PC. Notice that she never called me once to ask me about a pop up from COMODO!! She learned about malware, a little bit and how important is to know what’s on your PC. Now she bought a Acer Aspire One and when she showed it to me, it had CIS installed!!! I asked her and she told me:

“I read about some file from norton sending out info from computers. I read about Kaspersky taking to much memory resources and Avast is like a fisher price Antivirus”

I was so proud of her!!
She had no computer literacy. She was a regular user. She used comodo on her laptop and she downloaded, installed and setup comodo to paranoid mode all by herself!!!

Good for her, then :slight_smile:

No, you can get me word by word: Comodo doesn’t need to code something from the scratch, D+ is a great base (at least the 32 bit one) to build something BB like.
Of course it would need time but that shouldn’t be crucial.

Why don’t u pick up my arguments? As I’ve already said: It mustn’t be big…
Of course adding BB should mainly be for the sake of usability cos D+ can already catch ~everything.

U can’t tweak a HIPS to be very silent while expecting it to catch most malware. Look at the KIS HIPS: It’s the most comfortable until now (didn’t try out Defense Wall, I admit) but in interactive mode it’s still too noisy for most users and the auto mode is sometimes noisy too but IMO not as good as Norton Sonar.

And plz don’t fill up this thread with any relative stories, I know enough expirienced people (also programmers) who would go crazy at any kind of HIPS alert, such comparisons won’t ever be representative.

Great discussion guys… Keep it going. :slight_smile:


Sorry Guys, I’m totally in agreement with Kyle on this one, just factor in Comodo DiskShield (Now Comodo Time Machine) into the picture somehow and voila! Super protection! :-TU
Cheers all
Xman (:KWL)

Behavior Heuristics added to Defense+ - To be more specific… This will act as another heuristics compared to the AV one without sacrificing security.

What do you guys think? And if yes, it’s a good idea… what is the best way for Comodo to implement in? How will Defense+ then act? Think about how Memory Firewall is integrated and stops BO from a D+ Alert… Beneficial usability without sacrificing security, Can Comodo do it?

Alot of questions. :slight_smile:


If we nudge them enough. :stuck_out_tongue:

I am wondering if BA would actually prove more useful when installing new software and running software for the first time rather than normal everyday use?

I agree, but I think you missed my point: these are actions that happen after malware is already running. I would like to see the default settings of D+ tuned mostly for prevention of malware execution in the first place - mostly alerts upon first time execution of code. Malware that does not execute cannot hurt you. Notice also that I used the word “default.” I would hope that CIS retains a ‘Maximum Protection’ configuration, and retains the ability to configure D+ just as we can today, with all of its current monitoring options. The user should be able to turn off the behavioral analysis functionality if desired. Future versions of CIS should allow the user to use CIS in the same manner as we can today, for those that wish to. My comments reflected only on what I think the defaults for new users should be - far fewer popups in D+, tuned to mostly malware execution prevention, with behavioral analysis and CAVS alerting about malware activities.

I would like to present some evidence about the psychology of the average user. From IT news, careers, business technology, reviews | Computerworld

Microsoft Corp. changed the default settings of one of its most important security features for Windows 7 because users balked at clicking more than two prompts a day, a company executive said today.

According to Jon DeVaan, the senior vice president responsible for Windows’ architecture and core components, the company changed User Account Control (UAC) in Windows 7 because data showed that users got ticked off when they were asked to deal with more than two UAC prompts in a day.

Responding to mounting criticism of the changes Microsoft has made to UAC for its still-in-development Windows 7, DeVaan said that the company studied how people reacted to the security feature, which debuted in 2007 with Windows Vista.

“In making our choice for the default setting for the Windows 7 beta, we monitored the behavior of two groups of regular people,” said DeVaan in a long entry to a company blog. “Half were set to ‘Notify me only when …’ and half to ‘Always Notify.’ We analyzed the results and attitudes of these people to inform our choice.”

The pain threshold, it turned out, was just two prompts in a session, which DeVaan defined as the time from turning the PC on to turning it off, or a day, whichever is shorter. “If people see more than two prompts in a session they feel that the prompts are irritating and interfering with their use of the computer,” DeVaan said.

Given this data, does anyone really think that the average user wants to be subjected to numerous D+ prompts? Show the average compuer user more than 2 alerts in a session, and irritation results!

Yes malware is already running, however it is not doing anything so at the end is prevention. BEFORE it perform the action.

Heuristics, no. No more signatures please…hehe. BA/BB…well…what if the file is revised before execution using the same D+ structure and at the end give a summary of all the popups. Lets say the malware creates a dll on system32, modify the startup registry and modifies a registry for disable task manager. As of today, you will receive three pop up. With my proposal you will receive 1 pop up with a summary of the three messages. This will look more convincing, reduce pop up messages by far!!

Whats the difference between this and BA/BB? the user will still make the decision. If you want, you can add like a rate to each process using points. At the end SUM the points and if is > than malware behaivor points, then suggest to block it or block it auto.

Lets say:
Create a file on system32 – 10 points
Modify startup reg – 10 points
Modify Taskmanager Reg – 8 points

Malware is 30, results are 28: Suggest to the user to block the file

Interesting… :slight_smile:

So darc! :wink: you don’t like the idea of another Behavior Heuristics? It will increase detection, Prevention will still be the same (Defense+)…

At the same time, Things being detected by behavior, those things can be sent to AV labs to be actually added to the AV Database (More samples), And off course if nothing is caught by Behavior Analysis then you will get another Alert by D+… (HIPS Covers what BA will miss, And off course what AV misses, Heuristics misses). So technically CIS will have modules: AV, Firewall, D+, BB/BA, BOClean, and TM.

I think it’s quite possible… With MrBrian’s ideas, etc… Anyway keep the discussion going, I’m new to BA/BB my self to be honest… HIPS ftw!! :slight_smile: