Idea To Prevent Trusted Malware From Remaining In Trusted Vendors List

This is an updated version of an older wish. The original can be found here.

I’ve got some ideas for how to protect the end-user from malware that, for whatever reason, becomes trusted by Comodo. Now, I’m not concerned with the checks that Comodo staff make before the digital signature is entered into the TVL. That’s on their end. I’m concerned with the changes that could be made to CIS.

When CIS Should Automatically Upload A File
I believe that any new executable on the system, which is trusted because of its digital signature, should be automatically uploaded to Comodo the first time that it is seen on anyone’s computer. It should not be uploaded again, even if seen again on someone else’s computer. That way it only needs to be uploaded once. Also, during this entire process the file should remain trusted. This way it won’t hurt the usability of CIS at all.

Check File With Valkyrie And CAV
Comodo could then perform an initial check with Valkyrie and then scan it everyday for the next month using Comodo Antivirus. All of this could be automated on their end. If it gets flagged at any time as malware or suspicious by Comodo Antivirus then the file should get reviewed and scrutinized to see if should remain trusted. If it is found anything other than “Normal” by Valkyrie then it should also be manually analyzed. After 30 days if it isn’t found unsafe then I think it can safely be ignored on Comodo’s end. Essentially those files should be treated the same as most of the files submitted by CIS. They can be analyzed in time, but not given high priority.

How Comodo Should Check Suspicious Files
During this analysis the file should be checked just like any other file which is submitted to the thread to Submit Applications Here To Be Whitelisted - 2012. If the file is found safe then it should be added to the whitelist by file hash, and if not then the digital signature should be removed from the TVL.

How To Manually Submit Whitelisted Malware You Encounter
Of course for that malware that somehow slips through that net, which I think would be very unlikely, we still have this topic for users to report any suspicious trusted files.

Also, wasgij6 came up with an idea in his reply here to further protect end-users from malware. I’ve taken the flow chart, which was made by wasfij6, and attached it to this post. I think it would be too talkative for ordinary users, but perhaps it could be implemented as an opt-in option. This way users who are fine with a few more popups can be protected in this way.

What do you guys think? As always I’m very open to suggestions and am perfectly willing to alter the wish.

Thanks.

[attachment deleted by admin]

there definitely needs to be something done about trusted/signed malware. i like your idea chiron but im just brainstorming here and seeing what we can come up with.

i have been thinking about different ways comodo can use existing/upcoming technologies to help prevent malware from bypassing CIS. i have been also thinking about ways CIS can become more automated (less alerts without losing security). Here is what i came up with. i made a flow chart on how it would work. the red boxes are alerts and the 2 blue boxes im still unsure of. I was going to wait for v6 beta to come out to see how the bahvior blocker worked first but o well.

i honestly dont think a piece of malware can go through all these layers without being detected
tell me what you guys think.

[attachment deleted by admin]

I like the idea, in general, but I don’t like the fact that it will very likely create popups for applications that are trusted by certificate. I think that this will become much too talkative, much too quickly. Therefore I think that using a methodology like what I describe in the first post would be better for most users.

That said, I also really like your idea, and would personally like to be able to run it on my machine. Thus, I think perhaps what should be done is that by default a methodology such as mine should be used, but, for more advanced users, what you described should be available as an option. That way the users who are better able to interpret, and understand, what the alerts mean, would have the ability to defend their computer against all malware, even ones such as Stuxnet.

What do you think?

but if you look at the chart for files that are legit and safe there are no alerts. for files that are not detected by valkyrie/dacs they are allowed to run with no alerts. only time alerts come in is when suspicious activity starts happening. a safe undected file will go straight across the top of the chart

remember the alerts are in red boxes and the flow starts at the top left. at most the user will see 2 alerts and those would be if valkyrie or dacs find the file is malware. the user gets the alert that says “file.exe” might be malicious, analyzing now… i would like these popups to be like the current sandbox alerts. just informative not interactive. if the analysis find malicious acitivity the user is told the file is malicious and their computer is protected.

if you think 2 alerts is to many the first alert could be removed but i think its necessary since cis would be analyzing a file and we wouldnt want the user to not be informed since it would take a minute or so to analyze the file. then the second file tells the user that the file was found to be malicious

i had one question about your idea. would all files with valid sig. and files in the whitelist be checked like this? if so would it create a big load on the computer

But what about those safe files that are found to be suspicious by Valkyrie?

Won’t those throw up a flag as well? Therefore some safe malware that would be allowed under the current system will be flagged under the one you propose.

Am I missing something or are you just proposing that adding a few more alerts is well worth the price? (Which I do admit is definitely debatable)

TBH valkyrie does not give many FP. actually in my testing iv only ever found 1 or 2 but even if it does give one the user will get one alert. Personally i think just one informative alert is ok if this system can fight against lots of signed/whitelist malware. the user would get the one alert example.exe might be malicious, analyzing now… the file will be found as safe and it will be allowed to run. no more alerts. or maybe the initial check can use a combined result from DACS/valkyrie like if 0 detected by DACS and a low rating from valkyrie (like suspicious) the file can be allowed to run

Looks very promising

I would go with this concept instead of the original post. My votes for this

thanks we just need some innovative engine/mechanism that can help fight against signed/trusted malware. maybe comodo came up with their own idea for v6. only time will tell

I stand with my previous post. I think it would be too talkative for most users.

However, perhaps wasgij6’s idea could be implemented as an opt-in option. That way users who are fine with a few more popups can be protected in this way.

Also, I’ve altered the wish to include wasgij6’s suggestion.

What do you think?

Okay, I’ve made some small changes to my initial post.

What do you guys think?

I think this idea needs to be revisited there are many good points in here and tbh i’m so sick of newly installing programs getting auto-sandboxed so i have to forcibly add them to safelist several times and or disable sandbox entirely. Having it check it in sandbox first, then install directly to hd after passing a check would make things much easier. It would also make me more willing to just go get a coffee while the 3.5 GB installer.exe file forces comodo to use 8+ gb of ram on a 4gb ram system :stuck_out_tongue:
Especially since it took me 15 minutes to unfreeze the system the first time it happened


http://i1151.photobucket.com/albums/o631/madstempaccount/th_comodobug.jpg


http://i1151.photobucket.com/albums/o631/madstempaccount/th_comodobug1.jpg

Bump.

I think this idea needs to be revisited.

It is not enough to treat file as trusted because of its trusted signature (from the past).
If the specific file checksum was validated to be trusted it is ok but the signature itself is not enough.
CAV/CIS should in my opinion, add some other protection against such things.
To give the file verdict of 100%-trusted is really silly. I would at list give the D+ to monitor its activity (if not sandboxing it).

My position is that even one alert for something that is safe is one too many. I’m opposed to anything that would make CIS more talkative. I like the original idea but wonder about the load this would put on the servers.