I would like a list of applications that do not learn in training mode/clean pc mode etc. They would affectively be in paranoid mode but other programs would learn. This could include web browsers, media players, adobe reader or any application that is in contact with material downloaded from the internet and could be compromised by some vulnerability. Games would then run fine and there would be much less pop-ups than there would be if everything was in paranoid mode. The list could be call “my dangerous files”.
I don’t really think this is needed - If an application is safe you can just use “Trusted Application” and no more pop-ups, if it’s not fully trusted then just manually click allow\deny to set up custom rules.
as for cleanpc mode\training… Well, things like Adobe\IE\WMP are safe however things like IE are often exploited to download something which is fine, youd be alerted to the new exe.
I personally have My web browser setup as a Trusted application in defense+ and that should be fine, if a malacious *.executable gets downloaded through the browser ( Drive by download - Ehem… CMF anyone? ) you will still be asked whether or not you want it to run.
Don’t worry! there are much better ways for usability, and it will be improved in the future - We are studying usability right now.
This is a nice idea. Something like this could prove useful to use D+ safe mode and yet have a some way to disable withelisting for specific apps :-TU
I hope Comodo will add this feature. I wish I was a
to confirm it already ;D
Is it possible to have an attack with no new exe. The downloaded executable code all resides in memory? Defence+ would then think it is part of a safe application. Will DEP stop this? Can an exploit overwrite the executable code in adobe reader so it is now malware?
This technique is the most advanced and difficult to detect. In fact, may personal firewalls still fail to detect and prevent process injection although it is used by Trojans in the wild. Process injection attacks work by having the attacker program injects its code into the process space of a trusted application and become a part of it. No DLL or similar component is loaded."[/i]
You would receive a D+ alert that the malware executable is trying to access inter process memory of the adobe reader executable.
Can this happen if there is no malware executable? Could an exploit make adobe reader write to its own executable memory and turn itself into malware?
I’m not sure if it could happen without an executable. I would think not, but I’m sure you would get some type of alert. Maybe someone else has an answer?
So we’re using adobe as an example…
If malware tried to modify adobe then you’d be alerted about it. Just like if you perform an update to Firefox etc… then you will be alerted about the update has taken place and if you want to allow the new instance to run
I do not know if this is possible but this is the scenario I am talking about:
Adobe reader gets a pdf from the internet containing malware. Via a bug in adobe reader the reader copies the malware code into its own executable memory. Adobe reader is now the malware in memory. and nothing has been written to disk. Defence+ thinks it is still a safe application and it can do whatever it wants.
Can an application write to its own executable memory and will this give a pop-up in defence+?
The documentation I have read on DEP is about preventing execution of data and does not mention modification of executable memory.
I guess it’s a matter of Whitelisting vs Blacklisting. Just FYI Whitelisting is getting some big $$ into it and it’s going to be expanded further by hopefully end of year release.
Tcarrbrion, If malware changes - exploits etc programs tried process ininjection blah blah blah… You will be alerted.
D+ act as a system gatekeeper checking access on privileged resources while blacklisting is carried by the AV.
D+ safelist and Trusted vendors are meant to suppress alerts if the application was not meant to carry malicius actions.
Safelisted apps in D+ safe mode don’t behave exactly like Treat as Trusted apps (eg. usually protected File/Folder access alerts are displayed).
AFAIK Treat as Trusted apps will also be able to carry process injection, hooks etc. and they will generally trigger alerts only if a new unsafelisted executable is run.
BO that could be triggered by specially crafted documents should be identified by Comodo Memory firewall or Comdo Safesurf engine which provide an additional layer of protection over a fully functional Ms DEP (eg ret2libc attacks).
IMHO a way to selectively disable the autolearning in D+ Safe mode will allow a far greater control over the resulting policies regardless if no beforehand way to exploit the default security is known or it is unlikely to be encountered.
Even if an application is safe I guess some users could benefit an easy way to restrict possibly unwanted privileges (expecially if some privileges are not needed for the applictation features an user plan to use).
In fact although it is possible to achieve full control using D+ paranoid mode, autolearning of safelisted apps is useful to get a policy that could be finetuned later.
Safe mode can overtake existing incompletely learned policies regardless if the user meant them to be that way. In D+ safemode the only way to lock an incomplete policy for a safelisted app is to switch the access rights to block and this will also suppress eventual ask alerts in paranoid mode.
As ATM there is no viable mixed approach IMHO the choice is actually between full safemode or full paranoid mode whereas a mixed approach could make CIS even more adaptable.
There is another side of this problem. Safe mode is designed to reduce alerts quantity for common computer usage. And putting browsers, players ans readers to an unsafe list will spoil the very concept of the Safe Mode. As applications which can suffer from exploits are in the same time most commonly used applications. User will still get tons of alerts.
Also as different applications have different vulnerabilities ans exploits we’ll have either ask about all actions performed by them or make separate predefined policy for each.
The problem for me is I have to use clean PC mode with parental control as other people which limited computer knowledge use my computer. As an advanced user I would like increased control of what is allowed or not. CIS is designed to only give increased control in paranoid mode which I cannot use.
Can you tell me the final idea of what feature does this topic request?
Have a database of applications which potentially could have exploits?
Have an ability to apply “paranoid” settings (ask everything) for a single application even in safe mode? something like “Suspicious application” predefined policy?
BTW there is no build-in safe lists except “My own safe files” and “Trusted vendors” list in CIS now.
I want more along the lines of:
but for general applications, not suspicious ones.
I have just added another wish list item that would help me do what I want:
The problem is lack of user control in clean PC mode. It looks like clean PC mode is designed for novice users but some advanced users have to use it with parental control.
Does “My own safe files” keep a hash of the executable to know if it changed?
In Safe mode If some of safe files were changed they will be moved to pending files list and alerts will be asked again about them.
On the other hand if the application is assumed safe due to digital signature - it will remain safe after changing if signature of the new file is the same and valid.
This is a big change to how it works. I never saw any announcement of this. My pending files was just for clean PC mode.
Are you talking about V4?