Local Behavior Blocker

wasgij6 · January 24, 2011, 1:58am

Is comodo still planning on adding a local bahvior blocker to cis? i remember them saying during the v5 beta that they were going to add one in a later release. does anyone have any info on this?

Citizen_K · January 24, 2011, 8:15pm

No information as of now.

wj32 · January 24, 2011, 8:59pm

What’s a local behavior blocker and how is it different from D+?

wasgij6 · January 24, 2011, 9:10pm

its basically CIMA (comodo instance malware analysis) but on your system not online

wj32 · January 24, 2011, 9:54pm

So how is that different from what D+ does?

languy99 · January 24, 2011, 9:59pm

D+ is HIPS, a CIMA is a behavior blocker.

clocks · January 24, 2011, 10:14pm

A behavior blocker is like a smart HIPS, making the decisions rather than pushing them on the user.

wj32 · January 24, 2011, 10:24pm

OK, thanks for the explanation. Wouldn’t this rely on signatures though, and defeat the purpose of having HIPS? Instead of having byte signatures, this would have “action” signatures. Malware could try to disguise their actions…

languy99 · January 24, 2011, 10:30pm

a behavior blocker is different from hips. the comodo sandbox is basically automated hips, basically is has rules for ever application that is run it in. it just allows some actions and stops some. A behavior blocker runs the file in a virtualized environment, it then watches what it tires to do. It then compares what actions the program is taking against a set of known bad actions. If the program ticks enough actions it alerts the user that the program might be bad.

gee3x · January 24, 2011, 11:34pm

Good explanation

DiSP · January 24, 2011, 11:43pm

But this feature will still be implemented?

cheater87 · January 25, 2011, 12:08am

I don’t know some things can easily slip by behavior blockers.

wasgij6 · January 25, 2011, 1:13am

which is why there are other layers of protection such as the sandbox and defense +. if they do add a BB then it will be just another layer of defense. if a piece of adaware or malware gets by defense + because of the TVL or something then the BB will be able to stop it

sbear2000 · January 25, 2011, 1:27am

it would be nice to have another layer of protection in CIS :-TU

languy99 · January 25, 2011, 1:33am

the main problem with behavior blockers is that it is easy to make it way to sensitive and it blocks almost everything or you don’t make it sensitive enough and it does not block much.

I think with time the comodo sandbox and D+ will add a intelligent component were when something gets put in sandbox there will be a component watching the file in sandbox. As the sandbox/D+ is protecting the computer the behavior component will watch that blocks the file hits in D+ and if it hits a certain number it will alert the user that it is malicious. This will stop the files running in memory all of the time and processes take up too much cpu usage while in the sandbox. Like when a process spawns a cmd window and it sits there take up your cpu.

wasgij6 · January 25, 2011, 1:53am

ya i agree with you. i just remember comodo saying they were going to add a local BB and was wondering if they still had plans on doing so. i would rather them just develop the sandbox and defense + more to keep cis light and fast. i wonder if comodo has any plans on doing something like you suggested

languy99 · January 25, 2011, 2:59am

who knows. I know they are working on things. The idea I had is just something I have been thinking about. Someway to add more security to CIS while make it more user friendly at the same time. By having this automatic component they could add more blocks to D+ while actually reducing pop ups to basically zero.

wasgij6 · January 25, 2011, 3:14am

well you should really push this cuz it can really help the security of comodo and boost its popularity. you should try and make a detailed wish and post it so people are aware of your idea and maybe try pushing it to the devs and melih. this would help so files cant be dropped from the sandbox and traces dont stay running in ram

SiberLynx · January 25, 2011, 5:25am

Greetings all

Hi langu99,

... D+ is HIPS, a CIMA is a behavior blocker

Sorry, I have to disagree

The similar topics were discussed many times here … “and there”

Well, pure HIPS (like D+) basically, understood by many users here as far as I am concerned, except of one thing that I was reading repeatedly here in the forum.
Below is not a precise quote (I can find a few), which stated:

…if you have Alerts from Defense+ that is a sign of malware activities

That’s wrong

Pure HIPS will alert you about any and every given activity by any “currently unknown” Application whether it’s legit one or malware.

That is considered as disadvantage, but that is how it works.

On the contrary, the Behavioral Blocker (BB) analyzes the code sequence (no signatures involved but some heuristics) and trying to determine the actions that can be performed and the outcomes of such actions
If the above are identified , rather can be interpreted as a potential danger – you are alerted.

BB will fire up considerably less alerts than any pure HIPS.
Not really “a smart HIPS” as clocks said, but such definition is pretty much close to reality.

Sure, there are different modes. Paranoid Mode will produce more alerts.
Anyways, there are FPs (always!)… and in both cases (HIPS or BB) user has to be able to think “a little bit” :), softly speaking - no other way around.

But again, since the number of Alerts are reduced due to the higher intelligence employed when using BB - that is better for less experienced users.

As for the:

... A behavior blocker runs the file in a virtualized environment, it then watches what it tires to do

and

...with time the Comodo sandbox and D+ will add a intelligent component were when something gets put in sandbox there will be a component watching the file in sandbox.

Well - that is a model you built, and maybe that's the way Comodo will go, but it is not workable one for my taste (knowledge?)

the local BB has nothing to do neither with any sandboxing in the 1st place nor it’s observing (“watching”) the actions during the execution.
On the contrary

the execution is interrupted upon an executable being loaded into the memory;
the code is analyzed and then the conclusion is made:
the execution is allowed silently or the user is notified about potentially dangerous actions that may occur

The above is not a “classical” description made by me ;), but that’s how, classical local/or standalone BBs are implemented as far as I know

Cheers!

IAO · January 25, 2011, 10:11pm

HIPS and bb are similar since behavior analysis plays some role in HIPS. HIPS is more focused on protecting important system areas and monitors every exe file activity in relation to them while bb observes (yes, AFAIK it does) process actions and alerts the user when any malware behavior pattern is detected.

Description languy99 gave is more accurate for online behavior blockers. Threatfire, for instance, works in a completely different way. It won’t detect any threat until some suspicious behavior occurs, f.e. file deletes itself. After that it will look locally for matching signatures (yes, it uses signatures) to determine whether this is a known threat. It’s not interested in files as much as in their behavior and won’t take any action until process ‘behaves’ in a certain way. It won’t even use signatures before that.