Malware with a valid certification & CIS being bypassed

So if we get hit by certificated malware that rips through your system, do we take solace in the knowledge that it wouldn't have got that far without the certificate?

It would be interesting to see how CIS stops Stuxnet.
D+ should help stop it, even without the whitelist?

Rules list and various other properties. If the file is packed, if it requires admin rights, if it tries to create a startup entry, if it tries to access certain other system settings, then it's considered bad and the user is warned.

Then you can have another legit file that tries to do the same but is not packed and doesn't try to make a startup entry, but still wants to change certain system settings. This one won't be marked as bad.

See the pattern? And behavior blockers aren't limited just to this; they can have many more "sensors" against which the files are checked. If they trigger enough rules, or enough specific rules, the file is reported and/or blocked. Simple and effective.
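The weighted-rule scheme described in the post above, as an added example (not CIS code, and not posted by anyone in the thread). The sensor names, weights and threshold are assumptions chosen to reproduce the two cases in the post: the packed file that wants admin rights and a startup entry is flagged, the unpacked file that only touches settings is not, and a single "critical" sensor is enough on its own.

```python
"""Toy behaviour-blocker scoring (added example, not the product's own code).

Sensor names, weights and the threshold are assumptions for illustration;
a real product has many more sensors and tunes weights from telemetry.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    weight: int             # how much one firing of this sensor adds to the score
    critical: bool = False  # a critical sensor is enough on its own


# Hypothetical sensor catalogue (assumption, not a real rule set).
RULES = {
    "packed":          Rule("packed", 2),
    "requires_admin":  Rule("requires_admin", 2),
    "startup_entry":   Rule("startup_entry", 3),
    "system_settings": Rule("system_settings", 2),
    "disables_av":     Rule("disables_av", 5, critical=True),
}
ALERT_THRESHOLD = 5  # assumption


def score(fired):
    """Return (total weight, sorted list of critical rules) for a set of fired sensors."""
    unknown = set(fired) - RULES.keys()
    if unknown:
        raise ValueError(f"unknown sensors: {sorted(unknown)}")
    total = sum(RULES[name].weight for name in fired)
    critical = sorted(name for name in fired if RULES[name].critical)
    return total, critical


def verdict(fired):
    """'block' on any critical sensor, 'alert' when the summed score reaches
    the threshold, otherwise 'allow'."""
    total, critical = score(fired)
    if critical:
        return "block"
    if total >= ALERT_THRESHOLD:
        return "alert"
    return "allow"


if __name__ == "__main__":
    print(verdict({"packed", "requires_admin", "startup_entry", "system_settings"}))  # alert
    print(verdict({"system_settings"}))                                               # allow
    print(verdict({"disables_av"}))                                                   # block
```

The point of separating `critical` from the summed score is the "enough specific rules" clause: a behaviour that is almost never legitimate should not have to wait for other sensors to push the total over the threshold.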

I don't like a BB on my host (for example ThreatFire): lots of FPs, big resource usage, etc. :-\

IMO cloud whitelisting (but not based on digital signatures, because that is too easy to bypass) + a default-deny architecture is a very good thing to avoid infection :-TU

In v5 did Comodo remove the ability to NOT trust digital signatures in the list? At least I do not see a checkbox like in previous versions, such as "trust files signed by trusted vendors".
And the list of trusted signatures is bound to the Cloud. Alas, maybe. Because if we want to disable automatic filling of the list of trusted vendors, we are forced to give up the Cloud with all its other (useful) features :-\

One simple way to prevent problems with stolen signatures is that, instead of using a trusted vendors list based on signatures, Comodo should include a list of safe files based on SHA. For Windows files Comodo should use SHA-256, and it should include a list of all known Windows files in the original download. Then it should cache all the files so they are not scanned over and over, only when they change. In the cloud lookup it should use SHA-1 because it is faster than SHA-256 and still secure. This will make the whitelist much more secure and we will not have to worry about stolen certificates.

But… Even cached, won't the file need to be hashed with SHA-256 to compare it with the cached information? Won't it be time-consuming and prohibitive?
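The caching scheme proposed above, and the re-hashing concern raised in the reply, as an added example (not CIS code and not from any poster). The cache stores each file's SHA-256 next to a cheap fingerprint taken from `stat()` (size, modification time, inode), so an unchanged file costs one `stat()` rather than a full read; only a changed fingerprint triggers a rehash. The file contents and the whitelist entry are constructed for the demo; the example uses SHA-256 throughout, since practical SHA-1 collisions have been demonstrated.

```python
"""Metadata-keyed SHA-256 cache in front of a hash whitelist (added example)."""
import hashlib
import os
import tempfile


class HashCache:
    """Remembers the SHA-256 of each path together with a cheap fingerprint
    (size, mtime_ns, inode). A lookup only re-reads the file when the
    fingerprint changed.

    Caveat: the fingerprint is a heuristic. An attacker who can write the file
    can also keep its size and reset its mtime (os.utime), so the cache must
    live where untrusted code cannot tamper with it, and a periodic full
    re-verification is still worthwhile."""

    def __init__(self):
        self._entries = {}   # path -> (fingerprint, sha256 hex)
        self.hash_calls = 0  # how many times a file was actually read and hashed

    @staticmethod
    def _fingerprint(path):
        st = os.stat(path)
        return (st.st_size, st.st_mtime_ns, st.st_ino)

    def sha256(self, path):
        fp = self._fingerprint(path)
        cached = self._entries.get(path)
        if cached is not None and cached[0] == fp:
            return cached[1]            # unchanged since last hash: no file read
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
        self.hash_calls += 1
        digest = h.hexdigest()
        self._entries[path] = (fp, digest)
        return digest


def demo():
    """Constructed scenario: one 'known good' file, looked up twice (one read),
    then modified in place (second read, and no longer whitelisted)."""
    known_good = b"MZ\x90\x00 constructed benign build 1.0"   # constructed content
    whitelist = {hashlib.sha256(known_good).hexdigest()}      # constructed whitelist
    cache = HashCache()
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "tool.exe")
        with open(path, "wb") as f:
            f.write(known_good)
        first = cache.sha256(path)
        again = cache.sha256(path)              # served from the cache
        calls_after_repeat = cache.hash_calls
        with open(path, "ab") as f:             # size changes, so the fingerprint changes
            f.write(b" + injected payload")
        changed = cache.sha256(path)
        return {
            "first": first,
            "again": again,
            "changed": changed,
            "calls_after_repeat": calls_after_repeat,
            "calls_after_change": cache.hash_calls,
            "first_whitelisted": first in whitelist,
            "changed_whitelisted": changed in whitelist,
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

So the answer to the question is: the file is not re-hashed on every check; it is re-hashed when its metadata says it changed, and the per-check cost is a `stat()` plus a dictionary lookup.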

Generally agree :-TU. Ability to use a whitelist based on hash sum(s) only.

It isn't that slow to hash with SHA-1.
http://www.cryptopp.com/benchmarks.html

Can Comodo control all such cases (make sure that all the relevant certificates are revoked in time)?

If not, please return the ability to switch off trusting digital signatures under the Defense+ settings, and without affecting other useful features of the Cloud (e.g. trusting files by hash sum(s)).

How about update programs? And the analysts will go crazy. Getting rid of the digital signature completely will not work with this architecture. We need to remove the weak point: if there were a web shield, then it could track where the signed file came from.

ADD: In the future this can be improved into such a scheme: the signed file came from a range of addresses, or a domain, assigned to it (some dude; Melih called him Lord DACS :D); for safety, check this file again, and after all this the checksum is sent into the cloud; part of the whitelist will be created automatically.

Alex

You are right.
But ability is not the same as the only choice. Ability to refuse to trust files by digital signature. In v3/v4 there was such an ability, IIRC (a Defense+ option which could disable trusted digital signatures).

Sounds like something to wish for in the Wish list board. I would be in favour of having choice.

I would also favour being able to uncheck individual vendors (not remove them).

+1
That's what I mean.

It is still not clear to me whether CIS checks the validity of certificates and can detect a revoked certificate as soon as possible, or whether it just checks that the file is digitally signed by a trusted vendor.

+1 on this

From what I saw in the videos, it just checks whether the file is digitally signed.
Correct me if I'm wrong.

Any comments from Devs on the issue?

IMO, the best solutions are the suggested below

We all want the option to trust the trusted vendors locally, with an option to check/uncheck each vendor. This is the best solution for the users!
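The policy the last few posts are asking for, as an added example (not CIS code and not from any poster): a default-deny decision that combines a hash whitelist, the old global "trust files signed by trusted vendors" switch, a per-vendor checkbox, and a revocation check, which is the open question from the earlier post about whether a revoked certificate is detected or only the presence of a signature. Vendor names, serial numbers, digests and dates are all invented; the revocation set stands in for data a real product would have to fetch from a CRL or OCSP responder, which this example does not do.

```python
"""Default-deny trust decision with hash whitelist, signature-trust switch,
per-vendor checkboxes and a revocation list (added example, not CIS code)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Signature:
    vendor: str            # subject of the signing certificate
    cert_serial: str       # serial number of the signing certificate
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class FileInfo:
    path: str
    sha256: str
    signature: Optional[Signature] = None   # None = unsigned


@dataclass
class TrustPolicy:
    hash_whitelist: Set[str] = field(default_factory=set)
    vendor_enabled: Dict[str, bool] = field(default_factory=dict)  # per-vendor checkbox
    revoked_serials: Set[str] = field(default_factory=set)         # assumed fed from CRL/OCSP elsewhere
    trust_signatures: bool = True   # global "trust files signed by trusted vendors" switch

    def decide(self, f: FileInfo, now: datetime) -> Tuple[str, str]:
        """Return ('allow' | 'deny', reason). Anything not positively trusted is
        denied; a hash match wins regardless of the signature settings."""
        if f.sha256 in self.hash_whitelist:
            return "allow", "hash whitelisted"
        sig = f.signature
        if sig is None:
            return "deny", "unsigned and not whitelisted"
        if not self.trust_signatures:
            return "deny", "signature trust disabled"
        if not self.vendor_enabled.get(sig.vendor, False):
            return "deny", f"vendor {sig.vendor!r} unchecked or unknown"
        if sig.cert_serial in self.revoked_serials:
            return "deny", "signing certificate revoked"
        # Simplification: a countersigned (timestamped) Authenticode signature
        # stays valid after the certificate expires; this toy check ignores that.
        if not (sig.not_before <= now <= sig.not_after):
            return "deny", "signing certificate outside its validity period"
        return "allow", f"signed by enabled vendor {sig.vendor!r}"


def demo() -> Dict[str, str]:
    """Constructed cases covering each branch of the policy."""
    now = datetime(2010, 9, 1, tzinfo=timezone.utc)
    valid = (datetime(2009, 1, 1, tzinfo=timezone.utc),
             datetime(2011, 1, 1, tzinfo=timezone.utc))
    policy = TrustPolicy(
        hash_whitelist={"0" * 64},                               # constructed digest
        vendor_enabled={"ExampleVendor": True, "DisabledVendor": False},
        revoked_serials={"SERIAL-STOLEN"},                       # constructed revocation entry
    )
    cases = {
        "whitelisted_unsigned": FileInfo("a.exe", "0" * 64),
        "unsigned_unknown":     FileInfo("b.exe", "1" * 64),
        "good_signature":       FileInfo("c.exe", "2" * 64, Signature("ExampleVendor", "SERIAL-OK", *valid)),
        "stolen_revoked":       FileInfo("d.exe", "3" * 64, Signature("ExampleVendor", "SERIAL-STOLEN", *valid)),
        "vendor_unchecked":     FileInfo("e.exe", "4" * 64, Signature("DisabledVendor", "SERIAL-OK2", *valid)),
    }
    results = {name: policy.decide(f, now)[0] for name, f in cases.items()}
    policy.trust_signatures = False   # the switch the posters want back
    results["good_signature_trust_off"] = policy.decide(cases["good_signature"], now)[0]
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The "stolen_revoked" case is the one the thread is about: a file carrying a genuine signature from an enabled vendor is still denied once that certificate's serial shows up in the revocation data, which only works if the revocation data is actually fetched and kept current.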

Note.
The files which can be seen in the video were not digitally signed, I think.
I did not see a "Digital signatures" tab in the properties of the malware files.

How is this "best solution" going to help protect against infections: disable all certificates and drown in alerts? How many of them would you personally leave activated if this option were integrated?

Alex