Query about new D+ Behaviour[EXPLAINED]

Using XP Pro Sp3. (Been using comodo since 2.4 (:WAV)) Currently 3.8 Proactive security.

  1. Installed CIS 3.8 with AV,D+ & Firewall.
  2. Set PC to Clean PC Mode.
  3. Start IE. No popups (cause i believe it auto-learns which is fine).
  4. Checked D+ ‘Computer Security Policy’ and i saw what you see in the screenshot, that is ALL setting are set to allow except protected registry and files/folders.

Now my query is, previously, i.e. up to 3.5 this wasn’t what happened. Till 3.5 all options would not be auto ticked, it would be selective learning or explicit user approval. The current behavior makes me wonder what would happen in a scenario where i went to a malicious site (using IE) and someone exploited IE to execute a remote code. (NOT a drive by download - no executable no exe or com etc), but a JavaScript / Active X single line instruction which ran a .sys (ie system driver file). OR the code terminated some other process (coz thats allowed by default too now).

Would / Could D+ Prevent that with this setting which is allowed??? And what kind of popup would receive.

Of course this is pre-contingent on IE having a particular vulnerability which allows remote code execution. AFAIK this is true for firefox also - Security Advisories for Firefox 3.0 — Mozilla check for 3.0.2 Crash and remote code execution via proto tampering grin)
(i dont wanna go into browsers and all that , i am just worried about D+ Settings)

I find this new behavior(setting all to allow) alarming.

Of course, if i did something wrong PLEASE correct me so i can happily stop worrying about this!!! (:TNG)

ps. to the producers - i cant believe this a product like cis is free… seriously. its criminal. :slight_smile:

[attachment deleted by admin]

I don’t like this either. I hope they make it optional ASAP. I think they are trying to reduce pop-ups but I would rather be more in control.

Yeah. Glad i got someone else on board. :slight_smile:

You know i never got any pops with any CIS Version. Why? I used to put it on Training for 2 days. grin. It would learn whatever I did and not make up its own rules. But this is kinda scary. Unless i am doing something wrong.

I can run any process in the system a/c using a single command line. Can you imagine if firefox/IE has a bug which is exploited to load a .sys into memory or a .vxd or a process terminated through IE … (:NRD)

And you didn’t find putting it in training for two days a little scary?? :o

That means anything and everything that tried to run in those two days was allowed to do anything it wanted…

You would get alerts about IE (or similar) trying to run (execute) the sys or if it somehow tries to terminate something there is no way to do that without calling some dll files, witch you would be alerted about and you would be alerted about the termination attempt and if you want to allow it. Iam not completely sure exactly the alerts but JAVA script or Active X AFAIK is not able to do those stuff you describe at its own usually they tries to BO the browser or such to trick you into downloading and running some application that is more powerful as JAVASCRIPT in particular is a very weak programming language and not something supported by anything except the browser. They usually need to install something to harm you, since after you close the browser the “threat” will be gone unless they leave something… And if they tries to install anything, CIS will pop…


security’s not about apps its about being sensible.

i use the same apps all the time, excel, metastock, firefox so d+ learns and then its over. i dont install/uninstall programs all the time.

ps. two days might have been an exageration. a day is probably good enough. D+ is a quick learner grin

To Monkey_Boy=
“You would get alerts about IE (or similar) trying to run (execute) the sys o…” now we are talking.

if the code tries to run the sys then of course it’ll popup but if tries a 'device driver installaton" it wouldnt right coz the check box is ticked. this is what i am worried about, what will the remote code be treated as. ??

i dont wanna go into details but activex can absolutely mess up your pc is the website so decides. for javscript(yes its weak) the browser itself needs to have a vulnerability. i dont wanna go into this… its not the browsers behaviour i am worried about but d+ response.

eg. you goto a website. remote code execuation in simple terms body onload=malware.sys … what then… is it treated as device driver installation or a run app. thats my query.

thanks for answering.

about process termination, i think you are right. on its own without an executable its probably impossible.

What? If I put Defense+ into training mode does it change process access rights to allow all? That’s not sound as training mode, but as allow all mode. :THNK

at [slangen] :

I never seen or heard about a malware of some sort that can bypass D+ without “any” alert what so ever.
And I think if you are in proactive and has D+ to safe mode or custom you will receive popups as fast as this tries to do any of the stuff D+ checks, like opening a file, starting a file, edit the memory, write anything to your disk… And so on, you will receive a popup, Iam not to into sys files, but D+ should intercept this.

D+ pretty much covers all ways for a malware to install itself or do harm and AFAIK nothing bad passes it in safe or custom with proactive on…

Malware.sys will be treated as a new independent file from IE, and as fast as it does anything that D+ checks for you get popups. Body on load would save the file to your comp and you will absolutely be alerted and this is a driveby download thing. If you are in training mode, Iam not sure it will be intercepted… And advice you to go with safe mode!



thanks. thumbs up

ps. D+ is one crazy souped up engine. I could never understand why people wanna pay for stuff when this is available free… grin

not necessarily on training but in clean-pc mode too WHEN it trusts the app (ie either through trusted publisher or through its whitelist. Most of my apps got setup like this in either of those mode. only in safe/paranoid does it popup (like mad). … but this is ok. i always wanted something like this. when its trusted its trusted.I dont wanna be poped that excel was doing something, of course it is… ‘wth’… was only worried about IE, Firerfox … Internet Facing Apps coz crazy stuff can happen to them(assuming they have an exploit. which most of the time they dont). smile.

but the explanation given seems satisfactory so i’ll go with that. of course the real test is live malware (which, sadly i’ll never encounter…) and no i dont believe in d/l malware and testing it. its like your biggest defense (common sensibility-no app can protect you without it) is not working, plus its a waste of time. . grin.

thanks again.

Then perhaps I misunderstand. What is training mode for?

Doesn’t it basically allow anything on the safe list free reign of your system? Anything that wants access gets a policy created for it and it gets to do what it wants. Isn’t this what it does?

I don’t know about you, but I have some applications that are on the safe list that I prefer to allow them access when I want them to have access. I would much prefer them to ask me in the first place, then to have them given access automatically while in training, that I then have to go through my security policies to retract said access…

Have I misunderstood what training actually does?

Well till v.3.5 it would create policies based on specific actions. For Eg. Metastock Loaded stocks.sys . so it you would see that rule being created and present in the device driver installation. Itwould still be ASK but in more it would name this sys file as allowed.

But Now, with 3.8 the minute metastock loads stocks.sys or access explorer through inter-process memory d+ puts a ALLOW ALL on all items except protected registry/files folders. (this is fine for most of my apps)

so training mode along with some other stuff becomes redundant. d+ wont ask you about a lot of things once you allow something (in clean-pc/training mode). This is NOT true for safe, where it pops-up.

They’ve changed the way d+ operates to integrate it more with their anti-virus. problem is d+ is their killerapp but everyone knows that users want some ‘anti-virus’ on their machines, HIPS, IDS, IPS they dont understand… hence the new company direction. so d+ will take a slight backseat to anti-virus dev. - these are my thoughts. i am clueless about corporate policy etc etc… take this like a rant. grin.

ps. ive been posting a lot… but i think this is a tricky issue…and i am sure a lot of users havent paid attention this change. i know a few have.

Training mode should be a learning with application mode, not ALLOW ALMOST EVERYTHING MODE based on the whitelist. Even in Safe mode my apps can do almost everything. I don’t want my apps doing recursive DNS, but now they do, without my consentiment. That’s frustrating!

Yes, I agree… That’s why I was surprised that the poster I was commenting to left it in training mode for two days!

Most people are experienced user here, so you know what to do with those pop-ups from CIS.
However, I’m helping some casual computer users install firewalls. They just do not know how to deal with those pop-ups. Besides, I’m not comfortable to use “Clean PC” mode except for a new computer. It is helpful that trusted programs or softwares from trusted vendor are allowed to do most of the things in D+. It really help me PRE-CONFIGURE CIS for those casual users.

I think the current D+ approach for trusted programs and white list is quite reasonable and suitable for most users.

If you think a program should be monitored and CIS should ask a user before a program proceed to do anything, the program should not be trusted or put in the white list.