Usually I browse the forums here without posting, reading through the threads, but finally I decided to post a question.
I want to know how the proactive defense module works.
Let us say I run an exe on the computer. It is first run in the emulator in Comodo to check its behavior. Depending on the outcome of the monitoring in the emulator, if it is not seen to do anything suspicious, it is allowed to run in the system. Once the exe is allowed to run in the system after its successful stint in the emulator, it is not monitored further.
Does the proactive defense module work this way?
Or, when I run an exe, is it monitored in REAL TIME while it is running in the system, and the moment it tries to do anything suspicious (e.g. deleting a system file), is its execution halted and the user alerted?
Please share your knowledge to clear up my confusion.
Seems like what you mentioned is the Behavior Blocker's (BB) operation. BB will only be available in CIS v4. Seems like Defense+ of CIS v3 never behaves like BB.
Almost right, except that Defense+ does not care whether an executable's behavior is suspicious or not. D+ fires up an alert when an executable tries to access a protected unit of the operating system (which is guarded by D+). Such a "unit" can be: access to the disk for direct I/O, certain registry keys, executable files (to prevent their unauthorized modification), etc.
It is a so-called whitelist approach: if an executable is unknown, then whatever it attempts to do with a protected unit won't ever be allowed by D+ based on its own independent analysis (whether the executable or the activity is suspicious or not), only by the user (by answering "allow" to alerts). So it is always the user who makes the decisions, and never D+.
So no matter what application it is, any attempt to do stuff to the crucial components of the OS would be halted and prompted against, unless it is in the "whitelist".
So how is this whitelist created? Is it ONLY based on the database, or is the exe run inside an emulator on its first execution and, depending on the behavior noticed in the emulator, placed in the whitelist if all goes well?
This trusts any file which is signed by one of these signatures.
CIS is based on “default deny”. That means it will automatically block unless you allow.
Some important rules/permissions are default, and the rest come from alerts and when D+ is training.
Hmm… I wasn't sure about that. I suppose that is in the AV part of CIS, because usually the firewall and D+ components let you customize everything… but, of course, you can't edit the AV blacklist/whitelist. You can only exclude and send requests to Comodo.
[b]Application Recognition Database (Extensive and proprietary application safe list)[/b]
The Firewall includes an extensive white-list of safe executables called the 'Comodo Safe-List Database'. This database checks the integrity of every executable, and the Firewall will alert you of potentially damaging applications before they are installed. This level of protection is new because traditionally firewalls only detect harmful applications from a blacklist of known malware, often missing new forms of malware such as might be launched in day-zero attacks.
The Firewall is continually updated and currently over 1,000,000 applications are in Comodo Safe list, representing virtually one of the largest safe lists within the security industry.
I run CIS without AV (which is not installed). The "My own safe files" list does not contain "services.exe" from the \system32 folder, and services.exe is not signed (by Microsoft or anyone else).
When an alert for services.exe is triggered it reads "services.exe is safe". Or the alert is not triggered and the activity of services.exe is auto-learnt by Defense+. I don't have any explanation for this except that there is a "global" whitelist which is not customizable by the user and is not tied to Comodo's AV only.
But the most interesting thing: it seems like the global safelist (or Application Recognition Database, whatever) is remote (on Comodo's servers) OR is downloaded/updated from Comodo's servers from time to time:
(Chernyakov is one of the CIS programmers, if I'm right)
Interesting. In reading the help file (what I do in my spare time :P) I found this:
[b]Image Execution Control Settings[/b]
Image Execution Control is an integral part of the Defense+ engine. If your Defense+ Security Level is set to ‘Train with Safe Mode’ or ‘Clean PC Mode’, then it is responsible for authenticating every executable image that is loaded into the memory.
Comodo Internet Security calculates the hash of an executable at the point it attempts to load into memory. It then compares this hash with the list of known/recognized applications that are on the Comodo safe list. If the hash matches the one on record for the executable, then the application is safe. If no matching hash is found on the safelist, then the executable is ‘unrecognized’ and you will receive an alert.
This area allows you to quickly determine how proactive the monitor should be and which types of files it should check.
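As an added illustration of the check the help text above describes (this is not Comodo's code and not from any poster in the thread), here is a small Python model of hash-based image execution control with a default-deny fallback. It assumes SHA-256 as the hash (the help file does not say which algorithm is used), uses in-memory byte strings as stand-ins for executable images, and the sample "images" and paths are constructed for the example. The point it shows that the prose alone does not: the decision keys on the hash, not the file name, so a modified copy of a known-good executable at the same path is treated as unrecognized, and an unknown image only becomes "safe" once the user answers "allow" to its alert.

```python
"""Model of hash-based image execution control (added example, not Comodo's code).

Assumptions (not stated by the quoted help file):
  * the safelist stores SHA-256 digests of whole executable images;
  * a user's "allow" answer records the image hash in "My own safe files".
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

# Constructed sample executable images. In the real product the bytes would be
# read from disk at the moment the image is loaded into memory.
KNOWN_GOOD_IMAGE = b"MZ\x90\x00" + b"constructed notepad.exe image"
MODIFIED_IMAGE = KNOWN_GOOD_IMAGE + b"\x00patched by someone"   # same name, new bytes
UNKNOWN_IMAGE = b"MZ\x90\x00" + b"constructed setup.exe nobody has seen"


def image_hash(image: bytes) -> str:
    """Digest of the whole image; the safelist is keyed on this, not on the path."""
    return hashlib.sha256(image).hexdigest()


@dataclass
class ImageExecutionControl:
    vendor_safelist: set[str]                        # global, not user-editable
    user_safe_files: set[str] = field(default_factory=set)   # "My own safe files"
    alerts: list[str] = field(default_factory=list)  # what the user would be shown

    def check(self, path: str, image: bytes, user_answers_allow: bool = False) -> str:
        """Return the verdict for one image load.

        "safe"            hash is on the vendor safelist
        "safe (user)"     hash was previously allowed by the user
        "allowed by user" unrecognized, alert raised, user answered allow
        "blocked"         unrecognized, alert raised, user did not allow (default deny)
        """
        digest = image_hash(image)
        if digest in self.vendor_safelist:
            return "safe"
        if digest in self.user_safe_files:
            return "safe (user)"

        # No matching hash: the engine never decides on its own that the image
        # is fine; it alerts and leaves the decision to the user.
        self.alerts.append(f"{path}: unrecognized image, sha256={digest[:16]}...")
        if user_answers_allow:
            self.user_safe_files.add(digest)
            return "allowed by user"
        return "blocked"


def demo() -> list[str]:
    """Run the scenarios from the thread and return the verdicts in order."""
    iec = ImageExecutionControl(vendor_safelist={image_hash(KNOWN_GOOD_IMAGE)})
    return [
        iec.check(r"C:\Windows\notepad.exe", KNOWN_GOOD_IMAGE),                # safe
        iec.check(r"C:\Windows\notepad.exe", MODIFIED_IMAGE),                  # blocked: same path, different hash
        iec.check(r"C:\Temp\setup.exe", UNKNOWN_IMAGE),                        # blocked: never seen
        iec.check(r"C:\Temp\setup.exe", UNKNOWN_IMAGE, user_answers_allow=True),  # allowed by user
        iec.check(r"C:\Temp\setup.exe", UNKNOWN_IMAGE),                        # safe (user): learnt
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Note that nothing here looks at what the image does once it runs; as the earlier replies say, that is a behavior blocker's job, and the only thing this check decides is whether a given image is on a safe list at load time.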