Security Posture - Which ideal security posture you would like for protection?

So this is really a ‘third way’…

Default Deny means everything must be permitted, nothing is allowed by default
Default Allow means misbehaving programs must be blacklisted, everything is allowed by default
Auto Sandboxing means everything is allowed but misbehaving programs (whether known or unknown) can’t do any harm.

This Third Way is what makes CIS the perfect solution…

That sounds really great… except, depending on execution, it may not be much better than what we have now. I mean it would certainly be great to get the good \ bad result in 45 second - 2 hours time instead of (currently) half a year or longer, but what will CIS do after that?

Consider those scenarios:

  1. User launches an unknown game from D:\games folder… since the executable is unknown to CIS, it is launched in the sandbox. After let’s say… 10 minutes, CIS decides that the game executable is safe. Meanwhile, user plays the games for an hour, saving periodically, then exits the game. On the next day, user starts the game (now considered safe \ trusted) again.
    Question 1: Will the user loose his saves?
    Question 1b: Will the user loose his saves is sandbox was reset sometime before he started the game the second time?
    I know Game saves may not be much of the deal to some of you, but what about saved documents, photos, etc in the same scenario?

  2. User launches an unknown unsigned installer. Default action (as suggested by CIS) would be install in sandbox. User does so, installing to C:\Program files (from the installer’s point of view). Program does not create a desktop icon (or user chooses not to create it), but creates an entry in programs menu (start - all programs).
    Question 1: How does the user finds and launches an installed in the sandbox program?
    Question 2: Will CIS \ Valkyrie analyze setup file, or files resulted from installation, or both?
    Question 3: What will happen (if anything) when CIS \ Valkyrie detects file(s) as safe?

In other words, the user must re-install the program 45 seconds - 2 hours after the first install (when CIS \ Valkyrie detects it as safe), otherwise he’ll loose it on the next sandbox reset, is that correct?

And if users approve even things that are malicious, but not detected by Comodo, because lets face it, majority of people have no clue what most of stuff even means or what malware is and how it behaves. Or what to be suspected of. In the end you get default allow, just with more annoying popups and potentially even allowing things that would be blocked by a regular AV.

Independence is a good thing. Why would you wish to allow a file supposed to be good, only to find it did something unexpected, like crash your OS the next time you boot up?
Independence is what gives us our multiple layers, each separate and capable of protecting our systems, irregardless of what someone might allow at one point in time.

Hi John,

Great signature :-TU …

Bah! Ban 'em all! The only good member is a banned member And a member is just a policy violator who hasn't been caught yet. >:-D


Does 1 person posting 10,000 times count? ;D

Hi Sheepolina,
If it is unknown a regular AV will allow the malicious activity to run, where as default deny will not unless approved by the user.
If it is known to be malicious a regular AV will block it, but so will a default deny system.
I much prefer the idea of giving the user the option to allow/block an unknown, rather than allowing security software to decide the systems fate.
Even inexperienced users are capable of researching a suspicious activity before allowing it.

Kind regards.

Each system has its own application instances and are in them that failures lie (suites allow everything, or almost everything);
Each system process accesses services and other third-party applications;
Say any software saves documents we write, we edit images … use the application itself rather than using direct access to the explorer (file explorer, display windows).
The erceiros application able to save all documents, since it did not pass or not directly accessed the Explorer system file;
security software for practicality, allow accesso indiscriminate application of the system or trusted applications the entire system … so, for example, can allow the use of unknown applications and malware perform actions that all suites protection modules have not able to block, although it has the security policy “deny by default”;

The first image shows what happens to access an application through the system himself;
The following images should be the default behavior for safe application, unknown unknown malicious or system attempts to access other software which is there for the extension.

I know you’re light years ahead of what I know. Excuse my ignorance

[attachment deleted by admin]

Default pop up?

Default Deny, nothing beats lockdown mode.

So, what about this kind of lock down?

I heard that AppGuard in combo with ReHips should be better, although I use CIS Pro with stricter rules than what the warranty needs.
Downside with it is that strict settings require more maintenance, so not recommended for the masses and besides that, CIS needs better self-protection, their are some exploitable flaws with it’s sand-boxing method.

On a site-note regarding my statement about to much maintenance:
I recently setup a kids computer, couldn’t use Comodo their since it either would lead to many phone calls or clicks to bad stuff going trough regardless.
So had to chose something else to have some sort of descent protection without to much hassle for the kid and me.

Gentlemen, shall we stop the off topic although it’s interesting?

Sorry, you are right, the best place for this kind of talk is the “other security products” section.
I wrote about VooDooShield here because it works according to “Default Deny” policy, which is the topic of this post.

Default Deny platform is sometimes confused with “application control/whitelisting”.
In order to create a default deny posture you would need more than a simple application control system. Application control is only one small part of a Default Deny posture. On its own application control cannot be considered a default deny platform.

Malware can make changes by adding scheduled jobs at startup. Examples of software that do the same procedure uninstallers are trusted or unknown third parties …

Another aspect to deny or allow by default (I believe the correct thing restriction), can be used as an example, it would be the very operating system. At startup (on the PC in energy and …) it works in a way, on reboot (installation programs, for example) works the other …

What I said above is an observation and perhaps erroneous to a layman.

That is why a platform default deny is suggested, since it blocks more than just an unknown application, malware will have a hard time bypassing it, unless there is left a weakness that can be exploited.

Scheduled tasks are protected by the default HIPS protection settings.

Another aspect to deny or allow by default (I believe the correct thing restriction), can be used as an example, it would be the very operating system. At startup (on the PC in energy and ...) it works in a way, on reboot (installation programs, for example) works the other ...

What I said above is an observation and perhaps erroneous to a layman.

The HIPS prevents during normal operation that unknown programs programs can create autostarts. So during reboot or on cold start or when returning from low energy states nothing unknown will start.

Unfortunately there are a lot of people that don’t understand just that and keep paying for security suites that let things slip trough.
Even CIS Premium (FREE as in free beers) set up right slams the door at once, chance that someone runs into a piece of malware that bypasses it’s sandbox is pretty slim, with that in mind I think it’s pretty good spend money to purchase a license with an up to $500 warranty that covers repairs if a Comodo tech doesn’t manage to remove the threat.
Having the whole platform on default deny is of course even more secure but might be a negative thing for new users, since they either won’t understand the concept or be to much into a rush learning about it.

not up certain aspects (not excluisividade CIS).

CIS is as good as the two main competitors paid. Competitors and paid software that has by default deny malware actions and unknown fail to exploit these secure applications. >:-D