The most idiotic test I have ever seen on CIS

Yes, and that is a weakness in KIS: it will never make the right decision 100% of the time. It is better to keep something from working at all and have the person ask for help from someone who knows how to do it than to allow it and infect the computer.

So Johnny's little game that he downloaded, infected with a keylogger, won't work; so be it. At least the computer Daddy pays the bills on is still infection-free and his identity is safe. See where I'm coming from?

buddy: “so, are you ready to use your pc after you installed the operating system?”

user: "no, …one thing is left to do… I have to install GOD."

buddy: "why not set a few things, keep your eyes open and just install a security mechanism?"

Languy99,

Yes, I agree KIS does not make the right decisions 100% of the time.

Now, please understand that at least KIS knows a lot more about computer security than an average/novice user does.

If a novice user is left to make the decisions in the same cases, he would not make the right decision even 50% of the time.

This is all I was talking about…

If, as EricJH said, we stop all the alerts and keep it at Deny All, say Paranoid Mode, then you may say that we are protected by CIS more than by KIS, but this comes at the cost of losing so many legitimate/genuine programs (being stopped by CIS).

AutoSandbox is a great initiative towards simplifying this and filling the gap. Still, I am waiting for it to mature before I suggest that anybody keep it enabled. (It also brings tons of problems along with it.)

Many programs become either half-functioning or malfunctioning, and most users do not notice that the odd behaviour is because the program is running in the sandbox. They simply complain that their system is corrupt and not functioning properly… (As I always mention, I am talking on behalf of novice users, who do not understand what a sandbox is and how it works…)

So, presently it only complicates the situation further; that is why I do not encourage most of my friends to enable the sandbox at all, especially those who cannot follow on-screen instructions.

You know, most people here who use Photoshop just know how to use Photoshop; they do not know a single bit extra. If Photoshop does not work, or the system gives some other error message for any reason, they simply complain that the system is corrupted.

I know they have to learn a lot and mature, but my experience in life always tells me: if I want to change 100 people, I am not supposed to ask/command all those 100 people to come to me; instead I go to them and meet them right where they are. If I can reach them first, impress them and influence them, then they will surely follow me wherever I take them.

Some people are too afraid of listening and learning, because they are afraid of realizing that they don't know some things. But at the same moment they think they would know: "it's too much for a normal person!"
Mostly it's self-suggestion.
It's the same illusion which follows then: "the computer has run fine until now, so it's fine…"

I would most certainly not use Paranoid Mode with parental controls set like I described, but Safe Mode.

With CIS, unknown programs would run in the sandbox. Most programs would work, but not all. Like with KIS, people will then go to a technician for help when one of the programs is not working.

@EricJH,
I do agree with you regarding using "Safe Mode" in D+.

Regarding the requirement for a technician: if it comes to 10 out of 100 programs with KIS, it comes to 50 out of 100 with CIS.

Since, presently, as far as I've tested, if I use 100 legit programs which are non-certified (local software/portable apps), the CIS sandbox/D+ combo presently stops all of them if the sandbox is disabled; with auto-sandboxing it runs all of them, but only 10 out of 100 will work. The rest simply malfunction.

@clockwork,
You can start trying to help and fix problems for some of your neighbours and friends; you will then have a chance to understand things from others' perspective too. Never be so sure that everybody is like you.

For a user, it does not matter if a PC is infected or not; it only matters if it is working or not and doing what it is expected to do or not.

Learn to differentiate between a user and administrator.

Besides, I am tired of advocating the same issue again and again in many different posts throughout this forum, many times. For me, it is simply an attitude difference. You have your view, and I have mine. I would not want to argue any further, unless we have some constructive idea. (Pure argument leads nowhere if we are not ready to share ideas and not ready to improve ourselves with them.)

Regarding KIS, I just used it as an example, so I do not want to advocate for KIS here either.

Looking forward to a new version, which would probably be more user-friendly and gain more users…

Whether CIS or KIS or any other, as they say nothing is 100%, so the user is bound to get infected at some time: with default-allow, the software allows the things, and with default-deny, the users allow the things. So infection is possible with both methodologies, but at least with default-allow (by default-allow here I mean an automated HIPS with some kind of heuristics/advanced heuristics/reputation service or whatever analyzer) legit apps will run fine.

And as I believe, malware exists in infinite numbers but infection is a rare thing. So I think CIS should either have modes like Easy Mode (automated) & Expert Mode (popup), or Default (automated) with experts always able to change the option in the settings. But I think the first option would be good. In this way both average users & experts will get what they want. And come on, an automated thing will not decrease CIS security from 100% to 0. Yes, a little security will be reduced, but I would say that with all the layers CIS would still be not just good but excellent security for average users.

Thanks,
Naren

What I wrote has been fed by experiences with others :wink:.
For example, saying "hey, there's an update", and then seeing on the forehead of another person a "skinfold" of being annoyed, and then you hear: "leave it like it is."
If I had thought people are like me, I wouldn't have written what I did :smiley:

And when there is no administrator for a computer, the user is the "administrator".

For a user it's important that the PC is not infected, even if he is not aware of it.

Thank you for your findings. That is interesting. If you have some spare time left, please submit them to the Submit Applications Here To Be Whitelisted - 2011 topic.

You can start trying to help and fix problems for some of your neighbours and friends; you will then have a chance to understand things from others' perspective too. Never be so sure that everybody is like you.

For a user, it does not matter if a PC is infected or not; it only matters if it is working or not and doing what it is expected to do or not.

Learn to differentiate between a user and administrator.

Besides, I am tired of advocating the same issue again and again in many different posts throughout this forum, many times. For me, it is simply an attitude difference. You have your view, and I have mine. I would not want to argue any further, unless we have some constructive idea. (Pure argument leads nowhere if we are not ready to share ideas and not ready to improve ourselves with them.)

Regarding KIS, I just used it as an example, so I do not want to advocate for KIS here either.

I like your clear description of how deployment of CIS works in practice. It is clear that the whitelist needs to grow.

Looking forward to a new version, which would probably be more user-friendly and gain more users…
Expect virtualisation for the automatic sandboxing in v6.

Thanks Eric.

Looking forward to v6.

I have a habit of submitting samples that I encounter immediately (both malware and false positives), so I have already submitted almost all of them.

The problem with most portable applications and open source applications is that they are not always digitally signed. With every update the program changes again, therefore it will not be in the whitelist. Mozilla Firefox Nightly builds, for example: every week we have a new Nightly release, and it gets sandboxed. (I have set D+ to Restricted, so it won't connect to the internet.) I have to make it trusted to make it work.

This is a minor problem with the architecture of CIS (I call it a problem because it reduces functionality; I call it minor because we can always fix it with some workaround). I do not say that just because of these little glitches CIS as a whole is a failure. I find CIS the ultimate security suite in most ways. What I am trying to say is that if we can overcome such minor irritating issues, we can reach many more people than we currently do.

I know there is no immediate solution. I am also thinking of possible solutions, and have posted some of my ideas in different relevant forum topics.

Again, thanks for the concern, and I hope for a lot from CIS 6.
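The post above describes why a hash-keyed trust list does not survive updates of unsigned software: every new build is a different file, so it is unknown again and gets sandboxed until the user marks it trusted. The following is an added example, not Comodo's code and not something from this thread, that models that behaviour with a SHA-256 allowlist over constructed stand-in "binaries" (the byte strings, file names and the weekly "nightly update" are all made up for the demo). Publisher-signature trust, which is what lets signed software survive updates, is deliberately not modelled here because the post is about unsigned builds.

```python
import hashlib
from typing import Dict

# Constructed stand-ins for executable contents; a real tool would read the
# files from disk. The names and bytes are invented for this example.
BINARIES_V1: Dict[str, bytes] = {
    "firefox-nightly.exe": b"MZ\x90\x00 nightly build 2011-10-01",
    "portable-editor.exe": b"MZ\x90\x00 editor 1.0",
}

# The weekly Nightly release: same file name, different bytes. Also a brand
# new portable app the user has never vetted.
BINARIES_V2: Dict[str, bytes] = {
    "firefox-nightly.exe": b"MZ\x90\x00 nightly build 2011-10-08",
    "portable-editor.exe": b"MZ\x90\x00 editor 1.0",
    "new-tool.exe": b"MZ\x90\x00 tool 0.1",
}


def sha256_hex(data: bytes) -> str:
    """Content hash used as the allowlist key (no signature is available)."""
    return hashlib.sha256(data).hexdigest()


def build_allowlist(binaries: Dict[str, bytes]) -> Dict[str, str]:
    """Record the hash of each binary the user has vetted and marked trusted."""
    return {name: sha256_hex(data) for name, data in binaries.items()}


def classify(binaries: Dict[str, bytes], allowlist: Dict[str, str]) -> Dict[str, str]:
    """Decide per binary what a hash-keyed trust check would do.

    'trusted'  -> runs unrestricted
    'changed'  -> same name, different bytes: treated as unknown, sandboxed
    'unknown'  -> never seen: sandboxed
    """
    verdicts = {}
    for name, data in binaries.items():
        digest = sha256_hex(data)
        if name not in allowlist:
            verdicts[name] = "unknown"
        elif allowlist[name] == digest:
            verdicts[name] = "trusted"
        else:
            verdicts[name] = "changed"
    return verdicts


def retrust(allowlist: Dict[str, str], name: str, data: bytes) -> Dict[str, str]:
    """What the user does by hand after each update: mark the new build trusted."""
    updated = dict(allowlist)
    updated[name] = sha256_hex(data)
    return updated


def demo() -> Dict[str, str]:
    """Run the week-one / week-two scenario and return the week-two verdicts."""
    allowlist = build_allowlist(BINARIES_V1)
    return classify(BINARIES_V2, allowlist)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Running it shows the unchanged editor still trusted while the updated Nightly build and the new tool both fall back to the sandbox; calling `retrust` for the new Nightly bytes is the manual step the post complains about having to repeat every week.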

Expect exciting things in version 6 :wink:

And again… CIS bypassed?? It's very easy if you turn off the AV and the sandbox and you don't follow D+ suggestions…

;D

The AV was disabled to show how CIS would handle this file when it is very new and undetected.

About the sandbox… It seems that you don't know something.
Defense+ has the same blocking capabilities as the sandbox at the Untrusted level. It was disabled to show alerts.

I allowed the files to run (wow, should I have blocked them?? It wouldn't be any test then) and then I blocked every alert which popped up.

Now I'm working on fixes, and I have a few proposals.

So are you, Morphiusz?? ;D
Sorry, but in my opinion if you test an IS suite, you should test the complete suite… if you turn off some security layers then you are not testing CIS, but only D+… and that's OK with me… so maybe I'm wrong, but if you use the sandbox, run the infected file, and then reboot… the infection should not be active yet… right??

OK, maybe I should change the title, because you're right, it's a HIPS test only.

Comodo has 2 sandboxes:

  • automatic, which only gives limited privileges to the files (I disabled it, because D+ is exactly the same, but the user decides what to block/allow; I blocked everything).
  • manual, which works as you described (it would prevent gpcode and blackday, but by default, after running, the file gets sandboxed by the automatic sandbox without virtualization).

I saw this video too. When the user allows an infection to run (as the person in this video did), then it is not a bypass of CIS. I do not understand the point of the video.

However, I have to say that the alert he received appeared rather benign, and it may have been allowed by a novice or newbie. This was the point I was making with this post: some CIS alerts should be more forceful and clear in their warning to the user.

Actually there was a little misunderstanding… :wink:
OK… so the main aim is to have the automatic sandbox working like Sandboxie (my favourite virtualization software)… I don't think it is so difficult for the devs to do… and it should be available in V6 as far as I know.

[quote]I do not understand the point of the video.[/quote]
To show that D+ is vulnerable to the gpcode attack (blackday as well).

So, I should block the alert when I run this file?
If I blocked that, it wouldn't even run.
What is the point of this? The best way would be to set the sandbox to "Blocked".
It would be the same: I couldn't test anything.

See my full-screening malware test as well. It is the same. Even you mentioned it in your CIS 5.8 test.
Then I ask: why do you even run this sample? I could test it with the auto sandbox, but the results would be exactly the same. I want to show how Defense+ reacts (or rather doesn't react).

Yes…

Isn’t that kind of the point?

So, if I blocked all these kinds of alerts, as you see below, I couldn't run many, many legit programs (according to your tips).

From a HIPS I expect that when I run an unknown file it will control all the sensitive areas… As I showed, Comodo doesn't in some cases.

Come on, what is the point of testing a HIPS when it asks me about opening a file and I block it? If I blocked it, it would rather be an anti-exe test.

This is the same sort of test: Gpcode trojan versus HIPS | Wilders Security Forums

You won't say that's stupid. I did the same.
