Threatcast - Option or Permanent Addition to Comodo Firewall

Melih,
Is this planned to stay a free option, or is this yet to be decided?

OD

so far… free…

the way that we decide what should be free and what we should charge for is by simply seeing if it's a

service
or a
product

eg: we don’t mind doing software dev for free
but running a service where we need to set up teams of people to look after the service etc. etc., we need to cover the costs for (even though some services we still run for free, like whitelisting and AV labs creating sigs for AV)…

bottom line is: we want as much free stuff as possible within limits…

Melih

I presume this will be decided on how much the users input towards Threatcast, and how much Comodo has to input for it to run well.
Dennis

Thanks, just curious.

OD

PS

I have not tried it yet, as the only reason I would/will (I am sure I will load the beta eventually) is to help out and just to have some experience with it, so I can answer questions without being in the complete dark. I am a little busy for the next couple of weeks. It might be interesting also to see what others are selecting. I personally prefer to decide for myself on whether or not something is permitted access in/out. I will usually block something 2 or 3 times and see what negative results I get. If I don't notice any bad effects I will block and remember.

One of the main reasons for this is at one point in time with 2.4, after disabling the firewall CPF 2.4 for less than 1 minute, I allowed access to rtvscan.exe from some exterior IP and all of a sudden my PC started trying to connect to 100s of IPs at about 20/second for 30 seconds or so, then I unplugged the cable. I did a Vscan and found a trojan and a bot had gotten in (there was a vulnerability for NAV Corp 10.0 that I had not plugged). Now I only permit communication between the NAV server and the client PCs. I thought RTVScan was a trusted app. It even checked out as the correct signed Symantec version with nothing bound to it and no ADSs attached. You can bind two EXEs without messing up a signature using ADS; not 100% sure if it will kill the signature using a binding program like YAB.

So now I always ask myself, do I really need this to access the web? Most of the time the answer is no. Sometimes this will cause problems in the future, but so far I have been able to work them all out.

After reading all the postings, I think it comes down to this: that maybe TC should really be used by Comodo Security experts in terms of determining a recommendation as to whether one should accept or reject a program.

I personally do not like convoluted pop-up alerts that rather than help me make the right decision make me more confused, and what I would not want is bloatware or features that take additional resources unless that feature provides another beneficial layer.

Like many have said, community based security is as good as the community.

Another suggestion. Rather than go the way of c.b.s., TC should compile info from other trusted security sources, i.e. like Secunia or Matousec. I only use these as examples, but if it would be too cumbersome and/or too costly to maintain the database, compiling info from other known security sources might be more helpful to the user. I certainly would trust a source like these more easily than a community.

Finally, maybe a tab that one could click on that would take the user to a database that would give the user more info about the program he or she was unsure about. So instead of just accept or deny permission, one could click on a Threatcast button that would direct me to a database that would provide more realtime info to help me with my decision.

Again, these are only ideas, but I just want to see Comodo PFW continue to be a cut above the rest, and not become like everybody else's firewall.

Threatcast is way off my preferred feature set, but I guess it would pose an alternative security layer to the official Comodo safelist DB.
Guessing a normal usage pattern, Threatcast should handle the time frame between when a new app is released and when it gets analyzed by Comodo.

A community-driven safelist is still used in many other products, and there are very good derivatives where the community rulesets are evaluated by specialized personnel and certified for security.

A common implementation would be an anonymized submission where only the aggregated data is stored. This way privacy issues are nearly non-existent, but the flexibility will be minimal.
If the results are going to be grouped by reliability, then at least an installation ID has to be stored. This provides much more meaningful results, but it has strong privacy implications.

There was another alternative I've never seen around. Maybe there are some logical flaws I wasn't able to see, or it will simply be difficult to implement, or the chances it will be widely supported are low.

Speaking of this, Secunia already released a piece of software that checks if the existing apps are exploitable (Secunia Personal Software Inspector).
IMHO as we move forward we'll definitely see these many different approaches merge into a holistic framework.

As such, security requires a transversal approach; where now we see many different individual approaches, I wonder what in the end will be.
Will it be one company carrying such a humongous task by itself, or will a cooperative framework solution be developed where many companies are going to strive for end-user security?
If the latter, which company will develop the basis for such a foundation?

Melih:

As to whether this should be free or not… Will Comodo Security Experts be monitoring the alerts made by users (through TC)? Will TC have its own "server" for the database of user alerts?

Also, do you have ideas so that when people accidentally click the wrong button on an alert, or there are idiots out there doing stupid things, you guys would know how to handle this situation and make sure novice users get the right choice?

Will this make TC a “service”, therefore, charging for it?

This should be strongly thought through, IMO. :slight_smile:

Josh.

We will have people monitoring it (Comodo experts), and we are building further protection against database poisoning (accidental or malicious). As to the fee, I hope it will be free! We'll see.

Melih

What about the Comodo safelist? Will it be updated less often, letting many new executables be handled through Threatcast?
If file submission and file analysis are left in place, TC is only going to address executables before they get analyzed by Comodo.
I still prefer that method over TC.
Also, TC requires an active internet connection, while a safelist update requires less frequent connections.
The only thing I miss in the current safelist implementation is an option to block training on a per-application basis. Once a ruleset for a trusted app is considered finalized, there would be no way for an application exploit to cause that app's ruleset to be modified.

Perhaps in the future Comodo could use the ThreatCast information collected about a program (by its hash, not name) to make an automatic determination that a program is good or bad, ala what Prevx does. In an alert, if a given app is not in the Comodo whitelist, CFP could contact Comodo servers and retrieve and display the results of the automated analysis, if enough info has been collected to do an automated analysis. In other words, I’m suggesting to not just display ThreatCast stats about a particular interaction, but also display information about whether the app itself has been determined to be good or bad. I realize that the information currently being sent to Comodo via ThreatCast may not be enough to make such a determination, but perhaps more info about an app’s behavior could be sent to Comodo for analysis in future versions. This info could also assist Comodo staff in the development of the Comodo whitelist, and perhaps a blacklist too. Development of a blacklist could help make Comodo AntiVirusSpyware better too. Prevx currently does this type of analysis.
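The two storage designs raised earlier in the thread (anonymized submissions with only aggregate counters, versus keeping an installation ID so results can be weighted by reliability), the hash-keyed lookup suggested in the post just above, and the database-poisoning concern Melih mentions are easy to see side by side in code. The following is an added illustration, not Comodo or Threatcast code; the store layout, the "one vote per installation" rule, the 5-voter threshold and the sample bytes are all assumptions made for the example.

```python
"""Toy community-reputation store keyed by file hash (added example, not
Comodo/Threatcast code). Shows why an anonymized aggregate store is trivially
poisoned by one client, and what storing an installation ID buys in return
for the privacy cost."""
import hashlib
from collections import defaultdict
from typing import Optional

# Constructed sample "program": lookups are keyed by SHA-256 of the bytes,
# never by file name, so renaming a binary does not change its record.
SAMPLE_PROGRAM = b"MZ\x90\x00 constructed sample executable bytes"


def file_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class AggregateStore:
    """Anonymized mode: only allow/block counters per hash are kept.
    Nothing identifies a submitter, so one client may vote any number of times."""

    def __init__(self) -> None:
        self._counts = defaultdict(lambda: {"allow": 0, "block": 0})

    def submit(self, digest: str, decision: str) -> None:
        assert decision in ("allow", "block")
        self._counts[digest][decision] += 1

    def stats(self, digest: str) -> Optional[dict]:
        c = self._counts.get(digest)
        if c is None:
            return None
        return {"allow": c["allow"], "block": c["block"],
                "voters": c["allow"] + c["block"]}


class PerInstallStore:
    """Installation-ID mode: one vote per (hash, installation); a later vote
    from the same installation replaces its earlier one. This stores a
    per-client identifier (the privacy cost noted in the thread) but caps
    what a single flooding client can contribute to one count."""

    def __init__(self) -> None:
        self._votes = defaultdict(dict)  # digest -> {install_id: decision}

    def submit(self, digest: str, install_id: str, decision: str) -> None:
        assert decision in ("allow", "block")
        self._votes[digest][install_id] = decision

    def stats(self, digest: str) -> Optional[dict]:
        v = self._votes.get(digest)
        if not v:
            return None
        allow = sum(1 for d in v.values() if d == "allow")
        return {"allow": allow, "block": len(v) - allow, "voters": len(v)}


def advise(stats: Optional[dict], whitelisted: bool = False,
           blacklisted: bool = False, min_voters: int = 5) -> str:
    """Rank sources the way the thread argues they should be ranked: an expert
    verdict (whitelist/blacklist) outranks community statistics, and statistics
    from fewer than min_voters independent voters are reported as no more than
    a point of reference."""
    if blacklisted:
        return "block (blacklist)"
    if whitelisted:
        return "allow (whitelist)"
    if stats is None or stats["voters"] < min_voters:
        return "unknown (not enough community data)"
    ratio = stats["allow"] / stats["voters"]
    return (f"community: {stats['allow']} allow / {stats['block']} block "
            f"(reference only, allow ratio {ratio:.2f})")


def demo() -> tuple:
    """Constructed scenario: three honest installations block the sample
    file, and one installation floods 50 'allow' submissions. Returns the
    stats each store would show in an alert."""
    digest = file_hash(SAMPLE_PROGRAM)
    agg, per = AggregateStore(), PerInstallStore()
    for i in range(3):
        agg.submit(digest, "block")
        per.submit(digest, f"install-{i}", "block")
    for _ in range(50):
        agg.submit(digest, "allow")
        per.submit(digest, "install-flood", "allow")
    return agg.stats(digest), per.stats(digest)


if __name__ == "__main__":
    aggregate, per_install = demo()
    print("aggregate store  :", advise(aggregate))
    print("per-install store:", advise(per_install))
```

In the constructed scenario the aggregate store reports 50 allows against 3 blocks, so a novice reading the popup would see a strong "allow" signal produced by a single client; the per-installation store collapses the flood to one vote and, with only four independent voters, still falls below the threshold and reports the file as unknown. Real poisoning defenses would need more than this (an installation ID is itself forgeable), but the contrast is the point the thread is making about privacy versus meaningful results.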

If it evolves into Prevx's concept, it seems nice and useful. Prevx and ThreatFire are among the new security programs for the masses, IMO. Pop-ups only if potentially dangerous, and cleaning capability.
Though i would ask for a standalone Firewall.

One would also go back to the earlier discussion, probably a year old: HIPS as standalone? Or in CAVS.

The principle behind Threatcast is solid; as stated, the Prevx community-based approach has a lot going for it. Malware only has to be encountered on one PC in the community for it to be added to the database.

Having said that, Prevx operates with a huge database, making "unknown file" pop-ups a rarity, and it'll be some time before Threatcast can boast a similarly extensive list. My concern would be that until a comprehensive database is available, inexperienced users might well allow stuff they shouldn't. Just because 5 or 10 other people have allowed an event doesn't mean that those people haven't allowed a malicious action.

It needs to be clearly shown to the end user that the statistics are merely one point of reference and not in any way proof that the action is safe, until of course it has been expertly verified.

Hey guys,

Bear in mind that Comodo already have a DB of over one million apps, generated by the CAVS HIPS, the CFP file submission and their private collections. One million's a pretty good starting point. The Threatcast CFP beta was exactly that: a beta with no links to existing data sources.

Maybe Comodo are looking for Threatcast to generate its own data source, but, as has been pointed out, that will take time. Maybe it will link to other, pre-existing sources.

Time will tell.

Ewen :slight_smile:

IMHO Threatcast is a good interim solution, but farther down the line a different approach should be taken. For those who are power users and want control, the current CFP is fine already as is. I’m not sure how many power users would actually use Threatcast much; most power users would probably prefer their own judgement over a Threatcast recommendation in most cases. Having Threatcast wouldn’t hurt though, as long as the power user has the final say on what choice to make in an alert. On the other hand, for the masses, I believe the best solution is to adopt the antivirus paradigm - keep quiet unless it’s reasonably certain that malware is present. This could be achieved by having a local pattern recognition system for malicious behavior, similar to that of ThreatFire. The masses, IMHO, do not want to be bothered by alerts at all, unless malware really is present. This system could be made even better than ThreatFire’s system by sending to Comodo, when and if enough data has been collected, a determination that a program has been classified by the local pattern recognition system as good or bad. CFP would contact this database when executing an unknown program, and thus spare the user from running a program that has been determined to be bad on other users’ machines. CFP would also have the ability to rollback changes made by malware, much as ThreatFire apparently can. Some changes though, such as sending of sensitive data to hackers, cannot be rolled back; that’s why I recommended that Comodo’s servers be contacted before an unknown program is executed, to prevent execution of the malware in the first place. To sum up, IMHO CFP should have a setting to allow for fine-grained control to satisfy power users, and also a setting to operate in a very quiet mode for the average user.

Time: We will sync the whitelist and (surprise surprise) the blacklist we have with TC very soon guys… :slight_smile:

Melih

MrBrian, you are describing Prevx. :slight_smile:
And i don’t know how much of that is TF also (i used Prevx1 extensively, while CyberHawk/ThreatFire not so much).

I used to use PrevX also. PrevX collects behavior data and sends it to PrevX servers. The analysis is done on PrevX servers. (Correct?) What I suggested in my last post, however, is that CFP do the analysis on the client, as ThreatFire does - but with the addition of sending the determination of good or bad to Comodo servers. Kind of like combining the best of PrevX and ThreatFire :).

Yes, that is how Prevx works; much of the actual anti-malware work is done at the central server, while the clients offer cut-down behavioural/signature protection.

Comodo's database will undoubtedly grow much bigger, but at present it's small in comparison to Prevx. I run Prevx alongside Defence+ (very smoothly) and get 20 "unknown file" notifications from D+ to every 1 from Prevx. Obviously Comodo will increase its database exponentially given time to a similar level; I just hope that Threatcast isn't released generally until that stage, or it may well put off many users faced with a barrage of pop-ups. It'd be a shame if that happened because, in principle, Threatcast is a very good idea.

Hi Melih.

Are you able to elaborate on that without giving away any trade secrets? :wink: