Threatcast - Option or Permanent Addition to Comodo Firewall

Noted. We have a solution that will address this in the upcoming versions.

melih

Other thoughts. As always, a community-driven security program has its faults. For example, if a series of people just hit ‘allow’ ‘allow’ for everything, even if the files aren’t safe, how do you suppose you can secure other people?

Is this community protection based on majority, or COMODO certified definitions?

We will add a layer of protection so that community decisions are good.

Melih

Adding human expert analysis is fine, but the database would contain millions of programs. How many employees does Comodo have? That can be only part of the solution. I wish that only knowledgeable experts from the Comodo community had been invited to participate in the beta, which would’ve provided a solid foundation for ThreatCast. Maybe the DB could be reset, and future betas could be for invited experts only?

What I really hope Melih has in mind, though, is to implement Prevx-like features. Comodo should study Prevx closely, it’s pretty amazing.

Send for analysis - trusted, then safelist / malware, then AV.
Why do I need TC…

I certainly want the option not to install it. That’s one more option…

Give us some time and watch what we do…

What we will do is way beyond anything else :wink:
TC currently is the most basic form to start with. I don’t want to reveal too much at this stage, but I like what’s coming down the line…

Melih

Wow, I can’t wait. This could shape up to be the ultimate free security app. (I know, some will say it is already.)

Melih,
Is this planned to stay a free option, or is this yet to be decided?

OD

so far… free…

The way that we decide what should be free and what we should charge for is by simply seeing if it’s a

service
or a
product

e.g. we don’t mind doing software dev for free,
but running a service where we need to set up teams of people to look after the service etc. etc., we need to cover the costs for (even though some services we still run for free, like whitelisting and AV labs creating sigs for AV)…

Bottom line is: we want as much free stuff as possible, within limits…

Melih

I presume this will be decided on how much the users input towards Threatcast, and how much Comodo has to input for it to run well.
Dennis

Thanks, just curious.

OD

PS

I have not tried it yet, as the only reason I would/will (I am sure I will load the beta eventually) is to help out and just to have some experience with it, so I can answer questions without being in the complete dark. I am a little busy for the next couple of weeks. It might be interesting also to see what others are selecting. I personally prefer to decide for myself on whether or not something is permitted access in/out. I will usually block something 2 or 3 times and see what negative results I get. If I don’t notice any bad effects I will block and remember.

One of the main reasons for this is that at one point in time with 2.4, after disabling the firewall CPF 2.4 for less than 1 minute, I allowed access to rtvscan.exe from some exterior IP and all of a sudden my PC started trying to connect to 100s of IPs at about 20/second for 30 seconds or so, then I unplugged the cable. I did a Vscan and found a trojan and a bot had gotten in (there was a vulnerability for NAVcorp 10.0 that I had not plugged). Now I only permit communication between the NAV server and the client PCs. I thought RTVScan was a trusted app. It even checked out as the correct signed Symantec version with nothing bound to it and no ADSs attached. You can bind two EXEs without messing up a signature using ADS; not 100% sure if it will kill the signature using a binding program like YAB.

So now I always ask myself, do I really need this to access the web? Most of the time the answer is no. Sometimes this will cause problems in the future, but so far I have been able to work them all out.

After reading all the postings, I think it comes down to this: maybe TC should really be used by Comodo security experts in terms of determining a recommendation as to whether one should accept or reject a program.

I personally do not like convoluted pop-up alerts that, rather than help me make the right decision, make me more confused, and what I would not want is bloatware or features that take additional resources unless that feature provides another beneficial layer.

Like many have said, community based security is as good as the community.

Another suggestion. Rather than go the way of c.b.s., TC should compile info from other trusted security sources, i.e. like Secunia or Matousec. I only use these as examples, but if it would be too cumbersome and/or too costly to maintain the database, compiling info from other known security sources might be more helpful to the user. I certainly would trust a source like these more easily than a community.

Finally, maybe a tab that one could click on that would take the user to a database that would give the user more info about the program he or she was unsure about. So instead of just accept or deny permission, one could click on a Threatcast button that would direct me to a database that would provide more realtime info to help me with my decision.

Again, these are only ideas, but I just want to see Comodo PFW continue to be a cut above the rest, and not become like everybody else’s firewall.

Threatcast is way off my preferred featureset, but I guess it would pose an alternative security layer to the official Comodo safelist DB.
Guessing a normal usage pattern behaviour, Threatcast should handle the time-frame between when a new app is released and when it gets analyzed by Comodo.

A community-driven safelist is still used in many other products, and there are very good derivatives where the community rulesets are evaluated by specialized personnel and certified for security.

A common implementation would be an anonymized submission where only the aggregated data is stored. This way privacy issues are nearly non-existent, but the flexibility will be minimal.
If the results are going to be grouped by reliability, then at least an installation id has to be stored. This provides much more meaningful results, but it has strong privacy implications.

There was another alternative I’ve never seen around. Maybe there are some logical flaws I wasn’t able to see, or it will be simply difficult to implement, or the chance it will be widely supported is low.

Speaking of this, Secunia already released a software that checks if the existing apps are exploitable (Secunia Personal Software Inspector).
IMHO, as we move forward we’ll definitely see these many different approaches merge into a holistic framework.

As such, security requires a transversal approach; where now we see many different individual approaches, I wonder what in the end will be.
Will it be one company to carry such a humongous task by itself, or will a cooperative framework solution be developed where many companies are going to strive for end-user security?
If the latter, what company will develop the basis for such a foundation?

Melih:

As to whether this should be free or not… Will Comodo security experts be monitoring the alerts made by users (through TC)? Will TC have its own “server” for the database of user alerts?

Also, do you have ideas for when people accidentally click the wrong button on an alert, or there are idiots out there doing stupid things? Would you guys know how to handle this situation, and make sure novice users get the right choice?

Will this make TC a “service”, therefore, charging for it?

This should be strongly thought through, IMO. :slight_smile:

Josh.

We will have people monitoring it (Comodo experts), and we are building further protection against database poisoning (accidental or malicious). As to the fee, I hope it will be free! We’ll see.

Melih

What about the Comodo safelist? Will it be updated less often, letting many new executables be handled through Threatcast?
If file submission and file analysis will be left in place, TC is only going to address executables before they’ll get analyzed by Comodo.
I still prefer that method over TC.
Also, TC requires an active internet connection, while a safelist update requires less frequent connections.
The only thing I miss in the current safelist implementation is an option to block training on a per-application basis. Once a ruleset for a trusted app is considered finalized, there would be no way for an application exploit to cause a modification of that app’s ruleset.

Perhaps in the future Comodo could use the ThreatCast information collected about a program (by its hash, not name) to make an automatic determination that a program is good or bad, à la what Prevx does. In an alert, if a given app is not in the Comodo whitelist, CFP could contact Comodo servers and retrieve and display the results of the automated analysis, if enough info has been collected to do an automated analysis. In other words, I’m suggesting to not just display ThreatCast stats about a particular interaction, but also display information about whether the app itself has been determined to be good or bad. I realize that the information currently being sent to Comodo via ThreatCast may not be enough to make such a determination, but perhaps more info about an app’s behavior could be sent to Comodo for analysis in future versions. This info could also assist Comodo staff in the development of the Comodo whitelist, and perhaps a blacklist too. Development of a blacklist could help make Comodo AntiVirusSpyware better too. Prevx currently does this type of analysis.
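The thread raises three design points for a community safelist: anonymized aggregate counters versus storing an installation id so votes can be weighted by reporter reliability, protection against accidental or malicious database poisoning, and an automatic per-hash verdict that is only issued once enough independent reports exist (a handful of "allow" clicks is not proof of safety). The script below is an added illustration of how those pieces fit together, written for this page; it is not ThreatCast's or Comodo's code. The submission records, installation ids, reliability weights and thresholds are all constructed assumptions, and the per-hash "expert verdict" table stands in for whatever whitelist or blacklist an analyst team would maintain.

```python
import hashlib
from collections import defaultdict

# Programs are keyed by SHA-256 of their bytes, never by file name,
# so a renamed copy still maps to the same reputation record.
def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample files (not real binaries).
GOOD = sha256_of(b"constructed sample: benign program bytes")
BAD = sha256_of(b"constructed sample: malicious program bytes")
NEW = sha256_of(b"constructed sample: just-released program bytes")

# Constructed submissions: (installation_id, file_hash, user_decision),
# i.e. what a client would report after the user answers an alert.
SUBMISSIONS = [
    ("inst-01", GOOD, "allow"), ("inst-02", GOOD, "allow"), ("inst-03", GOOD, "allow"),
    ("inst-04", GOOD, "allow"), ("inst-05", GOOD, "block"), ("inst-06", GOOD, "allow"),
    ("inst-01", BAD, "allow"),   # one careless installation allows malware...
    ("inst-01", BAD, "allow"),   # ...and reports again: must count only once
    ("inst-07", BAD, "block"), ("inst-08", BAD, "block"), ("inst-09", BAD, "block"),
    ("inst-10", BAD, "block"), ("inst-11", BAD, "block"),
    ("inst-02", NEW, "allow"), ("inst-03", NEW, "allow"),  # too few reporters yet
]

# Hypothetical reliability weight per installation (0..1), e.g. derived from
# how often its past decisions agreed with expert verdicts. Unknown ids get a
# modest default so a flood of fresh installations cannot dominate a vote.
RELIABILITY = {"inst-01": 0.2, "inst-02": 0.9, "inst-03": 0.9, "inst-07": 0.8}
DEFAULT_WEIGHT = 0.5

# Hypothetical analyst decisions; these always override community statistics.
EXPERT_VERDICTS: dict = {}


def aggregate_anonymized(submissions):
    """Mode 1 from the thread: keep only per-hash counters, retain no id.
    Privacy-friendly, but repeat votes and unreliable reporters are invisible."""
    counts = defaultdict(lambda: {"allow": 0, "block": 0})
    for _inst, file_hash, decision in submissions:
        counts[file_hash][decision] += 1
    return dict(counts)


def aggregate_weighted(submissions, reliability=RELIABILITY):
    """Mode 2: one vote per (installation, hash), weighted by reliability.
    This is the mode that needs an installation id stored server-side."""
    latest = {}
    for inst, file_hash, decision in submissions:
        latest[(inst, file_hash)] = decision    # dedupe: last vote per installation
    totals = defaultdict(lambda: {"allow": 0.0, "block": 0.0, "reporters": 0})
    for (inst, file_hash), decision in latest.items():
        totals[file_hash][decision] += reliability.get(inst, DEFAULT_WEIGHT)
        totals[file_hash]["reporters"] += 1
    return dict(totals)


def community_verdict(file_hash, submissions, expert=EXPERT_VERDICTS,
                      min_reporters=5, min_ratio=0.8):
    """Return 'safe', 'malicious' or 'unknown' for a hash. Expert verdicts win;
    otherwise require enough distinct reporters and a clear weighted majority,
    so a few stray 'allow' clicks never turn into an automatic 'safe'."""
    if file_hash in expert:
        return expert[file_hash]
    stats = aggregate_weighted(submissions).get(file_hash)
    if stats is None or stats["reporters"] < min_reporters:
        return "unknown"
    total = stats["allow"] + stats["block"]
    if total > 0 and stats["allow"] / total >= min_ratio:
        return "safe"
    if total > 0 and stats["block"] / total >= min_ratio:
        return "malicious"
    return "unknown"


if __name__ == "__main__":
    for name, h in (("GOOD", GOOD), ("BAD", BAD), ("NEW", NEW)):
        print(name, aggregate_anonymized(SUBMISSIONS).get(h),
              "->", community_verdict(h, SUBMISSIONS))
```

The anonymized counters for BAD show two "allow" votes against five "block", because nothing stops the same installation from voting twice; the weighted mode collapses those into a single low-weight vote. NEW stays "unknown" despite two unanimous "allow" reports, which is exactly the behaviour later posts in the thread ask for: statistics from a handful of users are a point of reference, not a verdict, until an expert entry says otherwise.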

If it evolves into Prevx’s concept, it seems nice and useful. Prevx and ThreatFire are among the new security programs for the masses, IMO. Pop-ups only if potentially dangerous, and cleaning capability.
Though I would ask for a standalone firewall.

One would also go back to the earlier discussion, probably a year old: HIPS as standalone? Or in CAVS.

The principle behind Threatcast is solid; as stated, the Prevx community-based approach has a lot going for it. Malware only has to be encountered on one PC in the community for it to be added to the database.

Having said that, Prevx operates with a huge database, making ‘unknown file’ pop-ups a rarity, and it’ll be some time before Threatcast can boast a similarly extensive list. My concern would be that until a comprehensive database is available, inexperienced users might well allow stuff they shouldn’t. Just because 5 or 10 other people have allowed an event doesn’t mean that those people haven’t allowed a malicious action.

It needs to be clearly shown to the end user that the statistics are merely one point of reference and not in any way proof that the action is safe, until of course it has been expertly verified.

Hey guys,

Bear in mind that Comodo already have a DB of over one million apps, generated by the CAVS HIPS, the CFP file submission and their private collections. One million’s a pretty good starting point. The Threatcast CFP beta was exactly that - a beta with no links to existing data sources.

Maybe Comodo are looking for Threatcast to generate its own data source, but, as has been pointed out, that will take time. Maybe it will link to other, pre-existing sources.

Time will tell.

Ewen :slight_smile: