I down load an installation program from the internet which, unknown to me, has been modified. I install it on my PC running as administrator call the program an installer or updater and switching to installation mode. The program I intend to install installs correctly but also the auto-update program that comes with some common software like quick time or adobe reader gets overwritten. An auto-run program with internet access is now installed on my PC. How would I be warned of this?
As no one has replied I am going to try and guess. Please correct me if I am wrong.
In clean PC mode the unwanted file would go to pending files and if it did anything the original application was not allowed to do a pop-up would occur as it would not be considered safe. It would still be able to do anything the original application was allowed to do.
In train with safe mode I am not sure if it would remember the file was modified as there is no pending file list. What would happen here? Would it be considered safe?
I have found in the help for image executable control that it checks the application hash against the white list. Presumably this will tell it the application has been modified. Is this how it is supposed to work?
Does my safe files also keep a hash of the programs?
How secure is this hash?
Reading https://forums.comodo.com/empty-t17679.0.html suggests there is no hash. In this case the computer is compromised. If the replaced program was allowed access to the keyboard (so many programs do this) and internet do we have a key logger installed?
I am sorry if this has all been discussed before but I would like to understand how it works (or not).
What to say, do not run Unknown programs with such privileges as installer or updater mode provide, look at screenshot for exe changes of unknown programs…
[attachment deleted by admin]
If I was installing something I thought was safe I would set it to installer or updater and go into installation mode at the first pop-up as is recommended. I would not know the safe site I got it from had bee hacked.
The first pop-up could be some reasonable request not overwriting a known program. I thought that then the program could do whatever it wanted without any further pop-ups so the obvious one you show would not happen.
Is the pending files the only way of knowing that something unexpected has been modified?
I’m not sure that there is way to protect yourself in that scenario. I’m sure someone with far more knowledge will come along with advice.
This is one of the reasons I have an AV with file system protection and I “on demand” scan every download with the AV and a different vendor’s trojan scanner. Overkill? Perhaps, but, I have not had an infection of any type in 10 years. Not that some didn’t try. Multi tiered protection is the safest
I don’t rely on one program to protect my computer nor do I want a suite of programs from the same vendor.
Different vendors = different virus/trojan data base = different results = safer computer.
JMHO
s.
I have found the answer myself by experimenting. It the program is in my own safe files it is removed if it gets modified and so can gain no new privileges without a pop-up. It will still have the privileges of the original application.