Eventually (perhaps in two decades) all other security product vendors will follow COMODO's steps with Default Deny technology, if they ever do.
By then, hackers will not be testing security products to see if signature-based or blacklist-based software can detect them. They will steal certificates to sign their malware with, so AVs allow its execution. This is rare today, but it has started to happen already. It's a fact that Default Deny is good, but it comes with its own attack vector attached.
What is COMODO doing, or what will it do, to protect against this when the time comes, or better yet, to start protecting today?
All you gurus out there, correct me if I'm wrong.
Short way of saying it: Comodo already prevents this from happening with Default Deny.
Long way: For malware to bypass CIS is almost impossible. There are two reasons it's almost impossible and not completely impossible: 1) USER - the user makes the decision whether or not to allow something on their system; 2) Humans - even though CIS is a good security application, it's built by humans and not robots, thus by nature it does have bugs.
They (the community and Comodo staff) thoroughly test D+ & Sandbox to make sure it's top notch and nothing can get by, and so far Comodo is still in business and CIS is still getting millions of installations, so they must be doing something right. I believe Melih once actually offered an award to those who find a bypass in D+.
The following components make that impossible:
Signed malware wants to run, and it is going to be checked against the following lists:
Safe List: You must be analyzed by top-notch malware analysts in order to be on here.
Vendor List: You too must be analyzed by analysts and have direct communication with Comodo in order to be on here.
Black List: If you are on here, then you are going to be either deleted or quarantined.
If signed malware is not on any of the above, then it continues down the line:
Sandbox: Malware gets its own room to play in until Comodo analyzes it and determines whether or not it is safe.
HIPS: (Default Disabled) If you are trying to access something, then I'm telling on you! And you have to wait until the user says yes or no.
BB: You can't act up! Or else~
AV: AARG! I'm going to see if your scripts or your structure are like one of the malware that is on my list.
Signed malware isn't much of a big deal. It's like every other signed software, whether it's good or bad: CIS pretty much leaves it up to Comodo analysts to say yes or no, and if that is disabled then it's up to the user, but the Sandbox is a safety net.
If certificates were to get stolen on a big scale, then I am inclined to think the solution would be in making it harder to steal them. Also, using strict revocation checking may help some.
It's not easy to steal certificates, so I am not expecting it to become a big issue in the future.
Revoked certificates? Well, of course that is a way to stop the spread. But sometimes certificate owners don't even know they were stolen, and/or it will take them days to revoke their certificate (as happened recently). Plus, this will become like blacklisting malware: "During the time a new malware is discovered and blacklisted, thousands of users are infected. During the time a certificate is stolen and revoked, it will also infect thousands of users." So why wait to REACT, if we can be PROACTIVE?
So, my friends, we are starting a new era of attacks with Trusted Malware, and so far CIS cannot stop it.
That is the reason why I posted my question.
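The "strict revocation checking" suggested a couple of posts up and the theft-to-revocation window described in the reply above, worked through in Go as an added example (this is not code from the thread, from CIS or from Comodo). It builds a throwaway root CA, a vendor code-signing certificate and the CA's CRL in memory with the standard crypto/x509 package; the "Authenticode" signature is replaced by plain ECDSA over SHA-256 of the file bytes, the sample file bytes are constructed, and all names and serial numbers are made up. Decide is a default-deny gate that fails closed whenever no usable CRL from the issuer is at hand:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type Signer struct { // private key plus its certificate: the hypothetical root CA or a code-signing vendor
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newSigner generates a P-256 key and a certificate for it; parent == nil yields a self-signed root.
func newSigner(name string, serial int64, parent *Signer) *Signer {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	parentCert, signKey := tmpl, key
	if parent == nil { // root that may issue certificates and sign CRLs
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else { // leaf restricted to the code-signing EKU
		parentCert, signKey = parent.Cert, parent.Key
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signKey))
	return &Signer{Key: key, Cert: must(x509.ParseCertificate(der))}
}

// Sign returns an ECDSA signature over SHA-256(file); it stands in for an Authenticode signature.
func (s *Signer) Sign(file []byte) []byte {
	h := sha256.Sum256(file)
	return must(ecdsa.SignASN1(rand.Reader, s.Key, h[:]))
}

// IssueCRL publishes a DER CRL signed by this CA that lists the given serials as revoked.
func (ca *Signer) IssueCRL(revoked ...*big.Int) []byte {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: time.Now()})
	}
	return must(x509.CreateRevocationList(rand.Reader, tmpl, ca.Cert, ca.Key))
}

// Decide is the default-deny gate: "allow" only if the signer chains to a trusted root, the signature
// matches the file, and a usable CRL from the issuer does not list the certificate; otherwise "deny".
func Decide(file, sig []byte, cert *x509.Certificate, roots *x509.CertPool, issuer *x509.Certificate, crlDER []byte) (string, string) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := cert.Verify(opts); err != nil {
		return "deny", "untrusted chain: " + err.Error()
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if h := sha256.Sum256(file); !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return "deny", "signature does not match file"
	}
	// Strict revocation checking: a missing, stale or foreign-signed CRL fails closed, not open.
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil || crl.CheckSignatureFrom(issuer) != nil || time.Now().After(crl.NextUpdate) {
		return "deny", "no usable revocation data"
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return "deny", "certificate revoked"
		}
	}
	return "allow", "trusted signer, not revoked"
}

// Scenario replays the thread's attack: malware signed with a stolen vendor key runs until the CA's CRL lists that certificate.
func Scenario() (beforeRevocation, afterRevocation, untrustedCA string) {
	ca := newSigner("Example Root CA", 1, nil)
	vendor := newSigner("Trusted Vendor Inc", 1001, ca)
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	malware := []byte("MZ... constructed sample bytes, not a real binary")
	sig := vendor.Sign(malware) // the attacker holds the stolen vendor key
	crl := ca.IssueCRL()        // CRL published, nothing revoked yet: the window the thread worries about
	beforeRevocation, _ = Decide(malware, sig, vendor.Cert, roots, ca.Cert, crl)
	crl = ca.IssueCRL(vendor.Cert.SerialNumber) // theft noticed, CA revokes, clients fetch the new CRL
	afterRevocation, _ = Decide(malware, sig, vendor.Cert, roots, ca.Cert, crl)
	rogue := newSigner("Rogue Vendor", 7, newSigner("Rogue CA", 1, nil)) // chain with no trusted root
	untrustedCA, _ = Decide(malware, rogue.Sign(malware), rogue.Cert, roots, ca.Cert, crl)
	return
}

func main() { fmt.Println(Scenario()) }
```

go run prints three verdicts: allow (stolen key, certificate not yet revoked), deny (after the CA publishes a CRL naming it) and deny (chain ending in an untrusted root). The first verdict is exactly the gap argued over above: a stolen but unrevoked certificate satisfies every check a default-deny gate can make, so until the owner notices and the CA publishes a new CRL the file is trusted malware; a real client also keeps using a cached CRL until its NextUpdate, so the window is at least that long.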
This is certainly becoming a serious issue. Comodo must already be aware of it, but it sounds like there are more and more stolen certificate cases now (which is quite obvious, since malware authors are just adjusting their methods to Default Deny).
That is exactly my point. In the near future we will see even more.
So, any words from COMODO? I trust COMODO and the staff; they always have great ideas on how to protect users. Hopefully they can comment in this topic too.
I was also trying to make you see that it is a big issue in the future, as well as now, based on what you said before: "I am not expecting it to become a big issue in the future."
In two decades, how will your OS work? How will you install and update applications? Will you even have any locally installed applications (the way applications are installed on Windows today)?
I remember seeing a comment from egemen a couple of years ago, when asked about a theoretical attack vector, that it was not going to be considered for addition to the protected areas.
When malware evolves and new attack vectors are used, Comodo will adapt the protected areas. A typical example is protecting spoolserver after it came under attack by a well-known malware whose name escapes me.
Analogous to the problem with signed malware, this problem may not be handled by the program but rather upstream.
We are also already witnessing OSs changing. The problem discussed here is present in an OS designed before the Internet-age, when software was distributed on floppy disks… When the distribution moved to the Internet, the “fun” began. >:-D
But installing applications by downloading installers from arbitrary websites and running them with admin privileges is an insane thing of the past. All modern OSs use some form of “store”, from which applications are installed in a safe manner. Install something like CIS, with kernel-mode drivers and a service running as admin/root on Windows RT or Chrome OS? Out of the question, of course.
But in the Windows-world things move slowly. 12 years after its launch, Windows XP is still the second most used desktop-OS, and Windows 7 will be supported until January 2020 (and probably used even longer), so phasing the past out will be a painfully slow process.