Why no special filters in CFP for mass mailing worms

I tried two mass mailing worms with CFP and I noticed that there are no special popups by CFP indicating the mass mailing worms, especially if someone is not running Defence Plus.

I tried Netsky worm and Warezo worm.

See the popups by NG. In addition to network access, NG at least gives popups about:

1- malware reading text files etc. to grab e-mail addresses
2- malware connecting to port 25 SMTP

[attachment deleted by admin]

Now ZA FireWall. It gives a special message that an e-mail program is trying to send e-mails. That's pretty impressive.

[attachment deleted by admin]

Also, in addition to this, ZA FireWall has a special setting that can alert about mass mailing in a short time.

[attachment deleted by admin]

Here is behavioral detection by TF (I disabled its blacklist to get these popups).

[attachment deleted by admin]

And finally popup alerts by CFP (FW component). You will not even get an SMTP port 25 access alert on the default FW level. You need to push it to a higher level to get these alerts.

I wish that the developers could implement some clear popups like ZA Firewall's, that a mailing program is detected, with some additional behavioural detection for mass mailing.


[attachment deleted by admin]
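The two behaviours this post contrasts, a single generic "allow outbound?" prompt on the low alert level versus a rate-based "mass mailing in a short time" alert, as an added Python illustration. It is not code from CFP, ZA, NG or TF; the connection log, process names and thresholds are constructed for the example.

```python
"""Sliding-window heuristic for "mass mailing in a short time" (added
illustration over a constructed log; not code from CFP, ZA, NG or TF)."""
from collections import defaultdict, deque

SMTP_PORT = 25
# Constructed sample log: (seconds since start, process name, destination port).
# mailer.exe behaves like a mass-mailing worm; outlook.exe sends one message.
SAMPLE_EVENTS = [
    (0, "outlook.exe", 53),
    (1, "outlook.exe", 25),
    (2, "mailer.exe", 53),
    (3, "mailer.exe", 25),
    (4, "mailer.exe", 25),
    (5, "mailer.exe", 25),
    (6, "mailer.exe", 25),
    (7, "mailer.exe", 25),
    (8, "mailer.exe", 25),
    (70, "mailer.exe", 25),
]

def generic_outbound_alerts(events):
    """Low alert level: one 'allow outbound?' prompt per process, for whatever
    port it touches first (here DNS), so port 25 is never mentioned."""
    seen, alerts = set(), []
    for t, proc, port in events:
        if proc not in seen:
            seen.add(proc)
            alerts.append((t, proc, port))
    return alerts

def mass_mailing_alerts(events, window=60, max_connections=5):
    """Report a process once, the first time it opens more than max_connections
    SMTP connections inside any window-second span, regardless of earlier
    'allow' decisions. Returns [(timestamp, process, connections_in_window)]."""
    recent = defaultdict(deque)   # process -> timestamps of recent SMTP connects
    reported, alerts = set(), []
    for t, proc, port in events:
        if port != SMTP_PORT or proc in reported:
            continue
        q = recent[proc]
        q.append(t)
        while t - q[0] > window:      # drop connects older than the window
            q.popleft()
        if len(q) > max_connections:
            reported.add(proc)
            alerts.append((t, proc, len(q)))
    return alerts
```

On the sample log the generic prompt fires once per process on the first DNS lookup, while only the rate heuristic singles out mailer.exe, and it does so without silencing later activity by a process that was already allowed.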

So in fact you are suggesting that “E-mail ports” triggering alerts be tagged as potentially malicious?

I don’t really see the problem… D+ is alerting you that the heuristics have found a potential malware infection and gives you the option to allow or deny it.

Yes, but this feature aigle suggests is useful for lower alert settings (default), so you will be notified that software tries to send mail(s) even if your alert settings are low…

Hello, let me say:

1- CFP does not give an SMTP port 25 access alert on default settings (low popup mode), as there was a DNS or HTTP port access alert in both cases and if you allowed that alert, there were no more alerts. But it seems OK, as the user is asked to grant outbound access anyway.

2- An ordinary user has no idea about all these alerts. An alert from ZA FireWall is much clearer: that an Internet Mailing Program is asking for outbound access.

Even clearer are the popups by TF: suspicious e-mail sending activity.

That is a heuristic detection by the CAVS engine. It may be true or false, or there may even be no detection with many other mass mailing worms. We are not discussing it at the moment.

We are discussing the behavioral detection here.

Yes, you got it.

Not only this, but also an alert like the one from ZA FireWall is much clearer and more understandable for an average person.

In addition to that, ZA FireWall has additional settings that can be adjusted by a user to catch mass mailing worms. It's Advanced E-mail Protection - Outbound Mail Safe. Please see my third post in this thread.

I would like to know why you continually pick on Comodo and point out faults. Even over at Wilders. If you dislike Comodo then don't use it.

I can understand that. Maybe it’s a good thing also, finding a weakness and then reinforcing the program.

“Don’t always look at enemies as enemies, use them, make them your ally”
A quote that I like ^^

I agree that the overall concept of detecting mass mailing worms is important and needs to be handled in a very obvious manner for the typical user. The CAVS2 BETA had this facility and I’m sure that it will be continued in CAVS3 or CIS (when released).

It’s interesting that ZoneAlarm's firewall detected and alerted on this. What version and revision did you test?

What I find hard to figure out is why you are comparing CFP with Defense+ disabled (i.e. just a firewall) with Neoava (a HIPS product) and TF (a HIPS type product).

This little bit of obfuscation covers the valid point you’re trying to make - that ZA’s firewall spots it, but CFP doesn’t.

Ewen :slight_smile:

I will check the version when I boot into that snapshot. It's not the latest version for sure.

Yes, I did compare simple CFP with NG and TF. But if you dig deep, you will see that the popup by NG (port 25 access alert) is purely from its network module, not the HIPS module. It does give so many other popups with these worms, but they are related to file, registry and memory modifications etc. The same is true of TF. Defence Plus, in the same way, already gives a lot of popups about these activities. My point of interest was mainly mass mailing behaviour.

You will know it if you try these malware yourself. Hope I was able to make my point clear.

Your post is of no help to me or CFP. You did not even understand my thread.

The only relevant behavioural difference being the number of opened files, IMHO most considerations here are related to another topic: “CFP versus malware - interesting lacking features in Defence Plus?”.

CFP default settings are tailored around newbies and have obvious drawbacks.

That’s why CFP firewall alert level is set to Low and D+ is set to CleanPC mode.

With the Low F+ alert level setting, users only have to decide if an app can connect to the internet.
With CleanPC mode, all applications installed before CFP will be automatically learned (the CFP installer scans for malware to avoid learning malicious apps).

So the concerns about the firewall protection turn out to be no more than concerns about CFP defaults and maybe a CFP threat description update.

BTW, I consider interesting the distributed DB approach of a few security apps, where additional details could be obtained by connecting to an online DB in order to obtain a description tailored to a specific app.

While I agree on CFP improvements, I’m against too specific behavioural alerts (meaning smart alerts that are supposed to be displayed only because the software believes it’s a malware).
IMHO it's good to improve detection capabilities, but I prefer that there is a way to customize behaviour enforcing with an improved ruleset language and to reduce hardcoded logic to the minimum.

Besides, read frequency behaviour is not a flawless detection method, but I agree that it could prove useful.

Anyway, the design principles behind CFP are malware prevention and newbie-friendly default settings, so I guess that anything like more alerts by default will not be considered.

While I’m not only focused on malware detection but also on system integrity and behaviour enforcing, I can still use CFP to handle less malware-aware scenarios (e.g. enforcing behaviours of legit apps).

Maybe it would be possible to add optional enhancements to CFP, but only a few users will benefit from this, and those enhancements should not increase overall CFP complexity by much.
Let’s wait and see, I have not given up my hopes for new surprises :slight_smile:

Anyway, before anything I wish for a CFP GUI functionality redesign and translation support.
There are many little GUI tasks that could be made easier by adding a few functionalities.
Improving GUI usage will have security benefits too, as it will be less painful to create complex policies.

I guess it would be about time to implement some wishlists. :-* (L)

Agree with this.

I just wanted to share some ideas that might be implemented at some stage of development.