wireshark

hi
Is a program by the name of Wireshark safe for a complete computer novice to use?

Many thanks.
(V)

It’s safe because it’s only an analyzer, but whether or not a novice can decipher what it’s telling them is the better question.

HeffeD was 1st

He took the words right out of my mouth : “definitely not for novice, but safe”

and he is telling the truth… again!!!
As I said before - he is boring (cauz always telling the truth) ;D

So:

Cheers!

:smiley:

Hi
Yes, thanks for the info.
But Defense+ does not approve of this program at all.
It's a red alert with unidentified publisher so I may not install the program after all.
It seems an interesting program to look at.

thanks again.
(V)

Hi DARREN.1972,

Just ignore that “red” stuff :slight_smile:

Defense+ is a pure classic HIPS - it is not a Behavioral Blocker (BB) or something
It is pretty dumb, as it should be - it will Alert you about any unknown Application & about every single move that new Application is doing.
You have to decide

Sure, in this particular case you have to “Allow”

Needless to say, with any BB the user should make the decisions as well, but the number of Alerts is drastically reduced because of the differences in analysis.

Cheers!

hi
I don't think ignoring a red alert is a good idea somehow.
Why have the alerts and then ignore them?
I've decided that Wireshark is probably a program that I don't really need to install.
But if I'm going to ignore every Defense+ alert then I'm just asking to get infected with something.
Comodo has kept my machine clean so far and I would prefer to keep it that way.
After saying that, I think Sandboxie is a great product to install and co-exists with Comodo just nicely.

Thanks again for the advice.
regards.
:ilovecomodo:

SiberLynx wasn’t telling you to ignore every alert. :o Merely that in this case, there is nothing harmful about Wireshark, so you can safely ignore these particular alerts.

This is the reason that HIPS products have many detractors. They offer fantastic protection, but the downside is that they do require the user to make a determination about whether any process should be allowed. In most cases, it is not making a judgment call. Yes, it can sometimes say that this is suspicious behavior, but most often it is merely saying, this application wants to do this, should I let it? If the user makes the wrong choice, yes you can be infected.

Many people don’t understand the HIPS concept. They want the protection, yet complain that the HIPS is too chatty. Defense+ is giving me too many alerts! >:( Ummm… Yes, this is a HIPS after all… You’re going to get alerts… 88) The only way to avoid the alerts is to reduce your protection. Comodo has been trying to reduce the alerts by adding other protection methods that may or may not sacrifice protection. The AV, Sandbox, and the whitelist modes for the HIPS (Safe Mode, Clean PC Mode) all help to reduce the number of alerts the user is given.

However, it’s still a HIPS, so you’re going to get alerts! It’s your job as the user at this point to make sure that you make the right decisions. This will entail things like, submitting files to VirusTotal or CAMAS, searching for input on the internet, downloading from reputable sources, validating that the file you downloaded hasn’t been tampered with by comparing file hash, etc… So yes, you can often quite safely ignore the red alerts D+ hands you.

Now on the other hand, a behavior blocker is a different animal. It tries to make a lot of these decisions for you. Instead of asking you each time whether or not you want a process to run, it will make an attempt to determine if the application is actually trying to do something malicious or not by looking at which processes the application is attempting to spawn, or what registry keys the application wants access to.
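Comparing a file hash, one of the checks listed in the post above, as an added example that is not part of the thread. The two checksum-line layouts, the function names and the sample file names are assumptions made for illustration; the sample installer and checksum list are constructed.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# Two common checksum-line layouts (assumed; the thread names no format):
#   BSD/OpenSSL style:   SHA256(installer.exe)=<hex>
#   GNU coreutils style: <hex>  installer.exe   (or "<hex> *installer.exe")
_BSD = re.compile(r"^SHA256\s*\((?P<name>.+)\)\s*=\s*(?P<hex>[0-9a-fA-F]{64})$")
_GNU = re.compile(r"^(?P<hex>[0-9a-fA-F]{64})\s+\*?(?P<name>.+)$")

def parse_checksums(text):
    """Return {filename: lowercase sha256 hex} from a published checksum list."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        m = _BSD.match(line) or _GNU.match(line)
        if m:
            found[m.group("name")] = m.group("hex").lower()
    return found

def sha256_file(path, chunk=1 << 20):
    """Hash the file in chunks so a large installer need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_download(path, checksum_text):
    """Return 'match', 'MISMATCH' or 'not listed' for the file at path."""
    expected = parse_checksums(checksum_text).get(Path(path).name)
    if expected is None:
        return "not listed"  # no published hash: nothing has been verified
    same = hmac.compare_digest(sha256_file(path), expected)
    return "match" if same else "MISMATCH"

def demo():
    """Constructed sample: a stand-in installer and its published hash."""
    with tempfile.TemporaryDirectory() as d:
        f = Path(d, "example-installer.exe")
        f.write_bytes(b"constructed installer bytes")
        listing = f"SHA256({f.name})={hashlib.sha256(f.read_bytes()).hexdigest()}\n"
        before = verify_download(f, listing)
        f.write_bytes(b"constructed installer bytes, modified")  # tampered copy
        other = Path(d, "unlisted.exe")
        other.write_bytes(b"x")
        return before, verify_download(f, listing), verify_download(other, listing)
```

The comparison is only as trustworthy as the checksum list itself, so the list should come from the publisher's own HTTPS site or a signed file rather than from the same mirror as the download.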

Hi HeffeD,
Yes, thank you for your in-depth reply, much appreciated.
Although I do think you have outlined a fundamental flaw in all HIPS applications, notably the distinction between good or bad programs.
Let's take Wireshark for an example. Suppose an average user comes across Wireshark without any prior knowledge of the program whatsoever, and attempts to install blindly and receives an alert!
This leaves the user with a dilemma.
You said earlier in your reply that it would be safe to “allow” Wireshark but your decision is based purely on the fact you “know” the program to be safe. An average home user will not know this.
I think the majority of people would block this application instantly purely because they have no knowledge of the program in question.
Also it shows how the user “depends” on the security company's whitelist. Now these whitelists will vary considerably amongst different vendors. This leaves the user being wholly dependent on the company whitelist for security. Comodo cannot possibly have every single safe program in its whitelist.
That's a few thoughts of mine for what they are worth.
Many thanks to you and regards.
(V)

Exactly! This is why even now, some people feel that CIS isn’t well suited for the average user because they aren’t able to make educated decisions on a lot of the things D+ is asking them about. Comodo has made great steps forward in this regard, but there is still a bit of uncertainty if you don’t know what it is asking.

That said, I’ve installed CIS on two of my sister’s machines, and she is very much a computer novice. She gets along fairly well for the most part, but she does call me occasionally with a question or two. I think the current incarnation of CIS is pretty usable for the less technically inclined, but there is still room for improvement. Cloud scanning is helpful, but a dedicated BB wouldn’t be a bad addition to the suite.

Maybe that’s what the secret upcoming DACS is all about?

Yep. This is why many people like to use products from several vendors instead of a complete suite from one vendor. Meaning, firewall from one vendor, AV from another, HIPS and/or BB from yet another. The theory is that this way, you’re overlapping protection. Hopefully if one vendor’s component drops the ball, it will be caught by another.

Hi
Thanks again, my friend, for the reply.
After everything I've said I am glad I have Comodo Internet Security installed.
Yes, the alerts may be slightly confusing at times but one thing is assured: it's keeping the ■■■■ out of my computer. I love the application, it is fantastic, and at the moment I don't see any other viable solutions out there except for perhaps Online Armor, which I used to have installed on another machine.
er Kaspersky for a paid product. But why pay when you have powerful protection for free?

Do you have any info on DACS?
will it be upon us soon?

many thanks.

Only the devs and mods know anything about DACS, and they’re not talking.

As for the time frame, I think we can expect it when it’s ready. :wink:

Thanks for the support, man! Indeed.

Gotcha!
Eventually – you are not telling the truth
You are lying … cauz you know! >:-D

***
Your answer sucks
Read here bout DACS
Why you’re lying
When we’r desperate & sighing?
***
wanna have another quatrain ? ;D

Why not? :smiley:

Ok … but later
Have to write about 88) 200 lines of code now

…and as you know:

Disturbance Arisen when Coding Stinks ! :smiley:

Cheers!