Poll

Would you like to see this feature implemented?

Yes - high priority
2 (50%)
Yes - low priority
1 (25%)
Don't know
0 (0%)
No
1 (25%)

Total Members Voted: 4

Author Topic: Option to use CCAV as an anti-exe  (Read 1292 times)

Offline Jon79

  • Comodo's Hero
  • *****
  • Posts: 1123
Option to use CCAV as an anti-exe
« on: August 02, 2018, 11:52:33 AM »
1. What actually happened or you saw:
Sometimes malware can mistakenly be whitelisted and it can run on the user's PC when CCAV makes a cloud lookup.

2. What you wanted to happen or see:
The latest release (v1.19.456424.771) of CCAV has added an option to control the TVL, but if a file has been trusted on cloud, it will still run without warning.
It would be good for some users to lock down their PC and allow only apps that are either already whitelisted or have a digital signature in the local TVL to run.
This can be achieved, for example, by adding a "Block all new apps" feature.

3. Why you think it is desirable:
To avoid whitelisted malware

4. Any other information, screenshots etc:
Check the story here, from reply #9
https://forums.comodo.com/beta-corner-ccav/comodo-cloud-antivirus-v119456424771-rc-t122466.0.html

Offline Umesh

  • Comodo Alumni
  • Comodo's Hero
  • *****
  • Posts: 3421
  • Comodo Alumni
    • COMODO
Re: Option to use CCAV as an anti-exe
« Reply #1 on: August 02, 2018, 12:08:09 PM »
Hi Jon79,
Please see enclosed snaps.
Assume you have "ENTER LOCK DOWN MODE" option available in some form, more ideas are welcome.
When you press it, user will be shown following small notification message:
Quote
When you enable this mode, no new application (either safe or unknown) can run, except ones from Microsoft or Comodo. In case you still want to execute a new application, you can add that application in exclusion list as available in "Sandbox Settings". This mode is only valid till system is re-booted and upon next system re-boot will exit from this mode. You can exit this mode any point you want.

- Also added a new Sandbox mode, i.e. block all untrusted applications.

Everyone, please share your thoughts.

Thanks
-umesh
« Last Edit: August 02, 2018, 12:34:04 PM by umesh »
We can't stop malware entering user's PC but we render them use-less when they enter PC: Welcome to Comodo's Default Deny innovation

Offline Jon79

  • Comodo's Hero
  • *****
  • Posts: 1123
Re: Option to use CCAV as an anti-exe
« Reply #2 on: August 02, 2018, 01:19:43 PM »
Quote from: Umesh
Hi Jon79,
Please see enclosed snaps.
Assume you have "ENTER LOCK DOWN MODE" option available in some form, more ideas are welcome.
When you press it, user will be shown following small notification message:
- Also added a new Sandbox mode, i.e. block all untrusted applications.

Everyone, please share your thoughts.

Thanks
-umesh

Hi Umesh,
Lockdown mode looks interesting, but limiting it to Microsoft and Comodo could lead to some problems (for example, what about Intel, Nvidia or Realtek?)
About sandbox mode, what do you mean by untrusted? Untrusted for the user or untrusted for Comodo Cloud?

My idea about this feature is that the user should have full control over apps that can run, either by manual whitelist or by custom TVL.
Any other app should be sandboxed unless the cloud lookup finds it to be malicious (and the user still has the option to exclude such a file)

Offline Umesh

  • Comodo Alumni
  • Comodo's Hero
  • *****
  • Posts: 3421
  • Comodo Alumni
    • COMODO
Re: Option to use CCAV as an anti-exe
« Reply #3 on: August 02, 2018, 01:55:05 PM »
Hi Jon79,
Quote
Lockdown mode looks interesting, but limiting it to Microsoft and Comodo could lead to some problems (for example, what about Intel, Nvidia or Realtek?)
Consider this as a state, you get in and get out and is non-persistent across boot, as during boot there can be number of critical apps and services that should run, so assume this as a post boot option, you can enable.
Quote
About sandbox mode, what do you mean by untrusted? Untrusted for the user or untrusted for Comodo Cloud?
That is not connected with Lock Down mode, just another option in case Comodo rating is untrusted, application can be blocked, right now we have default option as sandbox.

Quote
My idea about this feature is that the user should have full control about apps that can run, either by manual whitelist or by custom TVL.
Any other app should be sandboxed unless the cloud lookup find it to be malicious (and the user still has the option to exclude such a file)
In "Lock Down" mode, you can define applications that can run and also malicious will be blocked as well as cloud look up will be working. So it pretty much achieves what you are looking for.

Thanks
-umesh



Offline Jon79

  • Comodo's Hero
  • *****
  • Posts: 1123
Re: Option to use CCAV as an anti-exe
« Reply #4 on: August 02, 2018, 02:13:32 PM »
Quote from: Umesh
Hi Jon79, Consider this as a state, you get in and get out and is non-persistent across boot, as during boot there can be number of critical apps and services that should run, so assume this as a post boot option, you can enable.
Ok, it makes sense

Quote from: Umesh
In "Lock Down" mode, you can define applications that can run and also malicious will be blocked as well as cloud look up will be working. So it pretty much achieves what you are looking for.
Not really, since lockdown mode will be disabled after rebooting.
I want something I can use always

Quote from: Umesh
That is not connected with Lock Down mode, just another option in case Comodo rating is untrusted, application can be blocked, right now we have default option as sandbox.
I think you can already do so by choosing "run only trusted apps"

I'll try to explain better my idea

Current mode
Trusted if:
  • Digital signature in the local TVL
  • Digital signature in the cloud TVL
  • Trusted by cloud
  • Trusted/whitelisted by the user

Blocked/Quarantined/Deleted if:
  • Found malicious in the cloud

Unknown if:
  • Anything else

Jon79 mode
Trusted if:
  • Digital signature in the local TVL
  • Trusted/whitelisted by the user

Blocked/Quarantined/Deleted if:
  • Found malicious in the cloud

Unknown if:
  • Anything else

No matter what mode you use, you can keep the current options about unknown files:
  • Automatically run in the sandbox
  • Block it
  • Ask the user
« Last Edit: August 02, 2018, 02:19:37 PM by Jon79 »
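
The two trust models listed in Reply #4, written out as an added example (not part of the original post and not Comodo's code) that lists which files would stop running freely once the cloud can no longer grant trust. The mode name `local_only`, the rule precedence and the sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class FileFacts:
    name: str
    signer_in_local_tvl: bool = False
    signer_in_cloud_tvl: bool = False
    cloud_rating: str = "unknown"   # "trusted", "malicious" or "unknown"
    user_whitelisted: bool = False

def classify(f, mode):
    """Return 'trusted', 'blocked' or 'unknown'; mode is 'current' or 'local_only'."""
    if mode not in ("current", "local_only"):
        raise ValueError(f"unknown mode: {mode}")
    # Assumed precedence: a user exclusion wins, then a malicious cloud verdict.
    if f.user_whitelisted:
        return "trusted"
    if f.cloud_rating == "malicious":
        return "blocked"
    if f.signer_in_local_tvl:
        return "trusted"
    # Only the current mode lets the cloud (TVL or file rating) grant trust.
    if mode == "current" and (f.signer_in_cloud_tvl or f.cloud_rating == "trusted"):
        return "trusted"
    return "unknown"

def action(f, mode, unknown_action="sandbox"):
    """Map the verdict to what happens at launch: run, block, sandbox or ask."""
    if unknown_action not in ("sandbox", "block", "ask"):
        raise ValueError(f"unknown action: {unknown_action}")
    return {"trusted": "run", "blocked": "block", "unknown": unknown_action}[classify(f, mode)]

def changed_by_local_only(files, unknown_action="block"):
    """Names of files that run today but would not run freely under local_only."""
    return [f.name for f in files
            if action(f, "current", unknown_action) == "run"
            and action(f, "local_only", unknown_action) != "run"]

# Constructed sample inventory (hypothetical file names and verdicts).
SAMPLE = [
    FileFacts("office.exe", signer_in_local_tvl=True),
    FileFacts("gpu_driver_helper.exe", signer_in_cloud_tvl=True),
    FileFacts("misrated_dropper.exe", cloud_rating="trusted"),
    FileFacts("known_bad.exe", cloud_rating="malicious"),
    FileFacts("my_tool.exe", user_whitelisted=True),
    FileFacts("new_download.exe"),
]

if __name__ == "__main__":
    print(changed_by_local_only(SAMPLE))
```

Running it over a real inventory before switching modes shows both effects at once: the mis-rated file no longer runs, and so does any legitimate software whose vendor is only in the cloud TVL until it is added locally.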

Offline Ploget

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 1976
  • 'Your best teacher is your last mistake'
    • Schneier on Security
Re: Option to use CCAV as an anti-exe
« Reply #5 on: August 02, 2018, 02:21:25 PM »
Hi Umesh
Good ideas from Jon79 - and I think your explanations sound excellent. Would make CCAV a real 'control' and access application . . . . even more than at present

Quote from: Umesh
Hi Jon79, Consider this as a state, you get in and get out and is non-persistent across boot, as during boot there can be number of critical apps and services that should run, so assume this as a post boot option, you can enable.
That is not connected with Lock Down mode, just another option in case Comodo rating is untrusted, application can be blocked, right now we have default option as sandbox.
In "Lock Down" mode, you can define applications that can run and also malicious will be blocked as well as cloud look up will be working. So it pretty much achieves what you are looking for.
Ploget


Offline Umesh

  • Comodo Alumni
  • Comodo's Hero
  • *****
  • Posts: 3421
  • Comodo Alumni
    • COMODO
Re: Option to use CCAV as an anti-exe
« Reply #6 on: August 02, 2018, 02:45:08 PM »
Quote from: Jon79
Jon79 mode
Trusted if:
  • Digital signature in the local TVL
  • Trusted/whitelisted by the user
2nd one is covered due to exclusion, so mode can be extended to include to trust all entries in local TVL.

Only thing left will be persistence, in case you are using local TVL then it won't hurt as persistence won't cause issue.

Thanks
-umesh


Offline cheater87

  • Comodo's Hero
  • *****
  • Posts: 704
Re: Option to use CCAV as an anti-exe
« Reply #7 on: August 19, 2018, 12:02:53 AM »
I love this, I already use CIS as an anti exe, not sure why CCAV has no block feature for sandboxed apps.

Offline morphiusz

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 3082
    • Suspicious file?
Re: Option to use CCAV as an anti-exe
« Reply #8 on: August 19, 2018, 08:16:11 PM »
Quote from: cheater87
I love this, I already use CIS as an anti exe, not sure why CCAV has no block feature for sandboxed apps.


It has. Look at the 2nd option in here:
https://forums.comodo.com/index.php?action=dlattach;topic=122509.0;attach=120227;image


All exes that would be run in the sandbox will be blocked instead.

Offline cheater87

  • Comodo's Hero
  • *****
  • Posts: 704
Re: Option to use CCAV as an anti-exe
« Reply #9 on: August 19, 2018, 08:20:27 PM »

Quote from: morphiusz
It has. Look at the 2nd option in here:
https://forums.comodo.com/index.php?action=dlattach;topic=122509.0;attach=120227;image

All exes that would be run in the sandbox will be blocked instead.

When was this added? 0_0

Offline morphiusz

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 3082
    • Suspicious file?
Re: Option to use CCAV as an anti-exe
« Reply #10 on: August 19, 2018, 08:23:49 PM »
Of course I mean this “Run only safe applications” ; a second option in here :)

https://help.comodo.com/topic-394-1-767-9744-.html

I hope this is what you meant?

Offline Jon79

  • Comodo's Hero
  • *****
  • Posts: 1123
Re: Option to use CCAV as an anti-exe
« Reply #11 on: August 20, 2018, 02:24:34 AM »
The point is, in CCAV you can't disable the cloud lookup, while in CIS you can.
It would be great if CCAV could lookup only for malicious files, letting the user choose what's safe (custom TVL and manual whitelist).
But it's OK, I have switched to Avast with Hardened Mode on Aggressive and I'm quite happy with it

 
