
Downadup/Conficker worm and CFP Defence Plus


aigle
January 25th, 2009, 08:45 AM
I have made a long thread at Comodo forums. I tried my best to convince the developers to improve the way CFP deals with this worm but I failed.

The discussion might be of interest to some HIPS users. Just wanted to know what you think about this.

https://forums.comodo.com/leak_testingattacksvulnerability_research/downadup_conficker_worm_versus_defence_plus-t33410.0.html

The two most important alerts from CFP Defence Plus about this worm (IMO):

aigle
January 25th, 2009, 08:49 AM
OA gives these alerts.

firzen771
January 25th, 2009, 09:01 AM
Hmm, that message Comodo gives in the 2nd screenshot is a bit troubling; after reading the message most people would click allow. Hmm, I hope Comodo fixes that.

aigle
January 25th, 2009, 09:05 AM
They did not agree and will not change it.

sded
January 25th, 2009, 09:12 AM
Aigle, interesting and informative discussion. But it is critical of Comodo, so unlikely to have any effect. At least you helped get OA to add some improvements in the latest version. Thank you for your efforts.

Fuzzfas
January 25th, 2009, 09:13 AM
Yes, OA's alerts are much more clear, but if they don't want to listen... Pity.

Smokey
January 25th, 2009, 09:25 AM
-{ Quote: "Yes, OA's alerts are much more clear, but if they don't want to listen... Pity." }-
Not a pity to Comodo, a pity to the user. They rely on programs like CFP to protect them in an adequate way.

Fuzzfas
January 25th, 2009, 09:39 AM
-{ Quote: "Not a pity to Comodo, a pity to the user. They rely on programs like CFP to protect them in an adequate way." }-

I think Comodo can protect in a more than adequate way. Not perfect, of course. One flaw in a product doesn't make the whole product garbage. I don't know how Conficker is delivered, but if it was an exe, I would have blocked it anyway, despite the confusing pop-ups.

Comodo is the best value-for-money firewall-HIPS product right now, if nothing else, and runs very light too.

Don't be so harsh about it. Which one would you say is a better alternative for this kind of software?

Smokey
January 25th, 2009, 09:54 AM
-{ Quote: "I think Comodo can protect in a more than adequate way. Not perfect, of course. One flaw in a product doesn't make the whole product garbage." }-
You are overreacting. I didn't mention the word "garbage", nor did I give the reader such an impression.
-{ Quote: "I don't know how Conficker is delivered, but if it was an exe, I would have blocked it anyway, despite the confusing pop-ups." }-
You had better inform yourself about the ins and outs of that worm before you comment on issues regarding that piece of malware. BTW, we have to consider the user without (specific) knowledge and how HE will react.
-{ Quote: "Don't be so harsh about it. Which one would you say it's better alternative for this kind of software?" }-
Calling out one weak spot can hardly be categorised as being "harsh". And no, I will NOT suggest any alternative; that will lead to endless discussions about product x being better than product y, and so on, and so on.

Fuzzfas
January 25th, 2009, 10:05 AM
-{ Quote: "You are overreacting. I didn't mention the word "garbage", nor did I give the reader such an impression." }-

Sorry, my misunderstanding! I took the "Not a pity to Comodo, a pity to the user. They rely on programs like CFP to protect them in an adequate way." comment as a way of saying that Comodo is practically trash, an unreliable product. My mistake, I am not a native English speaker.

-{ Quote: "You had better inform yourself about the ins and outs of that worm before you comment on issues regarding that piece of malware. BTW, we have to consider the user without (specific) knowledge and how HE will react." }-

You're right. I am not informed. I hope this doesn't have anything to do with what I said about Comodo not being bad, though.

-{ Quote: "Calling out one weak spot can hardly be categorised as being "harsh". And no, I will NOT suggest any alternative; that will lead to endless discussions about product x being better than product y, and so on, and so on." }-

As I said, I misinterpreted your comment as a too harsh attack on Comodo. Your remark appeared to me not concentrated on a weak spot, but rather bashing the entire product. My mistake. OK, I am not going to force you to say which is better, don't worry. I was just curious to see the opinion of an expert! Recently I read the opinion of another expert and I wanted to see if it coincides with yours.

sded
January 25th, 2009, 10:06 AM
Just noting that Comodo has a long history of being intransigent about changes they didn't invent. Logging, SPI, the "ask" function, proxy issues, network management, Threatcast, AV features, standalone configurations, ... and many GUI aspects come to mind as issues that have led to long threads that have gone nowhere. Or look at their wish list, aka "black hole". But the long term Comodo users are certainly able to adapt to and use the Comodo features successfully.

Smokey
January 25th, 2009, 10:16 AM
-{ Quote: "Sorry, my misunderstanding!" }-
No prob. :)

raven211
January 25th, 2009, 12:25 PM
aigle, even as a non-experienced user of HIPS software I can clearly see how this is wrong. You didn't talk about the AV not doing its job (if I remember correctly...), still that's what Melih keeps talking about. The AV! It's off-topic! :blink: I'm on your side about this improper alert, which is what that discussion was actually about, and proper criticism IMO.

Rmus
January 25th, 2009, 01:09 PM
Hi aigle,

Nice tests! And very interesting reactions over at the Comodo forum.

-{ Quote: "hmm that message comodo gives in the 2nd screenshot is a bit troubling, after reading the message most people would click allow," }-I certainly hope not!

Here you have an instance of connecting a USB device to your computer and some automatic action occurs.

Surely anyone with a HIPS program would be knowledgeable enough to question why something not normal is occurring, then Deny that action, and finally look at the contents of the device to see what was going on. Hopefully you would question why there is an AutoRun.inf file there.

More basic than that: surely anyone with a HIPS program would be knowledgeable enough about the dangers of AutoRun that procedures would be in place so that the exploit wouldn't run anyway.

It seems to me that people are asking a software product to do a task here that should be taken care of by common sense.

----
rich
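Rmus's advice above is to stop at the first alert and look at the device itself for an AutoRun.inf. The script below, added here as an illustration and not code from this thread or from Comodo or Online Armor, does that inspection: it recovers the directives Windows would act on from a padded autorun.inf (junk bytes and comments skipped, only the [autorun] section honoured) and flags what a HIPS user should treat as grounds to deny: a directive that launches a program on insertion, rundll32 pointed at a non-.dll payload, a payload parked under RECYCLER, and an Action= label copied from the stock Windows wording. The sample file is constructed for this example; jwgkvsq.vmx is the payload name that comes up later in this thread, while the RECYCLER path and the export name are invented.

```python
"""Triage an autorun.inf found at the root of a removable drive.

Added example, not from the thread or any vendor. The sample autorun.inf is
constructed: jwgkvsq.vmx is mentioned in the thread, the rest is made up.
"""
import os
import re

# Directives that execute something when the device is inserted or opened.
LAUNCH_KEYS = ("open", "shellexecute")
# These hosts normally load a .dll; any other extension (.vmx, .dat, .tmp) is suspect.
DLL_HOSTS = ("rundll32", "rundll32.exe", "regsvr32", "regsvr32.exe")
# Locations a payload is parked in to stay out of sight in Explorer.
HIDDEN_DIRS = ("recycler", "$recycle.bin", "system volume information")
# Action= text copied from the stock Windows AutoPlay entry to look harmless.
DECOY_ACTIONS = ("open folder to view files",)

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
KEY_RE = re.compile(r"^([A-Za-z][\w\\.]*)\s*=\s*(.*?)\s*$")

# Constructed sample: a padded autorun.inf in the style discussed in this thread.
# The padding avoids bytes Python treats as line breaks (\x0b, \x0c, \x1c-\x1e,
# \x85) only so the noise line count stays deterministic for the reader.
SAMPLE_AUTORUN = (
    b"[autorun]\r\n"
    b"; comment lines are legal and are ignored\r\n"
    b"\x8f\x02\xa3\x11 junk padding \x00\xff\r\n"
    b"Action=Open folder to view files\r\n"
    b"Icon=%systemroot%\\system32\\shell32.dll,4\r\n"
    b"\xc3\x9b\x7f more binary noise\r\n"
    b"shellexecute=RunDLL32.EXE .\\RECYCLER\\S-1-5-21-example\\jwgkvsq.vmx,StartHook\r\n"
    b"UseAutoPlay=1\r\n"
)

# Constructed benign sample: a custom icon and label, nothing executed.
BENIGN_AUTORUN = b"[autorun]\r\nicon=setup.exe,0\r\nlabel=Holiday photos\r\n"


def parse_autorun(data: bytes) -> dict:
    """Return {'directives': {...}, 'sections': [...], 'noise_lines': n}.

    Decoding as latin-1 means binary padding can never raise. Only keys inside an
    [autorun] (or [autorun.<arch>]) section are kept, as Windows ignores the rest;
    lines that are neither a section, a comment nor key=value are counted as noise.
    """
    directives, sections, noise, current = {}, [], 0, None
    for raw in data.decode("latin-1").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group(1).lower()
            sections.append(current)
            continue
        kv = KEY_RE.match(line)
        if kv and current and current.startswith("autorun"):
            directives[kv.group(1).lower()] = kv.group(2)
        elif not kv:
            noise += 1
    return {"directives": directives, "sections": sections, "noise_lines": noise}


def _command_parts(value: str):
    """Split 'host args' on whitespace after dropping quotes; returns (host, target)."""
    tokens = value.lower().replace('"', "").split()
    host = tokens[0].replace("\\", "/").rsplit("/", 1)[-1] if tokens else ""
    target = tokens[1].split(",")[0] if len(tokens) > 1 else ""
    return host, target


def triage(parsed: dict) -> list:
    """Return (code, detail) findings; an empty list means nothing to deny."""
    d = parsed["directives"]
    findings = []
    for key, value in d.items():
        launches = key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))
        if not launches:
            continue
        findings.append(("launch", f"{key}={value}"))
        host, target = _command_parts(value)
        if host in DLL_HOSTS and not target.endswith(".dll"):
            findings.append(("non-dll-payload", target))
        if any(h in value.lower() for h in HIDDEN_DIRS):
            findings.append(("hidden-path", value))
    # Decoy label and padding only matter when something is actually launched.
    if findings and d.get("action", "").strip().lower() in DECOY_ACTIONS:
        findings.append(("decoy-label", d["action"]))
    if findings and parsed["noise_lines"]:
        findings.append(("padding", f"{parsed['noise_lines']} unparseable line(s)"))
    return findings


def scan_drive(root: str) -> list:
    """Triage the autorun.inf at the root of a mounted drive (any letter case)."""
    try:
        names = os.listdir(root)
    except OSError:
        return []
    for name in names:
        if name.lower() == "autorun.inf":
            with open(os.path.join(root, name), "rb") as fh:
                return triage(parse_autorun(fh.read()))
    return []


if __name__ == "__main__":
    import sys
    findings = scan_drive(sys.argv[1]) if len(sys.argv) > 1 else triage(parse_autorun(SAMPLE_AUTORUN))
    for code, detail in findings or [("clean", "no launch directive found")]:
        print(f"{code:16} {detail}")
```

Run it with a drive root (for example `E:\`) to triage a real device, or with no argument to see the constructed sample flagged. Against the sample it reports a launch directive, a non-.dll payload handed to rundll32, a RECYCLER path, a decoy Action= label and two padding lines; the benign icon-and-label file produces no findings, and a file with no [autorun] section is treated as inert, as Windows treats it.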

Kees1958
January 25th, 2009, 04:23 PM
Well,

I agree with Firzen and Aigle, the message of Comodo is blurred. Of course you have a point that after adding an external source (be it USB or Internet) every pop-up is suspicious.

It made me change to Online Armor (also available in Dutch :thumb:) after getting GeSWall to work with internet control AND getting Chrome to work with GeSWall while virtualising the registry and allowing Chrome access only to two directories, TEMP and Downloads (so I could disable the FW in OA :-X )

aigle
January 25th, 2009, 04:26 PM
-{ Quote: "Hi aigle,

Nice tests! And very interesting reactions over at the Comodo forum.

I certainly hope not!

Here you have an instance of connecting a USB device to your computer and some automatic action occurs.

Surely anyone with a HIPS program would be knowledgeable enough to question why something not normal is occurring, then Deny that action, and finally look at the contents of the device to see what was going on. Hopefully you would question why there is an AutoRun.inf file there.

More basic than that: surely anyone with a HIPS program would be knowledgeable enough about the dangers of AutoRun that procedures would be in place so that the exploit wouldn't run anyway.

It seems to me that people are asking a software product to do a task here that should be taken care of by common sense.

----
rich" }-
No Rmus, a user can allow this alert. Being a user of HIPS I can tell you that memory access alerts between two legit applications are so common that I will never think to block any of them (unless one of the applications is unknown or suspicious). In fact I guess that many users might end up having a permanent allow rule for this action.

Also with its default rules, CFP doesn't give any info about an autorun.inf file present there or being created.

aigle
January 25th, 2009, 04:31 PM
-{ Quote: "aigle, even as a non-experienced user of HIPS software I can clearly see how this is wrong. You didn't talk about the AV not doing its job (if I remember correctly...), still that's what Melih keeps talking about. The AV! It's off-topic! :blink: On your side about this improper alert - what that discussion was actually about and proper criticism IMO." }-
Sorry, I did not understand you fully.
I am not interested in AV as I don't use it (or any other one). Their AV is for sure immature, all of us know, no matter what they claim. Future? Only time will tell.

BTW the AV caught this specific worm. :thumb:

aigle
January 25th, 2009, 04:32 PM
Thanks for your replies. At least I am relaxed that I am not alone in this assessment. On Comodo forums, I felt different. ;D

Swordfish_
January 25th, 2009, 04:52 PM
Could somebody PM me a link to the actual test, so that I could run it on my machine with the newest CIS beta? I am especially interested in whether they did anything about that autorun.inf present on a removable device.

And yes, interprocess memory access is so common that 95% of HIPS users wouldn't hesitate much before clicking "allow".

Thank you in advance.

Best regards :)

ps. CIS is still, in my humble opinion, a very good product.

Pit Frog
January 25th, 2009, 05:03 PM
C'mon people,

Comodo users have been protected out of the box from this worm since day 0.

You shouldn't get to the second alert if you read the first one and deal
with it as advised.

And even if you do mess up, the AV picks it up.

Why should Comodo change things for people who refuse to understand how things work?
It is obvious here and on other forums that it bothers people that there is
free software that offers such complete and simple protection.

My guess in many cases is that there is no $ in admitting that the free
app in question is as good or better than their paid one.
And in other cases what would you have to do, but get on with your lives
if your security was set.

Peace out.

Rmus
January 25th, 2009, 06:05 PM
-{ Quote: "No Rmus, user can allow this alert. Being a user of HIPS I can tell u that memoy access alerts between two legit applications are so common that i will never think to block any of it( unless one of the aplications is unknown or suspicious). Infact I guess that many users might end up having a permanant allow rule about this action." }-I can understand this, which is why I think HIPS is not very practical for the user who is not somewhat technically literate.

-{ Quote: "Also with its default rules, CFP doesn,t give any info about autorun.inf file present there or being created." }-It seems to me that for the experienced users of HIPS, if connecting a USB device immediately triggers an alert, surely they would think that something must not be right. Why wouldn't they stop everything at this point and check the USB drive? Surely they know that the only way something can trigger from a USB device is via Autorun.inf. If not, then I think they need to re-evaluate their basic knowledge of computer operations.

----
rich

3xist
January 25th, 2009, 06:13 PM
Hi Guys.

This worm can be simply stopped in its tracks with the "COMODO - Proactive Security" configuration in CIS, as Egemen, the lead CIS developer, said.

Comodo would NOT leave you vulnerable knowingly anyway, even with the default CIS configuration, and also the AV picks it up.

Let's say you only run Avira and the AV didn't detect it (which it does)... You're dead. At least CIS does detect this worm, alerts the user with D+, etc., and as always for advanced users, Proactive Security & Paranoid mode can be for you, for further testing. But you are protected with the default configuration because of the likes of the AV along with it (and if a user didn't install the AV on installation, they have 3 choices to make sure they are protected according to their needs, from basic firewall to max Defense+, which some users may choose if they do not have an AV or something). Remember ThreatCast is coming up to solve a lot of users being unsure about certain alerts, so anyone aged 7-100 can use CIS.

Cheers,
Josh

aigle
January 25th, 2009, 06:15 PM
-{ Quote: "
It seems to me that for the experienced users of HIPS, if connecting a USB device immediately triggers an alert, surely they would think that something must not be right. Why wouldn't they stop everything at this point and check the USB drive? Surely they know that the only way something can trigger from a USB device is via Autorun.inf. If not, then I think they need to re-evaluate their basic knowledge of computer operations.
" }-
I agree with you.

Actually the Downadup/Conficker worm is just an example that runs from a USB drive and has the potential/possibility to bypass a HIPS with a single wrong click by the user.

We don't know about the future; we might see some drive-by attacks via browser, some DLL loading etc. that will work in a similar way and might be even more tricky to deceive the user.

For me HIPS are like an advanced anti-executable with behaviour blocker components and they are meant to deal with zero-day malware techniques, so I expect them to mitigate the damage even if the malware is somehow allowed to run by the user. This was the basis for all these tests and my thread at Comodo forums.

sded
January 25th, 2009, 06:27 PM
LOL. Well I confess to having $25 invested in my two machines worth of security suites and hope Tall Emu doesn't run off with it. But I think the AV still runs before the HIPS on the incoming traffic, so no recovery there. AV keeps things from getting in, HIPS keeps things from getting out/executing. And have you missed that many of the posters in this thread are Comodo users who speak well of CIS and are dismayed at the tone and finality of the Aigle thread responses there? Including Aigle. And perhaps they might be surprised that someone from the Comodo board would bother to register and troll here with a new name, instead of the one they use there. Or are you banned here under your other name? But interesting discussion anyway. :)

And we shall see with Threatcast. There is certainly a lot of skepticism, enough to have Melih try to quiet it with a "Why Threatcast will work" thread. And I had a good laugh over the "developing mathematical formulas" explanation for QA. I am a mathematician by training ( have the degrees and experience ) and it is a bit more complicated than that. BTW, you seem to have a lot of time to devote to Comodo again. Is this the holiday season for the Australian school system? Keep up the good work; Ed.

3xist
January 25th, 2009, 06:37 PM
-{ Quote: "But I think the AV still runs before the HIPS on the incoming traffic, so no recovery there. AV keeps things from getting in, HIPS keeps things from getting out/executing." }-

It's like this. From a protection point of view, prevention should obviously be your first line of defense to be 99% protected against ANY malware. Detection then comes in 2nd, and cure is yet to be integrated into this.

It is true, if the AV has a signature for a malware, or the heuristics in the next version detect actual malware behavior, then no, Defense+ will not alert you... There will be no point in receiving an AV alert and then a Defense+ alert. So here, malware vs malware usability is the same! And detection still can be second to stop malware, because again AVs can detect a percentage of malware. So, for example... the AV in CIS detects 40% of malware, prevention prevents the rest... So as confusing as this may sound (I know I am confusing myself too) prevention is still first in stopping malware because the AV is limited in detection.

1) The AV in CIS Detection helps give Defense+ more usability.
2) Everyone needs a layered security architecture.
3) CIS is the only one to have PREVENTION as first line of defense.

Hope this clarifies.

Cheers,
Josh

Page42
January 25th, 2009, 07:13 PM
-{ Quote: "BTW the AV caught this specific worm. :thumb:" }-
The question has been asked (https://forums.comodo.com/comodo_boclean_antimalware/confickerdownandupkido-t33539.0.html;msg241146#msg241146) on the Comodo forums if BOClean stops this worm? Would you happen to know, or be willing to test for us? :thumb:

3xist
January 25th, 2009, 07:15 PM
Hmmmm... OA gives a Memory Injection alert, Defense+ gives a BIG RED alert and identifies it as malware. Why would users ignore this big red alert... while by the same token block OA's nondescript alert about memory injection?

Users either ignore or allow all. And also why would those very users block OA’s memory injection alert?

Cheers,
Josh

Bad Frogger
January 25th, 2009, 07:19 PM
Just in case sded's remarks were aimed at me.
I re-registered here; I was Pit Frog, kinda liked it.

Yes, I stand behind what I said.
No, I'm not a troll.
I'm also pretty sure I'm not who you thought I was.

I might be new posting here, but I have visited and read for years.
Many times if nothing else but for comic relief.
I have seen most of the regulars here in action, and the threads that
go on and on and on.
Mine's better, no mine's better, no mine's better, blah blah blah.
See the latest test, I'm changing. Currently running 9 security apps.

Again, do you not see the resistance to a simple free solution that just works?
What would you all do, find a new hobby?

Leolas
January 25th, 2009, 07:22 PM
-{ Quote: "Hmmmm... OA gives a Memory Injection alert, Defense+ gives a BIG RED alert and identifies it as malware. Why would users ignore this big red alert... while by the same token block OA's nondescript alert about memory injection?

Users either ignore or allow all. And also why would those very users block OA’s memory injection alert?

Cheers,
Josh" }-

What if Comodo didn't have this specific malware in its database? ;)

edit: And, I'd block it because if an unknown program, of which I don't know the source, wanted to modify svchost.exe, I'd think about whether I should block it or allow it.

3xist
January 25th, 2009, 07:23 PM
No worries Bad Frogger.

Can some one answer my above questions pls?

Cheers,
Josh

3xist
January 25th, 2009, 07:24 PM
-{ Quote: "What if Comodo didn't have this specific malware in its database? ;)" }-

I'm talking Defense+ Red Alert & Online Armor alert, Not the red AV Alert. If you go to first 2 posts of this thread, you will see the Alerts. D+ obviously doesn't use signatures.

Feel free to answer.

Cheers,
Josh

aigle
January 25th, 2009, 07:29 PM
-{ Quote: "Users either ignore or allow all. And also why would those very users block OA's memory injection alert?" }-
Because jwgkvsq.vmx is UNKNOWN while rundll32.exe is well known, and memory access alerts for well-known applications are so common.

Leolas
January 25th, 2009, 07:30 PM
-{ Quote: "I'm talking Defense+ Red Alert & Online Armor alert, Not the red AV Alert. If you go to first 2 posts of this thread, you will see the Alerts. D+ obviously doesn't use signatures.

Feel free to answer.

Cheers,
Josh" }-

uhm ;D

Well, with this you're right, but once you've allowed the first popup, you'd surely let it go. I'd change the second popup too, if I were Comodo.

Anyway, how frequently does Comodo's heuristic detect possible malware behavior? ???

PS: I've answered the other question in the edit of my previous post.

m00nbl00d
January 25th, 2009, 07:34 PM
I just don't like 2 things in the way Defense+ gives the first alert, which is the most important one.

1st - It should advise the user to block the action, but then the user could just think that it is one more of those alerts flagging something bad with heuristic analysis. It happens frequently.

2nd - It advises the user to submit the file to Comodo for further analysis, but where is the Submit link? In the alert, I mean.

Whenever a red alert such as that appears, it should recommend that the user block and provide a submit link.

Those are the only 2 flaws I see in the way Defense+ works.

But a red alert is always a red alert. It is like traffic lights. Red means stop. And in this case, careful action should be taken, hence the need to advise the user to block the action and a submit link in the alert.

Look at Defense+ and OA, the user would give more attention to Defense+. The problem is the way the alert is given.

Regards

aigle
January 25th, 2009, 07:40 PM
-{ Quote: "I'm talking Defense+ Red Alert & Online Armor alert, Not the red AV Alert. If you go to first 2 posts of this thread, you will see the Alerts. D+ obviously doesn't use signatures.

Feel free to answer.

Cheers,
Josh" }-
Hi, the red heuristic alert is common with so many applications/utilities that are not malware.

BTW I don't mean that a user will allow this execution alert. I was thinking of some possibilities:

- accidental allow click
- allow click by mistake/ wrong user decision
- most importantly, HIPS are like an advanced anti-executable with behaviour blocker components and they are meant to deal with zero-day malware techniques, so I expect them to mitigate the damage even if the malware is somehow allowed to run by the user. This was the basis for all these tests and my thread at Comodo forums. If this is not the case, there is no need for all the filters (like memory access, driver loading, registry access, global hooking etc. etc.). A simple execution-ONLY interception (allow or block) may be all that is needed in a HIPS.

3xist
January 25th, 2009, 07:42 PM
-{ Quote: "uhm ;D
Anyway, how frequently does Comodo's heuristic detect possible malware behavior? ???" }-

That's beside the point. We are analyzing this worm here, not anything else.

Okay... Now let's analyze this a little bit deeper.

The first Alert is the key here. And this is where naturally users will react.

Defense+ First Alert: Gives Red Alert, Identifies as Malware.
Online Armor First Alert: Can NOT make the decision for them.

Obviously, the average user will react to first alerts. A user WILL be more likely to allow the Online Armor alert, and get infected, than the D+ alert, because D+ says "Hey... this is malware behavior" and OA is clueless, and a user will go "well, it MUST be ok" and allow it and BANG, you're infected. D+ will bring a 2nd alert STRAIGHT away when they block the first one, and again, users will naturally react and block this. If a user does NOT block this, it's simply a legitimate action that the user allowed, and the malware is FREE to do all. After all, D+ gave the first BIG RED warning, NOT Online Armor.

I see the OA alert also has an AV+ alert (which counts for the AV in OA); in CIS, with the AV, CIS will produce much fewer pop-ups. I have NO IDEA if this is the case with OA, but with CIS if the AV detects something, D+ will NOT alert.

Anyway, ThreatCast will solve MANY more alert issues very soon when it's released (currently v3.8 beta), and v3.8 beta already provides more usability. And I'm sorry, when that time does come, OA will not be comparable to CIS.

Cheers,
Josh

aigle
January 25th, 2009, 07:45 PM
The red alert of CFP is cool but not so great unless they tweak their heuristics more.

I just went to the NirSoft website and downloaded 5 utilities at random. All gave red alerts.


3xist
January 25th, 2009, 07:47 PM
Please read my previous post, aigle. And for the example you just gave, I can also say that OA doesn't recognize a malware and a user will allow it, or OA's AV DETECTED a CD burner app to be malware and a user removed/quarantined it.

IceCube1010
January 25th, 2009, 08:07 PM
I think what 3xist is saying is that anything with malware behavior being mentioned in a red D+ box is something to be cautious with. I know it's very easy to just click allow all the time, but since OA and Comodo have come a long way in suppressing the redundant popups, when they do report something, one must proceed with caution! :D

Ice

3xist
January 25th, 2009, 08:07 PM
Come on guys really...

Imagine if Comodo had 10,000 malware in a test… CIS vs other HIPS…
CIS would clean them all without a single alert… whereas other HIPS would go into popup mania….. Because CIS has the AV.

That's just a usability point. Anyway there really is a flawed assumption here in his argument and I hope we can all end this soon; if not... we can continue to discuss technically.

Cheers,
Josh

Someone
January 25th, 2009, 08:09 PM
-{ Quote: "Come on guys really...

Imagine if Comodo had 10,000 malware in a test… CIS vs other HIPS…
CIS would clean them all without a single alert… whereas other HIPS would go into popup mania….. Because CIS has the AV.

That's just a usability point. Anyway there really is a flawed assumption here in his argument and I hope we can all end this soon; if not... we can continue to discuss technically.

Cheers,
Josh" }-
I'm confused, so are you saying Comodo's AV has a 100% detection rate?

3xist
January 25th, 2009, 08:11 PM
-{ Quote: "I'm confused, so are you saying Comodo's AV has a 100% detection rate?" }-

Nope.

I mean if Comodo had 10,000 in a test (that CIS actually detected as an AV) vs other HIPS. This is what I mean. :) Great usability...

People need to know...

1) AVs only detect a percentage of malware.
2) In CIS, If AV Detects a malware, D+ won't alert.
3) Detecting 40% of malware while the rest have D+ alerts vs other HIPS provides a usability advantage, etc., and that is only one aspect of CIS on this. :-)

And btw the Comodo virus DB is building fast. (http://forums.comodo.com/feedbackcommentsannouncementsnews_cis/over_11_million_signatures_and_comodos_database_continues_to_grow_rapidly-t33585.0.html)

Cheers,
Josh

Someone
January 25th, 2009, 08:15 PM
-{ Quote: "(That CIS actually detected as an AV)" }-
Sorry, I do not understand? ???

3xist
January 25th, 2009, 08:19 PM
-{ Quote: "Sorry, I do not understand? ???" }-

Okay...

Scenario: There are 10,000 malware here. The antivirus in CIS detects them all; therefore, Defense+ will not alert. Here CIS vs other HIPS: the AV in CIS wipes all 10,000 malware with ONE alert of the AV, D+ shuts up totally! Other HIPS go pop-up crazy! CIS uses detection capability to make life easy and not show popups...

So by using the AV to simply make life easy for users, while prevention is still the first line of defense, is an outstanding thing IMO.

:)

Cheers,
Josh

virtumonde
January 25th, 2009, 08:20 PM
Comodo's alert, the red warning, is great. You get this (not sure if with this malware) but with others even if you install only the firewall. This makes Comodo very good.
However, as aigle posted, and as many persons that use Comodo know, legitimate software installs can also give the same warning, meaning that users will tend to ignore the warning and allow.
Then what?
I would like to see how this will be dealt with when the final CIS is out, especially how ThreatCast will handle 0-day threats like this. If it will still depend on pop-ups for protection and remain a tool for advanced users, or if it will be one of the masses' favourite products.
3xist, your contribution is appreciated; I hope that if you skip rivalries you'll see that most of us like good working products, and don't care if it's Comodo, Online Armor, both etc.
I will say again my opinion. The pop-ups from Comodo and OA can't be handled by average users. It's 50/50 if they are lucky.

FanJ
January 25th, 2009, 08:23 PM
-{ Quote: "The question has been asked (https://forums.comodo.com/comodo_boclean_antimalware/confickerdownandupkido-t33539.0.html;msg241146#msg241146) on the Comodo forums if BOClean stops this worm?

-snip-

" }-

and that question has not been answered as of yet at the Comodo forum in that thread, except by 3xist with ...

-{ Quote: "
CIS AV Detects this...
" }-

and that doesn't answer the question.

Where are the good old times with Kevin? :-X

3xist
January 25th, 2009, 08:25 PM
-{ Quote: "Comodo's alert, the red warning, is great. You get this (not sure if with this malware) but with others even if you install only the firewall. This makes Comodo very good.
However, as aigle posted, and as many persons that use Comodo know, legitimate software installs can also give the same warning, meaning that users will tend to ignore the warning and allow.
Then what?
I would like to see how this will be dealt with when the final CIS is out, especially how ThreatCast will handle 0-day threats like this. If it will still depend on pop-ups for protection and remain a tool for advanced users, or if it will be one of the masses' favourite products.
3xist, your contribution is appreciated; I hope that if you skip rivalries you'll see that most of us like good working products, and don't care if it's Comodo, Online Armor, both etc.
I will say again my opinion. The pop-ups from Comodo and OA can't be handled by average users. It's 50/50 if they are lucky." }-

ThreatCast is a community-based thing. Advanced users will answer pop-ups and make the average user's job so much easier! And btw Comodo are adding a whole heap of trusted vendors, whitelist, etc.; v3.8 in beta is a huge update, MUCH for usability. And not forgetting... if the CIS AV detects, D+ won't alert, and that detection capability is very good for CIS as the malware DB grows dramatically...

Everyone has their own opinions! And I respect that a lot; I'm just giving the facts here with this worm! :D

:)

Cheers,
Josh

3xist
January 25th, 2009, 08:26 PM
-{ Quote: "and that question has not been answered as of yet at the Comodo forum in that thread, except by 3xist with ...



and that doesn't answer the question.

Where are the good old times with Kevin? :-X" }-

Sorry. I was busy then. :( Need Kevin... :( :-)

Cheers,
Josh

djohn
January 25th, 2009, 08:28 PM
-{ Quote: "I'm confused, so are you saying Comodo's AV has a 100% detection rate?" }-
No, there is no such thing as a 100 percent AV. I think what he is saying is that because of the AV and its signatures in place, it takes some of the guesswork out and helps reduce unneeded pop-ups. In other words, the AV detects it and handles it without the need for the user to make the decision from the HIPS. Correct me if I am wrong.

FanJ
January 25th, 2009, 08:29 PM
-{ Quote: "
Sorry. I was busy then. Need Kevin... :-)

Cheers,
Josh" }-

Yes please ask Kevin !

Regards,
Jan.

(edited because Josh edited the posting ;))

Someone
January 25th, 2009, 08:30 PM
-{ Quote: "Okay...

Scenario: There are 10,000 malware here. The antivirus in CIS detects them all; therefore, Defense+ will not alert. Here CIS vs other HIPS: the AV in CIS wipes all 10,000 malware with ONE alert of the AV, D+ shuts up totally! Other HIPS go pop-up crazy! CIS uses detection capability to make life easy and not show popups...

So by using the AV to simply make life easy for users, while prevention is still the first line of defense, is an outstanding thing IMO.

:)

Cheers,
Josh" }-
Ah, so it's just 10000 malware that the AV detects, I thought you meant in-the-wild malware. But if a user decides to use a HIPS, why can't they add a separate AV as well? It seems like you're comparing a HIPS+AV with a HIPS and saying the HIPS+AV is better?

3xist
January 25th, 2009, 08:31 PM
-{ Quote: "I think what 3xist is saying, anything with Malware behavior being mentioned in a Red D+ box is something to be cautious with. I know its very easy to just click allow all the time but since OA and Comodo have come along way in suppressing the redundant popups, when they do report something, one must proceed with caution! :D

Ice" }-

Totally! If a user allows a malware at a HIPS alert, it's totally legitimate. You're spot on!

Cheers,
Josh

3xist
January 25th, 2009, 08:33 PM
-{ Quote: "Ah, so it's just 10000 malware that the AV detects, I thought you meant in-the-wild malware. But if a user decides to use a HIPS, why can't they add a separate AV as well? It seems like you're comparing a HIPS+AV with a HIPS and saying the HIPS+AV is better?" }-

They can add a separate AV, I didn't say they couldn't? :)

I'm just saying that if people use the entire CIS, they will have the usability advantage. If a user chooses just Defense+, which comes with the firewall, they will have 3 choices on installation to suit their needs, and that user most likely will be an intermediate/advanced user. No one is forced to install anything.... YUCK... :P If I told everyone to install CIS and let it be, I would be the biggest idiot here... lol. I'm only giving facts about CIS and this worm issue. And btw, ThreatCast will come with both Firewall & AV separately in CIS.

Cheers,
Josh

Someone
January 25th, 2009, 08:36 PM
-{ Quote: "They can add a separate AV, I didn't say they couldn't? :)

I'm just saying that if people use the entire CIS, they will have the usability advantage. If a user chooses just Defense+, which comes with the firewall, they will have 3 choices on installation to suit their needs, and that user most likely will be an intermediate/advanced user. No one is forced to install anything.... YUCK... :P If I told everyone to install CIS and let it be, I would be the biggest idiot here... lol. I'm only giving facts about CIS.

Cheers,
Josh" }-
It seems to me you're saying a HIPS+AV is more usable than a HIPS? Well of course, but that's comparing apples with oranges.

3xist
January 25th, 2009, 08:40 PM
-{ Quote: "It seems to me you're saying a HIPS+AV is more usable than a HIPS? Well of course, but that's comparing apples with oranges." }-

You see, that's the advantage CIS has as a "Prevention as first line of Defense" security product, and the AV follows as 2nd. That's natural for CIS as a security product.

People who use just Comodo Firewall & Defense+ and a separate AV... then so be it! Both AV & Firewall will come with ThreatCast, and people can always tweak CIS, etc... :) But as the AV grows in CIS, and it's growing very fast, more users will switch over as they see tests from VB100 and AV-Comparatives some time this year... And even so, Avira, Kaspersky, etc. have a higher detection rate than the AV in CIS, so it's also an advantage: just extra pop-ups from the CIS HIPS, but the AV will detect it anyway!

But really, a separate AV and Firewall/D+ from CIS are not architected to work together, and you don't know whether you will get a pop-up from the HIPS as well as from the AV at the same time...

Cheers,
Josh

subset
January 25th, 2009, 08:46 PM
-{ Quote: "
Mines better, no mines better, no mines better, blah blah blah.
" }-
You don't like these kind of guys?

-{ Quote: "
Again do you not see the resistance to a simple free solution that just works?
" }-
Yours is better? ;)

Cheers

Someone
January 25th, 2009, 08:55 PM
-{ Quote: "You see, that's the advantage CIS has as a "Prevention as first line of Defense" security product, and the AV follows as 2nd. That's natural for CIS as a security product.

People who use just Comodo Firewall & Defense+ and a separate AV... then so be it! Both AV & Firewall will come with ThreatCast, and people can always tweak CIS, etc... :) But as the AV grows in CIS, and it's growing very fast, more users will switch over as they see tests from VB100 and AV-Comparatives some time this year... And even so, Avira, Kaspersky, etc. have a higher detection rate than the AV in CIS, so it's also an advantage: just extra pop-ups from the CIS HIPS, but the AV will detect it anyway!

Cheers,
Josh" }-
I don't see the advantage?

Thanks

Bad Frogger
January 25th, 2009, 08:58 PM
@subset
LOL ya got me.

It's not exactly what I meant. But a good catch nonetheless.

I didn't mean mine is the flat out best. But as a generality there is a resistance by many.

The security industry feeds on paranoia. The industry naturally would resist a better free solution as a matter of survival. If someone achieved perfection in security and gave it away, the hatred would be palpable and the resistance intense.

Know what I mean.

Later

3xist
January 25th, 2009, 09:01 PM
-{ Quote: "I don't see the advantage?

Thanks" }-

If the AV in Comodo detects something, D+ won't alert (no point).

If a separate AV detects something, D+ will alert, because a separate AV and D+ are not designed to work together... they are not architected to work together, and you don't know whether you will get a pop-up from the HIPS as well as from the AV at the same time... (as said above).

This is the beauty of CIS: it uses the AV to reduce the pop-ups. It still is a HIPS, but a clever HIPS that uses its own AV to reduce its pop-ups. This is very rare.

Cheers,
Josh

sded
January 25th, 2009, 09:07 PM
I guess I am still lost on why D+ HIPS is better than all other HIPS too ??? Doesn't everyone go FW-->AV-->HIPS-->BB more or less? And the AVs, for example, detect and quarantine/delete things so they never get to the HIPS ( at least Avast! and the others I have used do). And "Prevention as the first line of defense" still confuses, although it is a nice slogan. FW prevents, AV detects, HIPS (and user) prevents, BB prevents. I use Prevx Edge also, and it does a bit of both, using the "cloud" very carefully, as do some of the other vendors. If Comodo means that Prevention is the main line of defense (HIPS) vs their AV, that I can understand. But probably irrelevant, since Egeman said the subject is closed. ;)

Someone
January 25th, 2009, 09:08 PM
-{ Quote: "The industry naturally would resist a better free solution as a matter of survival.
If someone achieved perfection in security and gave it away, the
hatred would be palpable and the resistance intense.
Know what I mean." }-
In this case it looks like it's normal users discussing how a product could improve, not intensely resisting a better solution with hatred.

sded
January 25th, 2009, 09:13 PM
Gee, the OP and many of the other posters are Comodo users, trying to figure out whether they are happy with some of the Comodo decisions. I am happy with what OA did, consistent with Aigle's study, but there are lots of other solutions out there.

Someone
January 25th, 2009, 09:17 PM
-{ Quote: "If the AV in Comodo detects something, D+ won't alert (no point).

If a separate AV detects something, D+ will alert, because a separate AV and D+ are not designed to work together... they are not architected to work together, and you don't know whether you will get a pop-up from the HIPS as well as from the AV at the same time... (as said above).

This is the beauty of CIS: it uses the AV to reduce the pop-ups. It still is a HIPS, but a clever HIPS that uses its own AV to reduce its pop-ups. This is very rare.

Cheers,
Josh" }-
Like sded said, if a separate AV detects something and quarantines it, D+ won't alert. Only if the AV scans on execution might there be a chance of conflicts, but I think most AVs scan when reading or writing.

HIPS+AV is quite rare, but there are many behavioural blockers + AV, so it doesn't seem that unique.

3xist
January 25th, 2009, 09:19 PM
-{ Quote: "Like sded said, if a separate AV detects something and quarantines it, D+ won't alert. Only if the AV scans on execution might there be a chance of conflicts, but I think most AVs scan when reading or writing.

HIPS+AV is quite rare, but there are many behavioural blockers + AV, so it doesn't seem that unique." }-

Can you prove that HIPS/Behavior Blocker/AV combos apart from CIS provide the kind of usability of not alerting if an AV detects something? I would be interested.

This usability is only one part of CIS. v3.8 is coming for more usability... ThreatCast, for example, you don't see in everyday HIPS/behavior blockers.

Cheers,
Josh

Someone
January 25th, 2009, 09:23 PM
-{ Quote: " And "Prevention as the first line of defense" still confuses, although it is a nice slogan. FW prevents, AV detects, HIPS (and user) prevents, BB prevents. I use Prevx Edge also, and it does a bit of both, using the "cloud" very carefully, as do some of the other vendors. If Comodo means that Prevention is the main line of defense (HIPS) vs their AV, that I can understand. But probably irrelevant, since Egeman said the subject is closed. ;)" }-
Personally I always thought it confusing, IMHO "prevention" means not getting malware on your computer in the first place, e.g. with inbound firewall, site rating programs such as SiteAdvisor, MVPS Host File, etc.

IceCube1010
January 25th, 2009, 09:23 PM
-{ Quote: "I guess I am still lost on why D+ HIPS is better than all other HIPS too ??? Doesn't everyone go FW-->AV-->HIPS-->BB more or less? And the AVs, for example, detect and quarantine/delete things so they never get to the HIPS ( at least Avast! and the others I have used do). And "Prevention as the first line of defense" still confuses, although it is a nice slogan. FW prevents, AV detects, HIPS (and user) prevents, BB prevents. I use Prevx Edge also, and it does a bit of both, using the "cloud" very carefully, as do some of the other vendors. If Comodo means that Prevention is the main line of defense (HIPS) vs their AV, that I can understand. But probably irrelevant, since Egeman said the subject is closed. ;)" }-

I wouldn't say D+ is the end-all of HIPS. OA has a nice one, as does SSM, etc. I think what 3xist is saying is that if you install the CIS package as a whole, the AV might pick up on some of the nasties and end it right there without any interference from D+. If it gets by the AV, then D+ will give some sort of a warning. I've played around with OA Free with Avira Free and liked that combo also. I have to give Comodo credit, they are trying very hard to make CIS a superior product.

Ice

jmonge
January 25th, 2009, 09:30 PM
-{ Quote: "I wouldn't say D+ is the end-all of HIPS. OA has a nice one, as does SSM, etc. I think what 3xist is saying is that if you install the CIS package as a whole, the AV might pick up on some of the nasties and end it right there without any interference from D+. If it gets by the AV, then D+ will give some sort of a warning. I've played around with OA Free with Avira Free and liked that combo also. I have to give Comodo credit, they are trying very hard to make CIS a superior product.

Ice" }-

So how is the beta? Is it fast? CPU?

3xist
January 25th, 2009, 09:31 PM
Whether you use OA or not, it doesn't matter to me. I am only here to give the true facts surrounding CIS, and I believe I have said enough IMO.

This discussion is getting OT... I was only here for the worm (lol) but we kind of expanded... Anyway take care dudes. :)

Cheers,
Josh

Someone
January 25th, 2009, 09:32 PM
-{ Quote: "Can you prove that HIPS/Behavior Blocker/AV combos apart from CIS provide the kind of usability of not alerting if an AV detects something? I would be interested.

This usability is only one part of CIS. v3.8 is coming for more usability... ThreatCast, for example, you don't see in everyday HIPS/behavior blockers.

Cheers,
Josh" }-
I'm not sure what's there to prove. Let's say a user downloads a file that is malware but he doesn't know it. Before he opens it, the AV detects it. It's quarantined. How can D+ alert about it?

Threatcast is definitely unique in HIPS, not behavioural blockers.

firzen771
January 25th, 2009, 09:33 PM
-{ Quote: "So how is the beta? Is it fast? CPU?" }-

The CIS beta is amazingly light, just as light as the current release version. I'm using it right now and it's extremely stable.

jmonge
January 25th, 2009, 09:35 PM
-{ Quote: "Whether you use OA or not, it doesn't matter to me. I am only here to give the true facts surrounding CIS, and I believe I have said enough IMO.

This discussion is getting OT... I was only here for the worm (lol) but we kind of expanded... Anyway take care dudes. :)

Cheers,
Josh" }-

The good thing about the AV part of Comodo is that it detected the Qhost infection on an infected machine ;) This is very impressive because, even though people say it is not mature, I think it is more mature than other antivirus programs that I know :thumb:

sded
January 25th, 2009, 09:39 PM
My point was just that if I install any good AV, it blocks and deletes everything known in its database, usually giving a single pop-up for each detection to do it. I hit a couple of sites today for research purposes with avast! that gave big "do not download this, dummy" signs and aborted the downloads, so the OA HIPS never saw it. Similar stuff for email attachments. A malware prevention and detection system is a sieve: get as much crapware out at each step as you can without getting killed by the FPs. Nothing really unique about Comodo's approach; they just need to show that their sieve is as good as or better than some other sieve. And that is where the "better ideas" come in. And they seem to be working the problem, but the rest of the world isn't standing still either.

firzen771
January 25th, 2009, 09:40 PM
-{ Quote: "The good thing about the AV part of Comodo is that it detected the Qhost infection on an infected machine ;) This is very impressive because, even though people say it is not mature, I think it is more mature than other antivirus programs that I know :thumb:" }-

When this beta is released and its heuristics are fine-tuned, I might give the whole package a shot 8)

jmonge
January 25th, 2009, 09:52 PM
-{ Quote: "When this beta is released and its heuristics are fine-tuned, I might give the whole package a shot 8)" }-

Cool :thumb:

LowWaterMark
January 25th, 2009, 10:24 PM
Some people like one product and some people like the other.

This is, I believe, the fifth thread about exactly this same topic, one versus the other, and it ends the same way. No winner, and closed.