Downadup/ Conficker worm and CFP Defence Plus

I have made a long thread at Comdod forums. I tried my best to convince the developers to improve the way CFP deals with this worm but I failed.

The discussion might be of interest to some HIPS users. Just wanted to know what do you this about this.

https://forums.comodo.com/leak_test...ficker_worm_versus_defence_plus-t33410.0.html

Two most important alerts from CFP Defence Plus about this worm( IMO):

 

OA gives these alerts.

 

hmm that message comodo gives in the 2nd screenshot is a bit troubling, after reading the message most people would click allow, hmm i hope comodo fixes that.

 

They did not agree and will not change it.

 

Aigle, interesting and informative discussion. But is critical of Comodo, so unlikely to have any effect. At least you helped get OA to add some improvements in the latest version. Thank you for your efforts.

 

Yes, OA's alerts are much more clear, but if they don't want to listen... Pitty.

 

Not a pity to Comodo, a pity to the user. They rely on programs like CFP to protect them in an adequate way.

 

I think Comodo can protect in more than adeguate way. Not perfect of course. One flaw in a product doesn't make the whole product garbage. I don't know how Conficher is delivered, but if it was an exe , i would have blocked in anyway, despite the confusing pop ups.

Comodo is the best value for money firewall-hips product right now, if not else and runs very light too.

Don't be so harsh about it. Which one would you say it's better alternative for this kind of software?

 

You are overreacting. I didn't mention the word "garbage" nor I provided the reader with such impression.

You better can inform yourself about the ins and outs of that worm before you deliver comment on issues regarding that piece of malware. BTW, we have to consider the user without (specific) knowledge and how HE will react.

Calling one weak spot can hardly be categorised as being "harsh". And no, I will NOT suggest any alternative, that will lead to endless discussions about product x is better than product y, aso aso.

 

Sorry, my misunderstanding! I took the "Not a pity to Comodo, a pity to the user.They rely on programs like CFP to protect them in an adequate way." comment as a way of saying that Comodo is practically trash - unreliable product. My mistake, i am not a native english speaker.

You 're right. I am not informed. I hope this doesn't though have to do something with what i said about Comodo not being bad.

As i said, i misintrepreted your comment as a too harsh attack on Comodo. Your remark, appeared to me, not concetrated on a weak spot, but rather bashing the entire product. My mistake. Ok, i am not going to force you to say which is better, don't worry. I was just curious to see the opinion of an expert! Recently i read the opinion of another expert and i wanted to see if it coincides with yours.

 

Just noting that Comodo has a long history of being intransigent about changes they didn't invent. Logging, SPI, the "ask" function, proxy issues, network management, Threatcast, AV features, standalone configurations, ... and many GUI aspects come to mind as issues that have led to long threads that have gone nowhere. Or look at their wish list, aka "black hole". But the long term Comodo users are certainly able to adapt to and use the Comodo features successfully.

 

No prob.

 

aigle, even as a non-experienced user of HIPS software I can clearly see how this is wrong. You didn't talk about the AV not doing its job (if I remember correctly...), still that's what Melih keeps talking about. The AV! It's off-topic! On your side about this improper alert - what that discussion was actually about and proper criticism IMO.

 

Hi aigle,

Nice tests! And very interesting reactions over at the Comodo forum.

I certainly hope not!

Here you have an instance of connecting a USB device to your computer and some automatic action occurs.

Surely anyone with a HIPS program would be knowledgeable enough to question why something not normal is occurring, then Deny that action, and finally look at the contents of the device to see what was going on. Hopefully you would question why there is an AutoRun.inf file there.

More basic than that: surely anyone with a HIPS program would be knowledgeable enough about the dangers of AutoRun that procedures would be in place so that the exploit wouldn't run anyway.

It seems to me that people are asking a software product to do a task here that should be taken care of by common sense.

----
rich

 

Well,

I agree with Firzen and Aigle, the message of Comodo is blurred. Off course you have got a point that when after adding an external source (being USB or Internet) every pop-up is suspicious.

It made me change to Online Armor (also in Dutch available) after getting GeSWall to work with internet control AND getting chrome to work with GeSWall while virtualising the regsitry and allowing only Chrome access to two directories TEMP and Downloads (so I could disable FW in OA )

 

No Rmus, user can allow this alert. Being a user of HIPS I can tell u that memoy access alerts between two legit applications are so common that i will never think to block any of it( unless one of the aplications is unknown or suspicious). Infact I guess that many users might end up having a permanant allow rule about this action.

Also with its default rules, CFP doesn,t give any info about autorun.inf file present there or being created.

 

Sorry I did not understand you fully.
I am not interested in AV as I don,t use it( or any other one). Their AV is for sure immature, all of us know, no matter what they claim. Future---? only time will tell.

BTW the AV caught this specific worm.

 

Thanks for your replies. Atleast I am relax that I am not alone about this assessment. On Comodo forums, I felt different.

 

Could somebody PM me a link to the actual test, so that I could run in on my machine with the newest CIS beta? I am especially interested if they did anything about that autorun.inf present on a removable device.

And yes, interprocess memory access is so common, that 95% of HIPS user wouln't hesitate much before clicking "allow".

Thank you in advance.

Best regards

ps. CIS is still, in my humble opinion, a very good product.

 

C'mon people,

Comodo users have been protected out of the box from this worm since day 0.

You shouldn't get to the second alert if you read the first one and deal
with it as advised.

And even if you do mess up, the AV picks it up.

Why should Comodo change things for people who refuse to understand how things work.
It is obvious here and on other forums that it bothers people, that there is a
free software that offers such complete and simple protection.

My guess in many cases is that there is no $ in admitting that the free
app in question is as good or better than their paid one.
And in other cases what would you have to do, but get on with your lives
if your security was set.

Peace out.

 

I can understand this, which is why I think HIPS is not very practical for the user who is not somewhat technically literate.

It seems to me that for the experienced users of HIPS, if connecting a USB device immediately triggers an alert, surely they would think that something must not be right. Why wouldn't they stop everything at this point and check the USB drive? Surely they know that the only way something can trigger from a USB device is via Autorun.inf. If not, then I think they need to re-evaluate their basic knowledge of computer operations.

----
rich

 

Hi Guys.

This worm can be simply stopped in it's tracks with "COMODO - Proactive Security" Configuration in CIS, As Egemen said, The lead CIS Developer.

Comodo would NOT leave you vulnerable knowingly anyway, Even with the default CIS configuration, And also the AV picks it up.

Let's say you only run Avira and the AV didn't detect it (Which it does)... You're dead. Atleast CIS does detect this worm, Alerts the user with D+, etc and as always for advanced users, Proactive Security & Paranoid mode can be for you, for further testing. But you are protected with the default configuration because of the likes of the AV along with it (And if a user didn't install the AV on installation, They have 3 choices to make sure they are protected with there needs - From Basic Firewall - To Max Defense+ which some users may choose if they do not have an AV or something). Remember ThreatCast is coming up to solve alot of users unsure about certain Alerts, So anyone get use CIS age 7-100.

Cheers,
Josh

 

I agree with you.

Actually Downadup/ Conficker worm is just an example that runs from a USB drive and has the potential/ possibility to bypass a HIPS with a single wrong click by user.

We don,t know about future, we might see some driveby attacks via browser, some dll loading etc that will work in a similar way and might be even more tricky ot deceive the user.

For me HIPS are like an advanced anti-execitable with behav blocker componnets and they are meant to deal zero day malware techniques so I expect them to mitigate the damage even if the malware is somehow allowed to un by user. This was the basis for all these tests and my thread at Comodo forums.

 

LOL. Well I confess to having $25 invested in my two machines worth of security suites and hope Tall Emu doesn't run off with it. But I think the AV still runs before the HIPS on the incoming traffic, so no recovery there. AV keeps things from getting in, HIPS keeps things from getting out/executing. And have you missed that many of the posters in this thread are Comodo users who speak well of CIS and are dismayed at the tone and finality of the Aigle thread responses there? Including Aigle. And perhaps they might be surprised that someone from the Comodo board would bother to register and troll here with a new name, instead of the one they use there. Or are you banned here under your other name? But interesting discussion anyway.

And we shall see with Threatcast. There is certainly a lot of skepticism, enough to have Melih try to quiet it with a "Why Threatcast will work" thread. And I had a good laugh over the "developing mathematical formulas" explanation for QA. I am a mathematician by training ( have the degrees and experience ) and it is a bit more complicated than that. BTW, you seem to have a lot of time to devote to Comodo again. Is this the holiday season for the Australian school system? Keep up the good work; Ed.

 

It's like this. From a Protection point of view, Prevention should obviously be your first line of defense to to be 99% protected against ANY malware. Detection then comes in 2nd, And cure is yet to be integrated into this.

It is true, If the AV has a signature for a malware, or the heuristics in the next version detects actual malware behavior, Then no Defense+ will not alert you... There will be no point to receive an AV Alert then a Defense+ Alert. So here, malware vs malware usability is the same! And Detection still can be second to stop malware, Because again AV's can detect %age of malware So, for example... The AV in CIS detects 40% of malware, Prevention prevents the rest... So as confusing this may sound (I know I am confusing my self too) Prevention is still first in stopping malware because the AV is limited in detection.

1) The AV in CIS Detection helps give Defense+ more usability.
2) Everyone needs a layered security architecture.
3) CIS is the only one to have PREVENTION as first line of defense.

Hope this clarifies.

Cheers,
Josh