CIS V5 public beta

Discussion in 'other anti-malware software' started by kjdemuth, Jul 29, 2010.

Thread Status:
Not open for further replies.
  1. Cvette

    Cvette Registered Member

    Joined:
    Apr 16, 2010
    Posts:
    373
    Location:
    South Carolina, USA
    Quite stable, but not secure. Quite a few people are having files bypass D+ completely :doubt:
     
  2. Cvette

    Cvette Registered Member

    Joined:
    Apr 16, 2010
    Posts:
    373
    Location:
    South Carolina, USA
    Ugh... :doubt: I think that's all anyone can say.
     
  3. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,974
    Location:
    Boston, MA
    I'm sorry, but looking at this forum and looking over at Comodo's forum, I don't know how they could have released an RC yet. I hope that they intend to fix a lot of the things people are finding before the final.
     
  4. guest

    guest Guest

    Well, they can still have many RCs. Usually when a piece of software is stable enough it moves from beta to RC; now almost all the problems with the stability of the AV are fixed.

    I would like to see at least 4 RCs :thumb:
     
  5. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,974
    Location:
    Boston, MA
    I would have to disagree. You still have people saying that some malware passes right through without a hiccup. You also have some folks still having BSODs according to the Comodo forum. I would think that it isn't stable enough and should stay in beta. RCs are normally reserved for minor tweaking, such as the GUI or programs that are conflicting. I mean, listen to some of the people on the Comodo forum saying that they shouldn't rush and should fix some of the problems before moving on.
     
  6. SFC

    SFC Registered Member

    Joined:
    Apr 14, 2007
    Posts:
    33
    The AV component works really much faster now. I'm impressed.
     
  7. guest

    guest Guest

    The bypass found by AlanMcAlan is not real; the sandbox doesn't let the malware infect the computer (AV disabled).
    To bypass the sandbox you have to:
    1. Execute the malware.
    2. It will run inside the sandbox (it could even create files in some folders).
    3. Restart the computer and check if the computer is infected.
     
  8. DOSawaits

    DOSawaits Registered Member

    Joined:
    Dec 11, 2008
    Posts:
    469
    Location:
    Belgium
    It will probably be 1 RC, then a final 1 week later, and in 1 month, the first betas for v6...
     
  9. clocks

    clocks Registered Member

    Joined:
    Aug 25, 2007
    Posts:
    2,787

    I think part of that is because it is a free product, so they have no incentive to wait for next year's big release, needing to make a big splash to get sales. They can just release improvements incrementally throughout the year.

    I have used CIS off and on a lot, and I have not found it any buggier than any other AV program.
     
  10. korben

    korben Registered Member

    Joined:
    Nov 5, 2009
    Posts:
    917
    True, yet after the very well-received v3.14 came v4... now v5 is making its way... rush hour?
     
  11. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    I think that was largely due to CIS not functioning fully in VirtualBox, although there may have been others.
     
  12. Cvette

    Cvette Registered Member

    Joined:
    Apr 16, 2010
    Posts:
    373
    Location:
    South Carolina, USA
    As I said before, I test without the sandbox, cloud scanning, antivirus, etc. to be fair in comparison to versions 3 and 4. I will gather some more samples later in the week and see if the new beta is able to do anything about samples bypassing Defense+.

    @Andyman, I run the COMODO beta on my testing PC to eliminate the chance of a VM causing problems.
     
  13. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    I think the problems were confined to VirtualBox only, but it's best to run on a real system if you have one spare. :thumb:
     
  14. guest

    guest Guest

    So it's only able to bypass D+?
    I will try it again later, but I think they will not give it much relevance since only D+ is enabled. Was it in paranoid mode?
     
  15. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,344
    Location:
    Europe, UE citizen

    guest, I always read your posts with great interest and regard, but THIS I really can't understand: "it's only able to bypass D+?": ONLY?? :eek: - "not give much relevance since only D+ is enable."?? Defense+ is the HIPS, the core of the system's security. Not trusting Defense+ means being without a HIPS.... :rolleyes:
     
  16. guest

    guest Guest

    I have the samples of this malware and I tried it on the CIS 5 beta.
    When I tried it at first, it was detected by the AV as malware, so I deactivated the AV.
    After this I ran the files again and they were running inside the sandbox (I don't remember if I got any popup from D+); I restarted the computer and the computer was clean.
    I didn't try disabling the sandbox and leaving D+ alone.
    I didn't try disabling the sandbox and leaving D+ in paranoid mode alone.

    What I wanted to say is that malware bypassing a HIPS is nothing new; I have never seen a HIPS defeat all malware.
    I am not sure, but maybe in this case you get an alert from D+ telling you that the file wants to be executed and is asking for permissions... and if you allow this popup (because you want to see if D+ is able to block the malware "installation") you will be infected without any other popup.

    In order to bypass CIS in this case we need to disable 2 main layers of security, the AV and the sandbox. I can bypass any security app by disabling layers of security...

    If somebody wants the malware to test it with another HIPS (OSS or MD please) or whatever, PM me. I am on "holidays" and I can't run VMware on this laptop.

    I would like to remind you that Comodo doesn't work correctly on VirtualBox due to some limitations of VirtualBox.
     
    Last edited by a moderator: Aug 20, 2010
  17. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,344
    Location:
    Europe, UE citizen
    Ya, so I agree.

    Ya, true. The only thing is, I would like my HIPS, whatever it is, to be the strongest component of my multilayering, stronger than the AV and sandbox, even external ones like GeSWall... Thanks for your answer. :thumb:
     
  18. guest

    guest Guest

    I agree, but I feel that the HIPS is not a priority for Comodo right now (only Matousec can change that :D ); they are focusing development on the sandbox, the behavioural blocker, the cloud...

    Take into account that since the sandbox, the trusted vendor list, and the whitelist appeared in Comodo, you hardly see any alert from D+.
    And my experience with the sandbox is that it is better than the HIPS, much better. Almost every week I launch a lot of 0-day malware into the sandbox; I haven't found anything yet able to bypass it.

    Also, with the new "cloud behaviour blocker" (like an intelligent HIPS), D+ "loses" importance.

    @AlanMcAlan did you use the paranoid mode?
     
    Last edited by a moderator: Aug 20, 2010
  19. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,344
    Location:
    Europe, UE citizen

    I'm not glad to read it :( . I never trusted cloud-based security systems, and I don't like BBs. I always liked and used classical and powerful HIPS, such as System Safety Monitor or OSSS. Sure, I use a sandboxing layer, GeSWall, but for me the HIPS must be the first line of defense.

    I hope that these new development choices in CIS don't neglect Defense+ enhancement and improvement!! :( :(
     
  20. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    I think the important point in determining the severity of this malware bypassing D+ is the nature of the malware itself.

    If it's an MBR rootkit, or something of that ilk, then yes, it's extremely serious. However, if it's a 'benign code' rogue or similar, then not so much.

    If it's the latter, the HIPS isn't expected to determine malicious intent, unless there are accompanying malicious actions too. The normal checks and balances (AV, BB, Sandbox) being disabled makes all the difference in this scenario.
     
    Last edited: Aug 20, 2010
  21. DOSawaits

    DOSawaits Registered Member

    Joined:
    Dec 11, 2008
    Posts:
    469
    Location:
    Belgium
    No, it has nothing to do with rushing; it's solely about getting ATTENTION, drawing more vict... euhm, users to Comodo.
    They have no interest at all in releasing updates for v3 or v4 because that doesn't make enough fuss.
     
  22. Cvette

    Cvette Registered Member

    Joined:
    Apr 16, 2010
    Posts:
    373
    Location:
    South Carolina, USA
    @guest
    Nothing new? Defense+ is COMODO's famous Default-Deny technology: deny the unknown (or, in the case of running paranoid mode, deny everything) unless the user says otherwise. I never "allowed" a pop-up from COMODO during testing; I clean out the policy beforehand and after each sample has been tested. This is the core and, in my view, the most important component of COMODO that is being bypassed. Yes, I use and always have used paranoid mode.

    I disagree; if, however, that is the real case, I am deeply saddened. I was never, never able to get anything past V3 and V4's paranoid Defense+ (without the sandbox, etc.). I simply do not understand the need for more and more components for the same level of security.

    @everyone
    *Due to the amount of requests for the two samples of malware, both on this forum and on the COMODO beta forum, it would be much easier for you to private message me :)
     
    Last edited: Aug 20, 2010
  23. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,974
    Location:
    Boston, MA
    I truly appreciate the development of CIS. I also have used it with a lot of success. I wouldn't say that I'm a fanboy, but I do believe that it's a great product. With that being said... I also feel that they should be taking a greater role in ironing out some of the issues. Things that people have been saying since ver 4. If you don't listen to the people that use it, then you are lost. I hope that the following RCs have all the fixes that make it a better product.
     
  24. Cvette

    Cvette Registered Member

    Joined:
    Apr 16, 2010
    Posts:
    373
    Location:
    South Carolina, USA
    I could not have said it better. Also, I would not call myself a fanboy of any kind for any product; I have dropped COMODO a few times in the past because of things ranging from personal issues with the staff to bugs that seemed to never go away. I have used COMODO for... geez... well over 3 years, and am starting to see it decline and improve at the same time.

    Cheers.
     
    Last edited: Aug 20, 2010
  25. CogitoTesting

    CogitoTesting Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    901
    Location:
    Sea of Tranquility, Luna
    Wait a minute, is fanboy a dirty word? :D

    Thanks.
     