An approach for configuring Comodo Internet Security Defense+ for fewer alerts

Discussion in 'other anti-malware software' started by MrBrian, Mar 21, 2009.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I have outlined my new approach for configuring Comodo Internet Security Defense+ for fewer alerts here. Since this approach also results in a considerably smaller ruleset, those of you who want to reduce the amount of time spent remembering the answer to a Defense+ alert may also be interested.
     
    Last edited: Mar 21, 2009
  2. 3xist

    3xist Guest

    Brian,

    I saw it; it's excellent! Well done. I hope Egemen, Melih and other Developers take note and at least put ONE of your concepts into consideration for CIS v4.0 (for the usability side).

    Great work!

    Cheers,
    Josh
     
  3. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Thank you for the kind words Josh :). There's actually nothing too novel in my approach, except for the idea of putting most of the execution rules in the 'All Applications' policy instead of individual parent/child policies. It would be nice if future versions of CIS had the option of automating this for those that desire to do so.
     
  4. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    For the sake of usability, I would recommend that future versions of CIS Defense+ policy by default emphasize mainly the prevention of malware execution, as has been done in my approach. I would remove the parent/child execution alerts by default, and replace them with execution alerts that don't mention the parent, with the resulting execution rules placed in the 'All Applications' policy.

    My approach leaves out a lot of monitoring related to detection of malware that is already running, in order to not burden the user with too many alerts. In future versions of CIS, including a first-class behavior blocker similar to ThreatFire would help in the detection of malware already running, without sacrificing usability. Combined with the planned addition of rollback technology in case of malware infection, and an improving Comodo Antivirus, CIS would become quite astounding!
     
  5. 3xist

    3xist Guest

    Melih is interested in the behavior analysis bit. :)

    And yes, Time Machine in CIS 4.0 is going to be very good. But v3.9 first!

    Cheers,
    Josh
     
  6. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  7. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    :eek: Melih is interested in BB's :D Man, I predict CIS becoming either one of the best products (if they do it right, since they're adding SOOO much) or it could possibly flop after all that stuff is added (if they do it wrong and just make a messy app). They have REALLY gotta be careful with how they package this app with all those components to make it simple and not a huge anchor on the system...

    I really hope it's the first one that happens. I have lots of hope for CIS, and if it gets far enough, I plan to use it solely. :D
     
  8. 3xist

    3xist Guest

    I hope Comodo can introduce Behavior Analysis myself... And also keep the HIPS too. This will make Defense+ even more usable with the detection layers being BOClean/CAV.

    Will also work well with heuristics IMO.

    Cheers,
    Josh
     
  9. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    527
    Location:
    USA
    Thanks for taking the time for the detailed posts. This is very interesting.

    I have been trialing Returnil's new anti-executable and driver protection option, but this looks like a more comprehensive solution with a good balance of usability. Perhaps Comodo could add a dropped rights function similar to the runsafer option in OA.

    Would you make any changes in your ruleset for say, using on XP Home as admin vs. Vista running as a standard user?
     
  10. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You're welcome :)

    I would likely make some changes to Vista's ruleset, but sorry I don't know what changes to make, since I don't use it.
     
  11. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    If you're running Vista as a standard user, you don't need to use the 'Basic User' security level in Software Restriction Policies.
     
  12. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    FYI: some changes have been made to my recommendations, such as the CIS self-protection settings and the policy for rundll32.exe. Please see the thread mentioned in the first post for more details.
     