Anything else combined with Comodo Defense+

Discussion in 'other anti-malware software' started by usnuli, Jan 23, 2009.

  1. usnuli

    usnuli Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    29
    Hi everyone!
    I've got Comodo Defense+ installed on my computer together with Avira AntiVir Free. Should I combine my security setup with ThreatFire or DriveSentry, or has D+ already got everything covered? :cool:
     
  2. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    With D+ you are covered and secure. ;)
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Yes, no need, keep it slim 'n' fast. I run GesWall with it but no AV (not even from CIS). So a total of two applications.
     
  4. nomarjr3

    nomarjr3 Registered Member

    Joined:
    Jul 31, 2007
    Posts:
    502
    I'm currently using Comodo Internet Security.
    It's Antivirus, Firewall, and HIPS all-in-one for FREE!
    No need for AntiVir.
    TBH, with D+, it almost makes an AV obsolete.
     
  5. usnuli

    usnuli Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    29
    Great! Thank you guys! :)
     
  6. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    You can run just D+ and you will be 99% safe. At most, you could run Sandboxie alongside it. It's so light that it wouldn't make much difference. ThreatFire is good, but it's a bit hungry on CPU. Some people notice a system slowdown. DriveSentry will be completely redundant once the new Comodo version with ThreatCast comes out.
     
  7. Miyasashi

    Miyasashi Registered Member

    Joined:
    Dec 10, 2008
    Posts:
    62
    Wrong! ... 99% safe? That is, if you "pick" the right answer at all times. And there's a reason why security software is updated daily.
     
  8. IceCube1010

    IceCube1010 Registered Member

    Joined:
    Apr 26, 2008
    Posts:
    963
    Location:
    Earth
    True, very true. But hopefully, if you make the wrong choice, the AV will pick you up. The thing about CIS is the people there are really working their arses off to make it a successful product. My hat's off to the Comodo team and the user base that really gives some good input.

    Ice
     
  9. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    :D You are wrong too. That will depend on how you configure the D+ part of Comodo. For example, if you deny access to write to the hard drive and block executable files from running, how can you get infected? :D Including dll, exe, com and so on, executables which can carry infections. I will say not only 99% but 100% secure :D. Again, it depends on how you configure the software; by default some don't protect even 90%, plus knowing how to deal with pop-ups :D well ;)
     
  10. 3xist

    3xist Guest

    And there is also a reason why ThreatCast and usability changes are going on in the new v3.8 beta, so users can know when to allow and block things with ease.

    And yes, you are 99% protected with CIS as the last 2 users explained. You have the AV too... And soon you will have heuristics & buffer overflow protection (currently in v3.8 beta), and with Defense+ all that will be hard to bypass.

    Yes, you're sweet! :)

    Cheers,
    Josh
     
  11. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    Josh, what happened to your old account?
     
  12. Miyasashi

    Miyasashi Registered Member

    Joined:
    Dec 10, 2008
    Posts:
    62
    He said "with just D+", and I would prefer a 3rd-party anti-virus.

    "it will depend how you configure the D+ part of comodo"
    Right, there are people that misconfigure it, making it less secure.

    99% is overrated, like the users above mention... and like I mentioned in my previous post, there's a reason they update security software daily: to improve detection/protection or whatever the software offers. To fill up the existing gaps.
     
  13. 3xist

    3xist Guest

    Now I find that interesting. Detection only goes so far. You're saying you prefer an AV over Defense+? So you rely only on detection (which ONLY covers a percentage of malware out there), rather than prevention? Such as D+, which does prevent A LOT more than any AV.

    And I say, for example, Comodo Internet Security switched to "Proactive Security" provides 99% protection. As you said above, you prefer detection (AV) over Defense+.

    You totally missed my ThreatCast, etc. point - I will explain. No, it's not overrated. What they say is totally true. Why?

    1) You are alerted when any unknown executable is loaded on your PC. Defense+ watches everything. Along with that: registry keys, protected files (like System32 and a whole lot more; System32 is where A LOT of malware goes). You've got the Antivirus which balances "DETECTION & PREVENTION" while still maintaining prevention as the first line of defense.
    2) You say users may click wrong on alerts. In the current CIS BETA v3.8, it provides ThreatCast which shows people how many times people said YES and NO, etc. There are smart things going on to actually watch people who abuse ThreatCast.
    3) In v3.8 beta there are also heuristics, Memory Firewall and an extended whitelist, and also the D+ architecture has been tweaked/coded to be more intelligent. This provides even more usability. So again, this reduces the risk of users clicking allow accidentally on an alert, but ThreatCast REALLY makes this almost uncertain for the average user. V3.8 has so many fewer pop-ups - and with ThreatCast, when you do get pop-ups, that helps a hell of a lot too. Then a user won't get something recognized by D+ and simply they can block it! :) 99% right there.

    You say "Wrong!!... 99% Safe?" You haven't used or studied CIS long enough before, mate, if you ever used it. And the people who misconfigure it, etc., will find the v3.8 final release, out in a few weeks, will suit their needs.

    Cheers,
    Josh
     
    Last edited by a moderator: Jan 25, 2009
  14. 3xist

    3xist Guest

    I needed a small break. :) Hope you don't mind... hehehe...

    Cheers,
    Josh
     
  15. Miyasashi

    Miyasashi Registered Member

    Joined:
    Dec 10, 2008
    Posts:
    62
    No, an AV in addition to Defense+ ;)

    No I did not. How are you so sure it "provides" 99% protection?

    1) True
    2) lol? Like everybody can "figure" out whether something is malicious or not.
    3) 3.8 isn't official yet, I have used 3.5 ;)
    Let me ask you a few questions: Are you a computer expert? And where did you get the "99%" from? How are you so sure it is actually "99%" even when excluding "misclicks"? Did you fire malware/viruses at it ...

    If you don't do stupid things on the internet anything can be 99% secure.
     
  16. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Yes, the whole purpose of running a classical HIPS is to be able to pick the right answers. A classical HIPS doesn't need to be updated daily; that's what signature-based products are for. A classical HIPS, for people that know what the HIPS is supposed to do and what their system is at any given moment, can be, I believe, 99% safe. Meaning, for every 100 malware out there, it will probably be able to fend off 99. Of course HIPS are being updated from time to time too, to be able to cope with new threats. But don't blame the product, blame the user! It's like with lifejackets on a sinking ship. 99% of the time it will work and save you as advertised. But if you don't pay attention to the crew demonstration on how to operate it and that you must NOT inflate it before jumping from height (or in that case you should hold it tight and pull it down), it will break your neck or knock you out. Don't blame the lifejacket if you weren't paying attention to the instructions! Comodo has a very detailed help file. Read it. You still don't understand it? Then DON'T USE IT! This applies to ANY HIPS, from OA to Malware Defender! If you don't understand it, you are not safe, so don't use it! But don't blame it for your failure! It's the same with people that disable automatic updates in their AV and forget to update manually. Don't blame the AV if you got infected while it HAD the signature in its database the moment you got infected! It was YOUR fault that you didn't update! Same goes for a firewall. If you execute a malware that your AV didn't catch and your firewall asks for outbound access on port 80 for it and also an incoming connection, don't blame the firewall if you allow it and you just made your PC a zombie! Blame: 1) your AV for not detecting the malware, 2) yourself for not knowing what the firewall's alerts are about! But it's not the firewall's fault for not saying to you "This is a trojan and is currently zombifying your PC, please deny the connection alerts!".

    My dear friend, if someone can't understand classical HIPS, he shouldn't be running them in the first place. It's THAT simple... The only way that a knowledgeable user can be fooled is by installing an infected installer. Otherwise, exes (cracks, keygens, no-CD patches from p2p), media files, PDFs, Word documents, drive-bys, will produce an alert that is not NATURAL and a LOGICAL user should DENY. It's as simple as this. Many classical HIPS users go even further, with a default DENY policy (aka disconnect user interface in SSM). In this way, they won't even get a pop-up. This IS 99% security. Of course, one may be a peculiar user with a talent for finding rogue programs with infected installers. In that case he will probably have serious trouble with ANY security product and he won't think his HIPS is telling him anything important. But well, what can you do about it... Run your AV and pray.

    Even if he did take 100 malware and prove it to you, would it change anything for you? You'd say that they weren't enough samples. So take it as an educated guess if you like. You are free not to agree. But go to Matousec and see the scores. Then ask yourself how many of the malware in the wild operate with the methods of Matousec and you should get an idea of what a classical HIPS can do.

    I guess I could ask you, "how can you be so sure?" or "how do you define a stupid thing, when even bank sites have been infected in the past?" :) But I won't, because I agree. The difference is, a classical HIPS will save you even if you run "stupid" things. See above for examples. You DO need basic logic however, and a basic knowledge of file types. You surf happily on a site and your HIPS pops up. Why should you allow it! Drive-by killed by simple logic. You download from p2p the latest game no-CD patch, but oddly enough you click it and it wants to inject a process, change the hosts file, run at startup, install a driver/service; your latest mp3/video file from p2p wants to do things that your other such files never do, now why should you allow it; the latest keygen from p2p wants to do weird things, while a keygen should run without need for a driver and the like, why should you allow it? That's how people I know get infected... And in all those cases, they do get an alert. From their AV they get it only when it's in the database, otherwise they will have no chance, not even an educated guess or a 50% chance (allow vs deny).

    If I had to choose, I would CERTAINLY choose D+ over ANY antivirus! AV-Comparatives proactive tests and a visit to Jotti's or VirusTotal should explain why. Why are you so shocked? Most AVs have a pitiful score against 1-week-old malware. Classical HIPS will score much better against the same threats.

    Classical HIPS isn't for everyone. This has been said over and over again. It's getting tiring to repeat it every time in here, which is a specialized forum, and people who read it know this by now. As a matter of fact, it's also a logical conclusion. Personally, when I first installed Comodo, I saw I was lost, so I read the help file. Why? Because since I was lost, it became obvious to me that unless I could understand more about its operating mode, I wasn't protected! So I read the help file! I also ran some real malware and leak tests and malware simulators just to be sure I could familiarize myself more with the alerts. I may still fail. But if I do, while I DID get an alert, I WON'T blame Comodo or any other HIPS! It will be MY FAULT. The job of the HIPS is to alert. I will consider it a "FAIL" if it doesn't alert. If it alerts and I allow, I will consider it a FAIL of MY brain. Not of the HIPS.
     
    Last edited: Jan 25, 2009
  17. Miyasashi

    Miyasashi Registered Member

    Joined:
    Dec 10, 2008
    Posts:
    62
    Yes, the user is responsible for what he does on the system; every software has bugs/faults, so it has to be updated at least monthly, depending on the software.

    China's population on the internet is growing by around 200k a day (so I read), and seemingly there are many people not knowing what threats are... there are still many people that install "rogue" anti-spyware/malware/virus programs.

    There are hella lots of computers infected and you could say it's the fault of the ones using them, lacking either security software or for being "stupid".

    Source? And most likely the results are from maybe days/weeks/months/years ago... malware creators are getting niftier every day and it's not like they sit still and use the same tactics as before if they know it's being blocked.

    I can't, I am not an expert, but I think percentages like those mentioned depend on the user. Like you mentioned yourself, it's the user who's responsible; you can't expect any software to save your back at all times.

    I don't think it's a matter of picking [a] over [b]. I don't know, but for some reason I don't believe tests... it's like being a sheep following the rest of the sheep.

    In the end it's the user's responsibility whatever security software you're using...

    While looking at ThreatCast most people answer two-thirds on Allow/Deny and the other third answers the opposite... it still makes you wonder "What would be the right answer?"
     
  18. 3xist

    3xist Guest

    Nope... You want to know what I am?

    (2 min later)...

    Okay here it goes!

    I am someone who gets emails a day asking about Comodo Internet Security/Firewall/Antivirus. I am someone who gets Private Messages a day asking about Comodo Internet Security. I invest time and management into the Comodo Forums where I learn and gain knowledge, help thousands of others, and am responsible for some of the "stickies" at the Comodo Forums. I am known as 3xist there, and you will find me in blue at the Comodo Forums where I also perform moderation, which includes moderation & management of the forum groups such as the Malware Research Group, etc., and I also test Comodo software before it is released to the forums. I interact with the CEO of Comodo on a daily basis. Over the past 5 years, I have tested hundreds of (security-related) software products, and ever since Comodo Firewall Pro 3.0 was released in November 2007, I found it to be the best and have used it since, up to now with Comodo Internet Security. I have tested traditional AVs vs Defense+ in a Virtual Machine. I gave each AV 20 malicious URLs. The results were average because back then those links were only 5 days old. I then tested the Defense+ module and got some great alerts and Comodo stopped them dead in their tracks! (There is an example of a D+ alert for you btw.) It prevented them all! I then studied more and realized that detection should not be your first line of defense anymore! Detection only goes so far, where AVs can only catch a percentage of malware out there! Because they use detection technologies. Defense+, on the other hand, uses prevention. *3xist cuts through a lot of stuff! too much to tell! :)* And now I use Comodo Internet Security where prevention comes first, and then detection second. And now I know I am 99% secured because the Antivirus in Comodo Internet Security gives me much more usability and if a malware runs I shall block it! Also the upcoming v3.8 will improve usability further: ThreatCast, Extended Whitelist, etc... Can't wait! :)

    So yes, I am a very advanced user of Comodo, not a computer expert, just highly experienced on the "Comodo" side.

    Comodo Internet Security offers 99% protection. Because:
    a) You are alerted when an executable runs
    b) The Antivirus provides more usability.
    c) With ThreatCast very soon, a user will know how to answer alerts. I say this again, Comodo are rebuilding the ThreatCast base and working on ways to stop people who abuse ThreatCast (some smart mathematical formulas... still early days). Memory Firewall will be in a final state in CIS soon, along with heuristics.
    d) Even if a user does not install the AV, they still have ThreatCast and their AV running as 2nd line of defense.
    e) In Comodo Internet Security, advanced users can have CIS switched to the "COMODO - Proactive Security" policy which will catch everything for those who have no AV and are advanced users.

    Yes I did. Explained above & below (screenshot too!) :)

    Well if you're just running an AV and that's it, then I disagree with you. Anyone can enter a legitimate site and get infected because the AV didn't pick it up.

    As I said, I did throw very new malware at D+ and it blocked them all, malware that lots of AVs could NOT detect. Look what D+ says to this malware (attached)! What else is there to say? 99% protection from Defense+ for PREVENTING all the malware I threw at it and, for this malware, actually saying it is malware! Good job Defense+!!!! :)

    Cheers,
    Josh

    P.S - I am responsible for these threads:
    1. http://forums.comodo.com/feedbackco...spector_launched_for_the_forums-t33492.0.html
    2. http://forums.comodo.com/feedbackco...abase_continues_to_grow_rapidly-t33585.0.html
     


    Last edited by a moderator: Jan 25, 2009
  19. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    In that screenshot, does D+ only say its heuristics detected it as malware if you have the Comodo AV installed with the suite? I just have the firewall and D+; would it still identify if something is potential malware, or does it have to have the AV component installed to say that?
     
  20. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    I don't say that products don't need updating, but it depends on what the product does. Classical HIPS, unless a problem is known, can be used for quite some time without updating.

    My friend, I agree! My own brother doesn't know anything else about his PC other than where the browser and Open Office are. Besides that, he is incapable of understanding even ZoneAlarm Free, because he never cared to listen to what I tell him. So, for my brother, I never even attempted to install a HIPS on his PC. I have left him with ZAF configured by me and Sandboxie, which for what he does is plenty and the only defense that I KNOW he "understands" (= he doesn't need to understand) and that I know he won't mess with by changing settings.

    They aren't inherently stupid, they act stupidly, because they want to use something but without learning even the basics. They want to use the internet, p2p, but they don't want to learn what the threats are, how they get infected and what they can do about it. That's the problem. It's like driving a car without having read the instructions on how traffic is regulated (road signs, traffic wardens, lights etc). So, although people aren't born stupid, they behave stupidly when sat in front of the PC, because they intend to go somewhere where threats exist, but they don't want to learn ANYTHING about what they are, how they are delivered, how most of them act, etc.



    You mean about Matousec? Here it is:
    http://www.matousec.com/projects/firewall-challenge/results.php

    You can perform a similar test on your own from here:
    http://personalfirewall.comodo.com/cltinfo.html

    Mind you, most of those are POCs. Most common malware isn't as sophisticated as that in evading classical HIPS. They are more targeted at evading traditional antiviruses. The last malware I ran (under Shadow Defender) was "stopped", at least in its communicating part, by the humble Ashampoo firewall (outbound request, simple, with no hijacking of other processes etc). There ARE new malware every now and then that evade classical HIPS, but I wouldn't think them more than 1%. Much less really. The effectiveness of HIPS against new malware has often been proved in this forum too.


    Of course it depends on the user. I don't claim the HIPS will miraculously save you! But it CAN save you, I'd say, 99% of the time, because it gives you the OPPORTUNITY to save yourself. Which is much better than what your AV will ever give you, especially with zero-day malware or very recent malware. It DOES require some knowledge. I am not an expert either. But I have run classical HIPS for years now and I can detect most abnormal behaviour and block it. I DO know that I can still shoot myself in the foot with infected installers (a program that I think legitimate while it has a packed malware). But this isn't the way most people are infected, and if you download programs from "reputable" sources, most likely it won't happen. Most people get infected by surfing to sites, executing infected no-CD games, media files, documents, keygens. Such files shouldn't produce an alert when run under a HIPS in the first place! So if they do, just block them! I mean, why would a no-CD crack require installing a driver, for example? Why would going to a website make your HIPS ask you to allow a new exe to execute or to modify your existing system? Deny! Why would a keygen need to install a service, inject another process or put registry run keys? Deny it! Why should an MP3 you downloaded from p2p provoke a HIPS alert? Logic says it must be infected! Deny it! As I said, after setting up a clean system, some users go for an even more secure method. The "default deny" policy. Meaning that by default, any new exe will be killed immediately and you won't even be bothered about it if you don't want to. So you walk into an infected site that downloads and runs a payload? Your HIPS will deny it and won't even ask you. Your infected MP3 will be denied without even asking you. And so on. The only way to be infected is again to install yourself a program that you *think* is clean while it isn't. Well, in these cases, you need to be quite knowledgeable. I usually run them in a sandbox and also try to judge from the nature of the program. Meaning, simple programs that are supposed to do simple tasks usually don't require exotic privileges. So if you see, let's say, a calendar application trying to hijack processes, installing services and the like, I would get suspicious.



    I don't believe tests either, but meaning AV detection tests! A good part of it is promotion of products. In recent threats, most AVs wouldn't even go near 90%, which instead they all get in all magazine tests and most internet tests, because the tester uses recent malware (where they score badly), but also many many OLD samples (where they all score extremely well, the samples being old), with the result that the final score is always >90%, which even for the non top tiers is good for business.

    One thing I do know about classical HIPS: 1) No exe will execute unless you permit it, 2) In all malware cases or simulators I've run or I've seen posted in this forum, your chances of getting an alert about the malware are much better with the classical HIPS than being stopped by the AV, in the first days of circulation of the malware.

    Without a doubt! It's your brain at the end! Antiviruses provide EASIER security. Meaning a less interactive security, which spares you the thinking. But classical HIPS provide you with HIGHER security, in a more difficult way. Meaning, they give you the means of FAR SUPERIOR CONTROL over what happens on your AV, but require more thinking on your part. So, objectively, classical HIPS IS MORE SECURE, provided that you are willing to learn some things and to THINK.

    It's like going to war and you expect the attack of 50 enemies. You have available weapons: 1) a knife, 2) a handgun, 3) an automatic submachine gun. The EASIEST to use is the knife. But it will also be the least "safe" (= effective), because you will likely be overrun sooner or later by the enemy. The handgun is a safer option, but it also requires some thinking on how to use the safety, change magazines; but it has a small recoil, so you will be better off. The safest option (= the highest probability for you to survive) is to use the submachine gun. But it requires more knowledge: how to set the fire mode, how to cope with the stronger recoil, how to change magazines, set the sights according to distance. For me, classical HIPS = the submachine gun of internet security. Antivirus = the knife or the handgun, depending on what modules they include.

    Yes, that's the problem. Unfortunately, there are people that run Comodo without actually having a clue how it works or what they should do. And this will soon cause ThreatCast to show ambiguous proposals, mainly for rare files. Because for more common files, as more people use ThreatCast, soon the "good" ratings will grow by far in number. It's the price to pay for classical HIPS. Personally I think I won't be using ThreatCast. Of course, you can't rely 100% on ThreatCast either! One can make a new malware, phone his 10 buddies and tell them to run it in Comodo and allow it, so as to fool the next unaware users!

    The "easy" way is Antivirus + behaviour blocker. But the classical HIPS way is more bulletproof, assuming you are ready to read the help file of your product and do some reading and testing on malware and how it comes to your PC and operates.

    The BEST way is to have them all! I too run AV (that also has a behaviour blocker) + Sandboxie + classical HIPS. But, from personal experience, I know that if I run something outside the sandbox, my best bet to stop it if it is malware will be the HIPS, not the AV. It has occurred to me over the years, especially when I was running AVG Free, to encounter many no-CD game cracks that were infected and my AV didn't see anything. I was always saved by my classical HIPS, because on clicking it told me it wanted to do various things (which a no-CD crack shouldn't do, because it's not supposed to!). Same once with a media file from p2p.

    In HIPS I trust. And if I do make a bad decision, well, at least it was my bad decision and it will mean that my AV will have already failed, so I had the chance to stop it with my HIPS, I allowed it, my fault.

    The baseline to understand with classical HIPS is this: They don't report MALWARE. They report ACTIONS. Good or bad, it's up to you to decide. So, don't expect them to report malware, it's not their job. Respect them and judge them for what they are supposed to do: "report actions". That's how I see it, and that's why I see them as extremely safe. I consider a "fail" only when they don't report.

    Sorry for yet another VERY LONG post.
     
    Last edited: Jan 25, 2009
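The two HIPS policies argued over in the posts above (alert on actions a file of the claimed type has no business performing, versus silent "default deny" for any executable not already trusted) can be made concrete in a small decision engine. The code below is an added example written for this page; it is not Comodo code and does not reproduce Defense+ internals. The action names, the "claimed type" categories, the allowlist and the event stream are all constructed for illustration.

```python
"""Toy classical-HIPS decision engine: report actions, not malware.

Added example for illustration; not Comodo/Defense+ code.  Action names,
categories, hashes and the sample event stream are constructed here.
"""
import hashlib

# Actions a classical HIPS typically intercepts.  Labels are this example's own.
PRIVILEGED_ACTIONS = {
    "request_debug_privilege",  # SeDebugPrivilege: read/write other processes
    "install_service",
    "load_driver",
    "inject_process",
    "write_run_key",            # HKCU/HKLM ...\CurrentVersion\Run autostart
    "modify_hosts_file",
    "write_system32",
}

# What the user *believes* the file is, mapped to the privileged actions such a
# file could legitimately need.  A media file, document, keygen or no-CD patch
# should need none of them; an installer is expected to touch a few.
EXPECTED_BY_CLAIMED_TYPE = {
    "mp3": set(),
    "avi": set(),
    "pdf": set(),
    "keygen": set(),
    "nocd_patch": set(),
    "installer": {"install_service", "write_run_key", "write_system32"},
}


def file_hash(data: bytes) -> str:
    """Identity of an executable for allowlisting (SHA-256 of its bytes)."""
    return hashlib.sha256(data).hexdigest()


def decide(event: dict, allowlist: set, default_deny: bool) -> tuple:
    """Return (verdict, reason) for one observed action.

    verdict is "allow", "deny" or "alert".  Under default_deny, any action by an
    executable outside the allowlist is refused with no pop-up.  Otherwise the
    engine only raises an alert for the user; it never claims the file is malware.
    """
    if event["sha256"] in allowlist:
        return "allow", "known-good executable"
    if default_deny:
        return "deny", "unknown executable under default-deny"
    action = event["action"]
    if action == "execute":
        return "alert", "unknown executable wants to run"
    expected = EXPECTED_BY_CLAIMED_TYPE.get(event["claimed_type"], set())
    if action in PRIVILEGED_ACTIONS and action not in expected:
        return "alert", f"a {event['claimed_type']} should not need {action}"
    return "allow", "not a monitored action for this file type"


def run(events: list, allowlist: set, default_deny: bool = False) -> list:
    """Evaluate a stream of events; returns [(action, verdict, reason), ...]."""
    return [(e["action"], *decide(e, allowlist, default_deny)) for e in events]


# Constructed sample: an unknown "keygen" from p2p behaving like the second
# malware described later in the thread, plus an allowlisted installer.
KNOWN_GOOD = file_hash(b"constructed: trusted installer bytes")
UNKNOWN = file_hash(b"constructed: keygen.exe bytes")
SAMPLE_EVENTS = [
    {"sha256": UNKNOWN, "claimed_type": "keygen", "action": "execute"},
    {"sha256": UNKNOWN, "claimed_type": "keygen", "action": "read_file"},
    {"sha256": UNKNOWN, "claimed_type": "keygen", "action": "request_debug_privilege"},
    {"sha256": UNKNOWN, "claimed_type": "keygen", "action": "write_run_key"},
    {"sha256": UNKNOWN, "claimed_type": "keygen", "action": "install_service"},
    {"sha256": KNOWN_GOOD, "claimed_type": "installer", "action": "install_service"},
]

if __name__ == "__main__":
    for mode in (False, True):
        print(f"default_deny={mode}")
        for action, verdict, reason in run(SAMPLE_EVENTS, {KNOWN_GOOD}, mode):
            print(f"  {action:24} -> {verdict:5} ({reason})")
```

In interactive mode the unknown keygen produces four alerts (execution, debug privilege, autostart key, service install) and one silent allow for an unmonitored file read; the same allowlisted installer action that is alerted on for the keygen passes because an installer is expected to do it. Flipping `default_deny` turns every unknown-executable event into a silent deny, which is the trade-off the thread describes: no pop-ups to misjudge, at the cost of having to allowlist anything new yourself.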
  21. 3xist

    3xist Guest

    You don't need the AV for the message/tech. :) D+ does it on its own. But remember, for some malware it won't bring up the message... D+ needs to be very very sure, like almost 100% sure it's malware, which is impossible, to bring up that message. But yeah, the D+ HIPS is the only one I know that has this kind of neat message...

    Cheers,
    Josh
     
    Last edited by a moderator: Jan 25, 2009
  22. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Comodo's D+ always had some heuristic detection without the AV part involved. I believe this is the case. I myself don't run the AV part of CIS, but I have seen instances with a similar alert. Of course this isn't the usual thing.
     
  23. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    OK, was just making sure because I haven't seen that message yet, so was curious. Thx for the info though.
     
  24. Miyasashi

    Miyasashi Registered Member

    Joined:
    Dec 10, 2008
    Posts:
    62
    Well, it still depends on the person; seemingly you're experienced, but others aren't.

    I am a moderate user, maybe slightly above that.

    *off topic*
    Bleach = MALWARE! :p

    Agreed ;)

    What if he does mess with the settings XD everything that goes wrong is his fault then.

    The thing is people believe or think they're "Anonymous" on the internet, and that nothing can touch them.

    Comodo scores 90%, well 3.5 at least... 10% is a lot.
    Well the thing is... when HIPS get more popular, as they're getting now... more malware writers will look for ways around them.

    =)

    The problem is... some people go by "tests" and some tests aren't valid -_- like "This test is powered by Weak Anti-Virus" <-- those kinds of tests lol

    HIPS is actually 50% protection, 50% common sense.

    Agreed
     
  25. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Yes, because i told him "You are not to touch anything here. All you need to browse is click on the sandboxed browser thingie on the dektop". If i tell him "don't drive on the right while in the UK, but he insist to, he will get killed and will be his fault"... He is an adult , not a baby that you tell "don't put the finger in the oven" and it does.


    Yes, they also think (well at least in the beginning) that antiviruses are "infallible" and then just pray they don't get infected.

    Yes, he didn't test the latest version, that scores higher and ranks 1st. The version he tested had 2 bugs. You must also udnerstand here, that these are POCs, just concept methods, which most common malware doesn't operate. They are methods specifically made to bypass classical hips. Most malware writers aren' so advanced and they don't sweat to make so sophisticated malware. Why? Because most people don't run HIPS anyway, so why bother sweating to write a malware that can beat them? Meaning, in real life, Matousec's tests, have dubious worth. But they DO prove, that even when using ultra-sophisticated ways, classical hips, even in zero-day malware, will most likely protect you.

    Classical HIPs, will never become mainstream. Or, maybe they do use them, but many click allow anyway, so malware writers know they don't represent a good percentage of people that will resist the infection. Moreover, hips are updated too. And, the ways the malware can act, are limited in a sense. Classical hips now have ample experience over the years and monitor almost everything. Writing a malware capable of evading all these steps, is becoming very difficult, reserved for the best malware writers. And that's why i give 1% of chance of failiure for a classical hips (as potential, presuming the user will be knowledgeable). Evade an AV is easy! They don't have your signature? You did it! For some days you will be infecting. Evading a classical HIPS requires much more sweat and unlike Matousec, you want to do something really malicious. It's not about signatures,it's about working in the OS, while there is a constant monitoring of the system itself that you need to work in and hooks and "tripwires" in every door.


    I agree! Many people go by tests... I usually take those tests only as relative strenght and combine it with others. Meaning, if i see in 10 tests Avira first, i think that most probably is better than the second. But as to the various 99.96% that they score in AV tests, those are with old samples included, so that all vendors can be happy. I find my own malware from time to time and see... And one thing i 've seen, is that usually classical hips will at least give you 1 (one) alert even in the most vicious malware. In most common malware, you will get multiple alerts.


    Depends on the user and the threat. For malware that comes as a simple exe, either directly or masqueraded as another file type, it's mostly common sense. You allow the exe. Why should you allow the rest?


    Here are examples from some real malware I found (January samples; I put them in Twister's thread too, and some AVs still didn't detect them by the time I got them). So, suppose you're the unlucky guy whose AV doesn't have the signatures yet and you execute them merrily, thinking you're executing one of the files I mentioned earlier. Your AV is sleeping happily. While your HIPS...

    (All ran under Shadow Defender of course, in the "test account" I have.)

    Malware no. 1:

    http://img177.imageshack.us/img177/8283/29117526aw7.png

    You think it's an exe/no cd patch/mp3/avi/keygen/document

    So you ALLOW it to run (Comodo doesn't say anything about heuristics, like in 3xist's very cosy case).

    Then a new pop-up comes:

    http://img134.imageshack.us/img134/5792/45289745ay7.png

    Now, why on earth should one of the above files need debugging privileges!? So you DENY! Even if you don't know anything about what it is, why would such a file provoke an alert? So you DENY using common sense and you're safe.


    Malware no. 2 (these aren't even ALL the alerts, just some). Again, you are an unlucky guy and your AV doesn't have this malware in its signatures yet... But you have your HIPS:

    Comodo (AV not installed) says it's suspicious:
    http://img172.imageshack.us/img172/6378/11gc2.png

    But you are a happy-clicking fella, so you go on to run your "keygen".

    At some point, you HAVE to become suspicious! Apart from the fact that your keygen shouldn't do anything of this, for a medium user, between startup keys, creating new directories to put a batch file in no less, and installing services, something must ring a bell and block it.

    http://img204.imageshack.us/img204/6553/12ia3.png

    http://img529.imageshack.us/img529/5818/13is6.png

    http://img502.imageshack.us/img502/4253/14yy1.png

    http://img259.imageshack.us/img259/8453/15es6.png

    It continues on and on: it wants to use cmd.exe, creates a csrss.exe look-alike to fool you that it is the legitimate Windows one, and finally uses that to ask for an outbound connection (which your firewall will stop, something Matousec doesn't do in many tests, but unlike him, many malware writers actually want the malware to communicate with them, and the firewall will block it).


    Malware no. 3. This is more vicious and possibly dangerous; it tries, among other things, direct disk access, but the fact alone that it tries to make a new directory in system32 should alert anyone who knows what's in system32:

    http://img204.imageshack.us/img204/520/50522774ya5.png

    http://img242.imageshack.us/img242/6205/67405701dk3.png

    http://img502.imageshack.us/img502/2690/25667280ym3.png

    http://img258.imageshack.us/img258/272/63023321ka6.png

    http://img299.imageshack.us/img299/898/57334894nl1.png

    http://img405.imageshack.us/img405/4189/29199918sl6.png

    http://img101.imageshack.us/img101/5310/40135026xb0.png

    http://img502.imageshack.us/img502/5382/19638308kv1.png



    Of course the user must have some knowledge... But if he does, real malware is usually detectable, because unlike Matousec, it's not a "proof of concept" and wants to do something really malicious.

    As for Matousec's score, not all of it is about blocking the POCs.

    For example:

    http://www.matousec.com/projects/firewall-challenge/level.php?num=9

    http://www.matousec.com/projects/firewall-challenge/level.php?num=10

    But he uses these tests in the same score as the rest. OK. But as I said, the big majority of malware out there doesn't even come close to being as capable. Not all malware writers are geniuses, quite the opposite.
     
    Last edited: Jan 25, 2009
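The "common sense" checks Fuzzfas walks through above (debug privileges for a media file, autorun keys, a dropped batch file, a new service, cmd.exe, a csrss.exe look-alike outside System32 that then wants out to the network, direct disk access, a new directory under System32) can be written down as a small behavioural scorer. The block below is an added example and is not code from the post, from Comodo, or from any HIPS product; the pipe-separated event format, the image paths, the rule weights and the block threshold are all assumptions made for illustration, and the sample logs are constructed, not real captures.

```python
"""Toy behavioural scorer over HIPS-style process events.

Added example, not code from the thread or from any HIPS product.
The event format, paths, rule weights and threshold are assumptions.
"""
import ntpath
import re
from collections import defaultdict

# Binaries Windows itself runs only from %SystemRoot%\System32 (assumed list).
SYSTEM_BINARIES = {"csrss.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "services.exe"}
SYSTEM32 = r"c:\windows\system32"
AUTORUN_KEYS = (
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hkcu\software\microsoft\windows\currentversion\run",
)
# Assumed event line format: "<pid>|<image path>|<action>|<target>"
EVENT_RE = re.compile(r"^(?P<pid>\d+)\|(?P<image>[^|]+)\|(?P<action>[^|]+)\|(?P<target>.*)$")
BLOCK_THRESHOLD = 5  # assumed: at or above this score, recommend blocking


def in_system32(path):
    return path.lower().startswith(SYSTEM32 + "\\")


def is_lookalike(path):
    """A system-binary name living outside System32: the fake csrss.exe trick."""
    return ntpath.basename(path).lower() in SYSTEM_BINARIES and not in_system32(path)


def parse_events(lines):
    """Parse log lines; blank or malformed lines are skipped, not fatal."""
    return [m.groupdict() for m in (EVENT_RE.match(l.strip()) for l in lines) if m]


# (rule name, weight, predicate over one parsed event). Weights are illustrative.
RULES = [
    ("image_is_lookalike", 5, lambda e: is_lookalike(e["image"])),
    ("request_debug_privilege", 3,
     lambda e: e["action"] == "privilege" and e["target"].lower() == "sedebugprivilege"),
    ("autorun_key", 3,
     lambda e: e["action"] == "regwrite" and e["target"].lower().startswith(AUTORUN_KEYS)),
    ("install_service", 4, lambda e: e["action"] == "service_create"),
    ("write_under_system32", 4,
     lambda e: e["action"] in ("mkdir", "filewrite") and in_system32(e["target"])),
    ("drop_or_run_lookalike", 5,
     lambda e: e["action"] in ("filewrite", "spawn") and is_lookalike(e["target"])),
    ("spawn_shell", 2,
     lambda e: e["action"] == "spawn" and ntpath.basename(e["target"]).lower() == "cmd.exe"),
    ("outbound_connect", 2, lambda e: e["action"] == "connect"),
    ("direct_disk_access", 5, lambda e: e["action"] == "rawdisk"),
]


def score_events(events):
    """Return {image: {"score": int, "findings": [rule names]}}; each rule counts once per image."""
    report = defaultdict(lambda: {"score": 0, "findings": []})
    for e in events:
        hits = [(name, weight) for name, weight, pred in RULES if pred(e)]
        if not hits:
            continue
        entry = report[e["image"]]
        for name, weight in hits:
            if name not in entry["findings"]:
                entry["findings"].append(name)
                entry["score"] += weight
    return dict(report)


def verdict(lines):
    """Worst process in the log decides: clean / suspicious (at least one alert) / block."""
    report = score_events(parse_events(lines))
    top = max((r["score"] for r in report.values()), default=0)
    if top == 0:
        return "clean"
    return "block" if top >= BLOCK_THRESHOLD else "suspicious"


# Constructed sample logs in the assumed format, loosely following the three cases above.
BENIGN = [  # a keygen that only touches its own folder and reads the registry
    r"100|C:\Users\bob\Downloads\keygen.exe|filewrite|C:\Users\bob\Downloads\serial.txt",
    r"100|C:\Users\bob\Downloads\keygen.exe|regread|HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer",
]
SAMPLE1 = [r"200|C:\Users\bob\Downloads\song.mp3.exe|privilege|SeDebugPrivilege"]
SAMPLE2 = [  # autorun key, batch file, service, cmd.exe, fake csrss.exe, then outbound
    r"300|C:\Users\bob\Downloads\keygen.exe|regwrite|HKLM\Software\Microsoft\Windows\CurrentVersion\Run\upd",
    r"300|C:\Users\bob\Downloads\keygen.exe|mkdir|C:\ProgramData\upd",
    r"300|C:\Users\bob\Downloads\keygen.exe|filewrite|C:\ProgramData\upd\go.bat",
    r"300|C:\Users\bob\Downloads\keygen.exe|service_create|updsvc",
    r"300|C:\Users\bob\Downloads\keygen.exe|spawn|C:\Windows\System32\cmd.exe",
    r"300|C:\Users\bob\Downloads\keygen.exe|filewrite|C:\Users\bob\AppData\Local\Temp\csrss.exe",
    r"300|C:\Users\bob\Downloads\keygen.exe|spawn|C:\Users\bob\AppData\Local\Temp\csrss.exe",
    r"301|C:\Users\bob\AppData\Local\Temp\csrss.exe|connect|203.0.113.7:80",
]
SAMPLE3 = [  # new directory under System32 plus raw disk access
    r"400|C:\Users\bob\Downloads\patch.exe|mkdir|C:\Windows\System32\drivers\x",
    r"400|C:\Users\bob\Downloads\patch.exe|rawdisk|\\.\PhysicalDrive0",
]

if __name__ == "__main__":
    for label, log in (("benign", BENIGN), ("sample1", SAMPLE1), ("sample2", SAMPLE2), ("sample3", SAMPLE3)):
        print(label, verdict(log), score_events(parse_events(log)))
```

The scorer keys findings by image path rather than by PID on purpose: the dropped csrss.exe shows up as its own process, and attributing its outbound connection to the look-alike image (rather than folding it into the parent) is what makes the "legitimate name, wrong directory" check fire. A real HIPS prompts on each event instead of summing a score, which is why even the single debug-privilege alert in the first case is enough to deny.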