CIS default settings good enough?

Discussion in 'other anti-virus software' started by ellison64, Sep 20, 2011.

Thread Status:
Not open for further replies.
  1. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    I installed CIS on a friend's laptop yesterday, as she wanted a decent suite that wouldn't slow it down and offered good protection. It was a default install. Out of curiosity we then ventured to malcode and executed one of the links there. Comodo did not recognise the file and partially limited it. It apparently wasn't enough, as Comodo was then shut down. So was Malwarebytes when we tried to run that. The laptop was imaged so no problem there. Does CIS have some sort of inbuilt self protection or is it the D+ that is the self protection? I have now altered the D+ setting to untrusted (there seems to be a consensus that this is the safest policy) which blocks the malware completely (limited also blocks it). What is the experience of users setting to untrusted? Would it create any problems for a user that doesn't want to answer too many/any HIPS popups etc.?
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Disable autosandboxing, run untrusted programs yourself in a manual sandbox (right click, sandbox with Comodo).

    I've never seen a piece of malware get through the manual sandbox.
     
  3. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    Thanks...
    The thing is my friend wants a suite that requires little or no intervention. She doesn't know what a sandbox is, so I want to try and make it very secure but not be too loud. I'm just wondering whether changing the default setting from "partially limited" (which allowed CIS to be shut down) to "untrusted" will create too many problems/popups for a novice user.
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    idk how it managed to shut CIS down, it shouldn't be able to

    Yes, it will. In fact really any autosandboxing will. That's why there's a whitelist, but you have to really bet that you'll only ever install a whitelisted application.

    If she's a novice user a HIPS isn't a great program for her, leave her with panda cloud and a secure browser + adblocker.
     
  5. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    ~Link information removed.~ Comodo did partially limit it but it looks like it wasn't enough. The AV didn't seem to detect it that I could see yesterday. I did try CIS in default settings for a few hours before I gave her her laptop back, and it didn't seem too bad. Not many popups or user intervention. But after the "experiment" I wondered whether to change the settings. I haven't had time to see whether this would cause too many popups for her. I may just leave it at default as she's hardly likely to go clicking links to experiment anyway, but I would welcome any more suggestions to make it as tight as possible but still keep user intervention limited.
     
    Last edited by a moderator: Sep 20, 2011
  6. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    The best way to prevent what you describe is quite easy.

    1). First off, right click on the Comodo icon in the tray and set it to Proactive Security.
    2). Open Comodo and go into Defense Plus settings- On General Settings, set the slider to Safe Mode. Uncheck all except "Enable Adaptive Mode ..."
    3). Click over to Execution Control- Set slider to Enabled and make sure everything is checked. Set "Treat Unrecognized Files as" Untrusted.
    4). On the Sandbox Settings, Check everything EXCEPT "Automatically Detect Installers ..."
    5). For the Firewall, set it to Safe Mode.

    Now retry your malware. I'm familiar with the malware file that you are posting about (it's been around for about 3 days) and at my suggested settings you will be pleasantly surprised.

    Trust me.

    ps- you may have to shut down the AV and Cloud to re-run the test as CIS is now detecting today's variant. Good thing is there will be a new one on the morrow!
     
    Last edited: Sep 20, 2011
  7. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    Hi CruelSister...
    It's easy to prevent when the default settings are changed, but it just goes to show that even CIS can be shut down as easily as NIS 2012, though I haven't seen a languy video of it yet :rolleyes:
    That said, I still think this suite would offer first class protection for my friend, who doesn't like to interact much with her security, and in the default settings it worked pretty well. I think I'll leave it as it is until she gets used to it and see how it goes.
     
  8. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    815
    Location:
    India
    Has that bug been reported over at the Comodo forums?

    Thanks,
    Harsha
     
  9. pabrate

    pabrate Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    685
    That movie from him, showing his beloved Comodo failing, you're never going to see :D
     
  10. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Ellison- I just retrieved today's variant from my malware zoo and tried it as partially limited (and I was in error- it made its first appearance on 14 Sept). CIS certainly was not shut down in any way on my system (I'm assuming your file was ~234K; it comes in a few other flavors all with file names in the animal motif).

    Quite frankly this Trojan isn't particularly obnoxious at all so I'm quite surprised that you noticed it doing anything even at stock settings. Could there be something else happening on your system?
     
  11. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    It wasn't my system. It was my friend's Vista 32 bit laptop, and I believe it was 229k (though I could be mistaken). On default settings (partially limited) Comodo AV didn't seem to detect it, although D+ partially limited it. About 5 seconds later the Comodo icon disappeared. I checked Task Manager, which had a long numerical .exe running. The process couldn't be ended. Clicking its properties resulted in an error message saying the file couldn't be found. Malwarebytes also would not start, neither would Comodo. It was in truth easily got rid of by a system restore from safe mode, although I did have an image of her PC, but didn't need to completely re-image.

    In the last hour or so, I installed CIS on my own laptop with D+ set at trusted and executed one of the 19/9 links. This time the AV detected consrv.dll in system 32 as a threat. At the same time Malwarebytes website blocking popped up, stopping outbound to a malicious site. I did nothing for a few seconds expecting D+ to do something... however it didn't, so I then clicked clean, and the AV removed the .dll. However when I then went to my Windows folder I noticed a locked system64 folder next to my system 32 folder (I use Windows 7 64 bit). I've never seen a system 64 folder (not syswow 64) before. I also noticed that my browser seemed to be OK, except when I tried to go to certain links such as the keyscrambler site, I noticed the page was being directed through a different search to Google and would not load, and Malwarebytes website blocking was popping up, blocking access to a malicious site. At that point I realised that my laptop had been compromised and that for whatever reason CIS in the D+ trusted mode also failed, as it didn't seem to initiate that I could see. Only the AV seemed to detect the file. I've now re-imaged my own PC.

    I don't want to get into a discussion of how or why CIS failed for me or seemed to work for you (possibly because something has been updated in CIS since yesterday when the first fail occurred on my friend's laptop?). On my friend's laptop I wouldn't really call it a fail as the D+ settings were perhaps too low. However I'm a little concerned that on mine D+ didn't come into play and I was compromised. The file I used is the 3rd one down starting at the date 19/9 at the link that I provided earlier.
     
  12. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Just an FYI- SysWOW64 is a valid folder for 64 bit machines. It is the Windows System folder (system directory) for 32-bit files, so please don't delete anything inside!

    But I totally agree with your observation that CIS at default settings is not the way to go. Fortunately with a minute of time and a few clicks it can be set up to be a very robust antimalware defense.
     
    Last edited: Sep 21, 2011
  13. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    Hi.. Yes, I know about the system wow folder, hence (not the system wow folder). The new folder created after being compromised was called system64, directly below system32. I'm going to retest tonight. I have changed my mind about Comodo and find it a very good choice, however like all the other AVs etc., it has its weaknesses and is certainly not invincible or immune from being disabled given the right conditions.
     
  14. sm1

    sm1 Registered Member

    Joined:
    Jan 1, 2011
    Posts:
    570
    I think you can set a password to protect CIS. Also I used to block unknown executables through Defense + settings.
     
  15. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    815
    Location:
    India
    By changing security mode to Proactive and changing D+ to Safe Mode and Sandbox either to Restricted or Untrusted, protection will be tightened very much.

    Remember v5.8 brings a whole lot of improvements to current version for 64bit along few bypasses to current D+.. :)

    Thanks,
    Harsha
     
  16. carat

    carat Guest

    The default settings are good enough but the AV is still poor ... :D
     
  17. icr

    icr Registered Member

    Joined:
    Sep 6, 2008
    Posts:
    1,589
    Location:
    UK
    It's a solid product altogether, well you can't ask for more for free. I have used it many times and always in default configuration. Wasn't infected at all ;)
     
  18. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,344
    Location:
    Europe, UE citizen
    I will never understand the point of using a HIPS and not setting it as a HIPS, that is, with the highest settings. Yes, you can do it, but it will no longer really be a HIPS.
     
  19. guest

    guest Guest

    It's enough; if you want something else try the proactive mode.
    I have read on the Comodo forums about a similar problem with a malware file; it's already fixed in the current beta.
     
  20. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    Thanks, I've left the laptop with her today and put CIS in proactive mode and limited mode. We went through most of her setup and only one D+ popup occurred, so things seem fine. One question if I may? Do new versions of Comodo auto update or does the current one need to be downloaded manually and installed?
     
  21. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    It hasn't so far auto updated per se, but you can use the "Check for Updates" function under the "More" tab. Your settings will carry over fine.
     
  22. guest

    guest Guest

    CIS 5 will check for updates automatically, and if there are any it will download and install them. (You don't need to download it via browser or save it to the desktop.)
    In CIS beta 6 I have noticed during the beta updates that CIS only downloads the files that need to be updated and not the full package.

    But for the update from 5 to 6 it will probably need to download everything and install it, but you will get a notification from CIS a few days after the release.
     
  23. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    Thanks everyone for the replies. It is good to know that it will auto update. Another question if I may? Is there any/limited security tradeoff if "create rules for safe applications" is ticked in D+ and firewall?
     
  24. guest

    guest Guest

    No, it's just that CIS will create a rule in the Firewall and in D+ policy for the trusted files; if you don't check them and the file is trusted, CIS will not create the rule. (These options are not related to showing or not showing popups.)

    For example I like to see the firewall rules, so I have the setting checked for the firewall but not for the HIPS.
     
  25. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,342
    Location:
    USA
    It's no security tradeoff as far as I know but it may cause decreased performance, one of the reasons it is ticked off by default.
     