COMODO Internet Security 4.0.664.127486 BETA Released

Discussion in 'other anti-malware software' started by Dragons Forever, Jan 11, 2010.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    On Vista x64 and Windows 7 it is impossible to prevent all side by side infections. These APIs are simply not available. So the next best thing you can do is manage the DAMAGE which could be done, with FILE and REGISTRY virtualisation, so Comodo takes a sensible approach (even with process modification guard on, there is no way it can prevent all process modifications in x64, so it was a false promise in the first place).

    By the way, DAMAGE is relatively limited when running with lowest user rights, therefore CIS3 on x64 dealt with most intrusions (possibly all living in the wild) and users wonder why software A is able to deal with x64 and why Software B is not providing a version for this OS (x64).



    Regards Kees
     
    Last edited: Jan 20, 2010
  2. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,351
    Location:
    Europe, UE citizen

    Is it really so? I stopped using KIS after the version 8 release for a similar reason. I hope that Dragons Forever might clarify it. :rolleyes: :(
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I don't understand all of what you said, but it was the same situation with CIS 3 on XP.
     
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Just an example. In CIS 3, there was almost no way to make a rule that will alert the user whenever services.exe tries to load a driver. Every time you set the rule to Ask, it will be converted to Allow during a system reboot. The same is true of CIS 4.

    I had a malware sample in the past that used to load its rootkit driver via services.exe.
     
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Sorry, that was related to "Paranoid mode is a joke in CIS4".

    Since CIS4 is more geared to Windows 7 (majority is x64 versions), they might as well drop this mode, since it gives an illusion of paranoid protection (simply not all intrusions can be prevented). Therefore the new approach of Comodo makes sense. The sandbox does in fact double UAC elevation control, extends protected mode to all unknown applications and has file and registry virtualisation for non-whitelisted apps (while Windows 7 and Vista only offer this for compatibility = running as pseudo admin, or manual selection of virtualised running through the task manager). This means that D+ options can be trimmed down to file and registry protection, direct keyboard and screen access.

    In regard to your complaint about the generated rules:

    Only when you install Comodo with the highest security will you get a default ask on all items when Comodo generates a new program rule. In all other modes, it does not matter what you select in D+, it falls back to a less safe generated rule (usually only file and registry on ask, others on allow). So I share your criticism.
    When you select tickboxes in the D+ defense, these should be the items where a generated rule should have ASK.

    Hope this helps
     
    Last edited: Jan 20, 2010
  6. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,351
    Location:
    Europe, UE citizen
    Sorry Kees, today I'm not running at 100% ( chagrin d'amour..:( ), does it mean that Defense+ 4 ( I'm using version 3 now ) in paranoid mode runs the same way as Defense+ 3, or with less safety?
     
  7. rendez2k

    rendez2k Registered Member

    Joined:
    Aug 3, 2007
    Posts:
    315
    Location:
    UK
    Installed the beta and all went well. But I remembered why I went back to Kaspersky within an hour. It decided to block PS3 Media Server from connecting. I could see the problem in the log but no matter what I added to the rules and allowed, it just wouldn't work! Why on earth can't you just select the relevant line in the log and click allow connection?!

    Can anyone tell me how to get a program working?! On a plus note, pop-ups and general meither has been vastly minimised so good work there.
     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    A very needed feature indeed.

    Also a highly needed feature is on-the-fly rule creation via pop-up alerts.

    And the logging is very very poor in CIS indeed.
     
  9. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    Do you compare MD with CIS sometimes or what? :shifty:

    Cheers
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    :D :D :D
     
  11. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    CIS 3 probably delivers what it promises on x32

    CIS 3 could not deliver the same on x64 as on x32

    CIS4 takes an intelligent approach to existing Microsoft mechanisms

    * Runs least privilege User for programs in the user space (programs out of C:\Windows and C:\Program Files directories)

    * Provides an elevation prompt on installers (only with an auto allow whitelist of trusted vendors), like UAC does, it only applies Elevation prompts to NEW instead of EVERY program.

    * Applies an allow execution whitelist (like in AppDefend) by adding programs to your trusted programs in D+

    * Provides File and Registry virtualisation (available since Vista), only unlike Microsoft it is not intended to run as Pseudo Admin for compatibility (virtualise access to Program Files and HKLM hive of registry). It can also be managed by the user by selecting this in the Sandbox setting. With Vista and Windows 7, this could only be done manually through the task manager (see pic and for explanation http://blogs.technet.com/richard_macdonald/archive/2007/05/18/990366.aspx). Big difference: Pseudo Admin of Vista/Win7 runs on EXISTING programs to handle UAC incompatibility, while CIS4 applies it on NEW/unknown processes to protect files and registry of Admin.

    * File and Registry protection while in the Sandbox is handled by D+ (so you can defend vulnerable folders and registry entries in the user space, like prevent setting off Windows 7 UAC or changing RUN/RunOnce and zone settings of IE8 in HKCU).


    In short all the OS improvements of VISTA (with full UAC) which are directed towards higher reliability (and were also a security improvement) are used by CIS4 in such a way it becomes REAL security features. CIS3 was a mature classical HIPS. CIS4 will be a juvenile policy/Sandbox HIPS. :thumb:

    It achieves (to a lesser degree) a sort of cross over between Sandboxie and DefenseWall. Have a look at this thread https://www.wilderssecurity.com/showthread.php?t=255963 On x32 SBIE+DW are still the best/quiet solution, on x64 I am seriously looking at CIS4 with some help of Sully's Pretty Good Security and UAC in quiet mode (I have to discover the registry setting for that in Windows7, equivalent of TweakUAC for Vista), so Ilya and Tzuk please consider a combo for x64 :D when eggman and omeleteguy can do it, you two are way better software developers :argh: So wait until CIS 4.1 to hop on this wagon (I never use Comodo 1.0 products, CIS 4 really is CIS 1.0 policy/sandbox)
     


    Last edited: Jan 21, 2010
  12. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,351
    Location:
    Europe, UE citizen
    Hi Kees, thanks a lot for such a deep answer. ;) My worry is really this ( if I've understood right ) " In short all the OS improvements of VISTA (with full UAC) which are directed towards higher reliability (and were also a security improvement) are used by CIS4 in such a way it becomes REAL security features. CIS3 was a mature classical HIPS. CIS4 will be a juvenile policy/Sandbox HIPS ":

    - I use XP SP3 ( I have Seven, but actually I don't like it so much ), and I want a classical HIPS, not a policy HIPS. I want to go on deciding my HIPS configuration entirely, and I wouldn't want a HIPS to use UAC, neither in Vista nor in Seven. I would like Dragons Forever to confirm that I can also use Defense+ 4 as I use 3 in XP. I'm afraid that Comodo HIPS is becoming too similar to KIS. :(





     
  13. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Okay, just some refinements

    - CIS4 works also on XP
    - CIS4 does not use UAC, it is more like an improved UAC (intelligently asks only at installs, not belonging to a trusted vendor or a vendor/program listed in your personally managed "my trusted programs").

    As for the terms classical or policy HIPS, I would rather use a policy HIPS, simply because the attack surface is reduced substantially (compare a classical HIPS with rugby, just anyone passing the try-line will result in a score, while with soccer you have to shoot the ball in the net of the goal plus there is a goalkeeper, which you have to pass also, so I would prefer a policy HIPS any time over a classical HIPS).

    So the good news is that CIS4 brings a strong policy enforcement (and better than Vista/UAC it also allows you to protect the user space intrusions).

    Read the criticism of Aigle. All CIS versions have a major Achilles weakness: generated rules are often wider / less restrictive than the general * (all programs) rule. So you think you allow only intrusion 1 for program A, but unknowingly you have allowed intrusions 5,6,7,8 also. I would prefer Malware Defender as a better classical HIPS (or OA's HIPS) over CIS anytime.

    Downside of using XP versus Vista or Windows 7 is that lower rights processes are allowed to manipulate higher rights objects, so with UAC in quiet mode and running some internet facing software as limited user (with the aid of PGS), this would be a great advantage over a third party security software. You can also choose to protect Internet facing software through CIS (an option most people don't use, because every one focusses on the attack vectors, not the weak spot of intrusion).

    It would be nice to know whether CIS4 also protects higher rights objects from manipulation on XP by lower rights objects. Maybe Dragons Forever (formerly known as 3exist) can provide some insight on this.

    Regards Kees
     
  14. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,351
    Location:
    Europe, UE citizen
    Thanks a lot Kees, very kind and clear answer. :thumb:
     
  15. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Well I had to try CIS4 beta

    So I made an image of my wife's PC (it is XP Home with a dual core CPU on 3 GHz, with a new 1TB Samsung F3 hard disk) and removed all security apps (DefenseWall + Sandboxie ad hoc).

    Installed with maximum security without a glitch. Trimmed down the file protection (remove all files, just select all the other groups to protect, you are fine with that), trimmed down limited policy to check only on direct disk, driver install, file, registry, keyboard and screen. I left paranoid mode and went into clean PC mode. Allowed programs in trusted policy to start programs from C:\Windows and C:\Program Files.

    Have to admit the pop-up noise goes down (compared to CIS 3 in a similar setting). Considering it is a major code overhaul, the beta surprised me (I normally encounter bugs in Comodo betas real fast, this one seemed decently enough tested to be called a beta, so this gives hope for the future).

    Delay of program startup is a little more than V3:
    - cold start IE8 = 6+ seconds
    - repeat start = 3+ seconds
    - sandboxed start = 4+ seconds

    Compared with DW/SBIE for reference
    - cold start IE8 = 4 seconds (only DW)
    - repeat start = just under 2 secs (only DW)
    - sandboxed start = 3 seconds (DW + SBIE)

    Considering most of the new PC's will be AMD X4 or Intel 5/7 chips on it (the Samsung F3 has 135MB/sec throughput on the C partition, so new PC's won't have much faster Harddisks), the 'delay' price for this type of security (policy plus sandboxing) is reasonable.

    Was a little disappointed that in the Sandbox the default limited policy applied. So my question to Dragons Forever is: does Comodo also apply OS policy management (according to documentation it should run Least Privilege User)?

    I noticed some typical Comodo programming issues: for instance you can change the name of the policies, but the policy names in the GUI are hard coded, so you won't recognise this. These types of infringements against good programming practice on a low level are no good sign of the re-use/service architecture on a higher level. So I did some more empirical / grey box testing, but that all turned out okay.

    So for a beta, not bad, for a Comodo beta real good (CTM also positively surprised me, pity their 'final' release of on-line scanner was really a dragon of an application and was demoted to beta soon after introduction).

    Regards Kees
     
  16. I don't think so Kees.

    Since Vista and Windows 7 have the latest and better OS Security features, XP 64 is very limited I'm afraid when it comes to virtualisation it is quite hard. Please keep in mind virtualization will NOT be supported in XP x64. However, Windows 7 and Vista will have it, as well as XP x32. But whether it's XP 32 or XP 64 I doubt higher rights manipulation is supported.

    I am glad you are also seeing the power of CIS4. This is still ongoing development and CIS4 utilizes OS Security very well at this point. E.g., when you see an elevation alert you should think of it as a UAC Alert in Vista/7.

    Cheers,
    Josh
     
  17. Btw if anyone is not registered on the comodo forums and wants a look at the first beta of CIS4, pls PM me and I can provide you download links and keep you updated with future beta releases.
     
  18. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Josh, thanks for the answer. In regard to seeing the power, remember the thread I posted in which I tried to create a similar setup with CIS3, EdgeGuard and ThreatFire, so I am happy that Comodo is seeing the power of policy management/sandboxing :p (I am the one who is still promoting the same message, only CIS changed, so now I am happy with it).

    I have one more question: the documentation states that within the sandbox a least privilege user rights policy is implied. Is this through the OS or through the policy selected for this application in the sandbox or do both apply (LUA + f.i. Limited Policy)?

    Thanks again
     
  19. dacorsa

    dacorsa Registered Member

    Joined:
    Oct 31, 2007
    Posts:
    2
    thanks for this info!!!

    see you soon!
     
  20. LagerX

    LagerX Registered Member

    Joined:
    Apr 16, 2008
    Posts:
    565
    COMODO Internet Security 4.0.129536.679 BETA Released

    What is new in version 4.0.129536.679?

    This release addressed total 127 bugs that are either reported publicly or found during private testing. Here are some of the fixes:

    Code:
    FIXED! USB devices are not recognized while CIS is installed
    FIXED! AV Scanner crashes while scanning some files
    FIXED! CIS BSODs with Xlisoft Video Converter
    FIXED! CIS keeps logging when logging is disabled
    FIXED! CIS does not remember answers to some COM alerts
    FIXED! CIS icon stays permanently in Windows 7 task bar
    FIXED! Many incompatibility problems: Google Sidebar Consumes 100% CPU when sandboxed, Opera can not open default browser settings etc.
    FIXED! AV full scanning status is not reflected properly in the summary screen
    We are aware of some issues that cause incompatibility problems and we are still working on them. We also would like to let you know that every issue reported is being handled by the CIS team. Thank you for your cooperation.
     
  21. Espresso

    Espresso Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    976
    Why doesn't Comodo have a way to export application policies?
     
  22. clocks

    clocks Registered Member

    Joined:
    Aug 25, 2007
    Posts:
    2,787
    Is it just me or is CIS4 growing in resource usage vs. version 3? I still wouldn't consider it heavy, but it is growing.

    This latest beta build works better than the last one, but I am not sure I like the direction this program is headed. I wish they had made some improvements to the AV.
     
  23. Espresso

    Espresso Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    976
    Memory usage snapshot:

    CFP.exe - 3484K (Private) 26288K (Commit)

    cmdagent.exe - 2264K (Private) 40588 (Commit)


    Is that much worse than before?
     
  24. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Hehe... RAM usage never matters today unless something is wrong - CPU and Disk I/O does. :D :)
     
  25. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    I did find there to be a certain degree of latency when performing right click/opening folders/starting applications when I first installed CIS4. However, after the system 'settled down' and had been used for a few hours it feels no different (or at least not noticeably) than V3.

    As for the AV, with the way the program is developing, although not quite redundant it is very much of secondary importance now IMO. As Kees superbly explained, this policy based HIPS approach makes malware detection less critical.
     