Downadup/ Conficker worm and CFP Defence Plus

Discussion in 'other anti-malware software' started by aigle, Jan 25, 2009.

Thread Status:
Not open for further replies.
  1. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    The question has been asked on the Comodo forums if BOClean stops this worm? Would you happen to know, or be willing to test for us? :thumb:
     
  2. 3xist

    3xist Guest

    Hmmmm... OA gives a Memory Injection Alert, Defense+ gives a BIG RED Alert and identifies it as malware. Why would users ignore this big red alert... while, by the same token, blocking OA's nondescript alert about memory injection?

    Users either ignore or allow all. And also why would those very users block OA’s memory injection alert?

    Cheers,
    Josh
     
  3. Bad Frogger

    Bad Frogger Guest

    Joined:
    Jan 25, 2009
    Posts:
    0
    Just in case sded's remarks were aimed at me.
    I re-registered here. Was Pit Frog, kinda liked it.

    Yes, I stand behind what I said.
    No, I'm not a troll.
    I'm also pretty sure I'm not who you thought I was.

    I might be new posting here, but I have visited and read for years.
    Many times if nothing else but for comic relief.
    I have seen most of the regulars here in action, and the threads that
    go on and on and on.
    Mine's better, no mine's better, no mine's better, blah blah blah.
    See the latest test, I'm changing. Currently running 9 security apps.

    Again do you not see the resistance to a simple free solution that just works?
    What would you all do, find a new hobby?
     
  4. Leolas

    Leolas Registered Member

    Joined:
    Jun 18, 2008
    Posts:
    58
    Location:
    Modena, Italy
    What if Comodo didn't have this specific malware in its database? ;)

    edit: And I'd block it because if an unknown program, of which I don't know the source, wanted to modify svchost.exe, I'd think about whether I should block it or allow it.
     
  5. 3xist

    3xist Guest

    No worries Bad Frogger.

    Can someone answer my above questions pls?

    Cheers,
    Josh
     
  6. 3xist

    3xist Guest

    I'm talking Defense+ Red Alert & Online Armor alert, Not the red AV Alert. If you go to first 2 posts of this thread, you will see the Alerts. D+ obviously doesn't use signatures.

    Feel free to answer.

    Cheers,
    Josh
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Because jwgkvsq.vmx is UNKNOWN while rundll32.exe is well known, and memory access alert for well known applications is so common.
     
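    The rule aigle gives above (an unknown file such as jwgkvsq.vmx hosted by a well-known process like rundll32.exe is the alert worth acting on, whereas memory-access alerts between well-known applications are routine) can be written down as a small triage scorer. This is an added example, not code from the thread or from any Comodo or Online Armor product; the host-process list, the alert fields and the sample alerts are all constructed for illustration.

```python
# Added example, not code from the thread or from any HIPS product.
# Scores HIPS-style alerts by the rule stated in the thread: unknown code
# hosted by a well-known loader is the signal to act on; memory access
# between two trusted, well-known programs is common and usually benign.
from dataclasses import dataclass

# Assumed: processes that commonly host or are touched by other code.
WELL_KNOWN_HOSTS = {"rundll32.exe", "svchost.exe", "explorer.exe"}

@dataclass
class HipsAlert:
    action: str            # "load_module", "modify_process" or "memory_access"
    subject: str           # process that initiates the action
    subject_trusted: bool  # subject is on the whitelist / trusted-vendor list
    target: str            # file or process acted upon
    target_trusted: bool   # target is whitelisted

def triage(alert: HipsAlert) -> str:
    """Return 'high', 'medium' or 'low' for one alert."""
    subj, tgt = alert.subject.lower(), alert.target.lower()
    # Unknown module run through a trusted host: the worm's pattern in the thread.
    if alert.action == "load_module" and subj in WELL_KNOWN_HOSTS and not alert.target_trusted:
        return "high"
    # Unknown program modifying a well-known process (the svchost.exe case above).
    if alert.action == "modify_process" and tgt in WELL_KNOWN_HOSTS and not alert.subject_trusted:
        return "high"
    # Memory access between two trusted, well-known programs: routine.
    if alert.action == "memory_access" and alert.subject_trusted and alert.target_trusted:
        return "low"
    return "medium"

def triage_all(alerts):
    """Map each alert to (subject, action, target, level), highest risk first."""
    order = {"high": 0, "medium": 1, "low": 2}
    rows = [(a.subject, a.action, a.target, triage(a)) for a in alerts]
    return sorted(rows, key=lambda r: order[r[3]])  # stable: keeps arrival order within a level

# Constructed sample alerts in the order a user might see them.
SAMPLE_ALERTS = [
    HipsAlert("load_module", "rundll32.exe", True, "jwgkvsq.vmx", False),
    HipsAlert("memory_access", "explorer.exe", True, "firefox.exe", True),
    HipsAlert("modify_process", "setup_unknown.exe", False, "svchost.exe", True),
    HipsAlert("memory_access", "cdburner.exe", False, "explorer.exe", True),
]

if __name__ == "__main__":
    for row in triage_all(SAMPLE_ALERTS):
        print(row)
```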
  8. Leolas

    Leolas Registered Member

    Joined:
    Jun 18, 2008
    Posts:
    58
    Location:
    Modena, Italy
    uhm :D

    Well, with this you're right, but once you've allowed the first popup, you'd surely let it go. I'd change the second popup too, if I were Comodo.

    Anyway, how frequently does Comodo's heuristic detect possible malware behaviour? o_O

    PS: I've answered the other question in the edit of my previous post.
     
  9. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I just don't like 2 things in the way Defense+ gives the first alert, which is the most important one.

    1st - It should advise the user to block the action, but then the user could just think that it is one more of those alerts flagging something bad with heuristic analysis. It happens frequently.

    2nd - It advises the user to submit the file to Comodo for further analysis, but where is the Submit link? In the alert, I mean.

    Whenever a red alert, such as that, appears, it should recommend the user to block and to provide a submit link.

    Those are the only 2 flaws I see in the way Defense+ works.

    But a red alert is always a red alert. It is like traffic lights. Red means stop. And in this case, careful action should be taken, hence the need to advise the user to block the action and to put a submit link in the alert.

    Look at Defense+ and OA, the user would give more attention to Defense+. The problem is the way the alert is given.

    Regards
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hi, the red heuristic alert is common with so many applications/ utilities that are not malware.

    BTW I don't mean that a user will allow this execution alert. I was thinking of some possibilities:

    - accidental allow click
    - allow click by mistake/wrong user decision
    - most importantly, HIPS are like an advanced anti-executable with behaviour blocker components, and they are meant to deal with zero-day malware techniques, so I expect them to mitigate the damage even if the malware is somehow allowed to run by the user. This was the basis for all these tests and my thread at the Comodo forums. If this is not the case, there is no need for all the filters (like memory access, driver loading, registry access, global hooking etc.). A simple execution-ONLY interception (allow or block) may be all that is needed in a HIPS.
     
  11. 3xist

    3xist Guest

    That's besides the point. We are analyzing this worm here, Not anything else.

    Okay... Now let's analyze this a little bit deeper.

    The first Alert is the key here. And this is where naturally users will react.

    Defense+ First Alert: Gives Red Alert, Identifies as Malware.
    Online Armor First Alert: Can NOT make the decision for them.

    Obviously, the average user will react to First Alerts. A user WILL be more likely to allow the Online Armor Alert and get infected than the D+ Alert, because D+ says "Hey... This is malware behavior" and OA is clueless, and a user will go, "Well, it MUST be ok" and allow it and BANG, you're infected. D+ will bring a 2nd Alert STRAIGHT away when they block the first one, and again, users will naturally react and block this. If a user does NOT block this, it's simply a legitimate action that the user allowed, and the malware is FREE to do all. After all, D+ gave the first BIG Red Warning, NOT Online Armor.

    I see the OA Alert also has an AV+ Alert (which counts for the AV in OA). In CIS, with the AV, CIS will produce much fewer pop ups. I have NO IDEA if this is the case with OA, but with CIS, if the AV detects something, D+ will NOT Alert.

    Anyway, ThreatCast will solve MANY more Alert issues very soon when it's released (Currently v3.8 beta), And v3.8 beta already provides more usability, And I'm sorry, when that time does come, OA will not be comparable to CIS.

    Cheers,
    Josh
     
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Red alert of CFP is cool but not so great unless they tweak their heuristics more.

    I just went to the nirsoft website and downloaded 5 utilities at random. All gave red alerts.

    [Attached screenshots: 1 (2).jpg, 1 (3).jpg, 1 (4).jpg, 1 (5).jpg, 1 (6).jpg]
     
  13. 3xist

    3xist Guest

    Pls read my previous post, aigle. And for the example you just gave, I can also say that OA doesn't recognize a malware and a user will allow it, or OA AV DETECTED a CD Burner app to be malware and a user removed/quarantined it.
     
    Last edited by a moderator: Jan 25, 2009
  14. IceCube1010

    IceCube1010 Registered Member

    Joined:
    Apr 26, 2008
    Posts:
    963
    Location:
    Earth
    I think what 3xist is saying is that anything with Malware behavior being mentioned in a Red D+ box is something to be cautious with. I know it's very easy to just click allow all the time, but since OA and Comodo have come a long way in suppressing the redundant popups, when they do report something, one must proceed with caution! :D

    Ice
     
  15. 3xist

    3xist Guest

    Come on guys really...

    Imagine if Comodo had 10,000 malware in a test… CIS vs other HIPS…
    CIS would clean them all without a single alert… whereas other HIPS would go into popup mania….. Because CIS has the AV.

    That's just a usability point. Anyway there really is a flawed assumption here on his argument and I hope we can all end this soon, if not... We can continue to discuss technically.

    Cheers,
    Josh
     
  16. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    I'm confused, so are u saying Comodo's AV has 100% detection rate?
     
  17. 3xist

    3xist Guest

    Nope.

    I mean If Comodo had 10,000 in a test (That CIS actually detected as an AV) vs other HIPS. This is what I mean. :) Great Usability...

    People need to know...

    1) AV's only detect %age of malware.
    2) In CIS, If AV Detects a malware, D+ won't alert.
    3) Detecting 40% of malware while rest have D+ Alerts Vs Other HIPS provides a usability Advantage, etc and that is only one aspect of CIS on this. :)

    And btw the Comodo virus DB is building fast.

    Cheers,
    Josh
     
  18. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Sorry, I do not understand? o_O
     
  19. 3xist

    3xist Guest

    Okay...

    Scenario: There are 10,000 malware here. The Antivirus in CIS detects them all, Therefore, Defense+ will not Alert. Here CIS vs other HIPS. the AV in CIS wipes all 10,000 malware with ONE Alert of the AV, D+ Shuts up totally! Other HIPS go pop up crazy! CIS use detection capability to make life easy and not show popups…

    So by using AV to simply make life easy for users, while still prevention being the first line of defense is a outstanding thing IMO.

    :)

    Cheers,
    Josh
     
  20. virtumonde

    virtumonde Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    504
    Comodo's alert, the Red warning, is great. You get this (not sure if with this malware) but with others, even if you install only the firewall. This makes Comodo very good.
    However, as aigle posted, and as many persons that use Comodo know, legitimate software installs can also give the same warning, meaning that users will tend to ignore the warning and allow.
    Then what?
    I would like to see how this will be dealt with when the final CIS is out, especially how ThreatCast will handle 0 day threats like this. If it will still depend on pop-ups for protection and remain a tool for advanced users, or if it will be one of the masses' favourite products.
    3xist, your contribution is appreciated. I hope that if you skip rivalries you'll see that most of us like good working products, and don't care if it's Comodo, Online Armor, both etc.
    I will say again my opinion. The pop-ups from Comodo and OA can't be handled by average users. It's 50/50 if they are lucky.
     
  21. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,660
    and that question has not been answered as of yet at the Comodo forum in that thread, except by 3xist with ...

    and that doesn't answer the question.

    Where are the good old times with Kevin? :blink:
     
  22. 3xist

    3xist Guest

    ThreatCast is a community based thing. Advanced users will answer pop ups and make the average users job so much easier! And btw Comodo are adding a whole heap of Trusted Vendors, Whitelist, etc v3.8 in beta is a huge update, MUCH for usability. And not forgetting... If CIS AV Detects, D+ won't Alert and that detection capability is very good for CIS as the malware DB grows dramatically...

    Everyone has their own opinions! And I respect that a lot, I'm just giving the facts here with this worm! :D

    :)

    Cheers,
    Josh
     
  23. 3xist

    3xist Guest

    Sorry. I was busy then. :( Need Kevin... :( :)

    Cheers,
    Josh
     
  24. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    No, there is no such thing as a 100 percent AV. I think what he is saying is that because of the AV and its signatures in place, it takes some of the guess work out and helps reduce unneeded pop ups. In other words, if the AV detects it, it handles it without the need for the user to make the decision from the HIPS. Correct me if I am wrong.
     
  25. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,660
    Yes please ask Kevin !

    Regards,
    Jan.

    (edited because Josh edited the posting ;))
     
    Last edited: Jan 25, 2009