POLL: How will a Behaviour Blocker prove useful for CIS?

Discussion in 'other anti-malware software' started by 3xist, Mar 22, 2009.

Thread Status:
Not open for further replies.
  1. 3xist

    3xist Guest

  2. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
  3. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    Re: POLL: How will a Behaviour Blocker prove useful for CIS?

    Hi,

    IMHO a good solution may be to offer two versions of CIS.
    CIS as it is now, with FW, HIPS and AV, which targets advanced users.
    And a new version with a basic FW, a Behaviour Blocker and the AV, which should be quite easy to use, ergo a possible solution for the majority of PC users.

    Cheers
     
  4. nomarjr3

    nomarjr3 Registered Member

    Joined:
    Jul 31, 2007
    Posts:
    502
    Re: POLL: How will a Behaviour Blocker prove useful for CIS?

    Well, I think it would be better if they just implement the BB in a separate module which you can add/remove easily with the uninstaller.
    Like what the current CIS has, you can uncheck the AV module and leave the Firewall and HIPS modules checked.

    I think they should do this with BOClean also.
    So technically speaking they have 6 modules: AV, Firewall, D+, BB, BOClean, and TM.
     
  5. _kronos_

    _kronos_ Registered Member

    Joined:
    Dec 8, 2008
    Posts:
    126
    Re: POLL: How will a Behaviour Blocker prove useful for CIS?

    or they can try to do a separation during the setup (even if it will confuse, maybe):

    1. Experienced User: This will install CIS with its full capabilities. You can choose between Optimum Security, or Maximum Security, and which module to install (Av, D+, Firewall, BB, BOClean etc.)...so you can choose how to create your own suite.

    2. Simple User: This will install CIS with the best settings for most users; it will be simple, with fewer alerts. The user wouldn't be able to choose the modules to install...By default it should be with BB, BOClean, CAVS, Firewall with LowAlertSetting, D+ based on ThreatCast feedback (so the popups would be = 0)

    This just for example...

    However my opinion, as I already said in Comodo 3d, is to not implement the BB...:isay:
     
    Last edited: Mar 23, 2009
  6. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Josh,

    I would suggest a differentiation between static defense by D+ (e.g. low level registry access, startup registry keys, crucial OS files, direct disk access, setting hooks, API call redirection (on which WHIPS is based), direct memory access) and dynamic defense by BB and heuristics.

    This BB + heuristics would focus on common intrusions like dll injection, manipulation of other processes, shutdown, delayed file operations, messages, DDE, Com etc.

    First heuristics would filter out new occurrences of existing (generic) malware fingerprints, secondly BB would kick in as follows:

    1. After an intrusion the sandbox would be launched and the process causing the intrusion would be sent to threatcast
    2. Threatcast should analyse new samples and when majority voting is in line with the automated threatcast analysis either a block (with rollback to initial state of the sandbox) or an allow (with commit of the virtualised sandbox with the real environment) would be generated silently
    3. Only a pop-up would be thrown at the user when above does not provide a clear answer

    Cheers Kees
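The three-step verdict Kees sketches above (fingerprint heuristics first, then ThreatCast majority vote checked against the automated analysis, then a prompt only when there is no clear answer), written out as an added example. This is not Comodo's or Kees's code; the vote threshold, the minimum vote count and the sandbox model are constructed assumptions.

```python
"""Model of the tiered BB + ThreatCast verdict described in the post above.
All names, thresholds and sample data are constructed assumptions, not CIS code."""
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    BLOCK = "block"    # silent block: sandbox rolled back to its initial state
    ALLOW = "allow"    # silent allow: sandboxed changes committed to the real system
    PROMPT = "prompt"  # no clear answer: only now is the user asked


@dataclass
class Sandbox:
    """Virtualised file view: writes stay in `pending` until committed or rolled back."""
    real: dict = field(default_factory=dict)
    pending: dict = field(default_factory=dict)

    def write(self, path, data):
        self.pending[path] = data

    def commit(self):
        self.real.update(self.pending)
        self.pending.clear()

    def rollback(self):
        self.pending.clear()


def threatcast_verdict(automated_malicious, votes, min_votes=5, majority=0.6):
    """Act silently only when the community majority agrees with the automated analysis.
    `votes` is a list of booleans (True = voted malicious); thresholds are assumed."""
    if len(votes) < min_votes:
        return Verdict.PROMPT           # too few votes to call it a majority
    share_malicious = sum(votes) / len(votes)
    if share_malicious >= majority and automated_malicious:
        return Verdict.BLOCK
    if share_malicious <= 1 - majority and not automated_malicious:
        return Verdict.ALLOW
    return Verdict.PROMPT               # split vote, or vote contradicts the analysis


def handle_intrusion(sandbox, fingerprint_hit, automated_malicious, votes):
    """Heuristics first (known fingerprint), then ThreatCast, then the user."""
    if fingerprint_hit:
        sandbox.rollback()
        return Verdict.BLOCK
    verdict = threatcast_verdict(automated_malicious, votes)
    if verdict is Verdict.BLOCK:
        sandbox.rollback()
    elif verdict is Verdict.ALLOW:
        sandbox.commit()
    return verdict  # PROMPT leaves the sandbox pending until the user answers
```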
     
  7. 3xist

    3xist Guest

    Great ideas guys.

    It would be very useful if some of you could share your thoughts on the poll I made in the Comodo Forums too, Melih is watching that thread. And Kees, your ideas are also very good.

    Here is a plan I made:

    COMODO Internet Security 4.0 Security Architecture (ONLY A PLAN BY 3XIST).

    ***
    Prevention
    Firewall
    Defense+
    Memory Firewall (Built into Defense+)

    Detection
    CAV
    Heuristics (Built in to CAV) - CIMA like heuristics will come in CIS v3.9.
    BOClean Memory Scanner (Built into Defense+) - This will be in CIS v3.9 anyway.
    Behavior Analysis (Built into Defense+) - Will act as another layer of heuristics (behavior like).

    Cure
    Time Machine
    ***

    The whole idea is to have 2 types of heuristics:
    Behavior Analysis
    AV Heuristics.

    This will give greater detection, and make Defense+, being a HIPS system, much more usable while not sacrificing security.

    The above security architecture of CIS looks nice IMO...

    Cheers,
    Josh
     
  8. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    Melih has shown interest in utilising BB technology so hopefully some of the excellent suggestions here may well become reality.:thumb:
    From my own experience running Mamutu seamlessly with CIS it's definitely got potential.
     
  9. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I wonder what changed in Melih's mind regarding behavior blockers, considering that, not so long ago, such tools were not of his liking.

    Also, if Defense+ is now, indeed, and I can't tell, less intrusive, and offering a great security, then, what's the need for such?

    What additional security will it provide?
     
  10. TrojanHunter

    TrojanHunter Registered Member

    Joined:
    Jul 8, 2007
    Posts:
    151
    Location:
    United Kingdom
    I don't really like HIPS, not because I don't understand them....but the allow and deny pop-ups test my patience. Since a HIPS system prompts on the good as well as the bad...who the hell knows if the prompt really is a malware action, unless it gives away tell-tale signs. If I were to test a HIPS product against malware it would pass with flying colours because I know the pop-ups are for something bad, but in a day-to-day situation I personally think such a system is flawed IMO.

    I do like Behavioural blocking though, but of course nothing is perfect and nothing is ever likely to be. Behavioural Blockers don't annoy me and software like Threatfire has done well in the various tests I've seen. That's how security software should be...not to bother me unless something bad happens. Anti-virus + Firewall + Behavioural blocker + Sandboxing seems solid enough for my needs.

    If Comodo could implement behavioural blocking, then those of us who hate Defence+ could still have a good all-in-one security product with it disabled, provided the Anti-virus component improves further.
     