POLL: How will a Behaviour Blocker prove useful for CIS?

I made a poll here: https://forums.comodo.com/feedbackc...or_cis_please_vote_and_pls_read-t36853.0.html

Views and votes are all welcomed not only there but also here.

Cheers,
Josh

 

Re: POLL: How will a Behaviour Blocker proveuseful for CIS?

interesting, sounds like a good idea (for now...) we shall see what happens

 

Re: POLL: How will a Behaviour Blocker proveuseful for CIS?

Hi,

IMHO a good solution may be to offer two versions of CIS.
CIS as it is now, with FW, HIPS and AV, which targets advanced users.
And a new version with with a basic FW, a Behaviour Blocker and the AV, which should be quite easy to use, ergo a possible solution for the majority of PC users.

Cheers

 

Re: POLL: How will a Behaviour Blocker proveuseful for CIS?

Well, I think it would be better if they just implement the BB in a separate module which you can add/remove easily with the uninstaller.
Like what the current CIS has, you can uncheck the AV module and leave the Firewall and HIPS modules checked.

I think they should do this with BOClean also.
So technically speaking they have 6 modules: AV, Firewall, D+, BB, BOClean, and TM.

 

Re: POLL: How will a Behaviour Blocker proveuseful for CIS?

or they can try to do a separation during the setup (even if it will confuse, maybe):

1. Experienced User: This will install CIS with its full capabilities. You can choose between Optimum Security, or Maximum Security, and which module to install (Av, D+, Firewall, BB, BOClean ecc)...so you can choose how to create your own suite.

2. Simple User: This will install CIS with best settings for most users; It will be simple, with less alerts. The user wouldn't be able to choose the modules to install...By default it should be with BB, BOClean, CAVS, Firewall with LowAlertSetting, D+ based on ThreatCast feedback (so the popup would be = 0)

This just for example...

However my opinion, as I already said in Comodo 3d, is to not implement the BB...

 

Josh,

I would suggest a deferentiation between static defense by D+ (e.g. low level registry access, startup registry keys, crucial OS files, direct disk access, setting hooks, API call redirection (on which WHIPS is based), direct memory access) and dynamic defense by BB and heuristics.

This BB + heuristics would focus on common intrusions like dll injection, manipulation of other processes, shutdown, delayed file operations, messages, DDE, Com etc.

First heuristics would filter out new occurences of existing (generic) malware fingerprints, secondly BB would kick in as follows:

1. After an intrusion the sandbox would be launched and the process causing the intrusion would be send to threatcast
2. Threatcast should analyse new samples and when majority voting is in line with the automated threatcast analysis either a block (with rollback to initial state of teh sandbox) or an allow (with commit of the virtualised sandbox with the real environment) would be generated silently
3. Only a pop-up would be thrown at the user when above does not provide a clear answer

Cheers Kees

 

Great ideas guys.

It would be very useful if some of you could share your thoughts the poll I made in the Comodo Forums too, Melih is watching that thread. And also Kees your ideas are also very good.

Here is a plan I made:

COMODO Internet Security 4.0 Security Architecture (ONLY A PLAN BY 3XIST).

***
Prevention
Firewall
Defense+
Memory Firewall (Built into Defense+)

Detection
CAV
Heuristics (Built in to CAV) - CIMA like heuristics will come in CIS v3.9.
BOClean Memory Scanner (Built into Defense+) - This will be in CIS v3.9 anyway.
Behavior Analysis (Built into Defense+) - Will act as another layer of heuristics (behavior like).

Cure
Time Machine
***

The whole idea is to have 2 type of heuristics:
Behavior Analysis
AV Heuristics.

This will give greater detection, and make Defense+ being a HIPS system much more usable while not sacrificing security.

The above security architecture of CIS looks nice IMO...

Cheers,
Josh

 

Melih has shown interest in utilising BB technology so hopefully some of the excellent suggestions here may well become reality.
From my own experience running Mamutu seamlessly with CIS it's definitely got potential.

 

I wonder what changed in Melih's mind regarding behavior blockers, considering, that, not so long ago, such tools, were not of his liking.

Also, if Defense+ is now, indeed, and I can't tell, less intrusive, and offering a great security, then, what's the need for such?

What additional security will it provide?

 

I don't really like HIPS, not because I don't understand them....but the allow and deny pop-ups test my patience. Since a HIPS system prompts on the good as well as the bad...who the hell knows if the prompt really is a malware action, unless it gives away tell tale signs. If I was test a HIPS product against Malware it would pass with flying colours because I know the pop-ups are for something bad, but in a day to day situation I personally think such a system is flawed IMO.

I do like Behavioural blocking though, but of course nothing is perfect and nothing is ever likely to be. Behavioural Blockers don't annoy me and software like Threatfire has done well in the various tests I've seen. That's how sercurity software should be...not to bother me unless something bad happens. Anti-virus + Firewall + Behavioural blocker + Sandboxing seems solid enough for my needs.

If Comodo could implement behavioural blocking, then those of us who hate Defence + could still have a good all in one security product with it disabled, provided the Anti-virus component improves further.