imuade

Level 11
Verified
[image: Lockdown or Vaccine.png]

This is a new message from Melih, Comodo's CEO, on their forum.
I personally think this message is really astonishing.
That statement goes completely against the concept of containment that Comodo has always advertised...

Default Deny with Auto-sandboxing
The Jail House Method of Containment
So, containment is like placing a virus into a jail house (like the lockdown in the picture) so that it can't harm the PC, while traditional AVs are like killing an already spread virus (you can make a vaccine only after you discover that something unknown is a virus)... but now they advertise Comodo as a vaccine...

What do you think about this?
 

Spawn

Administrator
Verified
Staff member
Comodo's R&D engineers, who have developed an extraordinary application that allows you to run your critical application, such as POS System, safely when the platform has already been compromised.

This is what we call securing a Good file in a Container operation in a Bad environment. But we can also contain a Bad (or unknown) file operating in a Good (clean) environment and keep a device clean!
 

danb

From VoodooShield
Verified
Developer
@cruelsister

Great to see you! I wanted to get your thoughts on a couple of things, purely out of curiosity and also for a potentially interesting discussion on friendly terms (I am not dissing Comodo at all, it is an amazing product).

To me, global whitelists are nothing more than a repository for pre-analyzed files. Our WhitelistCloud is extremely accurate, but it is certainly not perfect, and it would be difficult to imagine any global whitelist with an efficacy of > 99.9% or so. To me, the only item that should be allowed is what is on the tiny, customized whitelist snapshot of the processes that were previously running. I mean, if you want to be super safe.

I was also curious what you thought about anti-sandboxing mechanisms. At some point, the code needs to run for real, or it never needed to run at all.

Just curious… I am certain you have some amazing insights.
 

imuade

Level 11
Verified
danb said: [quoted from danb's post above]
Hi Dan,
Thanks for your questions, I'm also looking forward to reading cruelsister's answers, but I'd like to write my notes too, if you don't mind :)

Whitelist
Many Comodo users complained about the length of their whitelist, especially since there are actually two whitelists, one local and one in the cloud.
Now the user can modify the local whitelist and can choose whether or not to check the cloud one.
Having a huge whitelist can lead to false negatives (malware whitelisted by mistake), and that actually happened to Comodo. But a short whitelist will surely lead to many false positives (I experienced a lot of them when I tried VS), so it's not easy to find a balance.

Anti-sandbox
I'm not a fan of the sandbox approach, that's why I prefer to use Comodo containment as an anti-exe and block unknowns instead of virtualizing them.

Have a nice day :)
 

danb

From VoodooShield
Verified
Developer
imuade said: [quoted from imuade's reply above]
Hi imuade, yeah, that is one of the great things about Comodo... you can configure it pretty much however you want, and I would certainly opt for blocking unknowns as well. That is the funny thing about whitelists, they need to be large enough to reduce false positives, and small enough to reduce false negatives ;).
 

Chri.Mi

Level 7
danb said: [quoted from danb's reply above]
I am not a programmer or anything like that,
but isn't it possible to use the process and parent-process signer to reduce the database size?
 

show-Zi

Level 25
Verified
About the Comodo message.
The infected person gets rid of the virus by treatment. People who have had contact with infected people or who have a slight tendency to become infected are isolated and monitored.
I interpret it this way.

I like the idea of a whitelist, but I don't think that list is provided by anyone else. I think it is basic that each user makes it by trial and error.
 

AtlBo

Level 27
Verified
Content Creator
Think Melih is saying that other methods are inferior and leave the customer imprisoned with malware, while Comodo with its HIPS detects everything happening under the surface. In other words, even an infected system could be cured by installing Comodo, because all infection activity would be detected by HIPS.

So I guess Comodo is the vaccine in this scenario and in Melih's presentation. If the software were combined with good network and control monitoring software, I suppose this could be true of Comodo really. As it is, it is good on machines on a one-by-one basis where the operator understands what is happening. Don't think Comodo has great network control software at this point (STILL :)).
 

fabiobr

Level 9
Verified
danb said: [quoted from danb's reply above]
For full protection whitelisting is not enough.

As we saw here at MT, and as shown by Bitdefender research, a good behavior blocker is needed to block suspicious behavior that a healthy process might be having.

Ransomware and financial malware are already using trusted Windows processes to bypass AV protections/whitelists.
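The three design points raised in this thread (danb's tiny "snapshot" allowlist of previously running processes, Chri.Mi's question about keying the list on the process and parent-process signer to shrink it, and fabiobr's point that a trusted Windows process can be driven by malware so an allowlist alone is not enough) can be made concrete with a small policy evaluator. The following Python is an added example written for this page; it is not code from Comodo, VoodooShield or any product named here. Every process event, file hash, path and signer name in it is constructed sample data, and the policy functions (`hash_policy`, `signer_policy`, `behaviour_rule`, `evaluate`) are hypothetical names chosen for illustration.

```python
# Added example, not Comodo's or VoodooShield's code. A toy process-launch policy
# evaluator contrasting:
#   1. a per-file hash "snapshot" allowlist (small, precise, brittle on updates)
#   2. a signer-based allowlist on process + parent signer (far fewer entries)
#   3. a parent/child behaviour rule that still blocks a signed, allowlisted
#      Windows tool when it is launched by an unusual parent.
# All paths, hashes and signer names below are constructed sample values.
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple
import hashlib
import ntpath


@dataclass(frozen=True)
class ProcessEvent:
    """Shape a launch event from a sensor might have (constructed for this example)."""
    path: str
    sha256: str
    signer: Optional[str]          # None means the binary is unsigned
    parent_path: str
    parent_signer: Optional[str]


def _h(label: str) -> str:
    """Stand-in for a real file hash; hashing a label keeps the sample data reproducible."""
    return hashlib.sha256(label.encode()).hexdigest()


# Policy 1: hashes of the processes seen running on a known-clean machine.
SNAPSHOT_ALLOWLIST: Set[str] = {
    _h("explorer.exe build 1"),
    _h("winword.exe build 1"),
    _h("powershell.exe build 1"),
}

# Policy 2: allowlist keyed on code signer (constructed vendor names). Two entries
# stand in for the thousands of hashes a per-file list would need.
SIGNER_ALLOWLIST: Set[str] = {"Example OS Vendor", "Example Office Vendor"}

# Policy 3: parent/child pairs treated as suspicious even when both are signed.
SUSPICIOUS_PARENT_CHILD: Set[Tuple[str, str]] = {
    ("winword.exe", "powershell.exe"),
    ("winword.exe", "cmd.exe"),
    ("excel.exe", "powershell.exe"),
}


def hash_policy(ev: ProcessEvent) -> str:
    """Allow only exact hashes captured in the snapshot."""
    return "allow" if ev.sha256 in SNAPSHOT_ALLOWLIST else "block"


def signer_policy(ev: ProcessEvent) -> str:
    """Allow when both the process and its parent carry an allowlisted signer."""
    if ev.signer in SIGNER_ALLOWLIST and ev.parent_signer in SIGNER_ALLOWLIST:
        return "allow"
    return "block"


def behaviour_rule(ev: ProcessEvent) -> bool:
    """True when the launch matches a suspicious parent/child pattern."""
    pair = (ntpath.basename(ev.parent_path).lower(), ntpath.basename(ev.path).lower())
    return pair in SUSPICIOUS_PARENT_CHILD


def evaluate(ev: ProcessEvent, allowlist_policy: Callable[[ProcessEvent], str]) -> str:
    """Allowlist decision first; the behaviour rule can override an 'allow'."""
    verdict = allowlist_policy(ev)
    if verdict == "allow" and behaviour_rule(ev):
        return "block:suspicious-parent-child"
    return verdict


# Constructed sample events.
EV_WORD_KNOWN = ProcessEvent(
    path=r"C:\Program Files\Office\winword.exe", sha256=_h("winword.exe build 1"),
    signer="Example Office Vendor", parent_path=r"C:\Windows\explorer.exe",
    parent_signer="Example OS Vendor")
EV_WORD_UPDATED = ProcessEvent(   # same signer, new build: hash changed
    path=r"C:\Program Files\Office\winword.exe", sha256=_h("winword.exe build 2"),
    signer="Example Office Vendor", parent_path=r"C:\Windows\explorer.exe",
    parent_signer="Example OS Vendor")
EV_UNSIGNED = ProcessEvent(       # unsigned download launched by the user
    path=r"C:\Users\user\Downloads\invoice.pdf.exe", sha256=_h("unknown dropper"),
    signer=None, parent_path=r"C:\Windows\explorer.exe",
    parent_signer="Example OS Vendor")
EV_WORD_SPAWNS_PS = ProcessEvent(  # signed OS tool, but launched by Word
    path=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    sha256=_h("powershell.exe build 1"), signer="Example OS Vendor",
    parent_path=r"C:\Program Files\Office\winword.exe",
    parent_signer="Example Office Vendor")


def demo() -> Dict[str, Tuple[str, str]]:
    """Verdicts per event as (snapshot-hash policy, signer policy), both with the behaviour rule."""
    events = {"known winword": EV_WORD_KNOWN, "updated winword": EV_WORD_UPDATED,
              "unsigned download": EV_UNSIGNED, "winword -> powershell": EV_WORD_SPAWNS_PS}
    return {name: (evaluate(ev, hash_policy), evaluate(ev, signer_policy))
            for name, ev in events.items()}


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:22s} hash={verdicts[0]:28s} signer={verdicts[1]}")
```

The updated Word binary is the false positive imuade describes: the snapshot hash list blocks it while the signer list lets it through. The unsigned download is blocked by both. The last event is fabiobr's case: PowerShell is in the snapshot and carries an allowlisted signer, so both allowlists say "allow", and only the parent/child rule stops it.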
 