Trusted Application Module vs Application Control vs CIS

C5584

Level 1
Thread author
May 17, 2018
5
Long story short:
The idea is to let only signed (and therefore trusted) applications to run and to make changes to the system.

If an application is not signed:
- It is sandboxed
- It is blocked

I only know these vendors who do it:

Comodo Internet Security: HIPS "Safe Mode" only allows signed executables to run. Users can submit vendors' executables to be whitelisted. One of the most effective methodologies that I know, which effectively blocks all kinds of threats: known and unknown, independently of whether the threat is recognized by signatures or not. When I set this up for users that run everything blindly, I never had problems again.

Kaspersky Internet Security: Trusted Applications Module, works similarly to Comodo. If a .dll/.exe/whatever isn't signed and is unknown to the Kaspersky Security Network (KSN), it is blocked. You can even query if an executable is common and run by many users in the KSN.

BitDefender App Protection: the weaker one (and huge confusion with the "Threat Defense" and "behavior blocker"?). Doesn't seem to do much. I barely see any information about signed/unsigned apps, dlls or whatever. Or even if this is the way this module runs, or if it is even more basic than that. Barely any documentation on how the module operates.


In a discussion about Kaspersky Free vs Bitdefender Free, a user states the following:
My opinion: bitdefender free. Why? No Ads, good signatures and with atc (proactive detection). Kaspersky free and sophos don't have a behavior blocker.


I've tested CIS and KIS and I'm currently evaluating the renewal of the security product. I'm having a few doubts about whether Bitdefender is sophisticated and on par with CIS/KIS.

1. Best: CIS
2. Second best: KIS
3. Weak: Bitdefender

CIS seems to be the most polished implementation, followed right behind by KIS.

So, a few questions:
a) Any opinion about the BitDefender modus operandi?
b) Any difference between BitDefender's Threat Defense, behavior blocker and App Protection?
b1) Are any of those actually built into BitDefender Free?
c) Any other vendors that have implemented something like this?

Any comments/experience about this kind of next-generation defense are appreciated.

509322

Kaspersky TAM just blocks stuff, whereas COMODO will auto-sandbox it (assuming that the HIPS module is disabled). TIP: You can configure COMODO to function the same as TAM by setting the sandbox policy to block unknown stuff instead of running it in the sandbox.

Block by default is always the safest, most conservative option.

The weakness with all reputation based systems is allowing files based predominantly upon a digital certificate and a list of trusted publishers. Reputation systems provide relatively high, convenient security but they can still be bypassed and they are not immune to errors.

C5584

Level 1
Thread author
May 17, 2018
5
I know about the need to trust the chain of signing of an executable.
Comodo's HIPS "Safe Mode" works the same as TAM indeed. But I had a few problems with KIS TAM blocking a few *signed* dlls and breaking applications, whereas Comodo correctly identified and recognized new/updated components.

So, KIS TAM is only blocking and KIS has no auto-sandbox, is that right?

Where does BitDefender stand in all of this?

Comodo seems to be the most sophisticated one on this?

509322

Kaspersky TAM is default-deny based upon a policy of allowing files by file reputation - either a file is digitally signed by a publisher on the Kaspersky trusted publisher list or an unsigned file with an acceptable community\KSN reputation; it does not use virtualization like sandboxing.

Kaspersky sometimes blocks updated\modified programs, but the user is provided the mechanism with TAM\Application Control to unblock.

I don't know about Bitdefender.

Deleted member 178

For Comodo to be effective, its Trusted Vendor List must be rebuilt by the user. Comodo sells its certificates to almost anyone with enough cash.
The default Comodo TVL can't be trusted.

cruelsister

Level 42
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,133
That's not really correct. An application can be signed and counter-signed by whoever, but the legitimacy of that file would be decided on a file-by-file basis. The initial stolen certificate can be revoked; this results in a block of that file even though the vendor itself is still on the TVL. Essentially the same procedure as with other vendors in dealing with signed malware.
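To make the policy described in this thread concrete (allow if signed by a listed publisher, otherwise fall back to reputation, otherwise block or sandbox, and never allow a revoked or tampered signature regardless of the publisher list), here is an added PowerShell audit script that is not code from Comodo, Kaspersky or any poster. It uses the built-in Get-AuthenticodeSignature and Get-FileHash cmdlets; the publisher list and the local reputation table are constructed stand-ins for a vendor's TVL and cloud (KSN-style) lookup, and the function, parameter and variable names are the author's own.

```powershell
# Added example: report what a default-deny, signature-plus-reputation policy would
# do to the executables under a folder, in TAM-style 'Block' or Comodo-style 'Sandbox' mode.
param(
    [string]$Path = "$env:ProgramFiles",
    [ValidateSet('Block', 'Sandbox')][string]$UnknownAction = 'Block'
)

# Constructed trusted publisher list (matched as a substring of the certificate subject).
$TrustedPublishers = @('O=Microsoft Corporation', 'O=Mozilla Corporation')

# Constructed stand-in for a cloud reputation lookup keyed by SHA-256 ('good' or absent).
# A real product would query its own cloud here; this table is intentionally empty.
$LocalReputation = @{}

function Get-DefaultDenyVerdict {
    param([System.IO.FileInfo]$File)
    $sig  = Get-AuthenticodeSignature -FilePath $File.FullName
    $hash = (Get-FileHash -Algorithm SHA256 -Path $File.FullName).Hash
    switch ($sig.Status) {
        'Valid' {
            $subject = $sig.SignerCertificate.Subject
            if ($TrustedPublishers | Where-Object { $subject -like "*$_*" }) {
                return [pscustomobject]@{ File = $File.FullName; Verdict = 'Allow'; Reason = "trusted publisher: $subject" }
            }
            # Validly signed, but the publisher is not on the list: fall through to reputation.
            $reason = "signed by unlisted publisher: $subject"
        }
        'NotSigned' { $reason = 'unsigned' }
        default {
            # HashMismatch, NotTrusted (revoked or untrusted chain), UnknownError, etc.:
            # the file is blocked even if its publisher is on the list.
            return [pscustomobject]@{ File = $File.FullName; Verdict = 'Block'; Reason = "signature status $($sig.Status)" }
        }
    }
    if ($LocalReputation[$hash] -eq 'good') {
        return [pscustomobject]@{ File = $File.FullName; Verdict = 'Allow'; Reason = "good reputation ($reason)" }
    }
    # No trusted signer and no reputation: the policy's configured action for unknowns.
    return [pscustomobject]@{ File = $File.FullName; Verdict = $UnknownAction; Reason = "no reputation ($reason)" }
}

# Everything that would NOT simply be allowed is what a default-deny rollout would surface.
Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
    ForEach-Object { Get-DefaultDenyVerdict -File $_ } |
    Where-Object Verdict -ne 'Allow' |
    Format-Table -AutoSize
```

Running it against an application folder before enabling such a module shows which signed-but-unlisted components would be treated as unknown, which is the class of breakage the thread author saw with updated DLLs.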

C5584

Level 1
Thread author
May 17, 2018
5
Despite the fact that the certification chain could be corrupted or fooled, I'm more interested in whether KSN/Comodo or whatever is reliable enough to ensure the protection of "block by default".

KIS/Comodo solutions are more clear to me now.

However, I still have a few doubts and if anyone could answer or knows something about:

a) Does BitDefender actually have that "Behavioral blocker"?
b) Does Kaspersky Free lack this technology, and does BitDefender Free have it?
c) Clarification about BitDefender's "Threat Defense" vs "Behavior Blocker" vs "App Protection"

Or if anyone wants to discuss whether this feature is that important. I have the feeling that it makes A LOT of difference when protecting users, but does anyone have a different opinion on real-world scenarios?

C5584

Level 1
Thread author
May 17, 2018
5
TAM continues to be in Kaspersky 2019 products

Application control -> Sandbox-like application control
Trusted Applications Module -> Deny by default based on KSN reputation

This looks a LOT superior to BitDefender's technology, that was what I was trying to compare initially.