What makes CF so special and should I use it + an issue with it and some other questions
vertigo said (post 788492):

@imuade - Thanks. As I mentioned, I suspected the sandboxing was it, but while it appears great in theory for unknowns (I say in theory due to the UAC/PL bug as well as who knows what other ones since, as you said, they have a reputation for being slow to fix them), it's awful dealing with files it deems as malware that the user wants to run anyway, suspecting them to be clean but not being sure, and therefore wanting to run them sandboxed as a precaution. The reason is, as detailed in the OP, when removing an item from the quarantine, the rule it creates for it is an ignore/allow rule, NOT a limited/restricted one. I consider this to be a very dangerous default, which is even worse considering there's no option (that I could find anyway) to change it. What other software is there that could accomplish the same thing? Sandboxie runs things virtualized, which is different and, while certainly great for some things, isn't as good as limited containment for others. Shadow Defender would sort of do it, but on a system-wide level, and I didn't care for it at all when I tested it. Is there something that will do containment like CF vs full virtualization?

@Arequire - Thanks. I understand certificates, my point was that I was hoping heuristics/BBs would detect malicious activity despite a software being certified and warn about it, but it appears they all just completely ignore it due to the certificate, which certainly makes sense, and prevents lots of FPs no doubt, but can be an issue when the certificate is compromised. And I don't have to imagine a case where black hats do this; as I mentioned in my OP, my test file is the CCleaner file that exactly this happened with, which is why I'm using it, because it allows me to at least somewhat test that type of situation.
And as much as I like EAM from my testing, the fact it didn't block it based on the revoked certificate simply because it wasn't in the signatures (as I said, I installed it without them intentionally to test this) is one of the big issues I have with that software. And I'm aware that it will quarantine applications perceived to be malicious, but that's my point. This makes it very poor at dealing with suspected malicious files that may or may not actually be malicious. The reason is, as detailed in the OP, when removing an item from the quarantine, the rule it creates for it is an ignore/allow rule, NOT a limited/restricted one. I consider this to be a very dangerous default, which is even worse considering there's no option (that I could find anyway) to change it. Thanks for the explanation of the various containment levels. I find it interesting that CS considers PL, the lowest level, to be enough. Based on their descriptions, I certainly wouldn't think it would be, but I guess I'd just have to trust her on that one, and it would at least be better than nothing. Still, it would be nice if the UAC bug would be fixed. As for treating everything that gets sandboxed as malicious (and inversely, assuming everything that doesn't is NOT malicious), the problem is that I worry apps may not be able to run 100% properly in that state, so if they're sandboxed and I trust them but am not absolutely sure, which you can never really be without auditing the code, then I'm wondering how I could determine if they are safe or malicious if they might be acting safe since they're sandboxed.
And with regard to running CF and SAP together, I'm not sure which one I'd rather go without (I actually mostly like SAP, though they haven't responded to an email I sent about a month ago), but I tested them together in a VM just now and there were no immediate problems, so maybe the issue's been fixed.

@Umbra - This rings a bell, and I'm sure I read it somewhere around these forums. Do you mean they just disappear randomly, or during updates, or something else? Is it firewall, containment, or all rules? I'm assuming Settings > General Settings > Configuration > Import/Export allows you to back them up and restore them, so that's something at least, but I'm guessing you don't even know it happened without either checking periodically or finding out a program was able to do something it shouldn't? I agree, though, any program, but especially a security software, needs to be reliable. Reports of CF's bugs and concerns of Comodo at a minimum continuing to ignore them and worse completely dropping the product make me wary of using it, as good as it might otherwise be. Frankly, I'd rather not use it, since I'd use something else for firewall management anyway and I don't want to deal with random compatibility issues which it's apparently known for, but if it's the only/best protection against unknowns, I don't want to dismiss it out of hand.
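A check for the certificate situation the post describes (a signed installer whose signer certificate was later revoked, which a product with no signature entry for the file may wave through), added here as an example and not taken from the thread or from CF/EAM; it assumes Windows PowerShell 5.1 or later on Windows, and $Path is whatever file you want to inspect:

```powershell
# Added example (not from the thread or from any product discussed in it): inspect a
# file's Authenticode signature, then check the signer certificate's revocation status
# online, so a revoked certificate is noticed independently of any AV signature database.
# Assumes Windows PowerShell 5.1+ on Windows with network access for CRL/OCSP lookups.
using namespace System.Security.Cryptography.X509Certificates

param(
    [Parameter(Mandatory = $true)]
    [string]$Path
)

$sig = Get-AuthenticodeSignature -FilePath $Path
"Signature status : $($sig.Status)"

if ($null -eq $sig.SignerCertificate) {
    "Verdict          : not signed; treat as unknown, never as trusted"
    return
}

$cert = $sig.SignerCertificate
"Signer           : $($cert.Subject)"
"Valid from/to    : $($cert.NotBefore) / $($cert.NotAfter)"

# Build the chain ourselves with online revocation checking for every certificate in it,
# rather than relying on the summary Status value alone.
$chain = [X509Chain]::new()
$chain.ChainPolicy.RevocationMode = [X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [X509RevocationFlag]::EntireChain
$chainOk = $chain.Build($cert)

$revoked = $chain.ChainStatus | Where-Object {
    $_.Status.HasFlag([X509ChainStatusFlags]::Revoked)
}
$unknown = $chain.ChainStatus | Where-Object {
    $_.Status.HasFlag([X509ChainStatusFlags]::RevocationStatusUnknown) -or
    $_.Status.HasFlag([X509ChainStatusFlags]::OfflineRevocation)
}

if ($revoked) {
    "Verdict          : signer certificate is REVOKED; the signature proves nothing here"
} elseif ($unknown) {
    "Verdict          : revocation status unknown (CRL/OCSP unreachable); do not assume trusted"
} elseif ($chainOk -and $sig.Status -eq 'Valid') {
    "Verdict          : valid signature and no revocation; still says nothing about behaviour"
} else {
    $why = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    "Verdict          : chain build failed: $why"
}
```

Windows can still treat a timestamped signature made before the revocation date as valid, which is why the chain status is inspected explicitly instead of trusting the Status field on its own.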