Re: How good is Comodo Internet Security?
- From: Ansgar -59cobalt- Wiechers <usenet-2008@xxxxxxxxxxxxxxxx>
- Date: Sat, 27 Dec 2008 16:42:22 +0100 (CET)
nik gr <nikos1337@xxxxxxxxx> wrote:
"Ansgar -59cobalt- Wiechers" <usenet-2008@xxxxxxxxxxxxxxxx> wrote:
nik gr <nikos1337@xxxxxxxxx> wrote:
"Ansgar -59cobalt- Wiechers" <usenet-2008@xxxxxxxxxxxxxxxx> wrote:
Ask yourself:
a) How would a program manage to detect every possible kind of malware?
b) How would a program manage to reliably distinguish between user
actions and actions carried out by some software in place of the
user?
The answer to both questions is, of course, very simple: it can't.
a) Of course CPF can't detect every possible kind of malware, but it
can analyse the behaviour of a weird executable that is trying to
meddle with Windows itself by means of gaining access to specific
system services or creating hooks or using shared DLLs. The moment
such a thing might occur, CPF will alert me to react to these
actions by allowing or blocking them.
When running with admin privileges, any program can do anything on your
system. Period. That's what administrative privileges mean. That
includes of course terminating Comodo before doing anything else. If the
program can't do that, it doesn't have admin privileges anymore. And
neither do you.
No it can't, because firewalls are there to block those actions.
Again, they can't do that reliably.
If you don't believe that then why don't you remove your firewall from
your system?
Why would I remove something I haven't installed in the first place?
By your saying it's crap. Any malware with admin rights can *** it
down as you say. Then why bother?
Exactly.
Personally I believe CPF has mechanisms to prevent this.
Security is not a religion. This is about knowing, not about believing.
And I can assure you that Comodo cannot have mechanisms to prevent this,
unless it strips your admin account of its admin privileges.
Stripping an admin account of its admin privileges instead of simply
using an account with limited privileges is plain stupid.
Who said anything about stripping admin accounts of admin rights?
I did. Because that is the only way the program could restrict software
running with admin privileges from doing whatever it pleases.
How many drinks did you have?
Unlike you I happen to know what I'm talking about.
b) Same as answer (a). CPF can't tell if I made an action or some
trojan did. But by analysing the nature of the action, its behaviour,
as in what it tries to mess with, it will notify me of the event that
has taken place.
Same answer as a): no.
You. Cannot. Restrict. Administrators. Period.
Not without demoting them from being administrators that is.
Again, what are you talking about?
About your claim that Comodo could restrict software being run under
your admin account.
The question here is whether the fw can distinguish whether an action is
made by the user or by a trojan.
That is one of the questions. It is by no means the only question. Even
if a program could distinguish between good and malicious actions (which
it can't): what good would that do, if malware could simply terminate
the program trying to detect malicious actions? Yes, programs running
with admin privileges can do that, whether you like that fact or not.
If it tried to put itself in the WinXP startup it will tell me about
it and I block it, the same way if it tries to inject data into another
process I will be notified and block it, or if it tries to use
Windows services to abuse them and hide itself I will also be
notified to block it.
If the program were to intercept every possible kind of
communication a malware might abuse, you'd be flooded with
notifications, because other (legitimate) programs use the very
same mechanisms. That's simply not feasible.
I would be flooded with notifications only by non-valid Windows
components/applications trying to perform trickery; legitimate
Windows services won't be filling me with pop-up alerts.
Since we already agreed that Comodo can't distinguish between what is
and isn't legitimate: of course you will. Otherwise you'll get false
negatives.
When did I agree that Comodo can't distinguish between what is and
what isn't legitimate?
Not only do I not agree, I strongly disagree.
Oh, really? You may want to explain then, how Comodo might do that
trick.
Comodo knows which apps are Windows components and has them on
white lists internally. It only asks questions for all other apps,
including trojans.
Is that true? Do you know how those whitelists are implemented? Do they go
by name? With or without path? Hash? Which algorithm? How do they deal
with updates? How do they protect against malicious "updates"? Not to
mention that Windows' system files are the least of your problems,
because they're digitally signed by Microsoft anyway, so you can simply
check their integrity yourself with sigverif.exe.
Did you ever notice that the majority of the programs installed on most
systems does not come from Microsoft, but some third party? Meaning that
you'd still be flooded with notifications.
Do you have even the slightest understanding of what's going on on your
system? Have you ever run Regmon or Filemon? Have you ever run TCPView
or netstat? Have you ever inspected actual network communication with a
protocol analyzer like Wireshark? Do you understand how IPC through
window messages works? Do you have anything but your religious belief
that Comodo will fix things for you?
I still ain't convinced why CPF by itself ain't enough to protect
me, since it seems it can understand all the mechanisms an app can use
to alter data on my system or to create communication paths.
For whatever reason you want to believe that.
Personally I feel pretty safe with CPF.
Feeling safe is not quite the same as being safe.
And how exactly do you distinguish between the two modes regarding your
security?
By avoiding risks in the first place. By taking an actual look at what's
going on on the system myself. From an admin account that is unlikely to
be compromised, because day-to-day work is done from an account with
limited rights. Or by booting a clean system to check the potentially
compromised system. By inspecting the network traffic (with some other
system) and deciding for myself what traffic is or isn't valid. A
program cannot make this decision for you.
cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
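The whitelist questions raised in the post above (by name? with or without path? by hash? what about updates and malicious "updates"?), worked through as an added example. This is not code from the thread, from Comodo, or from any real product; the three lookup strategies, the file contents and the paths are constructed stand-ins that only exist to show what each kind of whitelist does and does not catch.

```python
"""Three hypothetical ways a behaviour blocker could keep a list of
"trusted Windows components", and how each one behaves when a trojan
borrows a trusted name, when malware overwrites a trusted file in place
(a malicious "update"), and when Microsoft ships a genuine update.

Everything here is constructed for illustration: the byte strings are
not real PE files and the paths are only labels.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Constructed file contents. What matters is that content and location
# can change independently of each other.
GENUINE_SVCHOST = b"MZ...genuine svchost build 5.1.2600.5512"
PATCHED_SVCHOST = b"MZ...genuine svchost build 5.1.2600.5755"  # legitimate update
TROJAN = b"MZ...trojan that calls itself svchost"

# Constructed "filesystem": full path -> file bytes.
FILESYSTEM: Dict[str, bytes] = {
    r"C:\Windows\System32\svchost.exe": GENUINE_SVCHOST,
    r"C:\Windows\System32\lsass.exe": b"MZ...genuine lsass",
}


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Whitelists:
    by_name: Set[str]  # bare file names, e.g. "svchost.exe"
    by_path: Set[str]  # full lower-cased paths
    by_hash: Set[str]  # SHA-256 of each approved build


def build_whitelists(fs: Dict[str, bytes]) -> Whitelists:
    """Snapshot the current (assumed clean) system into all three list types."""
    return Whitelists(
        by_name={basename(p) for p in fs},
        by_path={p.lower() for p in fs},
        by_hash={sha256_of(data) for data in fs.values()},
    )


def trusted_by_name(wl: Whitelists, path: str) -> bool:
    return basename(path) in wl.by_name


def trusted_by_path(wl: Whitelists, path: str) -> bool:
    return path.lower() in wl.by_path


def trusted_by_hash(wl: Whitelists, path: str, fs: Dict[str, bytes]) -> bool:
    return sha256_of(fs[path]) in wl.by_hash


def verdicts(wl: Whitelists, path: str, fs: Dict[str, bytes]) -> Tuple[bool, bool, bool]:
    """(name, path, hash) verdicts for one file on one filesystem state."""
    return (trusted_by_name(wl, path), trusted_by_path(wl, path), trusted_by_hash(wl, path, fs))


def scenarios() -> Dict[str, Tuple[bool, bool, bool]]:
    """Run the three attack/update scenarios against lists built from a clean system.

    Note that none of these checks help if the checker itself has already
    been terminated by malware running with admin rights; the lists only
    say something about a file, not about who is allowed to act.
    """
    wl = build_whitelists(FILESYSTEM)
    results: Dict[str, Tuple[bool, bool, bool]] = {}

    # 1. Trojan dropped under a trusted name in a directory the user can write to.
    fs = dict(FILESYSTEM)
    dropped = r"C:\Temp\svchost.exe"
    fs[dropped] = TROJAN
    results["dropped_copy"] = verdicts(wl, dropped, fs)  # name trusts it, path/hash do not

    # 2. Malicious "update": admin-level malware overwrites the real file in place.
    fs = dict(FILESYSTEM)
    real = r"C:\Windows\System32\svchost.exe"
    fs[real] = TROJAN
    results["overwritten_in_place"] = verdicts(wl, real, fs)  # only the hash list notices

    # 3. Legitimate update: same path, new genuine build, old hash list.
    fs = dict(FILESYSTEM)
    fs[real] = PATCHED_SVCHOST
    results["legitimate_update"] = verdicts(wl, real, fs)  # hash list now rejects a good file

    return results


if __name__ == "__main__":
    for name, (n, p, h) in scenarios().items():
        print(f"{name:22s} name={n!s:5s} path={p!s:5s} hash={h!s:5s}")
```

The point of the three columns: a name list is fooled by any file that borrows the name, a path list is fooled by anything that can write to the system directory (which admin-level malware can), and a hash list catches both but has to be re-issued with every genuine update or it starts rejecting Microsoft's own files. Whatever the vendor picks, the list describes files, not intent, which is why it cannot answer the question of whether an action was the user's or a trojan's.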