Re: How good is Comodo Internet Security?



Nik Gr <nikos1337@xxxxxxxxx> wrote:
"Ansgar -59cobalt- Wiechers" <usenet-2008@xxxxxxxxxxxxxxxx> wrote:
That is one of the questions. It is by no means the only question.
Even if a program could distinguish between good and malicious
actions (which it can't): what good would that do, if malware could
simply terminate the program trying to detect malicious actions? Yes,
programs running with admin privileges can do that, whether you like
that fact or not.

If what you say stands TRUE,

It's true under the condition that malware is run under an admin account
which has not been restricted in any significant way.

especially if malware could SIMPLY TERMINATE security products that
get in their way, then the majority of all computer users must be
really idiots or plain ignorant to start or continue using personal
firewalls, including me.

Well, if you want to put it that way ...

Heck, we EXPECT from a damn good firewall like CPF to protect its own
process and NOT to get shut down by even the smartest malware.

Well, duh. You expecting something doesn't necessarily mean that your
expectations will be met.

Any administrative account can, by definition, do *anything* on the
system, and so can any software running with the same privileges. To
avoid that you have to reduce the account's privileges. The normal way
to achieve this is to create a normal user account (LUA) for normal work
and to use the admin account only for admin tasks.

Some personal firewalls go a different route, because many people still
insist on doing their day-to-day work from an admin account. The PFWs
employ rootkit techniques to restrict administrators, so that even admin
accounts cannot tamper with the personal firewall. That is less than
desirable, because who will be the administrator on your machine when
the administrator account is not the administrator anymore? Even worse,
the rootkit functionality may be (ab)used by malware to disguise itself.
This has already happened in the case of the Sony rootkit [1].

[...]
And how exactly do you distinguish between the two modes regarding
your security?

By avoiding risks in the first place. By taking an actual look at
what's going on on the system myself. From an admin account that is
unlikely to be compromised, because day-to-day work is done from an
account with limited rights.

Or by booting a clean system to check the potentially compromised
system.

How are you accomplishing that? Is there a way to start Windows clean
from CD/DVD to check if my installed system is altered from what it was
initially?

There's BartPE [2] for instance. You could also use a Linux live CD to
examine a Windows system.

By inspecting the network traffic (with some other
system) and deciding for myself what traffic is or isn't valid. A
program cannot make this decision for you.

I agree.
TCPView
Wireshark
Process Explorer I have.

Do I need something else?

First and foremost you need to understand what those programs are
telling you. Without that no tool will do you any good.

Other programs that may be helpful are Autoruns, Regmon/Filemon or
Process Monitor, rootkit detection tools like Rootkit Revealer or
Rootkit Hook Analyzer, Port Reporter, nmap, debuggers and many more.
There is no definitive list, though. Computer forensics is a quite
difficult and complex field.

But hell, even if I use all that monitoring stuff and firewalls are
really no good, I will still get infected, won't I?

You may get infected. There is no way to entirely protect your computer
from that risk if you want to keep using it. You can reduce this risk,
though, and one important step in that direction is to avoid using an
account with admin privileges, because malware running with reduced
privileges cannot compromise other accounts or the entire system.

Also, you don't want to restrict malware after your system was infected.
Instead you want to avoid getting infected in the first place. Keeping
your operating system and software up-to-date is crucial for that. Virus
scanners may also help if you keep in mind that they can only detect the
presence of malware, never the absence of malware. Another thing that
may help are Software Restriction Policies [3].

You said that you often try out new software. That does increase your
risk of getting infected. A way to mitigate this could be to try new
software on a separate system (e.g. a virtual machine) before using it
on your "live" system.

[1] http://en.wikipedia.org/wiki/2005_Sony_BMG_CD_copy_protection_scandal
[2] http://www.nu2.nu/pebuilder/
[3] http://technet.microsoft.com/en-us/library/bb457006.aspx

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
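Checking a Windows installation from a clean boot, as 59cobalt suggests with BartPE or a Linux live CD, is far more useful if you have a baseline to compare against. The following is an added example and not code from the original thread: a small Python script that builds a SHA-256 manifest of a directory tree and diffs a later manifest against it. The intended workflow is to take the baseline right after installation, keep it on read-only media, then boot the live CD, mount the Windows volume (the `/mnt/windows` mount point below is an assumption) and verify. The `demo()` function runs the same logic on a constructed temporary directory with made-up file names so the script can be exercised offline.

```python
import hashlib
import json
import os
import sys
import tempfile
from pathlib import Path


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large system files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # links and special files hash nothing useful
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest


def compare_manifests(baseline, current):
    """Report what appeared, vanished or changed since the baseline was taken."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def save_manifest(manifest, path):
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Exercise the workflow on a constructed directory tree (file names are made up)."""
    with tempfile.TemporaryDirectory() as tmp:
        sys32 = Path(tmp) / "Windows" / "system32"
        (sys32 / "drivers").mkdir(parents=True)
        (sys32 / "kernel32.dll").write_bytes(b"original kernel32 contents")
        (sys32 / "drivers" / "tcpip.sys").write_bytes(b"original tcpip contents")
        baseline = build_manifest(tmp)          # taken from the known-clean install

        # Simulate tampering: one file patched, one dropped in, one deleted.
        (sys32 / "kernel32.dll").write_bytes(b"patched kernel32 contents")
        (sys32 / "drivers" / "rk.sys").write_bytes(b"unknown driver")
        (sys32 / "drivers" / "tcpip.sys").unlink()
        current = build_manifest(tmp)           # taken later, booted from the live CD
        return compare_manifests(baseline, current)


if __name__ == "__main__":
    # Assumed usage:  baseline.py baseline /mnt/windows base.json
    #                 baseline.py verify   /mnt/windows base.json
    if len(sys.argv) == 4 and sys.argv[1] == "baseline":
        save_manifest(build_manifest(sys.argv[2]), sys.argv[3])
    elif len(sys.argv) == 4 and sys.argv[1] == "verify":
        diff = compare_manifests(load_manifest(sys.argv[3]), build_manifest(sys.argv[2]))
        for kind, paths in diff.items():
            for p in paths:
                print(f"{kind:9s} {p}")
        sys.exit(1 if any(diff.values()) else 0)
    else:
        print(demo())
```

Both manifests must be taken while booted from the clean medium, for the reason given above: a rootkit with admin rights on the running system can lie to any scan performed from inside it. Expect legitimate noise in registry hives, event logs and Prefetch, and refresh the baseline after every Windows Update; the interesting entries are the ones you cannot explain, which is exactly the judgement no tool makes for you.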
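On the point that a program cannot decide for you which traffic is valid: once you have made that decision, you can write it down so the next review only shows what you have not already judged. The following is an added example, not from the thread: Python that parses the text output of `netstat -ano` and reports every listener and established connection not covered by allowlists you maintain by hand. The sample netstat lines and the PID-to-image map are constructed for the example, not captured from a real machine.

```python
import re

# Constructed sample of `netstat -ano` output; not captured from a real host.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.168.1.10:49321     203.0.113.5:443        ESTABLISHED     2212
  TCP    192.168.1.10:49388     198.51.100.7:6667      ESTABLISHED     3120
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       3120
  TCP    192.168.1.10:49390     203.0.113.5:443        TIME_WAIT       0
  UDP    0.0.0.0:137            *:*                                    4
"""

# Constructed PID -> image name map, as `tasklist` or Process Explorer would show it.
PROCESS_NAMES = {4: "System", 884: "svchost.exe", 2212: "firefox.exe", 3120: "updater.exe"}

# Your own judgement, written down: (image, local port) allowed to listen and
# (image, remote port) allowed to connect out. Everything else is reported.
ALLOWED_LISTENERS = {("svchost.exe", 135), ("System", 137)}
ALLOWED_OUTBOUND = {("firefox.exe", 80), ("firefox.exe", 443)}

# The State column is absent on UDP rows, hence the optional group.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def split_endpoint(endpoint):
    """'host:port' -> (host, port). IPv6 looks like '[::]:135'; a '*' port becomes None."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Turn netstat -ano text into a list of socket dicts, skipping headers."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, remote, state, pid = m.groups()
        lhost, lport = split_endpoint(local)
        rhost, rport = split_endpoint(remote)
        rows.append({"proto": proto, "lhost": lhost, "lport": lport,
                     "rhost": rhost, "rport": rport, "state": state or "", "pid": int(pid)})
    return rows


def review(rows, names, allowed_listeners, allowed_outbound):
    """Return one finding per socket that the allowlists do not explain."""
    findings = []
    for r in rows:
        image = names.get(r["pid"], f"pid {r['pid']}")
        is_listener = r["state"] == "LISTENING" or (r["proto"] == "UDP" and r["rport"] is None)
        if is_listener:
            if (image, r["lport"]) not in allowed_listeners:
                findings.append(f"unexpected listener: {image} on {r['proto']}/{r['lport']}")
        elif r["state"] == "ESTABLISHED":
            if (image, r["rport"]) not in allowed_outbound:
                findings.append(f"unexpected outbound: {image} -> {r['rhost']}:{r['rport']}")
        # TIME_WAIT, CLOSE_WAIT and friends are leftovers; look at them only if they recur.
    return findings


def review_sample():
    """Run the review over the constructed sample data."""
    return review(parse_netstat(NETSTAT_SAMPLE), PROCESS_NAMES,
                  ALLOWED_LISTENERS, ALLOWED_OUTBOUND)


if __name__ == "__main__":
    for finding in review_sample():
        print(finding)
```

Two findings come out of the sample: an outbound connection on port 6667 and a listener on port 4444, both belonging to an image the allowlists never mention. Note the caveat from the thread: netstat runs on the possibly compromised machine, so a rootkit with admin rights can hide sockets from it. That is why 59cobalt says to inspect the traffic "with some other system"; a capture taken on a second box with Wireshark is the check that the allowlist review cannot replace.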