How good is Comodo Internet Security?

"Volker Birk" wrote in message news: snipped-for-privacy@news.in-ulm.de...

Okay, perhaps you want to tell me why and how I will keep being aware of what is happening to my system when malware tries to compromise it, in case I get infected?

Routers and hardware firewalls won't save my ass when Windows gets infected and malware nests in my system, creating outgoing connections to download some more malstuff and update itself.....

Reply to
nik gr

When running with admin privileges, any program can do anything on your system. Period. That's what administrative privileges mean. That includes of course terminating Comodo before doing anything else. If the program can't do that, it doesn't have admin privileges anymore. And neither do you.

Stripping an admin account of its admin privileges instead of simply using an account with limited privileges is plain stupid.

Same answer as a): no.

You. Cannot. Restrict. Administrators. Period.

Not without demoting them from being administrators that is.

Since we already agreed that Comodo can't distinguish between what is and isn't legitimate: of course you will. Otherwise you'll get false negatives.

For whatever reason you want to believe that.

Feeling safe is not quite the same as being safe.

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers

formatting link

It's very similar to Google's Toolbar and its "advanced" functions of PageRank and PageInfo. You have the option to disable those so your URL clicks don't have you going through their servers to track your use of Google's match results. I don't remember what the default setting was for their toolbar for these features. The default for Chrome is to track your searches. Many folks still use the Google Toolbar but those that realize the privacy implication of PageRank and PageInfo will turn those options off.

Yep, but the default after the IE8 install is OFF. I don't know if there is any warning regarding privacy considerations when the user chooses to turn this option on - but then there's Google searching (which can even be a bane at times to Google regarding their own products and intent).

I really doubt it. However, Mozilla does get its funding from Google. Things could change.

formatting link

Lynx (a highly simplistic text-only web browser). ;-> nyuk nyuk nyuk

You have to remember that Google didn't create Chrome to be the best or even a better web browser. They built it to accommodate their web apps. They needed Javascript to be faster (to compile it instead of interpret it) to make those webapps faster and more alluring. They needed multimedia content to render faster for the same reasons. Google's aim is not to replace FF or IE but to use their webapps to replace Microsoft's Office. Chrome gives Google a better platform for their webapps.

As for security, with their Google Earth and now with Google Chrome, Google has exhibited a dislike for software installation control over their own products. They want even limited users to be able to alter the software configuration of whatever host on which they are allowed to login. Both products "install" (copy) their files under the %userprofile% path where the user has full permissions, and that includes the Execute permission. So by dumping their files under the user's profile path they eliminate the restrictions imposed for normal software installs or access to the %programfiles% path. While it is possible to remove the Execute permission from your profile folder (and for all other account profiles) and propagate the reduction to all child folders under the assumption that %userprofile% should only be for data files (documents, configs, logs) and %programfiles% the default locale for programs, I'm not sure what the impact would be by doing so, plus if Google can't install there where they know the user has both read/write and execute permissions then they might just figure out some other locale to dump their files where the user has those same permissions (because %programfiles% may be restricted to that user's write permission).

Google isn't the warm fuzzy companion you might think. They have their goals and are a business that wants to stay in business.

Reply to
VanguardLH

nik gr wrote:

Once infected, the firewall (and just the firewall) won't help you recover or protect your system. Firewalls are to regulate traffic between hosts, like preventing unsolicited intrusions. You can also use them with app rules to regulate which [good and many malware] apps can connect out from your host and to where they can connect. Since they are software running on your host, they can be thwarted, but most good software firewalls also have a kernel-level component to prevent most types of compromise. Don't expect a firewall to protect you from infection. After all, when you choose to download the file or execute it in an e-mail, your firewall is powerless. For an exploit that uses a buffer overrun to deliver a tiny payload (that then goes out to get the rest of the malware), you've already told your firewall in its app rules to allow the web browser to connect and transfer that payload.

However, CFP is not just a firewall, so the arguments against software firewalls, in general, are not directly applicable. CFP also has its SafeSurf (aka Comodo Memory Firewall) to guard against buffer overruns. It also contains its HIPS function that lets you regulate which file is allowed to load into memory and execute from there (whether you rely on their whitelist or go paranoid and make all decisions yourself). It includes heuristics for behavioral analysis to detect malicious behavior. It isn't JUST a firewall, but its product name usually engenders the same staid arguments against old and simplistic firewalls and that they are NOT to protect against infection except merely as a consequence of your configuration of them with app rules, which is only a simplistic form of protection itself (and why HIPS goes beyond just deciding which file can load to run but also what actions it is allowed to perform). Alas, the problem with HIPS is that you, the user, have to understand what the prompts mean - so, again, it still comes down to the USER as the primary infection vector into a host.
Also, while HIPS lets you decide just what is allowed to load and what a process can do, that still doesn't equate to limiting privileges on that process (most actions that you regulate via HIPS are not exactly the same as what limiting privileges does, although there can be quite a bit of overlap).

Perhaps Ansgar and Volker would like to elucidate on what they DO use for security software on their own hosts. Not just what upstream appliances they may employ in a more corporate-like environment, but what, say, they use themselves at home or on their laptop (when it roams).

Reply to
VanguardLH
"Ansgar -59cobalt- Wiechers" wrote in message news: snipped-for-privacy@news.in-ulm.de...

No it can't, because firewalls are there to block those actions. If you don't believe that, then why don't you remove your firewall from your system? By your saying it's crap. Any malware with admin rights can shut it down, as you say. Then why bother?

Personally I believe CPF has mechanisms to prevent this.

Who said anything about stripping admin accounts of admin rights? How many drinks did you have?

Again, what are you talking about? The question here is whether the fw can distinguish if an action is made by the user or by a trojan.

When did I agree that Comodo can't distinguish between what is and what isn't legitimate?

Not only do I not agree, but I strongly disagree.

Comodo knows which apps are Windows components and has them on whitelists internally. It only asks questions for all other apps, including trojans.

And how exactly do you distinguish between the two modes regarding your security?

Reply to
nik gr
"VanguardLH" wrote in message news:gj43lq$bcc$ snipped-for-privacy@news.motzarella.org...

I am not expecting CPF to remove the infection from my host, but I DO expect the malware within my system to be dysfunctional, because for any action it might want to execute that messes with the OS, I expect the fw to notify me about it and then I will block it.

So perhaps I will be infected by something, but CPF won't allow it to do any harm because I will block any strange attempt I see.

Volker just said "You don't need a fw" and that's all?

No justification for his claim?

WELL, SHOULD WE OR SHOULD WE NOT USE PERSONAL FIREWALLS?! OPINIONS DIFFER AS I SEE, BUT ON THE OTHER HAND HARDWARE FIREWALLS AREN'T EVERYTHING.

Reply to
nik gr

Again, they can't do that reliably.

Why would I remove something I haven't installed in the first place?

Exactly.

Security is not a religion. This is about knowing, not about believing. And I can assure you that Comodo cannot have mechanisms to prevent this, unless it strips your admin account of its admin privileges.

I did. Because that is the only way the program could restrict software running with admin privileges from doing whatever it pleases.

Unlike you I happen to know what I'm talking about.

About your claim that Comodo could restrict software being run under your admin account.

That is one of the questions. It is by no means the only question. Even if a program could distinguish between good and malicious actions (which it can't): what good would that do, if malware could simply terminate the program trying to detect malicious actions? Yes, programs running with admin privileges can do that, whether you like that fact or not.

Oh, really? You may want to explain then, how Comodo might do that trick.

Is that true? Do you know how those whitelists are implemented? Do they go by name? With or without path? Hash? Which algorithm? How do they deal with updates? How do they protect against malicious "updates"? Not to mention that Windows' system files are the least of your problems, because they're digitally signed by Microsoft anyway, so you can simply check their integrity yourself with sigverif.exe.

Did you ever notice that the majority of the programs installed on most systems does not come from Microsoft, but some third party? Meaning that you'd still be flooded with notifications.

Do you have even the slightest understanding of what's going on on your system? Have you ever run Regmon or Filemon? Have you ever run TCPView or netstat? Have you ever inspected actual network communication with a protocol analyzer like Wireshark? Do you understand how IPC through window messages works? Do you have anything but your religious belief that Comodo will fix things for you?

By avoiding risks in the first place. By taking an actual look at what's going on on the system myself. From an admin account that is unlikely to be compromised, because day-to-day work is done from an account with limited rights. Or by booting a clean system to check the potentially compromised system. By inspecting the network traffic (with some other system) and deciding for myself what traffic is or isn't valid. A program cannot make this decision for you.

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers
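The whitelist questions above (name or path? hash? what happens on an update?) can be made concrete with a small comparison. This is an added example, not code from the thread or from any Comodo product; the file names and contents are constructed stand-ins, and the two policy classes are hypothetical illustrations of a name-keyed versus a content-hash-keyed whitelist.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Content hash: the identity a whitelist should key on, not the name."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


class NameWhitelist:
    """Hypothetical policy keyed on the bare file name.
    Any file carrying a trusted name passes, wherever it sits."""

    def __init__(self) -> None:
        self.names: set[str] = set()

    def trust(self, path: Path) -> None:
        self.names.add(path.name)

    def allowed(self, path: Path) -> bool:
        return path.name in self.names


class HashWhitelist:
    """Hypothetical policy keyed on SHA-256 of the content.
    A file with a trusted name but different content fails; so does a
    legitimate update, until the new version is explicitly re-trusted."""

    def __init__(self) -> None:
        self.hashes: dict[str, str] = {}

    def trust(self, path: Path) -> None:
        self.hashes[sha256_of(path)] = path.name

    def allowed(self, path: Path) -> bool:
        return sha256_of(path) in self.hashes


def run_demo() -> dict[str, bool]:
    """Build constructed sample files and compare the two policies."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed stand-in for a trusted program, version 1.
        prog = root / "app.exe"
        prog.write_bytes(b"constructed program v1")

        by_name, by_hash = NameWhitelist(), HashWhitelist()
        by_name.trust(prog)
        by_hash.trust(prog)

        # Constructed: an unrelated file in another directory, same name.
        other_dir = root / "elsewhere"
        other_dir.mkdir()
        same_name = other_dir / "app.exe"
        same_name.write_bytes(b"constructed unrelated content")

        results = {
            "name_policy_accepts_same_name": by_name.allowed(same_name),
            "hash_policy_accepts_same_name": by_hash.allowed(same_name),
        }

        # Constructed: the program is updated in place; the name is unchanged.
        prog.write_bytes(b"constructed program v2")
        results["hash_policy_accepts_update_before_retrust"] = by_hash.allowed(prog)
        by_hash.trust(prog)  # an update has to be re-trusted explicitly
        results["hash_policy_accepts_update_after_retrust"] = by_hash.allowed(prog)
        return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The name-keyed policy accepts the unrelated file, while the hash-keyed policy rejects it but also rejects the genuine update until it is re-trusted, which is exactly the update-handling problem the question raises.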

I don't provide services I don't want to provide. I don't install software I don't trust. I use admin accounts only for admin tasks. I use normal user accounts for everything else. I keep all of the software on my systems up to date.

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers
"Ansgar -59cobalt- Wiechers" wrote in message news: snipped-for-privacy@news.in-ulm.de...

So indeed security is a process, not a product.

Also, you don't use firewalls. And your opinion about using antivirus products, i.e. Avast or Avira?!

Reply to
Nik Gr

Yes.

I don't use personal firewalls (because I don't see any need to do so). I do use firewalls to protect my networks from untrusted networks.

I think antivirus software can be helpful to some extent, because it may detect the presence of malware. I use the free version of AVG, mainly as an additional filter for scanning files that go into one of my systems. However, be aware of the fact that "no threat found" means exactly that: no threat found. It does not mean "no threat present", because the program may simply be lacking a signature for a virus.

Heuristics and behavior-based analysis methods try to work around the limitations of the traditional signature-based approach, but have the disadvantage of generating considerably more false positives (alerts when there isn't an actual virus). In my experience that leads to reduced awareness of the users, since they become accustomed to just OK-ing the warnings.

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers
"Ansgar -59cobalt- Wiechers" wrote in message news: snipped-for-privacy@news.in-ulm.de...

The reason you do NOT want to use personal firewalls in admin accounts is because:

a) They won't protect you from being infected if you double click an infected executable that you just downloaded.

b) In case you are infected, malware will shut personal firewalls down and have its way with the system, doing the harm it was created to do, just like when no firewall was installed?

So personal firewalls provide no layer of security? Should I uninstall CPF?

What's the difference between heuristics and behavior-based analysis methods?

Reply to
Nik Gr

It depends on what the malware is actually doing, but they can't reliably protect from that. And it's not limited to the user double-clicking an executable. There are other ways a program can be executed (e.g. autorun from a CD).

Not "will", but "may". Like I said above, it depends on what the malware is actually doing.

There's another reason why I don't use personal firewalls:

c) The personal firewall is additional code that may contain additional vulnerabilities, so running a personal firewall may even *create* a security breach that wouldn't exist without it. This has already happened ITW (see W32/Witty.worm).

They can provide a layer of security in some respects (e.g. when you can't unbind a service you need from the external interface, or when you want to use a notebook in both trusted and untrusted networks, but don't want to have to go to the trouble of reconfiguring the services all the time). However, with the way Windows works, outbound control can never be done in a reliable way, so I wouldn't agree that personal firewalls provide a layer of security in that respect.

That is your decision. All I can say is that I seriously doubt its usefulness and wouldn't install it on my systems.

Behavior analysis is a subset of heuristics and usually means monitoring the interaction between program and system for suspicious behavior. There are other heuristics, though, like checking for self-modifying or self-decrypting code.

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers


At Least This Snake Oil Is Free.

formatting link
Deconstructing Common Security Myths.
formatting link
down to: "Myth: Host-Based Firewalls Must Filter Outbound Traffic to be Safe."

Exploring the windows Firewall.

formatting link
"Outbound protection is security theater: it's a gimmick that only gives the impression of improving your security without doing anything that actually does improve your security."

Managing the Windows Vista Firewall

formatting link
"Given the choice between security and sufficiently enticing rewards, like naked dancing pigs, the naked dancing pigs will win every time because the vast majority of dialogs asking users to make security decisions are devoid of any information that would enable them to actually make such a decision."

(Don't be blinded by marketing!)

Yes, definitely! E.g. a hacker needs a point of access to place viruses and other malware on a computer. No open ports, no points of access, firewall or not. Ports are opened by services! Disable the services, and there are no open ports, no points of access; even without a firewall. No open ports = No potential vulnerabilities. Open ports + firewall = Two potential vulnerabilities. When you connect your browser to a web site, you give whatever access permissions are set in your browser to that web site, even with a firewall in place. Safe browsing depends upon a secure browser! But because the win f/w is an integral part of the OS, keep it enabled; it won't do any harm.

Reply to
Kayman

Good advice, in the past. Crackers went after services connected to the internet, firewalls, shut that down. Then they went after Internet Explorer. People switched to more secure browsers and Micro$not started fixing their browser. Now crackers are going after the applications launched by the browser using malware infected data files. flash, pdf, gif, MP3, WMA, WMV, MP2,...

People slacked off downloading files from unknown sites. Crackers moved to infecting web sites. People resorted to safe browsing by only going to reputable web sites. Crackers went after ad servers and cross site scripting. Reputable web sites are no longer safe.

AV software improved. But they're running about 6 weeks behind finding new malware and getting an update into the AV database.

Crackers bought AV software and when it detected the malware, they changed the code to bypass the AV scanner. That was expensive, so they responded with malware which morphs its signature every hour.

It is a wonder every M$ system is not infected with something.

What is the casual computer user to do? Change to a more secure operating system like Linux.

Do not want to change OS? Install a Virtual machine like VirtualBox or VMware.

Create a guest machine for web browsing. Never use it for any site requiring a password. Always close the browser guest without saving, in case something gets in. Create another guest for each site, activity requiring a password.

Infection on the browser guest can not get any banking info from the bank guest. Never go anywhere but bank site in the bank guest. Close bank guest without saving.

Create separate guests for each email account. That keeps an infection from an email confined to data for that account only. Malware can not get other peoples email from the address book. Remember to export address book and any saved email onto the host before wiping email guest.

Reply to
Bit Twister

"Bit Twister" wrote in message news: snipped-for-privacy@wm81.home.test...

Can malware, which is an executable file, alter its own process in order to change its own signature? Is this possible?

That would be best, but don't Linux and FreeBSD also get infected in the same manner? What makes them safer than Windows?

You mean inside Linux? Or inside our actually installed Windows? If you infect yourself while you are using a virtual machine, will the real Windows system remain intact? Can't malware jump outside the virtual machine to infect the host running the VM?

Reply to
Nik Gr

"Kayman" wrote in message news:ma6sx9sgcu1d$.1g563bl3ugxtz$. snipped-for-privacy@40tude.net...

Thanks very much for the links; they were enlightening.

I decided and have already uninstalled it, since I am now convinced that any self-respecting malware can trick or disable any running firewall a user might use.

Comodo might catch a malware executable the minute I double click to install it, or it may not; it depends on the malware.

Comodo claims that with the use of HIPS and behaviour analysis it can notify the user about any attempts an executable tries to perform, but then again, can't malware work beneath the firewall so as to shut it down?

What if we use a firewall within a LUA environment? Can malware escape and be brought to the surface as well?

But if they are so cleverly designed, what stops them from secretly logging off the LUA environment and logging in as administrators? From what I hear, malware can do just about everything. So maybe they won't only trick the firewall but even Windows itself?

Agreed, but then again, if we disable all our services then Windows won't be functional and handy any more, would it?

Sure, but even if we disable the browser's outbound port, then how will we browse the web? Or chat or email? Or if we run a web server and close port 80, how will people visit our webpage?

Yes, open ports can be used both by our services but by malware too.

The firewall, yes, is a threat too, because it is made out of code and it can contain security vulnerabilities as well.

Reply to
Nik Gr


Sure can. Code runs once, makes a copy, updates the copy, sets the new copy to run, deletes itself from disk. You might be thinking a program has a signature. It does not. The signature is what the AV vendor has decided: something in the file that identifies it enough to claim it as malware.

Heheheh, over 1 million malware programs for doze, less than 1,000 for Linux and Unix combined. What are your odds? :)

99.99% of those *nux/unix exploits were patched years ago.

Think about it, black hats have no access to M$ source code but are generating malware at about a new one every 20 seconds. :(

With Linux they have access to the source, so why isn't there a bunch of malware out there for Linux?

FUD throwers would say not enough market share. Yeah, right. Red Hat has more than 1.5 million paying customers, Suse, more than 2 million. Not counting the free copies downloaded and installed, what Bot Herder would not want to have a bot net that large.

In a nutshell, you start out with two accounts, root and your user account. User account can only screw up their files in their account. Cannot do anything to system files. Only root can mess with system files. You do nothing but update files and system repair in the root account. Malware does not get a foot hold in the system unless root is stupid and surfing the net or installing software from untrusted sites.

Yes, check out

formatting link

You install your OS of choice in the virtual machine guest, let's call it "browser", and save it.

When ready to surf the net, click on the browser selection and a few seconds later you are sitting inside the VM guest called browser. You start doing whatever you like. You get an infection; you may or may not know it.

No matter, when you quit the guest, everything goes into the bit bucket. Your host is not infected. If you do not save the current state of the guest, it is thrown away. Next click of guest, you start with a clean slate.

I have seen patches to VM to close those exploits which might allow that to happen. As a matter of fact, some fancy malware checks to see if it is running in a virtual machine and if so, play dead.

AV Vendors have spiders and whatnot crawling the web trying to catch a malware infection. Vendors are usually doing that from a VM guest. When they find malware, they load it into a test guest to see what/how it works. Then generate signature(s), plug those into database and see if scanner can manage/find/undo it.

Reply to
Bit Twister

YW.

Good!

Yes, makers of 3rd party firewall applications (PFW) do claim a lot...

The authors of malware are extremely clever!

That may be possible.

Well, it's a PC; configure it safely the way you find most suitable. This can be a trying and tedious exercise but will bear fruit eventually.

In addition to my post of 24-Dec-08 3:56:38 PM, check this: Configuring NT-services much more secure.

formatting link

Right.

Reply to
Kayman
"Kayman" wrote in message news:8imdss8vsy4m$.vouer3wzi8pl$. snipped-for-privacy@40tude.net...

So you agree with me that malware can run at a lower ring level than the opposing firewall, a ring level at which the firewall is only a process for the malware to kill and nothing more.

Damn, can't 3rd party firewall vendors protect their products from something like that? They are aware of that case, so how do they counteract it?

LUA WON'T protect us either?!!?!?

Can't it do the same thing with the Windows firewall as well? Then HOW do we stay safe?

Even if I try any possible type of configuration some ports MUST remain open in order for some must-run services to work.

I strongly believe that we, users, are unprotectable since:

a) We have to open ports so our services communicate with the outer world, or even if we don't run services, some local ports will always be opened for traffic to create listening sockets. As we, users, use them, so malware can use them too.

b) Firewalls DON'T help at all, not before infection, not afterwards. It's fruitless to use them.

c) LUA will fail us too, since malware can escape even from a restricted environment such as a standard user account, and then log in as admin itself.

BOTTOM LINE IS USERS ARE DOOMED TO BE INFECTED.

Reply to
Nik Gr

formatting link

Nothing. That's just stupid superstition. Linux and the BSDs have better default settings than Windows, but once you change the defaults (like, don't work with admin/root privileges, shut down services you don't want to provide, etc.), even Windows is reasonably secure.

The host operating system doesn't matter. Virtual machines can be used as sandboxes to confine suspicious software to the guest OS so that it won't be able to tamper with the host OS. Although they are not 100% escape-proof, they significantly raise the bar for the attacker.

Yes.

There are ways malware might break out of a VM. It's far more difficult than "simply" infecting the "normal" operating system, though.

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers
