8/9/08

Double-Plus Defense with Comodo Firewall Pro 3.0

I still believe that identifying malicious software by comprehensive analysis of all behaviors is a better solution than just watching for isolated actions. When I tested ThreatFire 3 and Norton Anti-Bot, they did a great job of blocking real-world malware using this type of holistic analysis. And because they look at the program as a whole, they don't flag valid programs that happen to use some of the same techniques. But Comodo Firewall Pro's implementation of single-action behavior blocking is among the best I've seen, especially the option to switch into Installation mode.

Malware writers use a variety of techniques to evade simple program control. Most of these involve either pretending to be a trusted application or getting a trusted application to do their dirty work. And virtually every such technique is covered by Defense+'s monitoring. When I tried running a dozen "leak test" programs that demonstrated these techniques, Comodo Firewall Pro blocked them all. Every single leak test triggered an orange alert reporting that iexplore.exe was launching an unknown program and asking whether to proceed. Since this warning would appear for absolutely any program not on the safe list, I always allowed it. And every time a leak test program tried to create a file or folder, it caused a red or orange alert. Here, too, I chose to allow the action. I blocked only those that actually sounded suspicious, like modifying a protected Registry key or trying to access iexplore.exe in memory.

To see how Comodo Firewall Pro handles innocuous but unknown programs, I installed a dozen PC Magazine utilities, selecting ones that hook deeply into Windows to accomplish their work. They generated quite a few Defense+ pop-ups; I recorded these in a list but allowed all of the reported actions. The results were somewhat surprising. Not counting repeats of the same type of warning (for example, multiple file creation alerts), the leak test programs averaged four alerts apiece, the majority of them orange.

While Comodo Firewall Pro's firewall module takes care of all the basic firewall tasks, Defense+ adds proactive prevention of behaviors that might indicate malware. It monitors a wide variety of system activities, such as interprocess memory access, installation of device drivers, and establishment of global Windows hooks. It watches for changes to specific sensitive files, Registry keys, and COM interfaces. And it detects programs that circumvent Windows for direct access to physical memory, the screen, the keyboard, or disk drives. That's a lot to track! It doesn't need to monitor programs that are on the safe list, which takes some of the load off.
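The contrast the review draws, single-action alerts like Defense+'s (one pop-up per suspicious action, collapsed repeats, a safe list, and an Installation mode that silences everything) versus the holistic scoring of ThreatFire and Norton Anti-Bot, can be made concrete with a toy policy engine. The following Python is an added example written for this page, not Comodo's code or any vendor's rules; the action categories follow the activities the review lists, but the severities, weights, threshold, image names and event log are all constructed for the illustration.

```python
"""
Toy HIPS policy engine: per-action alerting (as the review describes for
Defense+) beside a holistic score over a process's whole behaviour.
Everything below (categories, colours, weights, sample events) is an
assumption made for this example, not Comodo's actual rule set.
"""
from collections import defaultdict

# Alert colour per action type; the review mentions red and orange alerts,
# the mapping here is assumed.
SEVERITY = {
    "launch_unknown_program": "orange",
    "create_file": "orange",
    "install_driver": "red",
    "set_global_hook": "red",
    "access_process_memory": "red",
    "modify_protected_registry": "red",
    "modify_com_interface": "red",
    "direct_physical_memory": "red",
    "direct_disk_access": "red",
}

# Constructed safe list: actions by these images are not monitored at all.
SAFE_LIST = {"explorer.exe", "svchost.exe"}

# Weights for the holistic score (assumed). A lone file creation or program
# launch is everyday behaviour; injection and protected-key changes are not.
WEIGHT = {
    "launch_unknown_program": 1, "create_file": 1, "install_driver": 3,
    "set_global_hook": 3, "access_process_memory": 4,
    "modify_protected_registry": 3, "modify_com_interface": 3,
    "direct_physical_memory": 4, "direct_disk_access": 3,
}

# Constructed event log: (image, action, target). "hookutil.exe" stands in for
# a legitimate utility that hooks deeply into Windows; "leaktest.exe" for a
# leak-test style program that does several of the things the review lists.
EVENTS = [
    ("hookutil.exe", "set_global_hook", "WH_KEYBOARD"),
    ("hookutil.exe", "create_file", r"C:\Users\me\hookutil.ini"),
    ("leaktest.exe", "launch_unknown_program", "iexplore.exe"),
    ("leaktest.exe", "create_file", r"C:\Users\me\a.tmp"),
    ("leaktest.exe", "create_file", r"C:\Users\me\b.tmp"),      # repeat type
    ("leaktest.exe", "access_process_memory", "iexplore.exe"),
    ("leaktest.exe", "modify_protected_registry", r"HKLM\...\Run"),  # placeholder key
    ("explorer.exe", "create_file", r"C:\Users\me\Desktop\new.txt"),  # safe-listed
]


def single_action_alerts(events, safe_list=SAFE_LIST, install_mode=False):
    """One alert per (image, action type), the way a per-action blocker
    raises them. Repeats of the same type are collapsed, matching how the
    review counted pop-ups; Installation mode suppresses alerts entirely."""
    if install_mode:
        return []
    seen, alerts = set(), []
    for image, action, target in events:
        if image in safe_list or (image, action) in seen:
            continue
        seen.add((image, action))
        alerts.append((SEVERITY[action], image, action, target))
    return alerts


def holistic_verdicts(events, threshold=6, safe_list=SAFE_LIST):
    """Sum the weights of everything an image did and decide once per image.
    A utility that sets one hook stays under the threshold; a process that
    launches a browser, injects into it and edits a protected key does not."""
    score = defaultdict(int)
    for image, action, _ in events:
        if image in safe_list:
            continue
        score[image] += WEIGHT[action]
    return {img: ("flag" if s >= threshold else "allow") for img, s in score.items()}


def alerts_for(image, events=EVENTS):
    """Per-action alerts raised for one image (the count a user would click through)."""
    return [a for a in single_action_alerts(events) if a[1] == image]


if __name__ == "__main__":
    for sev, img, act, tgt in single_action_alerts(EVENTS):
        print(f"[{sev.upper():6}] {img}: {act} -> {tgt}")
    print(holistic_verdicts(EVENTS))
```

Running it shows the trade-off the review describes: the per-action engine raises two alerts for the benign hooking utility and four for the leak test, leaving the user to judge each one, while the holistic score passes the utility and flags only the process whose actions add up. Installation mode turns the per-action alerts off altogether, which is exactly why it should be switched back off once the installer has finished.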
