Comodo’s container solution offers zero friction

What THE GOOD, THE BAD and The Ugly Files

Uploaded by pcsafe, posted on 12-Aug-2015. Category: Technology

TRANSCRIPT

Page 1: Comodo’s container solution offers zero friction

What THE GOOD, THE BAD and The Ugly Files

Page 2

Understanding Today’s Threat Environment

For thirty years, most of us have relied on signature-based antivirus products for protection. They use a signature file (a blacklist) to identify and respond to threats. Unfortunately, that means “legacy antivirus” must first detect the threat before it can be addressed.

With an estimated 50,000 new malware samples released each day, how can a blacklist always be up to date? It can’t. We call these undetected threats “zero day malware”.

Legacy antivirus cannot deal effectively with zero day malware. If it could, you probably would not be reading this. It is based on a reactive model that can’t keep up with the speed at which malware spreads today.

Page 3

The Good, the Bad, the Unknown: 3 states of an executable file

You cannot afford to allow unknown executables to live in your network with unfettered access. It is just not healthy! To deal with unknown files, you first have to diagnose them as unknown. A file can have one of three states.

Known good: The file is known to be valid and not a risk.

Known bad: The file is a known threat and must be dealt with accordingly.

Unknown: The file is not on our lists of good or bad. It may be safe or it could be malicious. We just do not know.

Page 4

➲ So why don’t we simply stop Unknown applications from executing? That solves the problem, right? Yes it does, but then it creates a usability problem! Are you going to explain to your management why they can’t run this app or the other app they keep downloading? I’d rather not!

➲ Ok, here is another idea: Why don’t we stop these unknown files, send them to a “sandbox” and check to see if they are malicious. If not, allow them. Great! Unfortunately, you are still relying on “detection”. Have you heard of a “time bomb”?

➲ Here is how a malware time bomb works: I am a malware and I will sit pretty and do nothing malicious for 2 months. Then, on schedule, I will unleash my evil! Moo wah ha ha!

➲ So how will you “detect” this in a sandbox? Wait for 2 months? Don’t forget, your management is also waiting on their download!! Waiting for 2 minutes is not acceptable for your CEO, never mind 2 months!!

Page 5

Run-Time Automatic Threat Containment

➲ First you need a containment technology: something you can use to run an untrusted “unknown file” in without causing damage if it turns out to be a bad file. Comodo built the world’s only Containment technology that has been battle tested by over 80 Million users! Second, the question is when to use it. If you can identify a good file, then you don’t need to contain it, because it’s a good file. If you can identify a bad file, then you don’t contain it either; bad files need to be “quarantined” or deleted. It is the unknown files that must be contained.

➲ Comodo security includes a patented solution for containing unknown files at run time, automatically. RTACT (Run-Time Automatic Threat Containment) is intelligent enough to weed out good and bad and contain only the unknown, hence creating a very efficient “Containment” technology. Of course, you can configure it to run everything in our containment, but there simply is no need for that, as it does not improve your security posture.

Page 6

Comodo is the only company that classifies an executable file into 3 states: good, bad and unknown. Hence, Comodo can provide containment security technology with unprecedented efficiency and effectiveness. Only Comodo is able to zero in and deal with what truly matters in protection, the unknown files. Unknown files must only be executed within a container.

Comodo’s container solution offers zero friction for end user usability. This means the user who is executing the application continues to use the application without even realizing that this application is running in a container. Fast, efficient and zero user experience change!

Page 7

What is Containment?

Containment is “the action of keeping something harmful under control or within limits”. A sandbox is a containment technology implemented by executing the software in a restricted operating system environment, thus controlling the resources (for example, the file descriptors, memory, file system space, etc.) that a process may use. Examples of sandbox implementations include the following, from Wikipedia:

A jail
Rule-based execution
Virtual machines
Sandboxing on native hosts
Capability systems
Online judge systems
New-generation paste bins
Secure Computing Mode
HTML5
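The three-state classification from Page 3, the “contain only the unknown” policy from Page 5, and the resource-limited execution described on this page fit together as one pipeline. The following is an added example written for this transcript; it is not Comodo’s code and makes no claim about how RTACT is implemented. It classifies a file by SHA-256 against a known-good list and a known-bad list (both constructed here, with hypothetical contents), quarantines known-bad files, and runs unknown files under OS resource limits via the standard `resource` and `subprocess` modules (Linux/Unix only). The limit values are constructed for illustration. Unlike a detection sandbox with a timeout, the limits bind the process for its whole lifetime, which is what makes a “time bomb” that sleeps before acting a containment problem rather than a detection problem.

```python
"""Added example: three-state classification with run-time containment.

Not Comodo's code. Hash lists, file contents and rlimit values are all
constructed for illustration. Requires a Unix-like OS for `resource`.
"""
import hashlib
import resource
import subprocess
from enum import Enum


class Verdict(Enum):
    KNOWN_GOOD = "known_good"
    KNOWN_BAD = "known_bad"
    UNKNOWN = "unknown"


class Action(Enum):
    RUN_NORMALLY = "run_normally"    # known good: no containment needed
    QUARANTINE = "quarantine"        # known bad: never executed
    RUN_CONTAINED = "run_contained"  # unknown: executed only inside limits


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample lists: hypothetical file contents hashed at import time.
KNOWN_GOOD_HASHES = {sha256_hex(b"constructed: trusted vendor tool")}
KNOWN_BAD_HASHES = {sha256_hex(b"constructed: known malware sample")}


def classify(data: bytes) -> Verdict:
    """Bad is checked first so a hash present on both lists is never trusted."""
    digest = sha256_hex(data)
    if digest in KNOWN_BAD_HASHES:
        return Verdict.KNOWN_BAD
    if digest in KNOWN_GOOD_HASHES:
        return Verdict.KNOWN_GOOD
    return Verdict.UNKNOWN


def decide(verdict: Verdict) -> Action:
    """The policy stated in the slides: contain only the unknown."""
    return {
        Verdict.KNOWN_GOOD: Action.RUN_NORMALLY,
        Verdict.KNOWN_BAD: Action.QUARANTINE,
        Verdict.UNKNOWN: Action.RUN_CONTAINED,
    }[verdict]


def containment_limits() -> dict:
    """Constructed (soft, hard) rlimits for a contained process: open file
    descriptors, address space, bytes written per file, CPU seconds, and
    number of child processes."""
    mib = 1024 * 1024
    return {
        resource.RLIMIT_NOFILE: (32, 32),
        resource.RLIMIT_AS: (256 * mib, 256 * mib),
        resource.RLIMIT_FSIZE: (8 * mib, 8 * mib),
        resource.RLIMIT_CPU: (10, 10),
        resource.RLIMIT_NPROC: (16, 16),
    }


def _apply_limits() -> None:
    # Runs in the child between fork and exec, so the limits apply to the
    # untrusted program and anything it spawns, for as long as it lives.
    for res, bounds in containment_limits().items():
        resource.setrlimit(res, bounds)


def run_contained(argv: list, timeout_s: float = 30.0) -> subprocess.CompletedProcess:
    """Execute an unknown program with the limits applied; output is captured
    so the contained process cannot write to the operator's terminal."""
    return subprocess.run(
        argv, preexec_fn=_apply_limits, capture_output=True, timeout=timeout_s
    )


def handle(data: bytes) -> Action:
    """Classify the file bytes and return the action policy requires."""
    return decide(classify(data))


if __name__ == "__main__":
    for sample in (b"constructed: trusted vendor tool",
                   b"constructed: known malware sample",
                   b"never seen before"):
        print(sample.decode(), "->", handle(sample).value)
    # Demonstration of a contained run using a harmless system binary.
    result = run_contained(["/bin/echo", "running inside limits"])
    print(result.stdout.decode().strip(), "exit", result.returncode)
```

`classify` is deliberately order-sensitive: a known-bad match wins over a known-good match, so an attacker who manages to get a sample onto an allowlist still loses if it is also on the blocklist. The `resource` limits are a minimal sandbox, not a full container; a production design would also restrict the filesystem view and network, which this transcript does not describe.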

Page 8

Denying the user use and execution of the application is not desirable. Run-Time Automatic Containment is the solution.

Containment technology must also defend itself against malware “jumping out” of the containment solution. A containment technology that cannot protect itself cannot contain the malware. Comodo is the most trusted containment technology.

Comodo Internet Security has ranked #1 for over three years in the ongoing Matousec Proactive Security Challenge 64. The challenge is a competition among 36 internet security suites. Matousec's tests include the system’s ability to protect itself. What good would a bodyguard be if he cannot protect himself?

Comodo is one of only 4 of the competitors that have earned the Matousec recommendation, and the only one available for free.

Page 9

➲ Internal Research: the malicious program starts to look into all the details of the organization it is targeting. It conducts research on the Windows domain structure, trust relationships and the infrastructure the organization is connected to.

➲ Expansion of Control: Extends its control over the other workstations, servers and other components of the infrastructure to steal data from them.

➲ Maintain Presence: Persistent control and access to credentials of the infrastructure.

➲ End of Mission: Withdraw stolen information from the targeted organization's network.

Page 10

For more details: http://containment.comodo.com/

https://www.youtube.com/watch?v=Uq31kqKiQ4I