Understanding Security Alerts
Comodo Antivirus for Servers alerts warn you about security-related activities and requests at the moment they occur. Each alert contains information about the particular issue so you can make an informed decision about whether to allow or block it. Alerts also let you specify how CAVS should behave in future when it encounters activities of the same type. The alerts also enable you to reverse the changes made to your computer by the applications that raised the security-related event.
[Figure: an annotated example alert. The callouts in the figure read as follows.]
- Type of alert: can be Antivirus, HIPS or Sandbox.
- Color indicates the severity of the alert. HIPS and Sandbox alerts are color coded to indicate risk level.
- Description of the activity or connection attempt.
- High-visibility icons quickly show which applications and techniques are involved in the alert. Clicking the name of an executable here opens a window containing more information about the application in question.
- Clicking the handle opens the alert description, which contains advice about how to react to the alert.
- Click 'Show Activities' to open a list of activities performed by the process.
- Click these options to allow, block or otherwise handle the request.
- Select this option to create a rule in the respective module for the application in question, to allow or block as per your choice.
Comodo Antivirus for Servers alerts come in five main varieties, namely:
- Antivirus Alerts - Shown whenever a virus or virus-like activity is detected. AV alerts are displayed only when Antivirus is enabled and the option 'Do not show antivirus alerts' is disabled in Real-time Scanner Settings.
- HIPS Alerts - Shown whenever an application attempts an unauthorized action or tries to access protected areas. HIPS alerts are generated only if HIPS is enabled and 'Do NOT show popup alerts' is disabled.
- Sandbox Alerts (including Elevated Privilege Alerts) - Shown whenever an application tries to modify the operating system or related files, and when Defense+ automatically sandboxes an unrecognized file. Sandbox alerts are displayed only if privilege elevation alerts are enabled under Sandbox Settings.
In each case, the alert may contain very important security warnings or may simply occur because you are running a certain application for the first time. Your reaction should depend on the information presented in the alert.
Note: This section is concerned only with the security alerts generated by the Antivirus, Firewall, HIPS and Auto-Sandbox components of CES. For other types of alert, see Comodo Message Center notifications, Notification Messages and Information Messages.
The shield icons at the upper left of each alert are color coded according to the risk level presented by the activity or request. However, it cannot be stressed enough that you should still read the information in order to reach an informed decision on allowing or blocking the activity.
- Yellow Icons - Low Severity - In most cases, you can safely approve these requests. The 'Remember my answer' option is automatically pre-selected for safe requests
- Red Icons - High Severity - These alerts indicate highly suspicious behavior that is consistent with the activity of a Trojan horse, virus or other malware program. Carefully read the information provided when deciding whether to allow it to proceed.
- Orange Icons - Medium Severity - Carefully read the information in the alert description area before making a decision. These alerts could be the result of a harmless process or activity by a trusted program, or an indication of an attack by malware. If you know the application to be safe, then it is usually okay to allow the request. If you do not recognize the application performing the activity or connection request, then you should block it.
Note: Antivirus alerts are not ranked in this way. They always appear with a red icon.
The description is a summary of the nature of the alert and can be revealed by clicking the handle as shown:
The description tells you the name of the software/executable that caused the alert, the action that it is attempting to perform, and how that action could potentially affect your system. You can also find helpful advice about how you should respond.
Now that we've outlined the basic construction of an alert, let's look at how you should react to them.
Comodo Antivirus for Servers generates an Antivirus alert whenever a virus or virus-like activity is detected on your computer. The alert contains the name of the virus detected and the location of the file or application infected by it. Within the alert, you are also presented with response options such as 'Clean' or 'Ignore'.
Note: Antivirus alerts are displayed only if the option 'Do not show antivirus alerts' is disabled. If this setting is enabled, antivirus notifications are displayed instead. This option is found under 'Security Settings > Antivirus > Realtime Scan'. Refer to Real-time Scanner Settings for more details.
The following response options are available:
- Clean - Disinfects the file if a disinfection routine exists. If no routine exists for the file then it will be moved to Quarantine. If desired, you can submit the file/application to Comodo for analysis from the Quarantine interface. Refer to Manage Quarantined Items for more details on quarantined files.
- Ignore - Allows the process to run and does not attempt to clean the file or move it to quarantine. Only click 'Ignore' if you are absolutely sure the file is safe. Clicking 'Ignore' will open three further options:
- Ignore Once - The file is allowed to run this time only. If the file attempts to execute on future occasions, another antivirus alert is displayed.
- Ignore and Add to Exclusions - The file is allowed to run and is moved to the Exclusions list - effectively making this the 'Ignore Permanently' choice. No alert is generated if the same application runs again.
- Ignore and Report as a False Alert - If you are sure that the file is safe, select 'Ignore and Report as a False Alert'. CAVS will then submit this file to Comodo for analysis. If the false-positive is verified (and the file is trustworthy), it will be added to the Comodo safe list.
If CAVS detects a virus or other malware, it will immediately block it and provide you with instant on-screen notification:
Please note that these antivirus notifications are displayed only when the 'Do not show antivirus alerts' check box in the Antivirus > Real-time Scan settings screen is selected and the 'Show notification messages' check box is enabled in the Advanced Settings > User Interface screen.
Answering HIPS Alerts
Comodo Antivirus for Servers generates a HIPS alert based on the behavior of applications and processes running on your system. Please read the following advice before answering a HIPS alert:
1. Carefully read the information displayed after clicking the handle under the alert description. Comodo Antivirus for Servers can recognize thousands of safe applications. If the application is known to be safe, this is written directly in the security considerations section along with advice that it is safe to proceed. Similarly, if the application is unknown and cannot be recognized, you are informed of this.
   If it is one of your everyday applications and you simply want it to be allowed to continue, then you should select Allow.
   If you don't recognize the application, then we recommend you select Block the application. You can choose to just block the connection, block & terminate, or block, terminate and roll back any changes it may have already made.
2. If you are sure that it is one of your everyday applications and want to enforce a security policy (ruleset) on it, please use the 'Treat As' option. This applies a predefined HIPS ruleset to the target application.
   Avoid using the Installer or Updater ruleset if you are not installing an application. This is because treating an application as an 'Installer or Updater' grants the maximum possible privileges to that application, something that is not required by most already-installed applications. If you select 'Installer or Updater', you may consider using it temporarily with Remember My Answer left unchecked.
3. Pay special attention to Device Driver Installation and Physical Memory Access alerts. Again, not many legitimate applications would cause such an alert, and this is usually a good indicator of malware or rootkit-like behavior. Unless you know for a fact that the application performing the activity is legitimate, Comodo recommends blocking these requests.
4. Protected Registry Key Alerts usually occur when you install a new application. If you haven't been installing a new program and do not recognize the application requesting the access, then a 'Protected Registry Key Alert' should be a cause for concern.
5. Protected File Alerts usually occur when you try to download or copy files or when you update an already installed application.
   Were you installing new software or trying to download an application from the Internet? If you are downloading a file from the 'net, select Allow without selecting the Remember my answer option, to cut down on the creation of unnecessary rules within the firewall.
   If an application is trying to create an executable file in the Windows directory (or any of its subdirectories), then pay special attention. The Windows directory is a favorite target of malware applications. If you are not installing any new applications or updating Windows, then make sure you recognize the application in question. If you don't, then click Block and choose Block Only from the options, without selecting the Remember My Answer option.
   If an application is trying to create a new file with a random file name, e.g. "hughbasd.dll", then it is probably a virus and you should block it permanently by clicking Treat As and choosing 'Isolated Application' from the options.
6. If a HIPS alert reports malware behavior in the security considerations area, then you should Block the request permanently by selecting the Remember My Answer option. As this is probably a virus, you should also submit the application in question to Comodo for analysis.
7. Unrecognized applications are not always bad. Your best-loved applications may very well be safe but not yet included in the Comodo certified application database. If the security considerations section says "If xxx is one of your everyday applications, you can allow this request", you may allow the request permanently if you are sure it is not a virus. You may report it to Comodo for further analysis and inclusion in the certified application database.
8. If HIPS is in Clean PC Mode, you are probably seeing alerts for any new applications introduced to the system, but not for the ones you have already installed. You may review the files with 'Unrecognized' rating in the 'File List' interface for your newly installed applications and remove them from the list for them to be considered clean.
9. Avoid using the Trusted Application or Windows System Application policies for your email clients, web browsers, IM or P2P applications. These applications do not need such powerful access rights.
Comodo Antivirus for Servers generates a Sandbox alert if an application or process tries to perform certain modifications to the operating system, its related files or critical areas like the Windows Registry, and when it automatically sandboxes an unknown application.
Please read the following advice before answering a Sandbox alert:
- Carefully read the information displayed after clicking the handle under the alert description. Comodo Antivirus for Servers can recognize thousands of safe applications. If the application is known to be safe, this is written directly in the security considerations section along with advice that it is safe to proceed. Similarly, if the application is unknown and cannot be recognized, you are informed of this.
- If you are sure that the application is authentic and safe and you simply want it to be allowed to continue, then you should select Run Unlimited. If you do not want the application to be monitored in future, select the 'Trust this application' checkbox. The application will be added to the File List with Trusted status.
- If you are unsure of the safety of the software, then Comodo recommends that you run it with limited privileges and limited access to your system resources by clicking the 'Run Isolated' button. Refer to the section Unknown Files: The Scanning Process for more explanation of applications run with limited privileges.
- If you don't recognize the application, then we recommend you select Block the application.
Run with Elevated Privileges Alert
The Sandbox will display this kind of alert when the installer of an unknown application requires administrator, or elevated, privileges to run. An installer that is allowed to run with elevated privileges is permitted to make changes to important areas of your computer such as the registry.
- If you have good reason to trust the publisher of the software then you can click the 'Run Unlimited' button. This will grant the elevated privilege request and allow the installer to run.
- If you are unsure of the safety of the software, then Comodo recommends that you run it with restricted access to your system resources by clicking the 'Run Isolated' button.
- If this alert is unexpected (for example, you have not proactively started to install an application and the executable does not belong to an updater program that you recognize), then you should abort the installation by clicking the 'Block' button.
- If you select 'Trust this application', then CAVS assigns Trusted status to this file in the 'Files List' and no future alerts are generated when you run the same application.
Note: You will see this type of alert only if 'Detect installers and show privilege elevation alerts' is enabled. This can be found in 'Advanced Settings > Security Settings > Defense+ > Sandbox Settings'.
There are two versions of this alert: one for unknown installers that are not digitally signed, and a second for unknown installers that are digitally signed but whose publisher has not yet been white-listed (they are not yet a 'Trusted Software Vendor').
- Unknown and unsigned installers should be either isolated or blocked.
- Unknown but signed installers can be allowed to run if you trust the publisher, or may be isolated if you would like to evaluate the behavior of the application.
Also see:
- 'Unknown Files: The Scanning Processes' - to understand the process behind how CES scans files
- 'Trusted Software Vendors' - for an explanation of digitally signed files and 'Trusted Software Vendors'.
The Sandbox will display a notification whenever it auto-sandboxes an unknown application:
The alert will show the name of the executable that has been auto-sandboxed. The application will be automatically added to the File List with the 'Unrecognized' rating.
- Clicking the name of the application will open the File List interface with the currently sandboxed application highlighted.
- Clicking Don't isolate it again assigns 'Trusted' status to the file in the File List, so that the application will not be auto-sandboxed in future. Choose this option if you are absolutely sure that the executable is safe.
Users are also reminded that they should submit such unknown applications to Comodo via the 'File List' interface. This will allow Comodo to analyze the executable and, if it is found to be safe, to add it to the global safe list. This will ensure that unknown but ultimately safe applications are quickly white-listed for all users.
Also see:
- 'Unknown Files: The Scanning Processes' - to understand the process behind how CAVS scans files
To view the activities of the processes, click the Show Activities link at the bottom right. The Process Activities List dialog will open with a list of activities exhibited by the process.
Column Descriptions
- Application Activities - Displays the activities of each of the processes run by the parent application.
  - File actions: The process performed a file-system operation (create/modify/rename/delete file) which you might not be aware of.
  - Registry: The process performed a registry operation (created/modified a registry key) which might not be authorized.
  - Process: The process created a child process which you may not have authorized or been aware of.
  - Network: The process attempted to establish a network connection that you may not have been aware of.
- If the process has been terminated, its activities are indicated with gray text and remain in the list until you view the 'Process Activities List' interface. If you close the interface and reopen the list within five minutes, the activities still appear in the list. Otherwise, the terminated process's activities are no longer displayed.
- PID - Process Identification Number.
- Data - Displays the file affected by the action.