[Discussion] COMODO seems not to verify files' MD5?

dyzg
Posted on 2007-11-27 20:34:31
I renamed a different file to an allowed file name and it was able to run. So does COMODO only recognise the file name and path? That can hardly be called secure.
GBUser
Posted on 2007-11-27 21:31:50
There's Defense+ for that.
EQ doesn't verify by default either.
Still, I think having verification is better, one more layer of protection.
ubuntu
Posted on 2007-11-27 21:57:06
The developers' thinking is that FD together with My Pending Files makes MD5 entirely unnecessary;
if you are sensitive about file operations, keep a closer eye on the file changes listed in My Pending Files.

The Defense+ must have shown you the alerts before replacing the files. Once approved by the user or by the "Computer Security Policy" CFP will not ask about the already approved change again. These are cooperating systems. Even if Defense+ is deactivated, you will receive a file modification alert if an unknown program modifies an application *which has a firewall rule*.

However, if you say "I have replaced/renamed those files without any alerts from Defense+", this can be because :

"You may have a rule in Computer Security Policy which allows explorer.exe (assuming you used Windows Explorer to rename those files) to modify protected files" or you disabled file system protection completely.

All these hash keeping practices are to prevent malware hijacking the allowed applications. You need to keep hashes if you don't know what is going on in the file system. CFP 3 knows all these.

There is a leaktest in www.grc.com. LeakTest 1.2.exe. You can rename that application as firefox.exe and test.

So you have a guaranteed defense against malware tampering. Why would you need hashing?

Besides, CFP 3 allows you to use wildcard characters while defining the applications. In this case, hashing is just useless. You can't keep hashes for such a set of applications. That's why, IMHO, other firewalls do not have such a feature as wildcard based rules.


Hope this helps,
Egemen
30794
Posted on 2007-11-28 05:01:06
What the V3 developer means is that even with Defense+ turned off, changes to monitored files will still trigger an alert; also, if hash verification were used, it would be inconvenient to set up rules containing wildcards.

V3's FD is held together by the "patent pending" component, and this "patent pending" is in fact cmdagent.exe.
V3 still has some bugs that leave loopholes. For example, running certain software causes cfp.exe to error out and exit on its own; once cfp.exe has exited, some brute-force tools run without any alert, such as 冰刀 (IceSword). If 冰刀 is then used to finish off cmdagent.exe, V3's protection is terminated, and of course the "patent pending" is gone with it.

As for the wildcard-in-rules problem, that is easy enough to handle. Some HIPS products support wildcards and also have hash verification; you can set it up like this: rules without wildcards use hash verification, rules with wildcards do not, and rules without wildcards take precedence over rules with wildcards.
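To make the two behaviours in this thread concrete, here is an added example (not COMODO's code, and not from any poster): a hypothetical toy rule engine. `path_only_verdict` models what dyzg observed in the first post, where a file is judged by name and path alone, so a renamed file that lands on an allowed path inherits the allow rule. `hybrid_verdict` models the scheme 30794 proposes just above: exact-path rules are consulted first and may pin a hash, wildcard rules are consulted only afterwards and never pin one. The rule type, the `AppRule` fields, the sample paths and the byte strings standing in for executables are all constructed for the example.

```python
import fnmatch
import hashlib
from dataclasses import dataclass
from typing import Optional

# Hypothetical rule model (constructed for this example, not COMODO's own).
# A rule is an exact path or a wildcard pattern; exact-path rules may pin the
# SHA-256 of the executable they were created for.
@dataclass(frozen=True)
class AppRule:
    pattern: str                  # exact path, or pattern with * / ? wildcards
    action: str                   # "allow" or "block"
    sha256: Optional[str] = None  # only meaningful for exact-path rules


def has_wildcard(pattern: str) -> bool:
    return any(ch in pattern for ch in "*?[")


def file_hash(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def path_only_verdict(rules, path):
    """Name/path-only matching: whatever file occupies an allowed path
    inherits that path's rule, regardless of its contents."""
    for rule in rules:
        if fnmatch.fnmatchcase(path.lower(), rule.pattern.lower()):
            return rule.action
    return "ask"


def hybrid_verdict(rules, path, content):
    """Exact-path rules first (hash must match when one is pinned); wildcard
    rules only if no exact rule covers the path, and never hash-checked."""
    exact = [r for r in rules if not has_wildcard(r.pattern)]
    wild = [r for r in rules if has_wildcard(r.pattern)]
    for rule in exact:
        if rule.pattern.lower() == path.lower():
            if rule.sha256 is None or rule.sha256 == file_hash(content):
                return rule.action
            # Same path, different bytes: the trusted binary was replaced,
            # so do not fall through to a broader wildcard rule.
            return "ask (hash mismatch)"
    for rule in wild:
        if fnmatch.fnmatchcase(path.lower(), rule.pattern.lower()):
            return rule.action
    return "ask"


# Constructed stand-ins for executables (not real PE images).
GENUINE_FIREFOX = b"MZ constructed firefox image"
OTHER_TOOL = b"MZ constructed unrelated program"

FIREFOX_PATH = r"C:\Program Files\Mozilla Firefox\firefox.exe"

# Constructed rule set: one exact rule with a pinned hash, one wildcard rule.
RULES = [
    AppRule(FIREFOX_PATH, "allow", file_hash(GENUINE_FIREFOX)),
    AppRule(r"C:\Tools\*.exe", "allow"),
]


def demo():
    """Same path, two different files, under both matching schemes."""
    return {
        "genuine_path_only": path_only_verdict(RULES, FIREFOX_PATH),
        "renamed_path_only": path_only_verdict(RULES, FIREFOX_PATH),
        "genuine_hybrid": hybrid_verdict(RULES, FIREFOX_PATH, GENUINE_FIREFOX),
        "renamed_hybrid": hybrid_verdict(RULES, FIREFOX_PATH, OTHER_TOOL),
        "wildcard_hybrid": hybrid_verdict(RULES, r"C:\Tools\anything.exe", OTHER_TOOL),
        "unknown_hybrid": hybrid_verdict(RULES, r"C:\Other\x.exe", OTHER_TOOL),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} -> {verdict}")
```

Two design points are worth noting. First, a hash mismatch on an exact-path rule returns a fresh prompt rather than falling through to the wildcard list; otherwise a replaced binary could still be admitted by a broad pattern that happens to cover the same directory. Second, `fnmatch`'s `*` also matches path separators, so a pattern like `C:\Tools\*.exe` covers subdirectories too, which is exactly the kind of open-ended set that, as Egemen says, cannot sensibly be pinned to a hash.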
Oceanzd
Posted on 2007-11-28 07:07:16

Reply to post #4 by ubuntu

It seems Comodo's FD still does not distinguish deletion from modification.
zerosu6652
Posted on 2007-11-28 07:10:29
The antivirus does verify.
夏春秋
Posted on 2007-11-28 07:34:05
This is an attempt by Comodo to simplify things for the user; V2 did have MD5 verification. Whether it is appropriate is of course a matter of opinion.
sxingbai
Posted on 2007-11-28 08:38:43

Reply to post #6 by Oceanzd

Noticed that too.
A deletion is also reported as a modification.
Copyright © KaFan  KaFan.cn All Rights Reserved.