If you have V3 why do you need an AV?
Topic: If you have V3 why do you need an AV? (Read 25435 times)
Japo (Global Moderator)
« Reply #60 on: January 22, 2008, 01:34:55 AM »
The answer is simple, there is no other scenario except the ones mentioned. We can phone Aristotle and ask him to confirm if you want.
Either:
a) you purposely disable Defense+;
b) or you make it allow attempts that it detected and could have been blocked;
c) or a vulnerability in CFP is found and exploited.
I'd dare say the probability of the latter is virtually zero, if only because hackers aren't trying hard against CFP, only against mainstream programs like Windows itself, major browsers, MS or Yahoo messenger, etcetera.
« Last Edit: January 22, 2008, 01:44:45 AM by Japo »
WaterWall (Guest)
« Reply #61 on: January 25, 2008, 02:52:56 PM »
Quote from: Japo on January 22, 2008, 01:34:55 AM
The answer is simple, there is no other scenario except the ones mentioned. We can phone Aristotle and ask him to confirm if you want.
Either:
a) you purposely disable Defense+;
b) or you make it allow attempts that it detected and could have been blocked;
c) or a vulnerability in CFP is found and exploited.
I'd dare say the probability of the latter is virtually zero, if only because hackers aren't trying hard against CFP, only against mainstream programs like Windows itself, major browsers, MS or Yahoo messenger, etcetera.
Yes. But CFP is gaining popularity and one day bad guys will begin cracking Comodo.
Melih (Administrator)
« Reply #62 on: January 25, 2008, 03:36:38 PM »
Quote from: Commodus on January 25, 2008, 02:52:56 PM
Yes. But CFP is gaining popularity and one day bad guys will begin cracking Comodo
Nothing better to improve your product than having criminal-minded people trying to break it!
We will be ready!
Melih
Guest
Re: If you have V3 why do you need an AV?
«
Reply #63 on:
January 31, 2008, 12:44:30 AM »
I would like to add my 2 cents to the discussion:
Let's assume that we all are dancing in a discotheque.
The Firewall will play the role of the outdoor guard; at least here in Chile that's how it works.
1.- I pay for the entrance ticket, then the guard checks if I'm clean (meaning: no drugs, no hidden bottles of liquor).
2.- Then I get into the discotheque, and then I sneak to the Men's Bathroom because I want to get stoned with a kind of drug that isn't smelly that I'm hiding in my shoes; the outside guard WILL NEVER DARE TO ASK ME TO TAKE OFF MY SHOES.
3.- Then just when I'm high I start to do havoc and there isn't anybody able to stop me. So the discotheque has a serious security flaw on the inside. So there must be guards inside. Well, in real life all the discotheques have indoor guards, so they play the role of the AV and/or Antispyware.
Bottom line
We need what I call a "Security Triangle": a firewall, an antivirus (in the past two weeks my AV discovered 2 trojan-dialers; fortunately the infected files were non-executables) and we need at least 3 antispywares on demand; they are enough, but the AV must be resident (I have 6 antispywares). And of course from time to time defrag our hard disks, clean the temp files and so on, so I agree with Rafel.
Regards
MiguelAngelXP
« Last Edit: January 31, 2008, 07:09:37 PM by MiguelAngelXP »
MrBrian (Computer Security Testing Group)
« Reply #64 on: February 06, 2008, 03:27:31 AM »
Buffer overflow detection. Antivirus can possibly detect poisoned data files if you allow your antivirus scanner to scan all files, not just executables. I know this for a fact, because my antivirus program alerted me when I tried to run the proof of concept file that I discuss in my test of the separate product Comodo Memory Firewall (see the Comodo Memory Firewall forum for more details).
Info-Sec (Computer Security Testing Group)
« Reply #65 on: February 10, 2008, 08:47:05 PM »
Quote from: Melih on January 18, 2008, 08:13:43 PM
If you have V3 and only execute Safe apps why would you need AV?
What other scenarios are there that having an AV on top of AV would be beneficial?
eg: A file that you feel you must execute but not in the safelist could be identified as a malware by an AV (if this file is a malware and the AV has the signature of this malware). (So in this scenario we used AV for file identification)
What other scenario, if any, would having an AV on top of V3 would be beneficial?
Let's discuss this pls
thanks
Melih
I understand you took the stance on "Allow safe to run and all others under trepidation." However, CPF doesn't actively filter/delete known viruses. I love COMODO, but AVs can catch a virus/malicious program before it does damage. How far does D+ go? Quite deep into the OS and in the files yes, but there are viruses that can outsmart the system, or more probably the user.
Melih (Administrator)
« Reply #66 on: February 11, 2008, 08:36:27 AM »
Quote from: Info-Sec on February 10, 2008, 08:47:05 PM
I understand you took the stance on "Allow safe to run and all others under trepidation." However, CPF doesn't actively filter/delete known viruses. I love COMODO, but AVs can catch a virus/malicious program before it does damage. How far does D+ go? Quite deep into the OS and in the files yes, but there are viruses that can outsmart the system, or more probably the user.
The risk of something outsmarting CPF to cause damage is much (MUCH) smaller than running an AV and allowing around 80% (according to some stats) of all new malware in.
Let's look at the facts:
How many malware can you find that could outsmart CPF today? (as of today we know of none)
How many malware can you find that your AV won't recognise? (hundreds of new malware a day!)
It is much easier to write a new application and hide it so that AVs don't recognise it than analysing and trying to find vulnerabilities in CPF to outsmart it.
Melih
Chappy (Comodo Family Member)
« Reply #67 on: February 14, 2008, 08:36:17 PM »
Quote from: riggers on January 19, 2008, 10:48:05 AM
Here is a scenario which happened to me not more than 1 hour ago.
I went to download a product (superscan) so I switched to installation mode while downloading.
When the product was downloaded my av guard flagged it up as possible malware which then gave me the option to allow/quarantine or delete. This made me think: although I knew this was from an ok source I still had the layered protection which alerted me to a possible bad egg?
We are after all only human and if we try to download something we think is from a legit source but may not be, we still have a back up which may alert us to a malware program.
Nice 1 Matty
This is just a quick answer to "riggers" post.
SuperScan itself is a clean app and your d'load source is probably clean. Since SuperScan is a port scanning engine and port scanner engines are often integrated into many trojans/viruses, they are most often flagged as "Possibly Unwanted Software" by virtually EVERY AV product made worth having. This is most likely what you received from your AV alert but simply failed to remember (or didn't know) that you have the alert to "Possibly Unwanted" and "Possibly Unsafe" software triggers enabled.
I've used SuperScan before and it's a decent Windows scanner and I also know that every good AV product will tag it simply because it IS a port scanner tool.
Dave
JolietJake (Comodo's Hero)
« Reply #68 on: February 14, 2008, 08:52:32 PM »
Quote from: Melih on January 18, 2008, 08:13:43 PM
If you have V3 and only execute Safe apps why would you need AV?
What other scenarios are there that having an AV on top of AV would be beneficial?
eg: A file that you feel you must execute but not in the safelist could be identified as a malware by an AV (if this file is a malware and the AV has the signature of this malware). (So in this scenario we used AV for file identification)
What other scenario, if any, would having an AV on top of V3 would be beneficial?
Let's discuss this pls
thanks
Melih
If some malware was designed to fool/bypass V3 perhaps a second layer AV would spot it. It's maybe easier to target one application with malware than several different applications.
What about the Sony rootkit debacle? In order to play one of their CDs in your PC it sneakily installed a rootkit which could be exploited by naughty people. Can all rootkits, especially ones which come via a 'trusted' company like Sony, be detected?
Would Comodo go up against a big corporation like Sony and flag its rootkit (which they have now ditched) when Sony would argue that it's a legitimate security device?
Just how quickly could Comodo respond to a threat like the example above which only came to light months after being released and installed on thousands of users' computers?
On a more general note a scenario might be one of trust or belief amongst less knowledgeable users built up over many, many years that computers need AVs to be safe and secure.
To counter this would require a re-education of the masses, most of whom must quite fairly be considered computer security illiterate.
Not an easy job especially when AVs counter with their arguments via advertising etc!
« Last Edit: February 14, 2008, 09:15:58 PM by JolietJake »
Melih (Administrator)
« Reply #69 on: February 14, 2008, 09:31:43 PM »
That is the issue: Who will respond quicker... other AV companies or Comodo. Bypassing CPF etc only matters if Comodo responds slower than others. If there is a specific attack against CPF, I would think we would know and act faster against it than others... but of course we'll see in future.
Melih
Matty_R (Global Moderator)
« Reply #70 on: February 15, 2008, 05:49:08 PM »
I would just like to say I personally feel better by not putting all my eggs in one basket. I know the whitelist and V3 are an excellent step in the right direction but how many different executables are there out there?
There will always be new products coming onto the market and as such there will always be people willing to try these new products. Some may install them before Comodo has had the chance to look at them (I know this is running an unknown executable) but if your AV program picks it up you then have the choice of whether to allow it or not to remain on your system.
The whole ethos here is what you are most comfortable with; there will always be a difference of opinion when this issue crops up and company A will always say we will protect you better than company B, while some companies will just use their influence to get on people's computers.
Some people are very careful of what and where they download stuff from, others are not; some know what warning signs to allow, some don't. It is a minefield out there full of good and bad and with the help of a lot of people it is becoming a much safer place.
So a big thank you to all the good guys
Matty
Melih (Administrator)
« Reply #71 on: February 15, 2008, 05:50:46 PM »
Indeed Matty, the main time where you will need AV is when running unknown applications.
Melih
Josh123 (Guest)
« Reply #72 on: February 15, 2008, 08:14:29 PM »
I agree.
If you have CF3, and you don't use P2P (limewire, utorrent etc) and don't visit illegal sites or sites you don't know... Then CF3 is basically all you need...
but downloading unknown torrents and applications... an AV is needed on your machine.
Josh.
malbeth (Comodo Family Member)
« Reply #73 on: February 16, 2008, 02:35:35 AM »
Am I missing something big time here? V3 is FW+HIPS. A firewall can let malicious code through in an instant, e.g. you use your usual browser to visit a hacked legitimate site that successfully exploits browser's vulnerability. Thus it's either D+ protects you from any such code or you do need another security layer, which may just be an AV software. Theoretically an ideal HIPS makes AV redundant, since blocking malicious actions is a safer path than looking for signatures from a reactively updated list. However, D+ V3 is nowhere near an ideal HIPS (limited granularity, too much work left for user), which necessitates additional protection. Thus, my scenario for needing AV over V3 is everyday use.
Joss (Newbie)
« Reply #74 on: February 16, 2008, 06:07:27 AM »
All programs have leaks and bugs, even the best ones... One more protection isn't useless...