Possible reason Melih will not allow CIS to be tested by non-AMTSO organization

[Guest]

[Chiron494]

I understand that CIS as a suite is much much more powerful than just the antivirus portion. This topic is merely concerned with the detection rate of the antivirus. I am sure that Melih does not believe that testing merely the antivirus portion of CAVS for on demand detection will result in a repeat of the test discussed here  http://forums.comodo.com/empty-t7015.0.html

I therefore must conclude that either the improvements for V4 are so profound that it would have been a waste of time to test CIS before V4 or that CAVS is built differently than most scanners.

I am basing this on my own experience and what people have said in the forum. CAVS seems to detect more malware when the malware attempts to run than is detected by an on-demand scan. I am therefore asking Melih if the engine and definitions for CAVS are designed specifically to protect the user against active malware and are aimed less at detecting inactive malware.

If this is it there are pros and cons, but I believe that the community deserves to know. What is the true philosophy for CAVS?

[Melih]

CAVS is built as a traditional AV.
Reason why you see it detecting while trying to run the application is merely for speed optimisation, so that we are not uncessearily scanning and costing CPU etc but still protecting the user at the end (on-access mode).

I really do not believe in the traditional AV as a solution to protect people. I mean AV was invented around 1987.... the reason for this invention was to "clean" virus infections...so..from 1987 to 2009....at which particular date did we start thinking that AV is NOT a cleaning tool but a prevention tool?

Anyway...CAVS has a very decent detection ratio. We have made huge improvements in the cleaning functionality of CAV in v4. Detection without cleaning is not good...

A computer exist in 2 state...(within context of this discussion)

1)Infected..
2)Clean

if your computer is infected, then u need cleaning (detection alone is not good enough).

If your computer is clean, then u want to keep it that way (which is what CIS does).

So till recently we focussed on keeping a clean computer stay clean. Now that we have achieved that, with v4 we will get much stronger cleaning functionality built in.

Melih

[devenroy]

Thanks Melih,
I m Excited to try new comodo internet security 4.
Cheers.

[AyeAyeCaptain]

I'm like a child again! Who wants to open his presents before christmas day...... 

[hammersmith]

CAVS is built as a traditional AV.
Reason why you see it detecting while trying to run the application is merely for speed optimisation, so that we are not uncessearily scanning and costing CPU etc but still protecting the user at the end (on-access mode).

I really do not believe in the traditional AV as a solution to protect people. I mean AV was invented around 1987.... the reason for this invention was to "clean" virus infections...so..from 1987 to 2009....at which particular date did we start thinking that AV is NOT a cleaning tool but a prevention tool?

Anyway...CAVS has a very decent detection ratio. We have made huge improvements in the cleaning functionality of CAV in v4. Detection without cleaning is not good...

A computer exist in 2 state...(within context of this discussion)

1)Infected..
2)Clean

if your computer is infected, then u need cleaning (detection alone is not good enough).

If your computer is clean, then u want to keep it that way (which is what CIS does).

So till recently we focussed on keeping a clean computer stay clean. Now that we have achieved that, with v4 we will get much stronger cleaning functionality built in.

Melih

Thank you Melih!!

I believe this was exactly the answer that could have settled the rather
acrimonious thread about "design philosophy",and "stand alone",etc.,
concerning the AV competent of CIS.

[Melih]

Thank you Melih!!

I believe this was exactly the answer that could have settled the rather
acrimonious thread about "design philosophy",and "stand alone",etc.,
concerning the AV competent of CIS.

pls feel free to copy and paste this into those threads in the interest of others.

thanks
Melih

[hammersmith]

Thank you,got it:

http://forums.comodo.com/feedbackcommentsannouncementsnews_cis/design_philosophy_for_comodo_antivirus-t46406.135.html

(page 10)

[RejZoR]

Sorry, but even if AV's were invented back in 1987, comparing that tech with the AV tech available today is like comparing a mice brain logic with human brain logic. It's just not comparable in any way.

[slangen]

Sorry, but even if AV's were invented back in 1987, comparing that tech with the AV tech available today is like comparing a mice brain logic with human brain logic. It's just not comparable in any way.

agreed - but comparing the malware in 87 with 2009 is like comparing a horse cart with a space rocket. You cannot compare the operating system either. Nor can you compare the number of total computer users and/or internet users. Nor can you compare anything - except how dumb people (me included) still are and will always be.

The "conflcker worm", while propagating cheaply (means easy to block methods) was using advanced MIT level math (for what purpose? - dont ask me. I read this off the wall street journal. i think it was the way it was generating different master domains or something.) which was in a paper presented by two math guys which was about 3-5 weeks old at that time). Malware authors are really intelligent people - social engineering is the ultimate con, but look how gullible the public still is. its amazing when you look how prolific malware is.

I dont buy Melih's logic either - but then he's a law unto himself.   

[panic]

OT but we all laughed. 

which was in a paper presented by two math guys which was about 3-5 weeks old at that time). Malware authors are really intelligent people

They might be intelligent but they don't stand a chance against those 3-5 week old math guys!

3-5 week old math guys presenting papers?? Most 3-5 week olds I know only present daipers.

[pc-pete]

Thanks for the explanation. A few clarifying questions.

CAVS is built as a traditional AV.
Reason why you see it detecting while trying to run the application is merely for speed optimisation, so that we are not uncessearily scanning and costing CPU etc but still protecting the user at the end (on-access mode).

So on-access scanning in CAV v3 scans files only when they are executed, not when they are cut/copied, written to disc?
Whitelisted files are not scanned?

In v4, non-whitelisted files will be "sandboxed" by default as a first defense?

I really do not believe in the traditional AV as a solution to protect people. I mean AV was invented around 1987.... the reason for this invention was to "clean" virus infections...so..from 1987 to 2009....at which particular date did we start thinking that AV is NOT a cleaning tool but a prevention tool?

Rest easy Melih, hardly anyone believes in the traditional AV you describe here. That's why no-one has been promoting them as adequate protection since about 1999 (I think that is the date you are looking for) when we started thinking of AV as a cleaning AND prevention tool, rather than as "NOT a cleaning tool but a prevention tool".

Anyway...CAVS has a very decent detection ratio. We have made huge improvements in the cleaning functionality of CAV in v4. Detection without cleaning is not good...

A computer exist in 2 state...(within context of this discussion)

1)Infected..
2)Clean

if your computer is infected, then u need cleaning (detection alone is not good enough).

If your computer is clean, then u want to keep it that way (which is what CIS does).

So till recently we focussed on keeping a clean computer stay clean. Now that we have achieved that, with v4 we will get much stronger cleaning functionality built in.

Melih

"Back to the future" for CIS then.

cheers,
Pete

[Melih]

Sorry, but even if AV's were invented back in 1987, comparing that tech with the AV tech available today is like comparing a mice brain logic with human brain logic. It's just not comparable in any way.

Actually, comparing Malware VS AV capability 1987 vs 2009, I would say AVs are WAAAY behind the Malware!!!! So I agree with you that you can't compare them, but comparing the capability of malware vs capability of AVs.... AVs lost the war and they should NOT be used as prevention tool, they simply can't keep a clean pc, clean!!!!

Melih

[slangen]

OT but we all laughed. 

They might be intelligent but they don't stand a chance against those 3-5 week old math guys!

3-5 week old math guys presenting papers?? Most 3-5 week olds I know only present daipers.

bro - you're making it a habit to totally misunderstand my posts. 

The MIT paper was presented by two people - a grad student and his doctoral guide. It was 3-5 weeks old (THE PAPER) when conflicker came out. Conflicker was/is using that stuff. Don't shoot the messanger - i read this in the wall street journal.

if you think that malware writers are not smart then you got one thing coming for you. NO i.e. ZERO company or individual has been able to combat this problem which is only getting larger. Yes there are a lot of 'script kiddies' but the number of intelligent people is also quite large. Another factor is that  lot of these programs are writting by people which deep pocket backings (i.e. rogue governement or organizations with nefarious intent).

just goto ANY crack/serial site and you'll find cracks/keygens/serials for almost any program. reverse engineering the executable is not an easy task  - it requires some brains. to develop worms is another tough task it requires great understanding of a lot of different computing concepts. as i said before, social engineering is the oldest con but people still fall for it - you gotta be smart to design it. I bet thesse guys could get a job in any marketing/PR outfit. My first and only experience with trojan horse was when 'netbus' came out. a 425KB program totally owned a 800MB Operating system - it still amazes me to this day.

[slangen]

Update to previous post -

I mentioned wall street journal - actually it was BusinessWeek.

The math they used was "The worm also took extraordinary measures to prevent each precious new bot from being cleaned up by Microsoft or any antivirus programs — or usurped by rival bot net controllers. SRI found, for instance, that Conficker’s creators used the freshly-written MIT MD6 algorithm published by MIT’s Dr. Ron Rivest last October."  - the MD6 algo which was developed only a few days ago - yeah anyone can use a algorithim but how many people (you/me everyone) is scouring the Internet for these papers, meaning the very act of paying attention and seeking out this kinda stuff implies a 'little' intelligence. 

postnote: obviously and surprisingly conficker didnt do much damage but it was interesting nonetheless. :-)

[panic]

bro - you're making it a habit to totally misunderstand my posts. 

Not misunderstanding, just seeing humour where none apparently exists. I was just kidding - ergo the smilie! I knew what you meant, it just read funny.

Ignoring script kiddies, some malware authors do unbelievably compact, concise coding with incredibly clever routines and methods. If only they would use their powers for good instead of evil, obviously evil pays better.

Cheers,
Ewen :-)

[Tags:]