White listing or black listing?

[Guest]

[solcroft]

Comodo is of the new breed of security firms; any post on Wilders about what Comodo can or cannot do is irrelevant and inconsequential.
 

It's a new breed of security firm all right, considering how the quality of CAVS has yet to climb out of the sewer after all this time.

Take a look at PC Tools' antivirus product, for instance. They're new, and they're improving quickly. Which is a hell lot more than I can say for Comodo.

[panic]

G'day solcroft,

Glad to see you stick your head round the door again.

Gotta agree - the detection rate of CAVS2 Beta has never been the best. I can't see it getting any better than it curently is as the primary develoment focus is now on CAVS3.

Just in case you were just about to say "LOL. Couldn't finish V3 and have started on V3" or similar, Comodo realised, after the release of CFP V3, that they needed to re-architect the CAVS product line to be able to co-operate with the new architecture used in CFP V3. As a consequence, the CAVS V3 development team has been greatly expanded and development work on CAVS V2 pretty much ground to a halt.

CAVS V3 is slated for a public beta towards the end of this month or early next month and should be worth at least a closer look.

[tongue in cheek mode on]
I'll get someone who's allowed to register at Wilders to let you know when it's out. (Only kidding, every attempt I've ever made to register at Wilders has failed for one reason ro another. Now, I just don't bother, but I do read there a lot.)
[/tongue in cheek mode off]

cheers,
Ewen :-)

It's a new breed of security firm all right, considering how the quality of CAVS has yet to climb out of the sewer after all this time.

Take a look at PC Tools' antivirus product, for instance. They're new, and they're improving quickly. Which is a hell lot more than I can say for Comodo.

[solcroft]

Glad to see you stick your head round the door again.

I stick around every now and then and pay attention. Hey, I'd be a happy user too if Comodo decides to get its act together and release a useable product.

[axl]

Which is a hell lot more than I can say for Comodo.

You may not have that much to say on this topic, but I have long been well aware of how much you have to say on other topics relating to Comodo, solcroft.

Regards,
axl.

[axl]

Gotta agree - the detection rate of CAVS2 Beta has never been the best. I can't see it getting any better than it curently is as the primary develoment focus is now on CAVS3.

Given a recent thread started by Melih, something about "If you have CFP 3, why do you need an AV", I was under the impression that Comodo believed blacklisting to have severe limitations compared to whitelisting, and this would explain why CAV has been on the backburner...

Is my impression incorrect, panic?
 

[solcroft]

You may not have that much to say on this topic

Actually, I do, but I just can't be bothered nowadays that its common knowledge.

[panic]

Given a recent thread started by Melih, something about "If you have CFP 3, why do you need an AV", I was under the impression that Comodo believed blacklisting to have severe limitations compared to whitelisting, and this would explain why CAV has been on the backburner...

Is my impression incorrect, panic?
 

Yes with an "if", no with a "but".

There are pros and cons to both sides of the blacklist / whitelist argument. Comodo have decided that the whitelisting is the better way to go and I'm inclined to agree with them. This is akin to saying trust no-one other than those I know (which is pretty much how real world security works).

The biggest downside to whitelisting is that everything is considered black unitl it is proven to be white. Who does the proving, and what are their credentials?

A lot of it comes down to trust. Some will, some won't. And I"ll bet you won't get them to agree.

Cheers,
Ewen :-)

[axl]

The Achilles heel of blacklisting is the reliance on a database; it can only get larger going forward.
Every AV has to keep signatures of viruses ten, fifteen years old, while the number of malwares grows exponentially.
Right now, both sides are somewhat balanced, so the debate regarding whitelisting vs blacklisting is sustainable, but the future of blacklisting as a defense mechanism is doomed.

AVs are dead, but they don't even know it yet.

Or maybe the AV companies do know it, but they are just not letting their customers know until they can find a viable alternative.

IMO users like solcroft are stuck in the past.

[solcroft]

The Achilles heel of blacklisting is the reliance on a database; it can only get larger going forward.
Every AV has to keep signatures of viruses ten, fifteen years old, while the number of malwares grows exponentially.
Right now, both sides are somewhat balanced, so the debate regarding whitelisting vs blacklisting is sustainable, but the future of blacklisting as a defense mechanism is doomed.

Sure. If we can't keep the blacklist current, let's try whitelisting instead, and try to keep up-to-date with a database at least a thousand times as large (and that's an optimistic estimate at best).

IMO some users are so keen to defend their biases that logic and facts take a back seat to the rhetoric they've been spoon-fed with. 

[panic]

Sure. If we can't keep the blacklist current, let's try whitelisting instead, and try to keep up-to-date with a database at least a thousand times as large (and that's an optimistic estimate at best).

IMO some users are so keen to defend their biases that logic and facts take a back seat to the rhetoric they've been spoon-fed with. 

What if the local whitelist database, rather than containing every whitelisted app known to man (and would indeed be a thousand times larger), only contained the known whitelisted apps that pre-existed on that particular PC? Then, as new apps got added to that PC, there was a lookup which cold add that app to the local whitelist DB. This would constrain the local DB down to the minimum size required to service the apps on that PC.

What think?
Ewen :-)

[axl]

Sure. If we can't keep the blacklist current, let's try whitelisting instead, and try to keep up-to-date with a database at least a thousand times as large (and that's an optimistic estimate at best).

IMO some users are so keen to defend their biases that logic and facts take a back seat to the rhetoric they've been spoon-fed with. 

solcroft, when I say whitelisting I am talking about behavior monitoring.
Any kind of database is ridiculous unless it is maintained by Microsoft, which is why I never use Comodo's trusted app database.
Get a grip.

[solcroft]

What if the local whitelist database, rather than containing every whitelisted app known to man (and would indeed be a thousand times larger), only contained the known whitelisted apps that pre-existed on that particular PC? Then, as new apps got added to that PC, there was a lookup which cold add that app to the local whitelist DB. This would constrain the local DB down to the minimum size required to service the apps on that PC.

What think?
Ewen :-)

I think there's no such thing as a "local whitelist".

A whitelist contains programs that have been approved by either the vendor or the user. If it is to be approved by the vendor, then the vendor has no choice but to whitelist every app known to man, unless they don't care about identification mistakes made by their software, or if their users only use a very limited subset of other software. And if the whitelist is to be approved by the end user, I think the problems are obvious.

And I think it's useless to debate the concepts of whitelisting and behavior monitoring with some users who clearly don't have a clue.

[axl]

What if the local whitelist database, rather than containing every whitelisted app known to man (and would indeed be a thousand times larger), only contained the known whitelisted apps that pre-existed on that particular PC? Then, as new apps got added to that PC, there was a lookup which cold add that app to the local whitelist DB. This would constrain the local DB down to the minimum size required to service the apps on that PC.

What think?
Ewen :-)

The entire database concept is ridiculous.
This is all because of the poor design of Windows.
I wouldn't be surprised given the current Vista fiasco that Microsoft makes a clean break with backward compability with the next version, ala Apple with OS/X.
Then the entire database argument will be moot, because we will finally have a properly functioning OS, and people like solcroft will understand why things are the way they are.

[axl]

And I think it's useless to debate the concepts of whitelisting and behavior monitoring with some users who clearly don't have a clue.

I guess that's why you are still waiting to exhale looking for AV solutions, while after having not had an infection in almost a decade I am wondering why I am still running one and looking to ditch AVs permanently....

[panic]

I think there's no such thing as a "local whitelist".

A whitelist contains programs that have been approved by either the vendor or the user. If it is to be approved by the vendor, then the vendor has no choice but to whitelist every app known to man, unless they don't care about identification mistakes made by their software, or if their users only use a very limited subset of other software. And if the whitelist is to be approved by the end user, I think the problems are obvious.

What I meant was - the vendor, remotely creates the "master" whitelist DB. When the application that's going to utilise this DB is installed, part of the installation process is to determine what apps are already on the PC. This "apps list" is then processed against the remote vendors master whitelist DB. The resulting matches then form the local whitelist DB which is what is downloaded to the local PC. As new apps are installed or executed, they are again compared to the remote master whitelist and subsequent matches are pushed back to the local PC to be incorporated into the local whitelist DB.

Please bear in mind the above is not a declaration of what categorically be included in a future Comodo release.

And I think it's useless to debate the concepts of whitelisting and behavior monitoring with some users who clearly don't have a clue.

Debates and discussions are encouraged on these forums, but disparaging, derogatory or personal remarks are not.

All users are supposed to treat all other users with the same respect and courtesy they expect to be shown to themselves. Please, everyone, every now and again, re-read the forum policies.

Ewen :-)

[Tags:]