Give all that for FREE!!! What's the Catch? How does Comodo Make Money?

[Guest]

[panic]

Hey Jim,

There are several sites that compare AV apps, but there is a fundamental issue with this type of testing being done on CAVS.

Traditional AVs relied on a two pronged attack - detection and removal, whereas CAVS introduces a third layer - prevention. The rationale behind this is that if a PC doesn't get infected in the first place, the onus shifts away from the detection/removal process, and traditional tests revolve around the assumption that the device IS infected in the first place.

How can you accurately measure the detection/removal capabilities on an AV if the same AV is also designed to prevent the infection occuring in the first place?

There will need to be a change in the testing methods before CAVS can be accurately assesed by these sites. This isn't to say that their testing methods are invalid for AV apps that rely on the two pronged method, just that it doesn't really apply to CAVS as they fail to include prevention as part of an AV apps capabilities. IMHO this will change as more and more security vendors become focussed on prevention (whether it be AV, AS or HIPS/IDS) technologies.

Have a great break - see you when you get back.

Cheers,
Ewen :-)

[jharris1993]

Hey Jim,

There are several sites that compare AV apps, but there is a fundamental issue with this type of testing being done on CAVS.

Traditional AVs relied on a two pronged attack - detection and removal, whereas CAVS introduces a third layer - prevention. The rationale behind this is that if a PC doesn't get infected in the first place, the onus shifts away from the detection/removal process, and traditional tests revolve around the assumption that the device IS infected in the first place.

How can you accurately measure the detection/removal capabilities on an AV if the same AV is also designed to prevent the infection occuring in the first place?

Ewen,

Greetings from "the other side of the earth" (quite literally!) as I am not only in the other hemisphere, but on the other side as well - essentially diagonally opposite you folks "down there" - and I gotta get down there some day...

I disagree.  ("Oh boy, here he goes again! )

If you have a test situation - exposure to malware - then the test is just fine. (and I am making the (eek!) assumption that this is what these testers do)

If you have 3 machines, running products "a", "b", and "c"(omodo - giggle!)
AND
all three machines are exposed to a whole host of evil and nasty things.

OK...

"a" detects and removes (assume again) all of them after infection.
"b" detects and removes (    ditto  ditto  ) all of them after infection.
"c"  alerts and blocks the infection in the first place...

You tell me...

I am also assuming that they have a "sterile" environment where the testers can deliberately "inject" nasties into the machines - then see what happens.

I am assuming that Comodo's AV product can detect, and remove, an existing malware incursion - right?

So why won't these tests be valid?

Jim

[Melih]

Ewen,

Greetings from "the other side of the earth" (quite literally!) as I am not only in the other hemisphere, but on the other side as well - essentially diagonally opposite you folks "down there" - and I gotta get down there some day...

I disagree.  ("Oh boy, here he goes again! )

If you have a test situation - exposure to malware - then the test is just fine. (and I am making the (eek!) assumption that this is what these testers do)

If you have 3 machines, running products "a", "b", and "c"(omodo - giggle!)
AND
all three machines are exposed to a whole host of evil and nasty things.

OK...

"a" detects and removes (assume again) all of them after infection.
"b" detects and removes (    ditto  ditto  ) all of them after infection.
"c"  alerts and blocks the infection in the first place...

You tell me...

I am also assuming that they have a "sterile" environment where the testers can deliberately "inject" nasties into the machines - then see what happens.

I am assuming that Comodo's AV product can detect, and remove, an existing malware incursion - right?

So why won't these tests be valid?

Jim

Jim

At high level I agree with you.
However, the testing carried out by these people/organisation is much simpler than that.

They simply put all their malware in a folder.. and scan it. Then check how many of the malware was detected.

for prevention.. they have to actually execute (or try to) the malware to see whether it will cause a damage or not. I don't believe they have the infrastructure, yet..i hope they do soon though..

Melih

[jharris1993]

Jim

At high level I agree with you.
However, the testing carried out by these people/organisation is much simpler than that.

They simply put all their malware in a folder.. and scan it. Then check how many of the malware was detected.

for prevention.. they have to actually execute (or try to) the malware to see whether it will cause a damage or not. I don't believe they have the infrastructure, yet..i hope they do soon though..

Melih

OK, I'm game...

How does that prevent CAV from being tested?  Can't your stuff find malware?  Or am I REALLY MISSING SOMETHING here?

Jim

[Melih]

OK, I'm game...

How does that prevent CAV from being tested?  Can't your stuff find malware?  Or am I REALLY MISSING SOMETHING here?

Jim

Because CAV stops execution, that means in order to test malware has to be executed so that the tester can see that CAV stops the malware from executing.

Melih

[panic]

OK, I'm game...

How does that prevent CAV from being tested?  Can't your stuff find malware?  Or am I REALLY MISSING SOMETHING here?

Jim

Hey Jim,

CAVS certainly can find malware, but....

The way I ended up explaining it to my son was to use car tests as an analogy (he's a bit of a revhead and equates most things back to cars).

If you were testing a handful of cars by driving from point A to point B, how would you factor in a teleportation device? The end result is the same - you've ended up at point B, but the test parameters applied to the traditional cars don't apply to the teleporter - fuel efficiency, driver comfort etc. Same with CAVS - you (hopefully) end up with no malware on your system, but the mothod of reaching that state isn't evaluated by the test.

The test methods would have to change to include the download attempt (which IMHO is a more valid, real world way of testing) which would be blocked by CAVS.

Hope this helps,
Ewen :-)

[jharris1993]

Hey Jim,

CAVS certainly can find malware, but....

The way I ended up explaining it to my son was to use car tests as an analogy (he's a bit of a revhead and equates most things back to cars).

If you were testing a handful of cars by driving from point A to point B, how would you factor in a teleportation device? The end result is the same - you've ended up at point B, but the test parameters applied to the traditional cars don't apply to the teleporter - fuel efficiency, driver comfort etc. Same with CAVS - you (hopefully) end up with no malware on your system, but the mothod of reaching that state isn't evaluated by the test.

The test methods would have to change to include the download attempt (which IMHO is a more valid, real world way of testing) which would be blocked by CAVS.

Hope this helps,
Ewen :-)

OK, but explain to me why this is different than - for example - the McAfee product I currently use?  It also blocks malware - I was on a, (God's honest truth!), bird-watching newsgroup and downloaded a bunch of bird-pix for my son in Russia - and darn if there wasn't a snake in the grass!

McAfee jumped all over it like ants on ice-cream on a hot summer sidewalk.

I'm just not seeing the delta here.  Maybe - and I suspect this is true - you're assuming product knowlege about CAV and how it functions that I do not yet have.

This leads me to my next musical question:  How does it tell the sheep from the goats?

Every now and then - not often, but occasionally - I'll end up with a piece of software that I know darn well is as clean as a wistle - or a JPG, or whatever - that some virus scanner flat-out INSISTS is a "virus" - usually caused by (ask God why!) a particular series of bytes in the picture file that "looks" like a virus signature - even though in this case, it's just JPEG encoded color picture data.

If I assume that CAV won't even let it off the network card, so to speak, how do I
(a)  know what happened

--- and ---

(b)  Tell it to "buzz off!" with respect to this object?

Since you're a moderator here - I'm temted to suggest you send me a "throw-away" (if you're paranoid!) e-mail address, and I'll send you my phone number and you can call... oh rots!  That's right.  You're in Aussie-Land, right?  Fuzz that idea.

No, DON'T fuzz that idea - *I* can call *YOU* - my VoIP provider (Galaxy Voice here in Ma.) consideres certain international locations - among them Australia - as "local, untimed, calls" w/o extra charges. (!!)

Jim

[Little Mac]

CAVS is a multi-faceted piece of work, Jim, as Ewen has stated.  It seems like your question is geared around how the HIPS would allow you to open the JPG.  Allow me to 'splain it to you...

With CAVS, you have definitions (DATs) just like any other AV or AS.  You have an On-Access/real-time file scanner.  So there's no real difference there, as compared to other products (not comparing programming, just usage).

The difference comes in with HIPS.  CAVS has an application-based HIPS which can be tailored to sensitivity, etc.  If you look at Spyware Terminator, you'll have the basic idea.  The HIPS will not trigger a "false-positive" based on a signature file.  If an application/component/etc attempts to run, but is not on the Safelist, the HIPS will prompt you to allow or deny.  It's not an automatic denial.

If I recall aright, the HIPS fill fire prior to the AV side of CAVS.  Either way, you'd still get an alert from the AV if it felt there was a virus.  If you have auto-quarantine on, then the file goes to jail.  You can give it a pardon, though, and permanently exclude that file from On-Access scans, or On-Demand scans as well.  Each scanner has its own controls.

Hope that helps. 

LM

PS:  Hope you get this before you go...

[jharris1993]

The difference comes in with HIPS.  CAVS has an application-based HIPS which can be tailored to sensitivity, etc.  If you look at Spyware Terminator, you'll have the basic idea.  The HIPS will not trigger a "false-positive" based on a signature file.  If an application/component/etc attempts to run, but is not on the Safelist, the HIPS will prompt you to allow or deny.  It's not an automatic denial.

If I recall aright, the HIPS fill fire prior to the AV side of CAVS.  Either way, you'd still get an alert from the AV if it felt there was a virus.  If you have auto-quarantine on, then the file goes to jail.  You can give it a pardon, though, and permanently exclude that file from On-Access scans, or On-Demand scans as well.  Each scanner has its own controls.

Hope that helps. 

LM

PS:  Hope you get this before you go...

HIPS?  Gosh, I'm not THAT fat!

OK, ya got me.  Maybe I AM that fat.... (it's been a LONG TIME since I've been a 32" waist...)

Based on context, I'm assuming that "HIPS" is some kind of Heurestic scanner.

But... this leads me back to my original question:

I had originally started rambling about CAVS going up against the "big boys" in tests - and Panic said that - because of the way CAVS works, preventing the stuff from getting into your machine in the first place instead of stomping it when it arrives - implying that there was a huge paradigm shift here from the other products with "on access" scans - and I was puzzled.

So far, everything both Panic and yourself have said makes me think that (in essence) it works in a manner very similar to McAfee, Trend Micro, CA, ad nauseum.

Which brings me back to my original $64,000. question:  What prevents someone like PC Mag, et. al. from including it in their tests?

It would be real nice to see this beastie go up against some of the other heavyweights and see how it does.

Jim

p.s.  If I'm TOTALLY addled here, forgive my ignorance.

[panic]

Hey Jim,

In a nutshell, most AVs operate at the file system level, where something has to be written, or attempt to be written, to the FS. HIPS (Host Intruder Prevention System) captures and examines at the interface level (i.e. before it gets written anywhere).

The way most test suites work is to disable the AV temporarily, dump a whole pile of stuff onto an unprotected system and then re-activate the AV and let it scan the system. There is naturally a lot more to it than that, but at its broadest sense, that's how file system scanning tests work.

Now, if nothing is detected in the file system (as would happen if HIPS is functioning correctly), does that mean the scanner is deficient or that the HIPS component is really good?

The proof of the pudding will be when CFP V3 with full HIPS is released and CAVS is updated to co-operatively utilise it, and KM's expertise from BOClean is wedged into the mix. Then, it's game on ....

Before any purists object, I realise I have taken great liberties in condensing AV testing methodologies to a single sentence. This was done solely for reasons of conciseness and is not intended in any way to diminish the accuracy, thoroughness or integrity of the testing methods.

Cheers,
Ewen :-)

[dropbear]

Hi there,

I have looked through quite a few posts on this board but could not find any definitive answer to my question whether or not CPF is free for commercial use -- at least not given by one of Comodo's staff members.

So please excuse me if I ask this question again, but would anyone please confirm that CFG is free for commercial use as well?

Thanks and regards,
Dropbear

[N.T.T.W.]

http://forums.comodo.com/index.php/topic,764.msg21266.html#msg21266

The link is for a post from Melih:

To quote:

We have chosen to forgo the Desktop security market in return for brand awareness. Simply put we will make money from enterprises selling them Central management products that manages our free desktop security products. Of course if enterprises want to have no central management and just free desktop security, they are more than welcome to it, for free.

 

[Little Mac]

So please excuse me if I ask this question again, but would anyone please confirm that CFG is free for commercial use as well?

Dropbear, in addition to Anderow's post, here's another link where Melih specifically answers a user's question about using CPF in a business setting:  http://forums.comodo.com/index.php/topic,1276.msg8539.html#msg8539

Hope that helps answer your question,

LM

[pdh12783]

HI,

     I really like the explanation by the CEO from comodo as to why it is free that is a good humour side on the explanation,,,, at the end i can say you have really done it to give your message to the community as to why the software is free.


   Cheersssssss to you man and keep it Up... .Best of luck Comodo..........

  I will try my best to refer this wonderful software to refer to my friends thanksssssss.....

Thanks ,

Prashant Hirapara

[JayCub]

Hi Melih
Even though i have been on the forums a short time...i realise the product you are giving away is a step ahead of the competition....is it possible that Comodo have shot themselves in the foot as it's free for life...i reckon if it was a paid for product it would be out of my reach....money for me is tight and to honest even i would have found the money to for a subscription...maybe a premium addition is the way to go or make and sell a browser..as you know what your buying with Comodo...surley you guys could design a better or should i say safer one than ie7(yes i am a microsoft fan) and use your own unique brand of security especially as the net can be hazzardous to the wallet (shopping online) as i have little or no faith buying online...or your own e mail client...Just have a problem getting my head around the way top products are free to use even after reading your explanation... i have dowloaded dozens of products and been dissapointed with many...the only trialware i bought was TuneUp utillties..and two others...don't get me wrong i am greatful to Comodo and have read alot of reviews online and posted my own.. i also know BOClean is a real gem and i like the way the forums are run with a wealth of knowledge whatever user experience....

 (R)

[Tags:]