Is The Anti-Virus Even Necessary ?

[The Zodiac]

Ok, I know this may seem a stupid question but here me out.

First, all Anti-Virus software is signature based in essence & some have built in "zero-day" capabilities, & heuristic analysis.

Now I did a test yesterday. I downloaded a key generator, which we all know 99.9% of the time is infected. I know can hear you say, "wtf would you risk it for"? But I had no fear thanks to the CIS sandbox feature, which is one of my points.

Now I scanned the keygen with Comodo Virus Scan. The scan came back clean. Wtf? I then scanned the keygen with the Hitman Pro cloud scanner, which flagged the keygen.exe as "malware". Hmm. So to prove a point I ran the keygen.exe & Comodo (as I figured) sandboxed it, which is good. No harm, no foul.

My question here is this. With Comodo's Sandbox feature, even without an anti-virus, you are protected from harm from the infected file. So why do we even need the anti-virus at all ? I love my CIS software & wouldn't want to be without it, but the anti-virus portion seems to be a little "useless". Especially when it didn't recognize what should of been an "easy mark" for most AVs.

I am no security guru, so perhaps I am missing something here, which is why I am posting this thread --- to be perhaps enlightened on why the AV in CIS is needed. The obvious response (i would think) is that even though CIS sandboxed the "malware".exe, you are not made aware that it is indeed "malware", so the potential for someone with less security experience to think the .exe is safe & to run it outside the sandbox is fairly high ---- which could be dangerous. But if the Comodo AV didn't recognize in the first place it doesn't seem to matter much.

Again, I am not bashing CIS, as I use it, & love it. I would just like to hear some informative responses that could set me straight on why the Comodo AV is a part of CIS, if it seems to be a little ineffective in "catching" malware in the "act".

Thanks

[Syl]

The AV reduces the amount of popups.

[Tech]

My question here is this. With Comodo's Sandbox feature, even without an anti-virus, you are protected from harm from the infected file. So why do we even need the anti-virus at all ?

1. Usability: reduces popups.
2. The decision is taken by experts (and not by the user).
3. Reduce the probability of the user to allow running it.
4. Cleaning operations in an infected computer.

But if the Comodo AV didn't recognize in the first place it doesn't seem to matter much.

Improve the AV part of the suite then...

[Melih]

for security...no..
for usability...yes..

[JamesFrance]

Many of us would run the Comodo firewall with defense+ without any antivirus in the past and never got infected.   You just needed to check out the many alerts carefully before allowing something.

Since CIS was launched about 2 years ago the pop-ups have been steadily reducing as the av and now the sandbox make alerts less needed.   If you were to use another av than Comodo av you would probably be alerted by both that and Defense+, so not really a good idea if you are interested in usability.

[knk2006]

for security...no..
for usability...yes..

+1   

I like the posts of this guy  he's awesome 

[John Buchanan]

I tested this.  Some were flagged by the AV, some were stopped by the sandbox or D+.
So maybe the signature just needs to be added to the database?
I deleted the files so I cannot send them myself.

[SG65]

  If you were to use another av than Comodo av you would probably be alerted by both that and Defense+, so not really a good idea if you are interested in usability.

From my experience MSE jumps before D+ (and only MSE, no D+ as well).
I wouldn't use Comodo's AV; I just don't trust it.

[The Zodiac]

I still am not sure how the AV reduces pop ups. The reason I say this is that I have yet to see the AV in Comodo flag a single malware. Which also leads me to wonder, how could it remove an infection if it doesn't find one.

Personally I don't really care about the AV, since Defense + is my "bodyguard" against malware. I was just curious to hear what others had to say on this subject.

[languy99]

it reduced pop ups by stopping the malware before it gets to D+, instead of having to answer 5 questions about the program in D+ you only answer one with the AV.

Also I don't know how much research you do concerning CAV detection ratios, but I find malware everyday and it does find a significant amount of malware, maybe you have just not checked enough of them.

[Josh™]

AV for Usability...

Like others have said already, the AV Updates both blacklist and whitelist so the number of Alerts or sandboxed notifications you need to see are minimal.

The security/protection aspect is obviously Defense+ and Sandbox. AV is there for usability.

Josh

[Siketa]

it reduced pop ups by stopping the malware before it gets to D+, instead of having to answer 5 questions about the program in D+ you only answer one with the AV.

Languy,

I agree with you but also there are lots of cases when I get three pop-ups while testing CIS against malware.
First the sandbox appears then CAV with its delayed detection and Defense+ with Buffer Overflow warning at the end.

[The Zodiac]

.....maybe you have just not checked enough of them.

Perhaps you are right. I guess it could also mean that I simply do not run into any malware during my daily usage. The first time I went looking for malware to test, CAV didn't recognize it, so it was a little presumptuous of me to "rate" the CAV on that single instance.

[SiberLynx]

Hi  The Zodiac,

It was discussed before here & in other places few (if not many) times
Having AV in place I haven't used  full scan for about 4 years ever
(only for testing purposes sometimes)

Comodo's AV was created for a “convenience”/ “usability”,  as Melih said,  for  having a Suite
Whatever “usability” means... For me – it means nothing – use other AV that has much better detection rate & less FPs, or don't use any

Having decent  Behavioral Blocker is more efficient anyway

But in this case Comodo was most likely correct – not a malware

According to my research more than 80- (90%?) of “keygens” are never malware
a bit less % , but the same with cracks – many are as clean as well filtered water!
As it was pointed  - the vendors just go into P2P sites;  gathering them  and adding to the signatures

I'm not saying that you cannot catch the bad one” - risky stuff ! It is your choice whether you wanna research

The contributors are not only hackers/crackers, but the major players – the big companies that are protecting their Software.
They are substituting downloads of perfectly made cracks. Believe me – they have special forces / agencies for doing that.

That doesn't mean that  I am supporting piracy … do not get me wrong, but just collecting anything out there and adding to the signatures doesn't do any good as well

Sure languy99 is right

...Also I don't know how much research you do concerning CAV detection ratios, but I find malware everyday and it does find a significant amount of malware, maybe you have just not checked enough of them.

Please check if you want … but check thoroughly
If you are advantageous  enough... you will find out that what was flagged by many security as a malware (especially keygens) will work perfectly after you would a set up the Software.
Password protect cracks/keygens & test the System & Software after the installation... how may “Trojans” and nasties  you will find ?
 

From my experience MSE jumps before D+ (and only MSE, no D+ as well).
I wouldn't use Comodo's AV; I just don't trust it.

Well ... I am not using neither MSE nor Comodos AV ... but if you are talking abut trust - I would rather use Comodo's Av than MSE

Cheers!

p.s. using  abbreviations like"WTF" is not nice thing to post...
anyway... recently here in the forum the "decision" was made that WTF stands for "Wondershare Time Freeze" virtualization Software  

[Tech]

Comodo's AV was created for a “convenience”/ “usability”,  as Melih said,  for  having a Suite
Whatever “usability” means... For me – it means nothing – use other AV that has much better detection rate & less FPs, or don't use any

Having decent  Behavioral Blocker is more efficient anyway

avast is going for that.
http://forum.avast.com/index.php?topic=64382.msg546016#msg546016