If you have V3 why do you need an AV?

Well as Josh said, Prevention, Detection, Cure.

If a hacker discovers a vulnerability or a way to fool the firewall (no software is completely invulnerable) the antivirus must be present to detect a virus that the hacker may upload to the computer.

Hackers are always developing new techniques that we do not know of, and as they develop new ways to compromise a computer system, the antivirus software is simply there as a backup.

This isn’t exactly a scenario but it is a general idea.

OK, let me play devil’s advocate to the scenarios so far :slight_smile:

Stanr’s post:
Well, what you are saying is the user might switch off our product and not the AV, hence should have an AV. Even though it’s a fair point, that user might also forget to turn on the AV.

Ganda’s point:
No matter how an executable comes to your PC, it can’t cause harm without V3 being aware and giving you the option. Nothing happens without V3’s consent! I think what you are saying is: you want to execute an unknown application no matter what, and you think an AV might provide some information about it. Which is the scenario I outlined above.
But then again you make a statement saying you still execute and rely on Defense+ for alerting you. If that is the case, why do you need an AV? Just rely on Defense+.

Justin’s post:
We are looking for scenarios where you would need an AV on top of V3. We are trying to identify when and under which scenario one would need an additional AV on top of the V3 we have…

FYI: The argument is that if you have V3 and do not execute anything not in the whitelist, you don’t need an AV. (There are many people who don’t install 100s of applications a day and only stick to popular programs which are already in our safelist; for those people, running V3 on its own without an AV is sufficient IMO.)

Another possible scenario one could argue is: somehow hackers find a weakness in V3 and write malware to exploit it.

Again this is a fair assumption; however, this assumes that
1) A weakness in our own product will be observed by a 3rd-party AV company before we do
2) A 3rd-party AV company will do a fix by creating the sig, and we won’t (actually Comodo will do both: create the sig for the inbuilt scanner in V3 (out shortly :slight_smile: ) as well as fix the weakness).

Let’s keep discussing this, please… very useful points of view emanating from this.
thanks
Melih

Melih,
Please check this news article:

Is this the sort of scenario you are looking for?

Interesting read. However, the scenario here is the person has physical access to the target machine,
so they can pretty much do anything they like. They were using legitimate programs, which wouldn’t be raised as suspicious by AVs anyway…

Good scenario, Darth Trader: Insider Attacks.
However, an AV doesn’t add any more in this scenario.

thanks
Melih

Okay, here is another scenario. You install a game from Mattel for your children. Unbeknownst to you, the game comes bundled with a badware thingy called DSSAgent, which slows down your computer. This happened to a friend of mine! :slight_smile:

Maybe this can be possible scenario:

Will it have “disable permanently” option for those who use other AV scanners?

Another scenario.

  • I have got my PC. I run safe and trusted programs, but my sister comes home when I am working; then she starts my PC, surfs, downloads and installs some programs. She doesn’t know if it is safe or not. She doesn’t understand FWs and allows all; then, if the file she downloaded and ran has got a virus, my AV must detect it. It is a real scenario. I don’t create an account for her because she is on my PC 2 or 3 times a month.
  • My friend gave me a program. He says it is trusted and safe, then I install or open the file, I allow and it crashes, but my AV is here and tells me there is a virus.

I’m sorry Melih, but prevention isn’t the only way. On a home PC, when we run a lot of programs and files from anywhere, we need prevention, but also detection and cure.

Here is a scenario which happened to me not more than 1 hour ago.
I went to download a product (SuperScan), so I switched to installation mode while downloading.
When the product was downloaded, my AV guard flagged it up as possible malware, which then gave me the option to allow/quarantine or delete. This made me think: although I knew this was from an OK source, I still had the layered protection which alerted me to a possible bad egg?
We are, after all, only human, and if we try to download something we think is from a legit source but may not be, we still have a backup which may alert us to a malware program.

Nice 1 Matty

I’m tired so I haven’t read all posts, but here’s “my” scenario:

I’m looking for a freeware program to convert media files. I find one on a site that distributes many freeware/shareware programs, and download it.

I run the file, with CFP in installation mode or with D+ disabled. All of a sudden, strange things happen to my system, and I find some unknown process running. I look it up on the net, and on PrevX’s website I see that this is MALWARE! And I did allow it because I thought it was a freeware media program installer. Instead of taking any risks I reinstall Windows.

This scenario is not only hypothetical, because it DID happen to me half a year ago, except that I had CFP 2.4 at that time. I actually don’t remember if I had any AV. If I had, I believe it was avast, and if so avast missed it.

Today I run without an AV, I only have CFP 3, but this is ONLY because I ONLY download files that I’m at least 99% certain are safe, and I surf with NoScript so nothing can get into my system via the browser (Firefox). I’m OK with taking the risk that even files from FileHippo (which is more or less the only site I download from except for authors’ own sites) are infected, because I think the risk is minimal.

LA

excellent point (once again :slight_smile: ).

So this again comes down to this application being in our whitelist or not. If this was in our whitelist, then our processes (in theory) should catch that it has malware in it before we put it in our whitelist. But you raise an important point: our safelist could be corrupt.

So far the issues raised are:

  1. want to run an app not in the safelist
  2. safelist could be corrupt

keep’em coming.

thanks

Hi Rafel

This discussion is not to prove a point but to invite discussion and exploration of scenarios as to when we would need an AV on top of V3. This discussion, hopefully, will help us visualise the scenarios where CAV3 and CFPv3 will work together in harmony. Coming to your points:

Your point 1: Giving control to others: with V3 you can lock it so that other people can’t answer alerts and cause issues. After all, if they don’t know, they can be dangerous, and why are you making the assumption that the malware your sister will install will be recognised by AV products?

Your point 2: Again the issue of running apps not in the safelist.

So I would say you have a good point about allowing/disallowing control to the protection software as a scenario.

thanks
Melih

Hi Riggers,
thanks for that.
This falls into the Executing Unknown Application scenario.

thanks
Melih

I can’t think of any more in this very moment, but I think #1 is a reason enough for many, many people to need an AV… or will every unknown .exe on the internet show up in the TC database? That should depend on the people. But let’s say, 36 people download something they think is a little handy application. They run it, but it turns out to be malware. Then TC should register all those 36 people’s attempts as “allow”, providing hazardous info for anyone who tries to run this malware .exe?

LA

You see LA, you are removing the running unknown files risk hence not needing AV. Thanks for that.

Melih

Excellent point! But we have solutions :slight_smile:

Melih

Melih, you are correct and it was my error for not adding that the same holds true regarding an AV, if it’s off I have CFP3. If both are off, well , I’m ■■■■■■■.

Perhaps it’s overkill to have both but, in my case, better safe than sorry.

I would tend to agree with you that if only whitelisted items are run on a given computer and those programs never change, then an AV may not be necessary. However, whitelisted programs do connect to the internet and they are therefore, to some degree, open to change by updates or file sharing, as in instant messaging programs.

What if one of the whitelisted programs were changed? I just recently updated Opera; it was on the whitelist and CFP3 was silent about the update, with the exception of the newly updated files in the pending list. This leads me to believe that if malware were to alter a program on the whitelist, CFP3 will pass it through without question. I may be way off base here; remember my tendency to be an idiot from time to time.

s.

Then it comes down to a discussion often forgotten (if you ask me) in general security discussions: people’s behavior and computer education! Many are interested and willing to learn (like most of the forum visitors, I’d say), but even more people don’t care. They don’t know anything of security, or carefulness… I believe it’s impossible for those to make it without an AV. Eventually they will get infected despite the power of CFP 3. :frowning:

The secrets of TC I suppose. :slight_smile:
I’m sure we’ll know what you mean, in early February.

LA

Scenarios so far

  1. want to run an app not in the safelist (running an unknown application)
  2. safelist could be corrupt
  3. you allow others to control your V3

These are the scenarios so far where one could argue having an AV would be useful. So far the main scenario is the 1st one: running an unknown application. Having an AV gives the comfort factor of knowing (sometimes; according to studies, around 50% of new malware goes undetected, but then again one could argue, hey, 50% is better than nothing) that an unknown application is malware.

But then we have the kind of people who don’t install apps all the time, and LA gave an example of not running an AV because, unless he is confident about a file, he doesn’t run it, so he doesn’t see the need to run an AV.

So far, it seems as if the protection you should deploy is dependent on what you do (which makes sense really). If you don’t keep downloading unknown apps in general, then the argument about having an AV is not as strong.

So, please keep this discussion going with your suggestions… it’s turning out to be a very valuable discussion that will help us identify what we need and when.

thank you

Melih

you keep coming up with brilliant points!!! :slight_smile: thank you!

If I may, I would like to propose 2 suggestions building on yours.

A) Because we trust the publisher and allow an already whitelisted application to update, what if the intention of the publisher changes and now they turn their whitelisted application into malware?
B) Possibility of malware injection into an already whitelisted application.

I will add these to the list. (However, for B: we protect against any file modifications by 3rd parties.) For A, there is a theoretical possibility, but then again the issue is who will notice and catch it faster, Comodo’s team or others; if it’s Comodo’s team, then it will be removed from the whitelist immediately and put into the blacklist. Nevertheless, as you rightly pointed out, the theoretical threat is there.
Melih

Scenarios so far

  1. want to run an app not in the safelist (running an unknown application)
  2. safelist could be corrupt
  3. you allow others to control your V3
  4. Because we trust the publisher and allow an already whitelisted application to update, what if the intention of the publisher changes and now they turn their whitelisted application into malware

Keep them coming please, everyone…

thank you

Melih