If you have V3 why do you need an AV?

I can’t think of any more at this very moment, but I think #1 is reason enough for many, many people to need an AV… or will every unknown .exe on the internet show up in the TC database? That should depend on the people. But let’s say 36 people download something they think is a little handy application. They run it, but it turns out to be malware. Then TC would register all those 36 people’s attempts as “allow”, providing hazardous info for anyone who tries to run this malware .exe?

LA

You see LA, you are removing the running unknown files risk hence not needing AV. Thanks for that.

Melih

Excellent point! But we have solutions :slight_smile:

Melih

Melih, you are correct and it was my error for not adding that the same holds true regarding an AV, if it’s off I have CFP3. If both are off, well , I’m ■■■■■■■.

Perhaps it’s overkill to have both but, in my case, better safe than sorry.

I would tend to agree with you that if only whitelisted items are run on a given computer and those programs never change, then an AV may not be necessary. However, whitelisted programs do connect to the internet and they are therefore, to some degree, open to change by updates or file sharing, as in instant messaging programs.

What if one of the whitelisted programs were changed? I just recently updated Opera; it was on the whitelist and CFP3 was silent about the update, with the exception of the newly updated files in the pending list. This leads me to believe that if malware were to alter a program on the whitelist, CFP3 will pass it through without question. I may be way off base here; remember my tendency to be an idiot from time to time.

s.

Then it comes down to a discussion often forgotten (if you ask me) in general security discussions: people’s behavior and computer education! Many are interested and willing to learn (like most of the forum visitors, I’d say), but even more people don’t care. They don’t know anything of security, or carefulness… I believe it’s impossible for those to make it without an AV. Eventually they will get infected despite the power of CFP 3. :frowning:

The secrets of TC I suppose. :slight_smile:
I’m sure we’ll know what you mean, in early February.

LA

Scenarios so far

  1. want to run an app not in the safelist (running an unknown application)
  2. safelist could be corrupt
  3. you allow others to control your V3

These are the scenarios so far where one could argue having an AV would be useful. So far the main scenario is the 1st one, running an unknown application. Having an AV gives the comfort factor of knowing (sometimes, as according to studies around 50% of the new malware goes undetected, but then again one could argue, hey, 50% is better than nothing) that an unknown application is malware.

But then we have the kind of people who don’t install apps all the time, and LA gave an example of not running AV because unless he is confident about a file he doesn’t run it, so he doesn’t see the need to run AV.

So far, it seems as if the protection you should deploy is dependent on what you do (which makes sense really). If you don’t keep downloading unknown apps in general, then the argument for having an AV is not as strong.

So, pls keep this discussion going with your suggestions… it’s turning out to be a very valuable discussion that will help us identify what we need and when.

thank you

Melih

you keep coming up with brilliant points!!! :slight_smile: thank you!

If I may, I would like to propose 2 suggestions building on yours.

A) Because we trust the publisher and allow an already whitelisted application to update, what if the intention of the publisher changes and now they turn their whitelisted application into malware.
B) possibility of malware injection into an already whitelisted application

I will add these to the list. (However B: we protect against any file modifications by 3rd parties.) But for A, there is a theoretical possibility; then again, the issue is who will notice and catch it faster, Comodo’s team or others. If it’s Comodo’s team then it will be removed from the whitelist immediately and put into the blacklist, but nevertheless, as you rightly pointed out, the theoretical threat is there.
Melih

Scenarios so far

  1. want to run an app not in the safelist (running an unknown application)
  2. safelist could be corrupt
  3. you allow others to control your V3
  4. Because we trust the publisher and allow an already whitelisted application to update, what if the intention of the publisher changes and now they turn their whitelisted application into malware

keep them coming pls everyone…

thank you

Melih

Okay, here’s another scenario:
http://www.cs.washington.edu/research/security/web-tripwire.html

Bugs and Vulnerabilities We found that many in-flight changes inadvertently broke web pages. For example, both CA Personal Firewall and some ISP-based changes caused a JavaScript stack overflow error when the scripts they inserted interfered with the code on our page. CA Personal Firewall also interfered with many web forums, including MySpace. MySpace users would post blog entries and comments, and they would find popup blocking code (i.e., "_popupControl()") inadvertently injected into their post.

Worse than this, we found several types of page changes that caused our page to become vulnerable to a cross site scripting (XSS) attack. Products such as Ad Muncher and the Sidki and Grypen filter sets for Proxomitron introduced code that was vulnerable to attack. These vulnerabilities were significant because they affected most or all of the web pages that a user visited. In the case of Proxomitron (but not Ad Muncher), the vulnerabilities could affect HTTPS traffic as well. This type of problem is analogous to a root exploit for an operating system, because it can potentially affect all pages that a user visits.

In these cases, an attacker could convince a user to follow a link that injected script code into almost any web page. This script code could steal a user’s session cookie (e.g., on Facebook), modify login forms to steal passwords (e.g., on many banks), or manipulate the contents of any page (e.g., search results on Google).

We have reported the vulnerabilities we found, and the developers have released versions that fix the vulnerabilities as of Fall 2007. If you are using older versions of the products above, be sure to update as soon as possible.

Overall, these problems indicate that web page rewriting software can have dangerous consequences if it is not carefully analyzed. Users should understand these consequences when using web proxies.

I use Proxomitron with sidki’s filter set and was very surprised to find it was vulnerable to anything! If I surf without Prox, Avira will alert me to viruses if I am visiting risky sites. :-[
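The web tripwire research quoted above detects in-flight page modification by comparing what the browser received against what the server sent, and reports the difference. The following is an added example, not code from the research project or from anyone in this thread: it models that comparison offline with two constructed copies of a page, one as served and one as received after an intermediary (proxy, filter set, or security product) inserted a script block, and it reports the inserted lines so a defender can see what was injected. The page content, the `_popupControl` function name reused from the quote, and the `detect_modification` helper are all constructed for this example.

```python
import difflib
import hashlib

# Constructed page exactly as the web server sent it.
SERVED_HTML = """<html>
<head><title>Forum post</title></head>
<body>
<p>Hello from the server.</p>
</body>
</html>"""

# Constructed copy as the browser received it: an intermediary has inserted
# a script block into <head> (the same kind of change the study describes).
RECEIVED_HTML = """<html>
<head><title>Forum post</title>
<script>function _popupControl(){}</script></head>
<body>
<p>Hello from the server.</p>
</body>
</html>"""


def page_digest(html: str) -> str:
    """SHA-256 of the page bytes; the server can publish this as the expected value."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def detect_modification(served_html: str, received_html: str) -> dict:
    """Compare the received copy with the served copy.

    Returns a dict with:
      modified        - True if the received bytes differ from the served bytes
      inserted        - lines present only in the received copy
      removed         - lines present only in the served copy
      script_inserted - True if any inserted line carries a <script> tag,
                        which is the case the study flags as dangerous
    """
    if page_digest(received_html) == page_digest(served_html):
        return {"modified": False, "inserted": [], "removed": [], "script_inserted": False}

    # ndiff marks received-only lines with "+ " and served-only lines with "- ".
    diff = difflib.ndiff(served_html.splitlines(), received_html.splitlines())
    inserted = [line[2:] for line in diff if line.startswith("+ ")]
    diff = difflib.ndiff(served_html.splitlines(), received_html.splitlines())
    removed = [line[2:] for line in diff if line.startswith("- ")]

    script_inserted = any("<script" in line.lower() for line in inserted)
    return {
        "modified": True,
        "inserted": inserted,
        "removed": removed,
        "script_inserted": script_inserted,
    }


if __name__ == "__main__":
    report = detect_modification(SERVED_HTML, RECEIVED_HTML)
    print("modified:", report["modified"])
    for line in report["inserted"]:
        print("  inserted:", line)
    print("script inserted:", report["script_inserted"])
```

The real tripwire runs in the browser as JavaScript and posts its findings back to the site; the same comparison is shown here server-side so it can run without a browser. A hash mismatch alone only tells you the page changed; the line diff is what lets you tell a harmless whitespace tweak from an inserted script, which is why the study reported the actual changes rather than just a changed flag.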

All these attacks would be caught on your desktop because no new executable could execute and no protected file could be modified without you knowing about it.

Melih

One of the main problems the security industry needs to deal with is the lack of vigilance, lack of understanding, and often lack of interest of the consumer. One of our largest classes of CFP complaints is all the popups CFP gives out and the files to review. Firewalls are particularly mysterious because they deal with protocols and connections, not data. So a popup that says “xxx is accessing the internet” doesn’t cause much alarm; there are constantly things in the background doing updates, phoning home, … so the user pretty often just does whatever is necessary to stop the popups. If the user has a good antivirus, at least he gets a big red honking popup that says “this is a virus, dummy; don’t run it”, sometimes with flashing and sound. There are a few proxy-related firewall issues discussed in some of the threads that cause some concern, but again, protecting the software baseline is the issue. And I think the “unknown to Comodo” files will continue to be a driver for adding an antivirus with a constant signature upgrade infrastructure. Unfortunately, as others have mentioned, even files considered safe may do bad things for a while. Do all the nice programs offering to give you nice adware toolbars and other nice add-ons if you are not careful numb the user to real security issues in their downloads? ??? Knowledgeable, disciplined users with a fixed software baseline can probably do pretty well without an AV, but what about the rest of us? :wink: I have actually found some interesting problems by noticing the Avast! icon spinning when it shouldn’t be, so I’m not willing to give it up.

Are you saying we can get rid of things like NoScript and Proxomitron as long as we have CPF? ???

Pretty much. But it is my understanding that those products do an analysis at a higher level than where the CPF operates. Either way, I can’t see a website injecting a new executable into your machine to cause any harm as long as you have CPF.

You see, CPF takes over all Execution points of the CPU. So no application/program could execute without us knowing about it.

Melih

Does this include cross-site scripting which takes you to a fake login page to steal usernames and passwords? :THNK

This is not about introducing malware to your machine as such.
The above is a social engineering attack, where it convinces the user to go to a site, making them think that it’s a legitimate site, and asks the user to enter their confidential information. This is a phishing attack and a different kind of product is required to protect you. XSS is not the only way to mount a phishing attack; if I remember correctly there was a phishing attack using Google AdWords to drive users to their fraud site.

thanks
Melih

I have this scenario (it actually happened):

My dad wanted me to download pictures from his digital camera and have them recorded onto a CD. When I inserted the SD card into my PC (via a USB card reader), Avast popped up with a warning of a virus/trojan detected, with some kind of VBS script on the memory stick, and prompted for action. Now, at that point in time my alertness wasn’t quite there, as I was caught by surprise: what? A virus/trojan from a digital camera?? You’ve gotta be kidding me! So I just told Avast to ignore it, thinking that it may be some driver or setting that was required to read the memory stick. And before I could take a second breath, voila!! The trojan was all over my 6 HDD partitions!!! Only later did CFP3 pop up and warn of a program trying to phone home! The point here (I feel) is, FW and D+ are doing their job fine but they can’t (which is not their job to) stop a virus/trojan from landing in your PC. So a good AV with a high detection rate is still very much needed. (:KWL)

*/ I was low on my alertness then simply because it just didn’t occur to me that dad did send his digital camera to a photo developing shop to print pictures and his memory stick must have been infected by that shop’s PC. (:NRD)

Very valuable feedback Foxman… thanks…

Scripts indeed…

Scenarios so far

  1. want to run an app not in the safelist (running an unknown application)
  2. Malicious Scripts
  3. safelist could be corrupt
  4. you allow others to control your V3
  5. Because we trust the publisher and allow an already whitelisted application to update, what if the intention of the publisher changes and now they turn their whitelisted application into malware

keep them coming pls everyone…

thank you

Melih
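The scenario list above, together with the earlier A/B suggestions (a trusted publisher turning its update into malware, versus a third party modifying an already whitelisted file) and Foxman’s VBS-on-a-memory-card story, all come down to what an execution-control safelist does and does not examine. The following is an added example, not Comodo code or anything posted in this thread: it models a safelist keyed by file hash plus publisher trust, and walks through the four cases the thread raises. Code signing is stood in for by HMAC with a constructed key so the example runs offline with the standard library; the publisher name, file bytes, paths and the `decide` helper are all constructed for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed stand-in for a trusted publisher's code-signing key. Real code
# signing uses X.509 certificates; HMAC is used here only to keep it runnable.
PUBLISHER_KEYS = {"Example Publisher (hypothetical)": b"constructed-publisher-key"}

# Script hosts: whitelisting these allows whatever script they are handed.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


@dataclass
class Executable:
    path: str
    content: bytes
    publisher: Optional[str] = None
    signature: Optional[bytes] = None  # HMAC over content when signed


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign(content: bytes, publisher: str) -> bytes:
    return hmac.new(PUBLISHER_KEYS[publisher], content, "sha256").digest()


def signature_valid(exe: Executable) -> bool:
    if exe.publisher not in PUBLISHER_KEYS or exe.signature is None:
        return False
    expected = hmac.new(PUBLISHER_KEYS[exe.publisher], exe.content, "sha256").digest()
    return hmac.compare_digest(expected, exe.signature)


def decide(exe: Executable, safelist: Dict[str, str],
           script_arg: Optional[str] = None) -> Tuple[str, str]:
    """Return (verdict, reason) for an execution request.

    safelist maps a file path to the SHA-256 it had when it was approved.
    Verdicts: "allow", or "prompt" (unknown to the safelist, ask the user).
    """
    digest = sha256(exe.content)
    if exe.path in safelist and safelist[exe.path] == digest:
        verdict, reason = "allow", "hash matches safelist entry"
    elif exe.path in safelist:
        # Scenario B: a safelisted file was modified in place by a third party.
        verdict, reason = "prompt", "safelisted file modified, hash no longer matches"
    elif signature_valid(exe):
        # Scenario A/5: trusted publisher update is accepted on trust alone,
        # so a malicious update from that publisher would pass too.
        verdict, reason = "allow", "valid signature from trusted publisher"
    else:
        verdict, reason = "prompt", "unknown executable"

    if verdict == "allow" and exe.path in SCRIPT_HOSTS and script_arg:
        # Scenario 2: only the host binary was checked; the script is data.
        reason += f"; script argument {script_arg} was not examined"
    return verdict, reason


def run_scenarios() -> Dict[str, Tuple[str, str]]:
    """Walk through the thread's scenarios with constructed files."""
    original = b"MZ...constructed-app-v1"
    safelist = {"app.exe": sha256(original)}
    results = {}

    # 1. Running an unknown application: not on the safelist, unsigned.
    results["unknown_app"] = decide(Executable("handy_tool.exe", b"MZ...unknown"), safelist)

    # B. Third party modifies the safelisted binary in place.
    results["tampered_binary"] = decide(Executable("app.exe", original + b"\x90\x90"), safelist)

    # A/5. Publisher ships a signed update: accepted purely on publisher trust.
    new_bytes = b"MZ...constructed-app-v2"
    pub = "Example Publisher (hypothetical)"
    results["signed_update"] = decide(Executable("app_v2.exe", new_bytes, pub, sign(new_bytes, pub)), safelist)

    # A forged signature (wrong key material) is rejected.
    results["forged_signature"] = decide(Executable("app_v2.exe", new_bytes, pub, b"\x00" * 32), safelist)

    # 2. The script host is safelisted; the script from removable media is never hashed.
    host_bytes = b"MZ...constructed-wscript"
    safelist["wscript.exe"] = sha256(host_bytes)
    results["script_via_host"] = decide(Executable("wscript.exe", host_bytes), safelist,
                                        script_arg="E:\\constructed_autorun.vbs")
    return results


if __name__ == "__main__":
    for name, (verdict, reason) in run_scenarios().items():
        print(f"{name:18} {verdict:6} {reason}")
```

Two of the cases are worth reading side by side: the tampered binary is caught because its hash no longer matches the safelist entry, while the signed update and the script run through a safelisted host are both allowed without the new content ever being inspected. That gap is exactly why "malicious scripts" and "publisher intention changes" sit on the list as cases where a content scanner adds something a safelist cannot.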

Could CFP crash without the user noticing, after which he/she runs a malware-infected file without knowing that CFP isn’t there any more? Analogous to having seat belts as the only safety equipment in your car, but they stop working? - The vulnerability of only having one layer of security, independent of the layer’s strength.

LA

Scenarios so far

  1. want to run an app not in the safelist (running an unknown application)
  2. Malicious Scripts
  3. safelist could be corrupt
  4. you allow others to control your V3
  5. Because we trust the publisher and allow an already whitelisted application to update, what if the intention of the publisher changes and now they turn their whitelisted application into malware
  6. CFP stops functioning without the user noticing.

keep them coming pls everyone…

thank you

Melih

I get that CFP is not intended for stopping phishing attacks, but is a traditional AV intended to block that?

Have I got this right: Defense+ would stop everything that tries to “sneak out” of the browser, but not stuff that goes on within the browser? (disabling scripts or using NoScript is the only way?)

LA