CVA missing updates/vulnerability Opera and Filezilla Server - PSI detects

[Ronny]

Scan results from 7 - march - 2009 PSI and CVA both updated.
Running on Vista SP1, Enterprise, x32.

[attachment deleted by admin]

[valldemossa]

CVA consistently appears to be well behind other sites. I tend to use filehippo to find and update to the latest level. Running CVA the next day usually reports to Comodo my new updates.

I would question the necessity for such software as a quick glance on the filehippo site tends to tell me everything I need. Far quicker than running the program and most software is there in one place.

CVA tends not to detect (or rather display update information) regarding the more obscure software anyway.

Questionable commitment to this project???
Another project left to flounder as it's no longer part of Comodo's bigger picture???

Dave

[Ronny]

I don't think so, having software up2date is one of the most important things to do besides not running all day in "administrator" mode, that will prevent over 90% of all infections anyway.

I think priorities are a bit low for this at the moment, but i don't think it will be out of the picture...

[Toxteth O'Grady]

Comodo should integrate a database that is generated by the users of CVA. That would make the program far more effective in detecting available updates: faster update info available and "knowledge of" many more obscure programs as well. The more users CVA has, the better the system works.

This could be done the way SUMo works; by reading the version info from files:
http://www.kcsoftwares.com/index.php?sumo

What could be more simple?

[Ronny]

There is an option to generate an "unknown application list" you can send to comodo.
It's build in CVA, Edit, Options, Generate unrecognized product reports.

[Toxteth O'Grady]

That's not what I meant. That way updating the database still has to be done by Comodo.

SUMo updates its database by using info provided by the users; each time the program is run, it checks file versions against the online database. If you happen to have a new version that is not yet in the database, the DB is updated based on the new file version you just "provided".

Ergo, the DB is always as up-to-date as the fastest user (hopefully this phrasing makes any sense  ). The system is brilliant in its simplicity and very effective. And, last but not least, it is maintenance free for every supported file (not all program files include version numbers). Comodo won't have to do anything any more for these files.

[Ronny]

Yes but that would also make it vulnerable to abuse i guess..... I don't mind if they review it first 
Having the latest version is only important if the previous was exploitable vulnerable if you want instant alerts.
And vulnerabilities have to be reviewed by experts anyway...

[slg123]

Yes but that would also make it vulnerable to abuse i guess..... I don't mind if they review it first 
Having the latest version is only important if the previous was exploitable vulnerable if you want instant alerts.
And vulnerabilities have to be reviewed by experts anyway...

Thats exactly the point. I believe that CVA covers softwares prioritized on vulnerabilities.
Its not an updater and I don't want it to be one.
In my opinion its a nice little piece of application.
Kudos to Comodo and CVA team.

[Toxteth O'Grady]

Yes but that would also make it vulnerable to abuse i guess..... I don't mind if they review it first 
Having the latest version is only important if the previous was exploitable vulnerable if you want instant alerts.
And vulnerabilities have to be reviewed by experts anyway...

You don't care about updating in case of bug fixes or new features? Only about fixing vulnerabilities?
And how do you mean, vulnerable? Would someone modify an exe file to mislead the system, because that's the only way it could be done.

So what? After the alert, you go to the website of the "updated" program and find there is no new version... What does the bad guy have to gain by going through this trouble? Nothing, so there is no risk.

Anyway, the current system depends on the work of people at Comodo. Which programs do they monitor, there is no list. You could be using, for example, an alternative pdf-reader or a media player (for streaming audio) that is not on their list. Who knows.

[Ronny]

You don't care about updating in case of bug fixes or new features? Only about fixing vulnerabilities?

Oh yes i do but i don't care if it takes a day or 2 before i get notified

And how do you mean, vulnerable? Would someone modify an exe file to mislead the system, because that's the only way it could be done.

So what? After the alert, you go to the website of the "updated" program and find there is no new version... What does the bad guy have to gain by going through this trouble? Nothing, so there is no risk.

Okay true checking the site official site will result in "oops there is no new version"

Anyway, the current system depends on the work of people at Comodo. Which programs do they monitor, there is no list. You could be using, for example, an alternative pdf-reader or a media player (for streaming audio) that is not on their list. Who knows.

I don't agree with this, if you upload your list of unrecognized programs found on your system they will become part of their monitoring system and become part of the update list. As for the applications i have they all get detected now, and not in the beginning of this project so i have to assume they put all those apps on the database...

[Toxteth O'Grady]

So, you DO want CVA to act as an updater, not just alert you about potential risks to some software.

Then what is there to gain by having someone at Comodo "analyse" the... whatever it is that is done? And, by the way, do they actually do that? Is every update to every program on the list actually "tested" or "examined"? Or do they simply keep track of available updates and report these?

I don't understand what needs to be analysed anyway.That would suggest some updates are deemed to be unimportant and therefore are not added to the CVA list of updates. What good would that do? An update is an update and it's always released for good reasons, be it new features, bug fixing, security risks, or whatever. I, for one, am perfectly capable of judging whether it is worth updating a program or not. I don't need someone working for Comodo to do that for me.

[Ronny]

That's the exact reason that they have 3 tabs
- Update available
- Vulnerable
- End of Life

As far as i know they put all software on the database that is submitted back to them so for updates there is nothing to analyze, but before a product get's marked as vulnerable there has to be some sort of verification.
That's what they have to do.