Comodo Cloud AV Test Results & Reviews

[qmarius]

[at]Jon79, It's not malicious. That's why.

[Jon79]

Does anyone know if there is a test of CCAV vs. wannacry ransomware? I have only found a test about cfw
https://malwaretips.com/threads/comodo-firewall-10-vs-wannacry-ransomware.71403/

[Yousername]

I could not find a test of CCAV vs. wannacry, but I don't see why it wouldn't be blocked.

[Jon79]

I could not find a test of CCAV vs. wannacry, but I don't see why it wouldn't be blocked.

I agree, but it would be nice to see more tests about CCAV

[Yousername]

I would be interesting to see if valkyrie could detect unknown ransomware. When browsing valkyrie I saw additional details which I didn't see before, particularly activity and screenshots (see attachments).

A lot of ransomware do indeed modify desktop background. Very excited to see the maturation of valkyrie.

[futuretech]

I would be interesting to see if valkyrie could detect unknown ransomware. When browsing valkyrie I saw additional details which I didn't see before, particularly activity and screenshots (see attachments).

A lot of ransomware do indeed modify desktop background. Very excited to see the maturation of valkyrie.

For now killchain is for any submission detected as malware.
https://forums.comodo.com/comodo-valkyrie-fls/new-kill-chain-report-section-rereedit-t119280.0.html;msg857660#msg857660

[Yousername]

Thanks for the clarification. I'm assuming this is to test it first and make revisions as necessary until they have the required infrastructure to analyze all unknown files, obviously that will take considerable resources.

[Melih]

Thanks for the clarification. I'm assuming this is to test it first and make revisions as necessary until they have the required infrastructure to analyze all unknown files, obviously that will take considerable resources.

All unknowns are analyzed...
Killchain is only applied to malware files...if after analysis we find that its malware, we create the killchain report of it.
This killchain report is unique and companies pay a lot of money to have this kind of intelligence....so enjoy it

[Yousername]

Ah, so I guess all unknown files are analyzed in the same manner, the killchain report is only generated after malware detection is added. Based on what futuretech said, I thought that the killchain was a different detection system applied only to already detected malware. In the past all unknowns were analyzed with CAMAS, so it makes sense that the same goes for Valkyrie. Therefore Valkyrie should have the ability to detect unknown ransomware and block it in CCAV, or at least eventually remove it (it is taking a while to detect the samples in my testing).

[qmarius]

[...]
...if after analysis we find that its malware, we create the killchain report of it.
[...]

human analysis? it's a bit unclear.

[Yousername]

 I'm almost entirely sure they are automated based on the reports I have seen, it's similar in function to hybrid-analysis at https://www.reverse.it/. COMODO probably also uses sandboxes within server farms to evaluate application behavior. I'm guessing that even before human verdict classifies the file as malware, they already have the killchain report for malware analysts to view once the automated analysis is done, which in turn facilitates the process of providing safe or malicious file verdicts. Hopefully COMODO will clarify this.

[Jon79]

https://avlab.pl/sites/default/files/68files/avlab_drive_by_download_test_en.pdf

On page 23 they wrote: "Software provider Comodo quickly implemented appropriate security rules for scripts and applications run by a PowerShell interpreter"

Any more info about this? Is it the new "block incoming/outgoing connections of sandboxed apps" feature?

[Melih]

human analysis? it's a bit unclear.

To analyze a malware is a mixture of automated systems and human analysis.
not every file can be analyzed by automated means. It will fail if you did that.
A percentage of the files must be analyzed by hand...human analysts digging into the code, analyzing it.

[Yousername]

Yes, in addition to automated analysis human analysis must be done for accurate detection. Automated systems usually blacklist malware if the file is malicious with a high level of certainty. For the rest which are not high certainty and for unknown files in general human analysts come into play. Human analysis alone is not feasible because they would have to analyze and blacklist 300,000+ malware files every day and provide verdict for safe files.

[at]Jon79 that is related to the embedded code detection for interpreters such as powershell, wscript, cscript, etc, for sandboxing of so called "fileless" malware.

[pio]

To analyze a malware is a mixture of automated systems and human analysis.
not every file can be analyzed by automated means. It will fail if you did that.
A percentage of the files must be analyzed by hand...human analysts digging into the code, analyzing it.