The Father of Computer Science wrote a paper called the "Halting Problem" in 1936 (here is an explanation of it:
https://enterprise.comodo.com/whitepaper/Impossibility_of_Virus_Detection_WP.pdf )
We had to take a totally different approach.... chasing our tail like everyone else looked very tiring, with no result!
So the AHA! moment was when we thought....what does malware need to cause damage?
Why not simply take the stuff that malware needs away from it!
Just like you don't give kids sharp knives, just in case....why are we giving malware a big sharp sword???
That's when we figured out what malware mainly needs to cause damage:
1- Write privilege to the hard disk
2- Write privilege to the Registry
3- Write privilege to the COM interface
Write privilege means the right/ability to write to the hard disk...why would you want a brand new untrusted app to start writing to your hard disk??? It could simply overwrite your own good files.....yep...Ransomware....
So when a new executable file comes in, if it has never been seen before by Comodo...we say "hey kiddo...here is a really good plastic knife"
Let's say a ransomware makes it to your computer because the user clicks anything shiny on the web...
This ransomware is now running in RAM....and says....I want to "READ" the hard disk....
Comodo says:...hmm.."READ" privilege..it's ok...go ahead and read it....
then
Ransomware says:...I want to "encrypt" this file that I just read...
Comodo says: hmm....just messing around inside RAM...no damage done...go ahead....
Ransomware says: Now I have an encrypted file...I want to delete your original file and overwrite it with just the encrypted one....
Comodo says:...say what?? you want to have "WRITE PRIVILEGE" to the hard disk...Don't think so....here is a "Virtual Write Privilege to a Fake Hard disk" .....
Ransomware says: oh thank you, let me write there....
All the while the ransomware is writing to a "fake hard disk", while the user's original files are untouched and safe on the real hard disk.
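As an added illustration (not Comodo's code; the real product does this at the kernel level), here is a toy Python model of the dialogue above: "never seen before" is modelled as an image-hash allowlist, reads pass through to the real files, and any write or delete from an unknown executable is redirected into a per-app shadow overlay (a "fake hard disk"). All names and the sample file are constructed for the example.

```python
import hashlib

def fingerprint(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()

class ContainmentFS:
    """Toy model of write redirection for unknown executables (constructed example): reads
    hit the real store; writes/deletes from an untrusted image go to a per-app shadow overlay."""
    def __init__(self, real_files: dict, trusted_hashes: set):
        self.real = real_files         # the user's actual files
        self.trusted = trusted_hashes  # SHA-256 of executables already known to be good
        self.shadow = {}               # app_id -> {"files": {}, "deleted": set()}

    def _overlay(self, app_id: str, app_image: bytes):  # overlay if contained, None if trusted
        if fingerprint(app_image) in self.trusted:
            return None
        return self.shadow.setdefault(app_id, {"files": {}, "deleted": set()})

    def read(self, app_id: str, app_image: bytes, path: str) -> bytes:
        ov = self._overlay(app_id, app_image)
        if ov is not None:                 # contained app sees its own changes first
            if path in ov["deleted"]:
                raise FileNotFoundError(path)
            if path in ov["files"]:
                return ov["files"][path]
        return self.real[path]             # "READ privilege... go ahead and read it"

    def write(self, app_id: str, app_image: bytes, path: str, data: bytes) -> None:
        ov = self._overlay(app_id, app_image)
        if ov is None:
            self.real[path] = data         # trusted app: real write
        else:                              # "virtual write privilege to a fake hard disk"
            ov["deleted"].discard(path)
            ov["files"][path] = data

    def delete(self, app_id: str, app_image: bytes, path: str) -> None:
        ov = self._overlay(app_id, app_image)
        if ov is None:
            del self.real[path]
        else:
            ov["files"].pop(path, None)
            ov["deleted"].add(path)        # tombstone lives only in the overlay

def run_encryptor(fs: ContainmentFS, app_id: str, image: bytes, path: str, key: int) -> bytes:
    """Replays the page's dialogue: read, 'encrypt' in RAM, delete original, overwrite."""
    plain = fs.read(app_id, image, path)
    cipher = bytes(b ^ key for b in plain)  # stand-in for real encryption
    fs.delete(app_id, image, path)
    fs.write(app_id, image, path, cipher)
    return cipher
```

After the unknown executable has "deleted and overwritten" the file, the real store is unchanged; only that app's own overlay holds the encrypted copy, and a trusted executable still writes to the real file.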
Here is a video of the explanation:
https://youtu.be/ScIyNihELko
Some might say, how about stealing information while still operating in RAM etc.... Comodo has policy settings where any unknown application running in RAM can be prevented from enumerating your hard disk and sending files to the internet...why would you want an unknown app to come and take stuff and send it someplace on the internet anyway!!!
Time to Re-Think Cyber Security.