The Good, The Bad and The UGLY (ugly because its unknown!!)

[Chiron]

I think the difficulty here is letting the user know in an alert whether it is likely malware or likely safe.

The problem is that (other than Defense+ malware heuristics) I don't know how this can be accomplished. Perhaps the Behavioral Blocker will fill this role, but at this point I'm not sure.

[languy99]

did the kaspersky he used had an outbound firewall?
what other alerts does he get? (are they sandbox information alerts or others?)

thanks
Melih

yes it had an outbound firewall, but it never asked a question. Also when he used utorrent it worked automatically I had to create a rule for it to work on CIS.

He told me that he is getting lots of firewall inbound alerts. He said that he is getting an inbound firewall alert about a computer wanting to connect to his computer even though he is the only one on the network. He told me he will send some screen shots to me. No sandbox alerts.

[Tech]

How is that different when I receive a malware warning from a legacy AV, when, as you said:
It is exactly the same scenerio.....

You're right. Both could have automatic actions set, the antimalware to send to Quarantine and Defense+ to Sandbox.
It'll be a matter of trust. I need to trust in Comodo AV or, saying better, I wish Comodo has a better AV and my antivirus to have, at least, a decent HIPS.

So as far as comodo's usability is concerned.

Manage the popups is a must have.

I think the difficulty here is letting the user know in an alert whether it is likely malware or likely safe.

Exactly. For me, if we can trust in the judgment of a better antivirus, with trustable detection rates, well, we could have a previous judgment of the nature of the file.

[Chiron]

Exactly. For me, if we can trust in the judgment of a better antivirus, with trustable detection rates, well, we could have a previous judgment of the nature of the file.

So maybe if the Defense+ alerts had an option to also see what other AV's think of this file.

It would be very nice if you could get a verdict like you get from virustotal. Perhaps an option to automatically send the file to virustotal (or a similar site) to be checked.

Thus the advanced user understands what the file is doing, but the ordinary user can merely rely on whether any other AV detects it before allowing. The user would still be protected from zero-day malware (although they still may allow it), but for malware that is already known they will be protected because they can check the results and then make their choice.

I hope I have been clear. I think this may be a good balance between Default Deny and the traditional AV protection. What do you think?

[Tech]

So maybe if the Defense+ alerts had an option to also see what other AV's think of this file.

Well... it will be a link to www.virustotal.com, but, in my opinion, this won't make it better. The user won't check each file (.exe), or library (.dll), or installer (.msi)... A better and fast response from the product is needed.

Thus the advanced user understands what the file is doing, but the ordinary user can merely rely on whether any other AV detects it before allowing. The user would still be protected from zero-day malware (although they still may allow it), but for malware that is already known they will be protected because they can check the results and then make their choice.

A better CAV will make a good approach, don't you think?

I hope I have been clear. I think this may be a good balance between Default Deny and the traditional AV protection. What do you think?

Any approach is making it better and more secure.
But you can't lose performance or making the user lose that much time, or difficult tasks to be done... But I agree with you, we could have a better approach...

[Chiron]

A better CAV will make a good approach, don't you think?

No, one lab is not as good as being able to compare the results of several. The detection rate is much higher and the ability to diagnose a false positive is much improved if you use several different labs.

Maybe Comodo could do something like run the file past Comodo, Avira, Kaspersky, Avast, Microsoft, ... (or any combination). Maybe 5 or so AV's. Also, pass on any suspicious files to these companies for analysis. In this way the users of Defense+ get the ability to better investigate a file while doing less work and the AV companies will have improved detection rates. Essentially the Comodo community becomes a honeypot for the AV's and everyone benefits.

By the way, I'm envisioning this as another tab in Defense+ that gives the results of this analysis. Maybe something like the way Hitman Pro works.

Do you think that giving the user this type of information would make it much more likely for them to distinguish between the good files and bad files when making a decision? I think this would go a long way.

Tell me if you don't think it's possible or there's a flaw in my logic.

[Tech]

Tell me if you don't think it's possible or there's a flaw in my logic.

I submit myself all "unknown" files I use/install to Virus Total.
I would be glad if it could be done by the interface directly.
But you will have to convince the company (and the antivirus companies) to work like that.
The honeypot is giving the community... the antivirus, the work for detection.
I think the paid antivirus won't like the solution

[Tech]

It is exactly the same scenerio.

A common complain of antivirus is the lack of detection.
Another one is the speed of updates and the improvement of the database.

What can we say of Comodo speed?

1. Correction of false positives: https://forums.comodo.com/beta-corner-ccs/how-to-easy-report-ccs-false-positives-t58390.0.html;msg408997#msg408997
2. Update the database: https://forums.comodo.com/news-announcements-feedback-cis/cis-and-avcomparativesorg-t58274.0.html;msg410243#msg410243

Room for improvement?

[Melih]

Room for improvement?

Does perfection exist?

If not...there is always room for improvement

melih

[Tech]

Ok, but there is improvement from 9.5 to 10 and from 1.0 to 9.5...
The response time is much away from a tolerate margin to the user and to the company image.