3.8 such a disaster that I may be forced to abandon CIS [CLOSED]

Thought about doing that, but also getting too many false positives that aren’t heuristic. >:(

The latest is an Internet Explorer cache problem that can’t be fixed by ordinary users because it takes manual configuration of a blanket exclusion rule that they have no idea how to do. :stuck_out_tongue:

John

Oh I thought that was a heuristics problem…

Well, we’ll just have to wait for a solution I guess, I don’t like the situation like this either…

Xan

I’m not going to be able to wait very long – I’m getting too much grief from clients and friends.

John

I would say, for now, disable the heuristics. And resend the FP over e-mail…

Xan

Thanks for the suggestion, but dealing with all the False Positives has been and continues to be way too much grief (including the hassles of documenting and emailing them), and disabling heuristics doesn’t solve the problem while reducing security. (Did you miss what I wrote about the Internet Explorer cache problem?!) I’m dead serious when I say 3.8 is such a disaster that I may be forced to dump CIS.

John >:(

Comodo is trying to fix all FPs in 2 days from reporting from now on.
Sad to hear you and your clients are having troubles. =/ I see you have done some major FPs reporting. But simply reporting all of them will make sure it gets fixed! :o Just posting in the forum and attaching the file should do it! (if you mention “file attached”).

Well, it seems they don’t make it… It has been reported several times before

27th February

27th February

etc

Xan

kk. :-\ :-
That’s no good ='(

That’s nice, but isn’t always happening, and does not solve the problem even when it does.
My clients and friends are sick and tired of all the False Positives. Me too.

You’re apparently making an assumption that I don’t think is valid, that there’s just a finite and relatively small number of False Positives to work through.

  • I think the anti-virus component got fundamentally broken.
  • It’s alarming to me as well as my clients and friends that COMODO would release something so flawed.
  • What happened is exactly the opposite of the objective of reducing unnecessary alerts.
  • I have no confidence it won’t happen again.
  • My professional experience is that you can’t test quality into a product. Bug fixing after the fact is an endless loop.

John >:(
p.s. If I sound ■■■■■■, it’s because I am.

FP have to be fixed, because not everyone knows how to analyze suspicious files, even using virustotal or camas. Is there any other way to fix FP by devs, or we just have to send samples first? I scanned my pc 2 days ago with heuristics set to High and I didn’t get any FP, but different people have installed different software that can cause false alarms. Comodo is building database very fast so FP are inevitable…for now.

[To: JNavas, a great guy ;)]
You are correct, there is almost an endless number of files online, and no finite number. :-\

What I meant was that there would still be problems for people, but sending them could solve your and your clients’ problems hopefully. But you are correct if you mean that new FPs might arise and it’s not a very good solution.

COMODO has to do it possible some other way I guess…

:-\ :-\

You seem to be making assumptions that I don’t think are valid, that False Positives can be eliminated with a better database. The problem isn’t the database, it’s an anti-virus system that isn’t smart enough to distinguish “new” malware from “new” safe software. That can only be fixed by making the anti-virus smarter, not by the never-ending and impossible task of trying to classify all of an endless stream of “new” software.

The database approach to anti-virus doesn’t work. It can’t be done fast enough. Bad guys will always have the upper hand.

John

Yep, you’re right, AV engine has to be improved…

Yes, unfortunately each DB update seems to bring a slew of more FP’s. Scan one day and all is well, then tomorrow’s update brings more headaches. Or, FP’s you’ve reported aren’t fixed or turn up again with another name…

I personally haven’t been seeing huge numbers of false positives, but definitely more than any other AV I’ve used. But I understand that CAV is still young.

I don’t know if I’d be professionally recommending something so young, but that’s just me I guess…

Lol @ AV engine needs to be fixed, it was Melih himself that did not like the AV engine in CAVS beta, so this new one was built in its place. I think he should have kept the old one, at least there were no FP’s. Yep I am suffering from FP’s as well. I think their so-called whitelist needs to have more programs added to it.

That same Melih also said he would need 12 Months to create a good AV… those 12 months are not over yet.

Signature false positives are nothing and are actually not that problematic.
Like I haven’t been like saying even before 3.8 entered the final phase. Packer detection is just not for home environment. Unless you want to annoy users with trillions of false positives. Packer detection should be optional and completely separate option from heuristics. And heuristics option shouldn’t even be there until they add CIMA heuristics in it. Just don’t say I haven’t warned you ppl. But hey, you all live in a wonderland where Comodo is the best there is. Someone here needs a reality check, seriously…

It’s not like I made this up. I’ve seen many antiviruses with packer detection approach and they all failed miserably.
QuickHeal, Fortinet, SOPHOS, Panda in some cases… But I forgive Fortinet and SOPHOS because they are meant for corporate environments where packers aren’t the problem on gateways and servers.
But for home usage, packers are a complete no go. And even if you do packer detection, it shouldn’t be just a raw packer detection but some form of more sophisticated packer detection that can also compare other characteristics and warn user when all meet characteristics usually found in malware (exotic packer, small file size, suspicious file extensions, double extensions, whitespaces etc). And even at that point I’d want this darn thing to be optional. AVIRA has this done nicely. Heuristics on its own, packer (PCK) detection as separate, selectable feature that is disabled by default. This is the right way.
But if you want to flood yourself with meaningless false positives and annoy users, then packer detection should be like it currently is in CIS.

Point taken, and I may well have made a mistake, although I don’t know that it’s a matter of age. My initial assessment was based on the mature and solid Firewall component, the impressive and valuable HIPS component (Defense+), and good A-V results with the prior release. 3.8 is unexpectedly worse. I’ve seen similar problems with much more mature products. That 3.8 got out the door as a regular release raises concerns about quality at COMODO.

John

Unfortunately, whitelisting won’t really solve the False Positive problem, because it’s essentially infinite – there will always be a stream of new things that can only be whitelisted after the fact. Case in point is the Internet Explorer cache problem I documented today, for which the only apparent work-around is a global exclusion rule. The only real solution is smarter anti-virus.

John

Fair enough, but that doesn’t explain why and how it got worse, rather than better.

John