AV Database Progress - 4/11/10

An update to this post has been posted here.

The reason why the definition count is decreasing: Comodo is making each definition more efficient at detecting malware; therefore, fewer definitions are needed to detect each malware variant. Comodo is adding new detections regularly (see update page), so Comodo’s ability to detect malware is increasing even though the number of definitions is decreasing.

Note: When applied to malware, the terms “definition” and “signature” mean the same thing: a rule that detects one or more malware items. The number of definitions does NOT correlate with the number of detections. A single definition may detect hundreds or thousands of malware variants.

I would define efficiency as “performing with the least waste of time and effort.” Having fewer malware definitions (each of which detects more malware) allows Comodo to use fewer resources (i.e. it applies fewer definitions to catch a given malware; thus, it uses less time and “effort”).

False positives have little to do with efficiency and more to do with accuracy. I define accuracy as “absence of errors.” So, a signature may be very efficient at detecting a given malware (e.g. it detects 95 of the 100 known variants), but it may not be accurate if it also detects 100 false positives.

I do not know the false positive rate for Comodo. My experience is that there are few false positives (although the number of false positives seems to increase when the heuristics level is set to high). Comodo is working on increasing true positive detections, minimizing false positive detections, and improving efficiency. Submitting false positives will help Comodo continue to improve their antimalware definitions.

How to submit a false positive - currently there are 4 ways:
1. Through the CIS interface, using “submit files” under the antivirus tab. (You can submit a file from quarantine, but you cannot designate a file as a false positive when submitting via quarantine.)
2. Using the Comodo submit webpage.
3. Using the Comodo forums.
4. By e-mail. Compress the false positive file using an archive tool (such as WinZip, WinRAR, etc.). Protect the archive with the password ‘infected’ (without the quotes) and e-mail it to falsepositive[at]avlab.comodo.com. Use the title “FALSE POSITIVE” on the subject line of the e-mail. If possible, include the name and ID of the malware that was erroneously detected (for example, BACKDOOR.WIN32.XXXXX.XX (ID = XXXXXX)). Attaching a screenshot would be very helpful.

Size of the Definition File: You can find the definition file (bases.cav) in the following folder: “C:\Program Files\COMODO\COMODO Internet Security\scanners”. Right-click on “bases.cav” and select “properties” to see the file size in megabytes. As the number of definitions declines, the size of bases.cav should slowly decrease.

Definition of Malware: The term malware (short for malicious software) usually refers to any file that intentionally alters your computer (usually without your permission) in order to impair functionality, control your system, breach your privacy, advertise, or produce some other unwanted behavior. Malware is a general term that encompasses many types of malicious programs, including viruses, trojan horses (“trojans”), rogues, spyware, keyloggers, worms, rootkits, dialers, backdoors, etc. There is a good explanation of malware on Wikipedia.

Does Comodo Scan for All Types of Malware? - Yes.
Currently, most scanning programs check for all types of malware regardless of the term used in their name. For example, Comodo antivirus scans for all types of malware, even though its name is “antivirus”. Superantispyware checks for trojans, rootkits, rogues, keyloggers, spyware, etc. even though its name is “antispyware”.

[attachment deleted by admin]
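Added illustration of the point made in the post above (this is example code written for this page, not Comodo's code or anything from bases.cav). It uses a constructed corpus of byte strings standing in for files: ten variants of one hypothetical family, of which only seven are "known" to the vendor, plus three clean files. It compares seven per-sample hash definitions against a single generic definition (a byte pattern shared by the family), and also shows an over-broad generic definition that is efficient (one rule catches everything) but inaccurate (it also flags a clean file). The family string, file contents and regexes are all made up for the example.

```python
import hashlib
import re

# Constructed stand-ins for files on disk (plain bytes, not real malware).
# Ten variants of one hypothetical family; the vendor has only ever seen
# the first seven, so only those can get a per-sample hash definition.
FAMILY = [b"MZ\x90\x00 family_A_loader v%d payload=%d" % (i, i * 7)
          for i in range(1, 11)]
KNOWN, UNSEEN = FAMILY[:7], FAMILY[7:]

# Constructed clean files; one legitimately contains the substring "loader".
CLEAN = [
    b"MZ\x90\x00 accounting.exe build 2010",
    b"setup bootloader v3 (installer helper)",
    b"plain text document",
]


def hash_definitions(samples):
    """Old style: one definition per sample, a SHA-256 of the whole file."""
    return {hashlib.sha256(s).hexdigest() for s in samples}


def scan_with_hashes(defs, data):
    """A hash definition only fires on the exact file it was built from."""
    return hashlib.sha256(data).hexdigest() in defs


def scan_with_pattern(pattern, data):
    """New style: one generic definition, a byte pattern shared by the family."""
    return pattern.search(data) is not None


# Tight generic definition (hypothetical): keyed to a family-specific string.
GENERIC_TIGHT = re.compile(rb"family_A_loader v\d+")
# Over-broad generic definition: just as "efficient" (one rule), but it will
# also match the clean bootloader file, i.e. it is not accurate.
GENERIC_LOOSE = re.compile(rb"loader")


def evaluate(scanner, malware, clean):
    """Detection count over the family and false positives over clean files."""
    detected = sum(1 for m in malware if scanner(m))
    false_pos = sum(1 for c in clean if scanner(c))
    return {"detected": detected, "total": len(malware),
            "false_positives": false_pos}


def compare():
    """Run all three definition sets over the same corpus."""
    hash_defs = hash_definitions(KNOWN)
    return {
        "7 hash definitions":
            evaluate(lambda d: scan_with_hashes(hash_defs, d), FAMILY, CLEAN),
        "1 tight generic definition":
            evaluate(lambda d: scan_with_pattern(GENERIC_TIGHT, d), FAMILY, CLEAN),
        "1 loose generic definition":
            evaluate(lambda d: scan_with_pattern(GENERIC_LOOSE, d), FAMILY, CLEAN),
    }


if __name__ == "__main__":
    for name, r in compare().items():
        print("%s: %d/%d variants detected, %d false positives"
              % (name, r["detected"], r["total"], r["false_positives"]))
```

Seven hash definitions catch 7 of 10 variants (the three unseen ones slip through); one tight generic definition catches all 10 with no false positives, which is the "fewer definitions, more detections" effect. The loose definition also catches all 10 but flags the clean bootloader file, which is the efficiency-versus-accuracy distinction: the definition count tells you nothing about either number until you measure them separately.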

The # of defs has dropped by approximately 70,000 in the last 2 weeks. Although shrinking of the def database has slowed, a lot of new detections are being added lately.

As always thanks for the graph/information Whoop-dee-doo.