AV Database Progress - 5/1/10

This thread has been updated. Please see this thread for the new information.

The reason why the definition count is decreasing: Comodo is making each definition more efficient at detecting malware; therefore, fewer definitions are needed to detect each malware variant. Comodo is adding new detections regularly (see the update page), so Comodo’s ability to detect malware is increasing even though the number of definitions is decreasing.

Note: When applied to malware, the terms “definition” and “signature” mean the same thing: a rule that detects one or more malware items. The number of definitions does NOT correlate with the number of detections. A single definition may detect hundreds or thousands of malware variants.

I would define efficiency as “performing with the least waste of time and effort.” Having fewer malware definitions (each of which detects more malware) allows Comodo to use fewer resources (i.e. it applies fewer definitions to catch a given malware; thus, it uses less time and “effort”).

False positives have little to do with efficiency and more to do with accuracy. I define accuracy as “absence of errors.” So, a signature may be very efficient at detecting a given malware (e.g. it detects 95 of the 100 known variants), but it may not be accurate if it also detects 100 false positives.

I do not know the false positive rate for Comodo. My experience is that there are few false positives (although the number of false positives seems to increase when heuristics is set to high). Comodo is working on increasing true positive detections, minimizing false positive detections, and improving efficiency. Submitting false positives will help Comodo continue to improve their antimalware definitions.

How to submit a false positive - currently there are 4 ways:

  1. Through the CIS interface using “submit files” under the antivirus tab. (You can submit a file from quarantine, but you cannot designate a file as a false positive when submitting via quarantine.)
  2. Using the Comodo submit webpage.
  3. Using the Comodo forums.
  4. By e-mail. Compress the false positive file using an archive tool (such as WinZip, WinRAR, etc.). Protect the file using the password ‘infected’ (without the quotes) and e-mail it to falsepositive[at]avlab.comodo.com. Use the title “FALSE POSITIVE” on the subject line of the e-mail. If possible, please include the name and ID of the malware that was erroneously detected (for example, BACKDOOR.WIN32.XXXXX.XX (ID = XXXXXX)). Attaching a screenshot would be very helpful.

Size of the Definition File: You can find the definition file (bases.cav) in the following folder: “C:\Program Files\COMODO\COMODO Internet Security\scanners”. Right-click on “bases.cav” and select “properties” to see the file size in megabytes. As the number of definitions declines, the size of bases.cav should slowly decrease.

Definition of Malware: The term malware (short for malicious software) usually refers to any file that intentionally alters your computer (usually without your permission) in order to impair functionality, control your system, breach your privacy, advertise, or produce some other unwanted behavior. Malware is a general term that encompasses many types of malicious programs, including viruses, trojan horses (“trojans”), rogues, spyware, keyloggers, worms, rootkits, dialers, backdoors, etc. There is a good explanation of malware on wikipedia.

Does Comodo Scan for All Types of Malware? - Yes.
Currently, most scanning programs check for all types of malware regardless of the term used in their name. For example, Comodo antivirus scans for all types of malware, even though its name is “antivirus”. SUPERAntiSpyware checks for trojans, rootkits, rogues, keyloggers, spyware, etc. even though its name is “antispyware”.


For an explanation of why the definition count has not made much progress lately, Umesh posted the following comment:

Whoop-dee-doo, thanks for the graphs.

That’s good work, keep it up guys.

I think what I would appreciate, and perhaps many others is the following info:

  1. Visibility of some high-level AV database project milestones so that we can be much clearer on progress towards whatever the stated goal is, and when you will get there.

  2. When will comodo release to us results of its own AV testing?

  3. When will Comodo start entering its AV in tests such as VB100 and other reputable ones?

It is important for the users to know this because many have decided to use an alternative AV to Comodo AV until the quality is “acceptable”. It is for each person to decide what is “acceptable” and so we need to see test results, even if they are relatively poor for now. We need to plan our IT work and when we will install Comodo AV etc. Otherwise we are guessing and having to potentially waste money on other AV licences.

Yes, prevention is most important, but sometimes D+ and the firewall do let things slip through, or the user inadvertently or stupidly allows it, and so we need dang fine AV / malware signature detection as well please.

Looking forward to some more info. If it is on another thread please let me know and apologies for troubling you. Cheers.