CIS 4 security efficiency test

Ok, today I had some time to check it out properly. Unfortunately I don’t have a video like Matt does for his tests, and I also don’t have any specific numbers to support the claim. I’ll just tell what I noticed during the test.

So, I’ve used Windows XP SP3 inside VirtualPC 2007 SP1. CIS4 was installed and fully updated, with the antivirus part disabled so I could test the Sandbox efficiency. Default settings were used, except that heuristics were set to High for the file scanner. 60 pretty recent threats were involved.

And the results? The verdict is: “Impressive!”

Loads of them were caught during shellcode injections aka buffer overflows, and all the others were prevented by Sandbox restrictions. The only thing that got through was 1 fakeAV. But technically, it’s not malicious as it is, so restricting it from doing anything is very hard. Malware processes were active, but nothing was apparently done to the system. I enabled the antivirus part and did a full scan. It removed a lot of stuff that was still running in memory but was sandboxed. Then I restarted the virtual PC and did the scan again. No process was running anymore; even the fakeAV was dead.

I’ve just run NOD32 and BitDefender right now, and all they found were files that were dropped onto the system but were not running at all. I still have a pending scan with DrWeb CureIt and Kaspersky, but it doesn’t look like anything was left on the system that was still running.
There were like 4 or 5 popups from Defense+ stating there was a heuristic detection involved, and 2 COM interface popups. Just that! Everything else was just Sandbox notifications that don’t require any intervention.
CIS4 is what CIS3 should have been in the first place, and I’m really impressed by Comodo for the first time ever.

The next test will be a parasitic file infector test, and I’ll be using Virut and Sality, the most annoying viruses out there, for the task to see how it does against these two. I’ve had pretty good experience with CIS3 and I’m really interested to see how CIS4 will deal with them.

I’ll let you know how it went with file infectors when I test that. Stay tuned!

That is certainly excellent.

But what do you mean by “the fake AV got through”? Are you saying that the sandbox was unable to contain it? Because I don’t think the fake AV being able to run counts as getting through, if that is what happened.

Well, the fakeAV started and was running in the tray bar next to the clock. It was also popping up annoying popups.
That might confuse some, but after a reboot, it was not running.

I also tried file infectors and so far it’s looking great. None got through. I’m running Kaspersky over it for verification now, but everything seems to be in order. So, another thumbs up for CIS4.
This is the first time that I cannot decide what to use, CIS4 or avast! Antivirus. Other times it was a very simple choice, but now it’s hard to decide. The avast! scanner is certainly much faster, but CIS4 seems to be slightly more secure overall. But it causes a slight lag on everything that I run.

Yep, it’s all clean. The sandbox prevented ALL kinds of malware, even file infectors, from affecting the system. It’s really impressive and I’m really shocked to see it perform so well after years of almost empty promises.

Hello RejZoR. I too have been impressed by CIS 4 in the tests I have done with zero-day malware; nothing got past it. What really impresses me is that the AV itself caught most of these; in the past it was mostly D+, as the database was small in comparison to others and the signatures were all over the place… The recent improvements to the AV, detection-wise, and reducing the database by converting signatures to generic ones, have really worked. I can’t wait until 4.1 when CIMA is introduced and CIS gets its behaviour blocker. These improvements and the promised acid-like cleaning will, I am sure, see some worried looks from other vendors, as all this will be free!

I have seen a lot of ups and downs with CIS, but I really feel it’s getting there, and even the likes of the odd fake AV getting in is being dealt with shortly via a fix to the sandbox, as has been reported on the forums.

Regards
Dave1234.

We really appreciate the time you guys have taken to test CIS 4.

We have worked very hard to provide a “Default Deny” protection that’s “silent”. Also, for the AV scanning speed, in our research we found out that “on access” scanning is heavily used compared to “on demand”, hence we optimized the speed for “on access”. We believe our “on access” scanning speed for our AV is pretty good.

As to our detection rates: indeed, we have worked our backsides off over the last 12 months. Not only did we add support for many unpackers, we also added generic signatures and a stronger engine that handles polymorphic viruses.

But as always, prevention is the key. Between D+ and Sandboxing we can offer silent prevention backed up by BO protection and AV; you get pretty decent protection against any malware out there (known or unknown). Of course, as always, we ain’t stopping here :wink:

Our Daisy (Artificial Intelligence) is working hard and improving our generic signatures. We are going to be adding a Behaviour Blocker in the upcoming versions. CIMA is being improved to handle more file types (at the moment it handles .exe and will handle .dll soon), and so on.

I believe with v4 we have created a gap between our competitors and us. And we intend to extend this gap with each version.

Again, thank you for your time, and we look forward to your continued feedback to improve CIS further.

Melih

Thank you for testing, Rejzor, and for being the bringer of good news and showing how strong CIS v4 is at the moment :-TU

Hi All,

I have a question on CIS4.

Does CIS4 detect rootkits? I never tested any security apps before, but I thought I would give CIS4 a try. I installed Windows XP SP3 in Sun xVM VirtualBox, installed CIS4 and updated it. I installed all Windows updates and tried a couple of URLs from (please no links to malware). Most of them were caught by the antivirus. When I tested a rootkit URL, it was caught by the sandbox and I allowed it to run out of the sandbox. I saw a BSOD immediately, followed by a Windows reboot.

I scanned the system with Sophos Anti-Rootkit and RootkitRevealer, but neither found anything.

My question is: will the AV part of CIS4 detect rootkits?

One good thing is that the rootkit was caught and sandboxed as an unknown application.

Thanks,
Balaji.

Certainly. I think in some time (a few days), the AV will get an update with detection for that rootkit :wink:
This is because unknown files are automatically sent to analysis, as far as I am aware.

pnbalaji, please do not post links to malware or domains that might contain malware. This is a security forum; this is not something that is tolerated.
Consider this a warning; please refrain from doing similar.

Thanks,
Matt

Sorry for my mistake. Going forward I will make sure not to include any malware related websites in my post.

Thanks,
Balaji.

Looks good Rejzor. My hope is that CIS will become the mainstream of security for the “average” computer user. Looks like Comodo are nearing that goal with version 4!

Kudos to Melih, egemen and their team for that. (:CLP) (:NRD) :■■■■