CIS 5 failed to detect probable malware, while other antivirus detected it.

Good morning all,
I downloaded CIS 5; I heard about its cloud system for detecting the newest malware quickly, and I wanted to test it myself. I went to a website and downloaded a probable malware file “file.exe”, and was surprised to see CIS didn't alert me, so I uploaded it to virustotal.com to see the results: 17/34 antivirus programs detected it as malware. The following is a link to the result:
http://www.virustotal.com/file-scan/report.html?id=d16bf556adcf222d9ea81116d86e070fd77b1178044d8e540e9f24419467940c-1284517697

Comodo did not detect it as malware; I was surprised to see it.
When I tried to open this exe file, it got isolated in the sandbox by CIS.
But still the question remains: why didn't Comodo antivirus detect it when 17 other antivirus programs can detect it as malware? :o

Because no single anti-virus can detect everything; that is why in CIS the AV is used to really prevent pop-ups from D+, not as a necessary defense line. You could run without the AV and still be fine, but could you do that in other suites? No. Don't even try.

So if there was no antivirus at all, would Comodo’s Defense+ protect against 100% of viruses?

Even if you removed the AV you would still have D+, sandbox, Cloud AV, Cloud behavior blocker.

The question is: did CIS fail to protect the system?

The answer will be: no, it didn't.

We must look beyond a 23-year-old technology called detection, guys.

Melih

Melih, I agree that CIS protected the system.
My point is Comodo with its cloud detection failed to detect it as malware; I'm talking about the point “detection getting stronger in CIS 5 with cloud antivirus”.
When I uploaded the same file to camas.comodo.com it says the file is “Suspicious++”, but then why did Comodo antivirus fail to detect it as a suspicious malware file?

Well, if you would have left it in the sandbox the cloud BB would have caught it. You even proved it by uploading it to CAMAS, which is what the cloud BB is.

It seems to take more than 15 minutes for the cloud to return a result… that may be why…

Even with cloud things take time… :wink:

Ty Eric :slight_smile: that explains a lot; let's hope we get that response time interval to be like 5-10 min or even less than that.

Ty Syl for your post; your post also was helpful.

:-TU that’s why so many people DO NOT understand.

@ OP: you've not been with Comodo long… ;D I've been with it since v2.4. Since v3, it has never failed (except in suspicious videos :a0), why? Coz it's got a failure-proof (not dumbo-proof) thing called D+.

Think of the AV as the Coast Guard. They patrol and try to stop infiltrations.
Think of the Firewall as an aircraft carrier/destroyer. They search out the enemy and stop it or chase it down.
Think of Defense+ (of which the sandbox is a part) as your capital ship, the armed nuclear submarine. You don't know where or how it will strike, but its strike will be absolute - no exceptions (unless you, yourself, hit the wrong target).

Sure, slangen

That's why they “do not understand”,
but what do many people not understand?
… that is:

  • “this” sandbox implementation is completely wrong
  • none of the existing AVs can protect you 100%
  • “this” or “that” cloud? / “CIMA”? / trusted apps? (that can be tampered with & signatures can be faked) / & so on & so forth are not really working
    You gotta be kidding yourself, man
    Cheers!

Forgot to add: the only thing Comodo needs now, to add to its arsenal, is an intelligence wing… à la Norton DNS. Why go there when you know there's danger?

@SiberLynx:

  • Even I thought that the sandbox implementation of CIS was wrong, but over the months I think the sandbox implementation is not only correct, it is the only way it should be done.
  • AVs can't, on their own, protect you 100%, yes - but they do a decent job of protecting people who are NOT searching for malware. :slight_smile: It all depends on how you use the internet.
  • Signatures faked/tampered with, or a trusted software provider going rogue big grin, can be avoided if a conservative approach towards signatures is taken - which as it stands is not really happening.
    Examples: include only the signatures of those companies that
  1. are in the top 150 traded on the NASDAQ,
  2. or are in the top 150 downloads on download.com/softpedia.com,
  3. or are in the Fortune 1000,
  4. etc. etc.

  1. Do not rely on AV alone.
  2. Defense+ settings: security mode --> Paranoid, uncheck “create rules for safe applications”.
  3. Sandbox settings: uncheck “automatically trust files from trusted installers”.

It doesn’t get much more secure than that.

Still no excuse to have a weakness in the AV part imo.

Is COMODO telling us that its AV is no good and we should only rely on the D+, Sandbox and Firewall?

If yes why bother with the AV in the first place?

All-round security doesn't mean tolerating one facet being on the weak side so that it can be handled by another.

AV is important since it gives you a clear indication that a malware is indeed malware, while D+ gives you no such indication, especially to average users.

The problem with default deny is that it treats each unknown file as if it were malware and, most often in the absence of more information, forces the user either to treat it as such and run it half-heartedly ‘sandboxed’ or to wait until it's analyzed before running it.

The thing is, I'm really confused about what the sandbox actually does and doesn't do.
I see no virtualization of the system files and folders in my C:/sandbox,
and I see no registry virtualization in it either.

When I ran a certain app in it, Defense+ registered it; in fact it did change some system files and it did create a save file just as if it hadn't been sandboxed.

Can somebody offer me an explanation? I never could understand the CIS sandboxing feature since version 4.

It all depends what you want: do you want to secure your computer?

Or do you just want to know what is malware?

Dennis

This will explain it all for you, I hope.

You will understand the role of AV (blacklisting), whitelisting and automatic sandboxing…

AV and whitelisting simply reduce the number of apps that go into the sandbox… They are like pre-filters, rather than the protection… Protection is D+ with automatic sandboxing… but why sandbox if you know it's bad or good :wink:

Melih

Anyway this would be fine:

0 files dropped, or the ability to remove them after the program is closed.

I think that the Comodo developer team should try to improve the sandbox a bit more.

Could you tell us what is the next thing that is going to be added to Comodo that is going to improve the detection? (this is a rumor that languy said) please :a0

The automatic sandboxing of unknown programs does not apply virtualisation. When you manually have a file sandboxed it will get virtualised.

When I ran a certain app in it, Defense+ registered it; in fact it did change some system files and it did create a save file just as if it hadn't been sandboxed.

Can somebody offer me an explanation? I never could understand the CIS sandboxing feature since version 4.

Can you be more specific about what file and what changes to what system files were made?

The problem is the name: the Comodo sandbox is not a sandbox like Sandboxie.
And people should know that they have to restart the computer to remove most of the things that the sandboxed app has left.