CIS AV would not have protected me :(

Hi,

I just bought a new hard disk which was tested at the store by the ‘brilliant’ computer technician who copied a bunch of files onto it. When I plugged the external HD into my notebook at home, the virus scanner went crazy with about half a dozen beeps and warnings, as I was about to delete the files >:( Thus I just experienced a vivid illustration of what it means to run a virus scanner with an excellent detection rate.

On my notebook I have CIS 3.9 Firewall/Defense+, which I appreciate as a very good firewall/HIPS solution. But I have always suspected that the admittedly low detection rates of CIS AV, which scores badly in all published AV comparisons, might bite me one day. Thus I installed Avira AV Personal instead.

I was curious whether the detected virus was a false positive, and if it would have been found by CIS anti-virus. Thus I uploaded the file to VirusTotal [1] (against the annoying protest beeps of Avira), and saw that 34 out of 41 engines recognize it as the ‘Sality’ virus. It's a memory-resident virus which would try to disable the PC's security. Then I scanned the same file on my desktop computer, which only runs the full CIS suite including AV. CIS did not recognize this virus; neither on the desktop nor on VirusTotal.

This leads me to conclude that the low detection rates of CIS AV are not merely academic or due to bad methodology of the AV testers, as some have alleged. Also, its weakness is not merely limited to 0-day viruses, as 34 other engines did detect this virus. A virus in the wild since 2007, which was found in about 10 files, certainly should have raised alarms by CIS AV. Low detection rates in an AV product make it useless as a standalone product. This is only partially mitigated by the excellent HIPS protection of CIS Defense+. I did not try to execute the virus file to see if Defense+ would have prevented any damage :wink: , but I submitted the file to Comodo for analysis.

In my opinion, CIS AV is not yet ready to replace the established and proven virus scanners, and I would recommend that everyone combine the excellent HIPS firewall functionality of CIS with a proven virus scanner like Avira or Nod32. I hope Comodo’s anti-virus will one day be as good as the others.

Has anyone here experienced similar weaknesses in CIS AV with viruses in the wild?

Peter

PS: I wonder what virus scanner the computer technician at the store was running (if any)!?

[1] http://www.virustotal.com/analisis/22e5791c213bdf25ea9846001bdea8d7246ffaa2a5a6dc67d6b64ef0ed420d4a-1247323367

Give it some time. I don’t remember (or maybe it's just me) Comodo ever saying the AV is ready for any advanced AV tester yet, and I’m sure Comodo's AV will be one of the awesome AVs sooner or later.

Lol. On the contrary, this site ( http://malwareresearchgroup.com/?page_id=2 ) has tested everything and CIS 3.9, not 3.10, has gotten a remarkably high 97.1%, not the best, but beats your definition of POOR and BAD. Just scroll down.

I’m not a techie, nor am I in any way that knowledgeable in AV software, but why don’t the Comodo devs copy the already established virus defs from Avira, Nod32 and Symantec? I don’t mean use their modules, but can’t they inspect them to get a good starting base for further development of the CIS database? If they had, this problem would have already been in their DB, because the virus has been present since 2007.

CIS AV is young, give it time…

Other than being illegal, I think the main reason is that each AV vendor encodes its DB to make it impossible to look at. But this of course is just what I think.

No AV company can guarantee to catch ALL viruses.

This by definition means EVERY AV company will miss “some” (Guaranteed!)

So the question is: how big is that “some”?

Reality is: You will never know…

why?

Because there is no single testing organisation who has ALL malware in its db!

The point is: Even if we had the best detection in the world (dunno how you would reliably measure that (btw: people pls spare me by not pointing to AV-Comparatives etc… thank you… :slight_smile: )), the above scenario you described by getting an infected HD from a source could still happen. Cos there will always be “some” malware that AV cannot detect… Even if you used every AV in the world to check the HD, you still will have (guaranteed, by the way) some malware in it that none detected! You simply cannot avoid this scenario. But you were lucky that you had an AV that did in this scenario…

Melih

Hello. Whilst I can understand the poster's frustration at Cavs not detecting the virus, I also have to say no AV detects 100%. Avira, Nod32 and Symantec for example may be more established, but all have “real time guards” which have been proven to have more holes than a colander. This can be confirmed by looking at the likes of AV-Comparatives, where Avira would “let in” 29% of zero day and Symantec around 59% of the same malware.

This may explain why Comodo chose to utilize a classical HIPS instead, and it has yet to fail me in god knows how many personal tests. Before anyone spouts up, I am aware that 2 of the vendors mentioned have betas with “cloud and behaviour type protection” to come. Could this be that finally they recognise the inferiority of existing technology?

I will also say that in recent forum posts Cavs has been shown to detect viruses/spyware that many other vendors do not. In a real time situation the D+ part of Cis layered defence would, I am sure, have alerted of the virus trying to execute. This exactly is the point of Cis and its layered approach. If one method misses, the other hits!

I however state that Cis ain't perfect and the improvements continue to develop, in particular the AV, which as we know is undergoing gradual reduction in signatures which will address the false positive problem and also increase detection. I for one eagerly await tests on 3.10 when the size of the DB finally is reduced to 25MB, which I believe is the devs' target. At that stage I think Cavs will surprise a few doubters out there.

It only confirms to me that the only way to give malware a run for its money is to use a combination of different layers, and in my humble opinion that is why I will continue to place my trust in Cis as a solution which will in V4, I am sure, to quote Melih's words, “be the beginning of the end for other vendors' AVs” via the improvements to come.

Regards Dave1234.

Yea, I advertised CIS to a friend and he told me CIS AV was no good since it couldn’t detect this Sality virus at all. Avira would detect some of the virus variety, while Kaspersky Internet Security, which he was using, would detect all Sality viruses.

And he also mentioned another virus which CIS couldn’t detect. The virus would mess with the registry every other minute!

So much for my attempt to advertise CIS :-X though I tried to defend CIS with its Defense+ feature.

All AV vendors should get together and combine their resources to create one continuously updated universal virus db. All AV programs would then have much higher detection rates, with the programs differentiated by their other features (e.g. ease of use, speed, support).

I don’t think they’d ever be able to agree on any sort of a standard…

Sad part is really that this virus has been previously reported as not detected, most recently on June 1, and Comodo has still not created a definition to detect it. I do not expect 100% detection, and Comodo is far better at prevention, but I would expect a fix to be created after 6 weeks of a reported virus not being detected. Zero day threats are one thing, but 6 weeks later it should no longer be an issue.

mikecz

I recently reinstalled CIS after my subscription to ESET smart security expired. I remember ages ago that the firewall was superb so I thought I’d give it a go.

I too am a bit iffy with the AV part of CIS with several concerns.

Comparing it to ESET and using the EICAR test file: CIS does not block the EICAR test file if it's in a zip when first downloaded. Even though it does detect it and deny access to execute it, I still think it's a concern that it is able to reside there after being downloaded. ESET however pops up a window and you are able to click terminate, and the download doesn’t complete.

I think the heuristics are also a bit harsh. I have made a few virtual applications using VMware ThinApp. There was no virus contained within them and ESET never had a problem with them either. It just quarantined them and labeled them as “Heur.Packed.Unkown.”

I know that the Comodo AV is young and it's a work in progress, but Comodo really needs to make their AV more effective some time soon. :slight_smile:

Hi mikecz,

Can you please tell us how you reported this malware to us? If you submitted via forum, can you please point to link?

Thanks
-umesh

Umesh,
The SALITY virus was actually posted by another user (drakeboy) on the 10th of June and the thread reported it as corrected. I hope I did not offend anyone by referencing the other user’s name.
As the problem of the AV missing this virus occurred again, it appears that there is still an outstanding issue detecting this or one of its variants. I do use the total CIS product, so I have a vested interest in the AV not missing viruses. I’ll take a FP versus a dead system any day. I have not figured out how to post the link to the original thread, but a search on SALITY gets you there.

Again, if I offended anyone by referencing the original post user, I apologize. I am trying to get Umesh the info he requested the best way I can.

Mikecz

Malware sitting inert on your HDD isn’t a security risk. As long as it’s detected on access, that should be the only concern.

Mh - I prefer the real time scanner to scan only files which get executed. Unpacking archives to check the contained files is only a waste of resources in my eyes.
If you run a manual scan after downloading the file (and the manual scanner is set up to scan archives), the EICAR test archive is detected. I consequently prefer manual scanning of downloaded/received files, while having the system a bit faster because the real time scanner is scanning only the really critical files.