COMODO Internet Security Makes AntiVirus Obsolete?

Here is why virtualization is not THE solution

https://www.vmray.com/blog/sandbox-evasion-techniques-part-1/
https://www.vmray.com/blog/sandbox-evasion-techniques-part-2/
https://www.vmray.com/blog/sandbox-evasion-techniques-part-3/
https://www.vmray.com/blog/sandbox-evasion-techniques-part-4/

You are confusing analyzing malware in a VM with virtualizing an executable.
They are different.

The operating principle of a sandbox is simple – determine if a file is malicious or not based on its observed behavior in a controlled environment

Is this not what Comodo Sandbox is supposed to do?

Simple answer: No.

Comodo Sandbox is there to protect you from malware, not to decide if it is or not.

Edit: The same principle applies to Sandboxie, if you use it.

I thought the current sandbox is just a step, the final goal is to integrate Valkyrie to have a final verdict…
If a malware can be aware of the sandbox environment and show only benign behavior, then the verdict could be “safe” and next time the file can run unsandboxed…

Comodo Containment (Sandbox) is a virtualized environment. The executable file runs in there, period. The verdict is NOT given while running inside Comodo Containment. The file is sent to the cloud, to Valkyrie, for a verdict.

Comodo Containment (sandbox) is a virtualized environment that the unknown file simply runs in.

The way I understand it, the current use of Valkyrie doesn't determine if an unknown is safe, only whether it is malicious or not. It is only if Comodo does the human analysis on the unknown that they will mark the verdict as safe, if it is found to be truly safe. I have seen unknowns that don't exhibit malicious behavior get a verdict of "no threat found" but still be rated as unknown. So "no threat found" does not automatically make it safe until the human analysis is able to determine such a verdict.

Valkyrie is the name given to the "whole process", which includes human analysts…
In about 95% of cases Valkyrie, with a good confidence level, can determine good or bad… the remaining 5% has to be done manually… we call the whole thing "Valkyrie".

Wise man indeed! :wink:
Thank you Melih for always educating us the proper way and for providing us with great solutions.

There is still one additional problem remaining to be solved (although not as big as the first problem already mentioned):
Whitelisted (trusted) malware/vendor: good code that does malicious things is automatically allowed to run with unfettered access.

How to solve that problem, if the end-user is the one who did not allow it?

Give you the ability to modify/edit the whitelisted vendors.

We are talking about users not knowing they have whitelisted/trusted malware… inexperienced users will not even know how to edit the WL vendors. How can COMODO help in these cases?

One of many scenarios:

  1. A CA issues a software certificate to a dev company.
  2. The dev company creates many good pieces of software and signs them with the certificate.
  3. Comodo (because of the certificate) trusts all software from the dev company.
  4. The dev company creates 1 piece of malware.
  5. Comodo keeps trusting the dev company and allows the malware to execute.

What can be done to stop a scenario like that? And most importantly, how to detect and revert the damage?

It’s more problematic if the (malicious) file is not digitally signed and it is whitelisted in my opinion.

If this were to happen, we would create a cleaning signature.

This is very true.

The above has been happening for some time now :embarassed:
What would be the solution?

Another file criterion should be added: publisher. Example rules with Auto-Sandbox: block files that are not digitally signed, treat vendor W as restricted, etc.
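To make the publisher rule concrete, here is an added example (my own code, not Comodo's, and not how CIS or Valkyrie are actually implemented) of a small auto-sandbox policy engine that evaluates the rules discussed in this thread in priority order: local cleaning signatures, a per-vendor override, the cloud verdict, the vendor whitelist, an optional block-unsigned rule, and containment for everything still unknown. The vendor name "Example Dev Co", the hashes and the verdict strings are constructed for illustration. The walk-through function reproduces the five-step scenario above: the signed malware is allowed on vendor trust alone, a cleaning signature blocks that one file, and a vendor override restricts every file from that publisher. It also shows that a "no threat found" cloud result still lands in containment, not in "allow".

```python
"""Hypothetical auto-sandbox policy engine (added example, not Comodo's code).

Decides allow / contain / restrict / block from a file's cloud verdict,
its code-signing publisher and a per-vendor trust/override table. All
vendor names, hashes and verdict strings below are constructed samples.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

ALLOW, CONTAIN, RESTRICT, BLOCK = "allow", "contain", "restrict", "block"


@dataclass
class FileInfo:
    sha256: str
    signed: bool                         # carries an Authenticode-style signature
    signature_valid: bool = False        # chain verifies and hash matches
    publisher: Optional[str] = None      # subject name from the signing cert
    cloud_verdict: str = "unknown"       # malicious | no_threat_found | safe | unknown


@dataclass
class Policy:
    trusted_vendors: set = field(default_factory=set)        # global whitelist
    vendor_overrides: dict = field(default_factory=dict)     # vendor -> RESTRICT/BLOCK
    cleaning_signatures: set = field(default_factory=set)    # known-bad sha256 hashes
    block_unsigned: bool = False

    def decide(self, f: FileInfo) -> tuple:
        """Return (action, reason); rules are checked in priority order."""
        # 1. A local cleaning signature for this exact file wins over vendor trust.
        if f.sha256 in self.cleaning_signatures:
            return BLOCK, "matched cleaning signature"
        # 2. A per-vendor override lets the user distrust a whitelisted publisher
        #    without editing the global whitelist. Only honoured for a valid
        #    signature, otherwise the publisher claim cannot be trusted.
        if f.signed and f.signature_valid and f.publisher in self.vendor_overrides:
            return self.vendor_overrides[f.publisher], "vendor override for %s" % f.publisher
        # 3. Cloud verdicts: "malicious" blocks, human-confirmed "safe" allows.
        if f.cloud_verdict == "malicious":
            return BLOCK, "cloud verdict malicious"
        if f.cloud_verdict == "safe":
            return ALLOW, "cloud verdict safe"
        # 4. A valid signature from a whitelisted vendor runs unfettered. This is
        #    the gap in the thread's scenario: the vendor, not the file, is trusted.
        if f.signed and f.signature_valid and f.publisher in self.trusted_vendors:
            return ALLOW, "trusted vendor %s" % f.publisher
        # 5. Optional hardening rule: unsigned files never run outside containment.
        if not f.signed and self.block_unsigned:
            return BLOCK, "unsigned file"
        # 6. Everything else, including "no_threat_found", is still unknown.
        return CONTAIN, "unknown (cloud: %s)" % f.cloud_verdict


def trusted_vendor_scenario() -> dict:
    """Walk the trusted-vendor-ships-malware scenario and the two fixes."""
    policy = Policy(trusted_vendors={"Example Dev Co"}, block_unsigned=True)
    good = FileInfo("aa" * 32, signed=True, signature_valid=True, publisher="Example Dev Co")
    bad = FileInfo("bb" * 32, signed=True, signature_valid=True, publisher="Example Dev Co")
    results = {
        "good_app": policy.decide(good)[0],
        "signed_malware": policy.decide(bad)[0],      # allowed: the problem
    }
    # Fix 1: a cleaning signature for the specific malicious file.
    policy.cleaning_signatures.add(bad.sha256)
    results["after_cleaning_signature"] = policy.decide(bad)[0]
    # Fix 2: the user marks the vendor as restricted; all its files are affected.
    policy.cleaning_signatures.clear()
    policy.vendor_overrides["Example Dev Co"] = RESTRICT
    results["after_vendor_restrict"] = policy.decide(bad)[0]
    results["good_app_after_restrict"] = policy.decide(good)[0]
    # "No threat found" is not "safe": with block_unsigned off, the file is contained.
    policy.block_unsigned = False
    seen = FileInfo("cc" * 32, signed=False, cloud_verdict="no_threat_found")
    results["no_threat_found_unsigned"] = policy.decide(seen)[0]
    return results


if __name__ == "__main__":
    for name, action in trusted_vendor_scenario().items():
        print("%-28s %s" % (name, action))
```

The ordering is the point: vendor trust (rule 4) is evaluated after the per-file cleaning signature (rule 1) and the per-vendor override (rule 2), so either fix takes effect without touching the whitelist, at the cost that restricting the vendor also restricts its legitimate software.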

Moreover, there is an increase thanks to Valkyrie.

No, always have another antivirus…
In fact, multiple virus checks say Comodo sadly has one of the worst detection and removal rates… best firewall, don't get me wrong, I have used the firewall since… well, so many years I can't remember, but worst antivirus ratings on many tests.

Besides, no matter what antivirus you use, always use a standalone scanner (don't have more than one antivirus in real time, but have more than one scanner). You never know: a virus could slip through or disable detection for one antivirus, but the other catches it (if you remember to scan).

I have used Comodo Internet Security with antivirus on… came across major issues one time… installed a free antivirus that got 1st and 2nd places on independent antivirus testing sites… it counted 184 infections from 4 viruses…

Malwarebytes also helps get some that are hiding out as well…

The CIS layered defense approach does make AntiVirus (I assume signature-based detection) seem less important. Containment just laughs at ransomware, and malware is contained and jailed away from the system. In the case of malware that attempts to steal data, the Firewall can be used to block the outgoing connection so the collected data is not sent to the criminals. The HIPS can be used for additional granular control of apps, and still works in the background even when turned off.

If you are defining the AntiVirus as signatures, then, to a certain extent, CIS does make it less necessary because of its effective layered defense. However, I feel that signatures still play an important role in delivering file verdicts for determining whether an app is safe to use. They are the first line of defense, so if signatures catch something, then you usually don't even need to bother sandboxing the app and analyzing it through Valkyrie, VirusScope, VirusTotal, etc. It saves a lot of time, so the user doesn't need to take additional steps to deliver a file verdict. Admittedly, CIS signatures are currently questionable at best, so additional steps to determine a file verdict need to be taken more frequently.

How many % should the detection be for it to be acceptable?

Well, the acceptable detection is lower for Comodo compared to traditional AVs. The current detection is already "acceptable", because end protection remains 100% anyway. However, it would be nice to see improved detection as long as usability stays high and false positives stay at a low rate (CIS got 6.0 in usability, which is great to see).

What percentage should we improve it to? According to AV-Test, the industry average is 99%.