COMODO IS Premium VS. Malwarebytes

Does anyone know which of the 2 is Stronger & Better?
Btw, I didn’t know where else to post this question, that’s why I posted it here.

Here’s my honest opinion: if you want an unbiased response, the answer to your question on where to post is simple: nowhere on this forum. This is the Comodo Forum, what do you think people will say?

Also if I’m not mistaken you have MB running alongside CIS, you already have the best of both worlds. So I don’t know why you bother to ask this question in the first place.

If you insist however, I will say the same as anyone else who may respond to this thread: of course CIS is better.

Malwarebytes is just another traditional AV, and it isn’t even one of the better ones in its class.

I feel that there has been enough talk about default-deny vs default-allow, so I will leave it as this. Hope this helps.

:-TU

you can try on

Tried to be as unbiased as possible, as a CIS/CCAV and Malwarebytes v1-2 user. 88)
Don’t have any malware or security program education, so this is my opinion based on my limited knowledge. :embarassed:
(Talking about the shields individually)

Malwarebytes
MalwareBytes Signature: signature is a cat and mouse game, signature will be made after the malware had time to infect people.

MalwareBytes Web shield:
also like signature, cat and mouse game. (better than CIS web filter)

MalwareBytes Anti-Ransomware:
like all anti-ransomware, it is bad at keeping up with all the new ransomware; check any brand’s anti-ransomware video on YouTube, most of them let some ransomware pass.

MalwareBytes Anti-Exploit:

CIS
COMODO Signature:
signature is a cat and mouse game, signature will be made after the malware had time to infect people.

COMODO Web shield:
also like signature, cat and mouse game. but is bad.

COMODO Sandbox:
will sandbox any unknown (all unknown are found to be “guilty” and will be put into virtual jail)
“If” COMODO accidentally would white list a bad file, it will not be sandboxed. (in that case a “good” AV that put their money into signature (“usually faster to detect. common malware anyway”) and a Behavior Blocker) could “hopefully” detect that malicious file that COMODO white listed.

COMODO Firewall:
Will allow any file to connect to internet (with default settings, even unknown)
you can configure Firewall to only allow white listed to connect to internet and block or ask for unknown.
You can even change the firewall to Custom, so it will ask you for any program (bad, unknown and trusted)
e.g. if you use Firewall in custom mode, you can block key-loggers, banking trojans etc. even if they were accidentally white listed.

COMODO HIPS:

COMODO Viruscope

CCAV
COMODO Signature: signature is a cat and mouse game, signature will be made after the malware had time to infect people.

COMODO Sandbox: will sandbox any unknown (all unknown are found to be “guilty” and will be put into virtual jail)
“If” COMODO accidentally would white list a bad file, it will not be sandboxed. (in that case a “good” AV that put their money into signature (“usually faster to detect. common malware anyway”) and a Behavior Blocker) could “hopefully” detect that malicious file that COMODO white listed.

COMODO Net Traffic control over Sandboxed apps
Will allow you to block any unknown that are running inside the sandbox from receiving or sending any data, but only for TCP traffic.
unknown running outside the sandbox (added exclusions by user) or accidentally white listed malware will not be blocked.

COMODO Viruscope

good fair assessment of the differences. thank you BlueTesla.

So to summarize…

Risk of using Comodo is: we whitelist a malware.
Risk of using Others: any new malware they don’t have a way to detect causes infection.

Thanks :slight_smile:

Thanks Melih, I haven’t got a reply from you in a long time. Thanks again. I hope you & your workers find a way to fix CIS whitelisting malware.

well…some PUA maybe…in the past…nothing major… Risk vs Reward Comodo vs Others is simply unbeatable.

Thanks Melih. Keep up the unbeatable work of making COMODO IS the most unbeatable security software around. :wink: :-TU

:-TU

I can’t remember, if a malware is whitelisted, and we stumble upon it, does it still infect the machine if there is a signature for it?

Not sure if obvious enough for the readers… others might as well whitelist malware.

No, CIS/CCAV will quarantine the file if a signature exists.

To be precise, if the file is in the trusted vendors list, Comodo will not detect it even if it has a signature for it, this is shown here: https://forums.comodo.com/wishlist-cis/fully-cloud-support-for-cis-or-lightly-av-scans-also-for-trusted-files-t119886.0.html

umesh has responded and they are considering a solution to that problem.

But if it is not in the trusted vendors list and it is detected, Comodo will quarantine it.

Try comodo, and if you can live with all the annoyances of auto sandboxing:

  1. a good app opens inside the sandbox
    1a) Sometimes if it’s a complex app it may block your computer so you have to do a hard reset.
  2. the app is unusable because it is restricted, you can’t use it, or save changes, etc.
  3. you close the app
  4. you manually add the app to the trusted apps
  5. you open the app again.

If not, as most people around who find the auto-sandboxing useless, use MBAM or anything else. If you want to open an app you are going to open it yes or yes so it doesn’t matter if the app is sandboxed or not, it’s totally noneffective.

Of course in the test it looks wonderful, you are running apps in a restricted sandbox, but this is nothing new, you can do it as well with Sandboxie, or with many other AVs that include sandboxing functionality, and you can use it on demand for files you don’t trust.
The autosandbox concept is broken because the whitelist will never be big enough not to be a pain for the user experience, but it provides a very good marketing plot.

The best they can do with CIS is include the cloud AV on it, and leave it as light AV (second opinion in real time).
In the past the HIPS was the best thing in the world and default deny, bla bla bla, now the HIPS is disabled by default and the sandbox acts as a default deny, but the usability with the sandbox in my opinion is worse than with the HIPS, with the HIPS you just needed to answer 1 popup, with the sandbox you go over a 5 step process.
In the future the sandbox will be disabled by default, and it will be used on demand… you will see.

IMO the protection offered by the fully virtualized sandbox is much higher than using the HIPS/VirusScope alone. And the risk of the average user making the wrong decision/getting used to clicking the allow button when presented with a HIPS alert is high. There’s a reason why comodo and products like Malwarebytes have opted to be mostly automatic rather than user dependent, both were heavily user dependent in the past but that has changed. The HIPS, while it is a very important feature which complements the sandbox, is not the best on its own. The HIPS is really like a behavior blocker, and a behavior blocker + sigs alone has many more loopholes for bypass than a fully virtualized sandbox. Back in the days of Comodo version 5.x the main reason for bypasses was malware finding loopholes in the BB + partially limited restriction, they allowed changes to be done on the real filesystem and some system resources/behaviors can be exploited.

I would much rather all the changes made by malware just be nullified rather than Comodo trying to find ways to patch loopholes in the behavior blocker over and over again, all while having to take usability into account for legit apps. Legit apps can share lots of behaviors with malware, it is too hard to balance usability and protection because of that, so the fully virtualized sandbox strongly mitigates that problem.

In conclusion, looking at the security point of view, the sandbox offers much better protection than the HIPS/BB alone. With default-deny, there must be a sacrifice of usability for protection.

Even in terms of usability, the HIPS usability over sandbox is also debatable. IMO an average user would be pretty confused when he/she sees that a program is trying to modify a protected COM interface.

A HIPS (anti-exe) is safer than a sandbox, executing a file inside a sandbox is not safer than not executing the file at all.
You are assuming that the user will always run the files unrecognized by comodo in the sandbox, which is totally false because most apps don’t run well in the sandbox, what they do is manually trust the files that they want to run properly, and the use of the sandbox is minimal, it is not safer, it doesn’t improve protection or detection either. The user ends up taking a decision on what files he wants to trust, similar to the HIPS.
I am talking of using the HIPS as an antiexe as it was CIS when it didn’t have any auto-sandbox, so the user doesn’t need to deal with complex popups.

In a real world scenario the user will decide if he wants to run the file trust or not, so at the end it doesn’t matter if you are using the autosandbox or the Antiexe (HIPS) both offer the same, a default deny function, the difference is that the auto-sandbox is less user friendly.

Running the file in the sandbox won’t tell you that it is malware, if the file does nothing visual, it can be even expected taking into account that many legit software doesn’t run well in the sandbox, you are just wasting your time.

An “anti-exe” approach (misnomer because Comodo also covers scripts) won’t tell the user more information about the file than running it in the sandbox. The sandbox doesn’t have perfect compatibility by any means, but you can sometimes evaluate programs running inside it. If a ransom note appears, you know it’s malicious. But, you are protected due to the automated sandbox.
That extra information gained by the sandbox for post-execution analysis may save a user in many cases, I agree that it isn’t perfect, but a black and white approach you are mentioning with using the HIPS as a strict allow/block approach is much riskier IMO.

Hi guys

we have a weekly update of our labs findings: https://vimeo.com/229278128

You may refer to it for unknowns number, which is over 9M for this week.

6% of all unknown files we found, turned out to be malware…
so last week alone Containment protected our users 565,000 times from a day zero malware…