Design philosophy for Comodo Antivirus

No it means developers. :wink:

Surely you jest, Sir.
How could I have been that much misguided by my own reason.
My deepest apologies to that brave race of present times, the software developers.

Whenever AV are involved is usually looks like people are waiting for an epochal shift toward a 103++% detection rate granted by an appropriate blend of heuristic and generic signatures able to detect even an additional percentage of forthcoming threats the tester has yet to get.

That or self-evolving digital AV analyst able to examine on the fly any unknown samples hitting the enduser machine and output its unwavering verdict (either :-TU or :-TD) and additionally adapt to user-made criteria and take completely autonomous decisions.

Sure there would be no need of firewalls, sandboxing, virtualization, restriction policies and rollback systems as there would be no match for such type of default-allow approach.

The AV will give it’s own popup (if there is a signature for the malware), which would be more familiar in structure to average users. The AV popup would come before any D+ popup and if the virus was quarantined or removed by the AV, then there never would be a D+ popup which only occur when something tries to execute. When you try to access the Eicar test file what pops up first? The CAV window flagging it as malware. You never see a D+ popup because CAV took care of it. This enhances usability for the average user who is familiar with AV alerts but who might find a D+ popup confusing.

To clarify, standalone means out of the structure of CIS. The whole question is whether CAV is meant to be strictly a component of CIS or a full fledged AV that can compete with others when not coupled with the rest of the package. Whatever else might be used with it is irrelevant. Certainly in this day and age, nobody would be on the web without some kind of firewall, even if only the Windows one. Therefore my question is still unanswered.

This also has absolutely nothing to do with any products I used in the past. I am not criticizing CIS in any way here, I’m simply asking a question about CAV. It is the part of CIS that is most often criticized elsewhere and usually it’s because it is not as full featured as other AV’s. I personally feel that ,within the stucture of the whole CIS package, it does it’s job very well and doesn’t have to do a lot of the things that other AV’s do. I’m just wondering if the intent of the developers is to make it competitive with other offerings when not coupled with D+ and the firewall, or just to keep it as part of the full package where it doesn’t need to have the extra features.

Melih seems to have big plans for the AV as well that could make it a powerful standalone AV as well I assume.


The following is just my personal opinion.

CAV + CFP + Defense+ = Very satisfied

CAV + Any good firewall + Any good HIPS = Satisfied

Any good AV + Any good firewall + Any good HIPS = Satisfied

CAV + CFP (but with no HIPS) = Unstaisfied

CAV + Any good firewall (but with no HIPS) = Unsatisfied

CAV + Defense+ (but no firewall) = Unsatisfied

CAV + Any good HIPS (but no firewall) = Unsatisfied

CAV on its own = Unsatisfied

Any AV on its own = Unsatisfied

I think you need to use all three aspects - a firewall to control data ingress and egress, a HIPS to control internal execution and an AV to do any mopping up.

Secure the perimeter - firewall
Control the internal - HIPS
Mopping up - AV

Removing one of the three lowers the overall effectiveness. Relying on just one just isn’t enough.

Please note that my comments, while they concern CAV’s abilities as a standalone AV, are equally applicable to any AV used in isolation. Yes, some AV may be slightly better than CAV at detection, but no AV knows everything. This is where the perimeter and internal control mechanisms come into play. These two additional controls also filter “junk” before the AV even gets a chance to do it’s stuff.

Again, just MHO. :slight_smile:

Ewen :slight_smile:

Here is something that Egemen posted when they first added the AV to CIS v3.5:


Our philosophy, as you well know, is about “Prevention” being your first line of defense. CIS now has an AV component however this AV component is there to make Prevention more usable. We believe in a Layered Security Architecture where Prevention - Detection - Cure (in that order) is the components needed for a good security. Of course Prevention being the first line of defense, CIS does not compromise on this philosophy and continues to prevent malware from infecting the PC in the first place. And with the help of the detection technology (AV) built in CIS we can now offer easier to use security technology that has “prevention” as its first line of defense.

He is basically saying that the AV is there to enchant usability and not to offer some superb protection on its own (even tho Iam sure Melih wants the AV to be as good as it can, hence adding a lot of stuff to it in version 4)… As it is now a user may chose to run the AV alone and combine it with something, but comodos approatch is (according to Melihs blog) “Use layers, default deny” the other won’t work that well, at least not according to pages such as where they have statistic that shows how almost every piece of malwares is missed by one or more scanners… Also this is something interesting for those who think their AV is super and will eat every piece of baddie…

The question is:

What do you want to do with a malware that noone detects when it hits your computer?

choices are:

1)Keep your AV, nice and silent and no popups (no popup cos it doesn’t recognise the malware :slight_smile: )
2)Pretend your AV catches 100% of all known or uknown malware and continue to use your slowly dying pc, while whistling My AV catches it all song
3)Use prevention/CIS so that at least you get a chance at answering a popup with a yes/no


The modifications are the malwares attempts to get into your system. The HIPS has prevented this. The malware is has not affected your system in any way at this point. Sure, the installer can be sitting in your temporary internet files inert. This is not a security risk. If the malware were to have to wait until the AV was able to detect it, this would not be the case. As likely by the time it is picked up by the AV, it has already done damage to your system. At this point, it is a cleanup effort instead of a simple modification denial…

The Eicar files aren’t a good case in point because they are special cases and aren’t treated as most files in CAV. The AV in CIS is an on demand scanner. By definition, this means a file is not scanned until it is accessed. This means that downloads in general aren’t scanned until the file is accessed. The Eicar files don’t follow this procedure however, and are scanned on download. Why this happens I can only assume is from all of the files of people screaming that Eicar isn’t detected when they download it.

So to recap, Eicar hasn’t actually tried to do anything on your machine, which would alert D+. Instead, Eicar seems to belong to a unique subset of file types that are in fact scanned on download instead of the normal on-access method.

I totally agree with that Melih but that was not my question. We all know how great CIS is at protecting us, and I personally feel that CAV, even in it’s present state, is good within the framework of CIS. I’m simply asking if the direction of CAV is to be an integral part of the suite and only a layer of protection or to become the best product at doing what AV’s do, even outside of the whole package of CIS and therefore be rated higher on testing sites that only test traditional AV technologies. When you visit other forums and people bring up Comodo they most often will say , “Great Firewall but the AV sucks”. My opinion is that you don’t need to install a different AV with Comodo’s Firewall because CAV works fine within the structure of the suite. Many people seem to think that CAV is not good enough, even as part of the package. My real intention here is to have something I can use in defending Comodo against the questions I get as to why I keep using it.

Our philosophy, as you well know, is about “Prevention” being your first line of defense. CIS now has an AV component however this AV component is there to [b]make Prevention more usable[/b]. We believe in a Layered Security Architecture where Prevention - Detection - Cure (in that order) is the components needed for a good security. Of course Prevention being the first line of defense, CIS does not compromise on this philosophy and continues to prevent malware from infecting the PC in the first place. And [b]with the help of the detection technology (AV) built in CIS we can now offer easier to use security technology [/b] that has “prevention” as its first line of defense.

I had never seen that before , but, it kind of validates the impression I had of what CAV was meant to do. It seems to say that the AV is there to make a default deny approach more palatable to the average or novice user.

Melih isn’t good at answering questions ;D
Maybe wait a few more pages… if at all.

It really looks like the that people who are not aware that a reply about “design philosophy” was provided since the beginning are beating the bush and “waiting”.

It doesn’t matter how many instances of such “Design philosophy” they came to read as it wasn’t what they are solely focused on.

By now it should be obvious, it wasn’t really matter of “design philosophy” whenever it looks years of AV marketing still take their toll and there are people who assume that x0-xn AV can be “self-standing” even without using them.

Some other have rephrased the original query in a way they can still look at protection the way they have come to believe (AV), even accounting multi layered approach.

As such, AV-centric comments don’t even look aware that Comodo Antivirus does include D+ (yep obviously they didn’t really mean “CAV”).

Nevertheless by most ongoing comments, isn’t much clear what a “self-standing” AV category would be actually technically defined though related comments do claim that CAV isn’t part of that “category” (thus somewhat vague about what are the criteria to fit into that “category”)

Probably this also mean the they will eventually let everybody know when CAV get to fit such “category” when it will be (if their undisclosed specification of such category didn’t change meanwhile) while keeping everybody updated in that regard for the time being.

Whenever polls the likes what’s AV you use are not uncommon, this topic “design” was meant solely focused on Comodo.

Indeed regardless of “design philosophies” or protection approaches it even looks few would like to brag about CAV whereas they let everybody know they feel ATM they can’t, while others skip anecdotal premises to rehash their criticism and tell everybody they are “waiting”…

Hi Melih

Could you define what you meant by standalone AV? I think such a definition is essential to our discussion.



If anybody still wonders a layered protection philosophy acknowledge that protection is to be necessarily archived compounding different layers.

As such “standalone” would be something that all those members commenting on CAV ought to explain due to the peculiar use made in the context of this topic.

Because even if Comodo Antivirus endorse a layered protection approach it should still be clarified by what criteria the 3rd party AVs insofar mentioned match in order to fit that “standalone” category.

Once those criteria are unambiguously specified it will be possible to know when any AV does or will match them (and not that, for example, that only CAV does not)

nice one :wink: …as you’ve probably already figured out, the argument that a standalone AV is useless (yeah…detection…prevention etc…) is just there to avoid answering the OP’s question, and remain as quiet as possible about the “potential” of CAV, apart from granting it some sort of layered protection abilities (? >>>> less pop ups with Def + 88) ) when it’s basically just there to allow Comodo to rebrand CFP to CIS, and pretend there’s a full security solution there, which as everyone knows is not the case, the anti-virus component (again 88) ) being what I just said, a useless add-on to CFP.
Say you’d want to pick up a single component in CIS, and choose other providers for the rest. You could pick up Def+ and have a fantastic standalone HIPS, you could pick up the firewall and have a brilliant stand alone firewall. But you couldn’t pick up CAV…no need to elaborate there, the existence of this thread speaks for itself.

Before anybody get lured to have this topic take the shortcut of pro-CAV against-CAV oversimplification it would be obvious that there would be no meaningful purpose without clarifying the criteria to match the so far ambiguous “standalone” category.

That is as long comments are made under a constructive purpose and especially if supposedly meant to point out possible areas of improvement.

you’re welcome to start living up to your constructive ambitions and suggest “possible”…improvements, if any comes to mind ;D

It wouldn’t help adding other aspects before having the previously pending ones unclarified, this obviously would include you previous comment as well.

Do just tell what you implied CAV do not have when you classed it as “useless add-on”.

Will you actually do that or leave it pending like the others, leaving the “useless” remark as the fulfilling purpose of your comment? :-La