Does CAV detection work by HASH identification?

Don’t worry Siva.

Once Valkyrie is released, you will not have to worry about HASH identification. :wink:

I know that. But, Generic & Heuristic signatures are more efficient compared to Hash signatures.

Hash detection can be a quick temporary solution, but a persistent hash detection even after continuous submission of similar samples (which are in fact bypassing the very strength of CIS i.e., automatic sandbox) is not something acceptable at the stature of Comodo.

On the other hand, one can see in the VirusTotal reports that every other AV detects them as specific malware except COMODO, and still, Comodo Analysts have not yet looked into it… that makes me crazy…

Lately, as you can see in the previous posts, there are other samples which also fall into the same case. So, I wish COMODO devs would improve their AV detection technologies.

Awaiting that for a long time.

By the way, Valkyrie does not scan “.vbe” files fyi.

Recently I found that CIS 6 has got different detection and cleaning technologies compared to CIS 5.

Wasji6 has kindly tested some samples sent by me (not these) and showed that the detection differs from CIS 5.

I have sent these samples to him. I am waiting to see his results. I hope I can find something better there.

With every release we aim to improve:

Security
Usability
Resource usage

Melih

That’s why we admire you BOSS.

I constantly bring up issues, only because they can be eliminated ASAP and Comodo becomes more and more secure.

@Melih
By the way, no dev has yet commented anything on this. Can you please ask somebody to look into this issue?

They already are… I sent them all the details a couple of days ago when I saw your post…

Thanks a lot…

Hi Siva,

As far as I understand, some autorun script malware is executed and CIS doesn't sandbox it, even despite its command-line parsing, etc.

It is not something expected. Can you provide me this script and its autorun.inf file?

@Egemen
I sent you a mail and PM.

Siva,

Is this type of detection also the reason for recurring FPs?

Alas, a Dev came aboard… but he didn't reply whether CAV detection works by HASH identification. [The point is that all the AVs detect the original & slightly modified/modified malware samples as the same detection; that's the correct way. Why doesn't Comodo? (Comodo detects the original & misses the slightly modified/modified ones.)]

Did you get Wasji6's response on the malware sent?

Not yet, he is busy in school. He replied that he would test them as soon as he gets a chance to.

Wasji6 checked the samples and said that the behaviour is the same with CIS 6 too.

I sent the samples to Egemen, he is yet to comment on this.

I thought so; otherwise Melih would have mentioned here in his post that CIS 6 will make a difference. But it seems the AV detection method of versions 5 & 6 is the same.

And I think Egemen will comment on the samples but not on the detection way of Comodo AV.

And I think Comodo AV detection works by HASH identification & that's not good. They need to make the detection flexible.

I don't understand how Valkyrie will solve this, as someone has mentioned. Valkyrie is heuristics & other analyzers & it will definitely increase the protection/detection.

But here we are talking of signature detection which should be flexible instead of based only on HASH.

I have been hoping for a long time since Valkyrie was born, that CAV signatures for zero day malware could be created based on Valkyrie detection. (no comments on this yet from any devs of course)

Only if that happens can we think that Valkyrie improves CAV signature strength.

(By the way, as I already mentioned, Valkyrie does not yet support script scanning.)

All AVs work with multiple detection techniques from generic signatures to a single file signature.

But why doesn't Comodo AV detect the same malware if it is slightly modified?

Other AVs detect the modified malware.

That means that specific file is being detected by a file sig rather than a generic signature. There could be instances where Comodo detects a file based on a generic sig and others detect it file-based… it's all about timing, as it takes time to generate a generic sig, but it's automatic to create a file sig.
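The difference Melih describes, as an added illustration that is not part of the thread and not Comodo's code: a file signature is an exact hash of the whole file, so any byte change (here, whitespace and a string literal) breaks it, while a generic signature matches the construct the variants share. SHA-256 as the file signature, the regex as the generic pattern, and the three script bodies are all constructed for this example; the generic pattern deliberately also shows the precision trade-off raised later in the thread (a benign script that creates the same object but never calls Run is not matched).

```python
import hashlib
import re

# Constructed stand-in samples (not real malware): a script body and a
# "slightly modified" variant with different whitespace and a changed literal.
ORIGINAL = (b'Set ws = CreateObject("WScript.Shell")\r\n'
            b'ws.Run "cmd /c echo constructed-sample-v1", 0\r\n')
VARIANT = (b'Set  ws  = CreateObject("WScript.Shell")\r\n'
           b'ws.Run "cmd /c echo constructed-sample-v2", 0\r\n')
# Constructed benign script: creates WScript.Shell but never calls Run.
BENIGN = (b'Set ws = CreateObject("WScript.Shell")\r\n'
          b'MsgBox ws.ExpandEnvironmentStrings("%USERNAME%")\r\n')


def file_signature(data: bytes) -> str:
    """Single-file signature: the SHA-256 of the exact bytes on disk."""
    return hashlib.sha256(data).hexdigest()


def matches_file_signature(data: bytes, sig: str) -> bool:
    """Any change to any byte (whitespace, a string literal) breaks the match."""
    return file_signature(data) == sig


# Generic signature: a pattern over the behaviour-relevant tokens, tolerant
# of whitespace and of whatever bytes sit between them.
GENERIC_SIG = re.compile(
    rb'CreateObject\(\s*"WScript\.Shell"\s*\)'  # shell object created ...
    rb'[\s\S]{0,256}?'                           # ... within a short window ...
    rb'\.Run\s+"cmd\s+/c',                       # ... and used to launch cmd
    re.IGNORECASE,
)


def matches_generic_signature(data: bytes) -> bool:
    """Hits the original, the variant and any rewording that keeps the same
    construct; misses the benign script that lacks the Run call."""
    return GENERIC_SIG.search(data) is not None


def classify(data: bytes, file_sigs: set) -> str:
    """Exact file hit first (cheap and precise); the generic pattern is the
    fallback that catches variants and carries the false-positive risk."""
    if file_signature(data) in file_sigs:
        return "file-signature"
    if matches_generic_signature(data):
        return "generic-signature"
    return "clean"


if __name__ == "__main__":
    known = {file_signature(ORIGINAL)}  # the one hash the "AV" has seen
    for name, sample in (("original", ORIGINAL), ("variant", VARIANT), ("benign", BENIGN)):
        print(name, classify(sample, known))
```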

OK.

I am not that expert, so I don't know much about this.

Let's see what Siva has to say on this, as he is also the OP.

I agree with what Melih says, and in fact I find from the Database updates thread that COMODO is producing generic signatures at a higher pace now, thereby reducing the number of signatures every day.

But, I am still surprised why they are always late in doing so, compared to the other companies. (Maybe the other AVs only concentrate on the detection part and CIS concentrates more on D+, again maybe…)

(Even today, I am very much surprised by the way ESET manages their signatures, the total bases are just 40 MB in size, yet it is a very strong signature base…)

Again, about the particular samples I have sent to Egemen, I am still waiting for his response.