Eighty percent of new malware defeats antivirus????!!!!


Interesting reading.

The point that is being raised in this news article is that people use AV mostly and anti spyware is yet to penetrate the market.

One of the major reasons why Anti-Spyware products come as a seperate product is because vendors are looking for ways to charge extra for this. At Comodo we decided to turn our AV engine to also catch spyware hence we called it CAVS (Comodo Anti Virus/Spyware). Hence I believe our strategy is right and our strategy will help fight malware better, cos majority of people still think just AV will be enough and don’t bother with Anti spyware.

Read the article and let me know your thoughts please.


Based on that article, I think we should keep CAVS very quiet & not tell any more people about it.

Hmm… I believe there’s a slight flaw in that thinking. ::slight_smile:

Seriously, I think your strategy is correct & certainly is best for the user.

But, the article does make a valid point. The more popular any product becomes, then there more likely it will be that virus/trojan/malware writers test their latest thing against that product. That is, as the article indicates, indeed a worrying trend.

Hi Melih,

It certainly sounds to be a wise course of action alright, to integrate antispyware and antivirus together; and scanning in such a way, so as 1) first and foremost, as much as possible, prevent same from entering one’s system, 2) should it enter, catch same before it does harm, and 3) preferably clean/disinfect/eradicate it once found; barring that, at least quarantine suspicious files.

And from what I read on rootkits it sounds like they remain a real problem and growing concern. I am hopeful that CAVS, combined with a successful firewall (such as CPF), eventually proves itself to be up to the task of protecting those who use computers and traverse the Internet, providing end users with that warm and fuzzy feeling which can come from truly knowing that one is being protected by the best.

So, continue to press on, making our CAVS (and other Comodo products of course) the very best there is, and then we won’t have to be numbered among that 80 %. :wink:


Yes worrying indeed!
Blacklisting technologies that work on signatures and algorithms that detect behaviour are always there to be broken. This is why at Comodo we supplement all these technologies with safelisting approaches which is not susceptible to what the author has described.


That article has some truth but it makes me wonder why he don’t give any information about the programs he used and/or at least a catalog of the malware that he used for the test. It sure lacks of credibility since it just throw some percentuals and nothing more (not a number of the malware, not types of malware, etc.)

ps. This information is not new. It reminds me of blaster ( I think it was him), 2 years ago, that the first thing he did when infected a system was to disable the AV engine of the most known antivirus (norton,mcafee,etc.) and the second was to mutate his signature. It gave a great headache at the AV companies for more than 8 months.

80% sounds very high…like possible exageration. I have been using Spyware Blaster up until now. Can I safely switch this off with CAVS in use? I noticed that on my previous PC I had Spyware Blaster and Spybot both loaded. Spybot had fewer updates and since its scans never detected any intruders I assumed that Blaster stopped everything from even getting to me. I should add that I use ThunderBird and Firefox so I don’t have the usual MS security holes.
CPF and CAVS both working perfectly for me. Thank you Melih (and team).

Thank you mOngOd for your comments, I will keep Spyware Blaster up and running while CAVS evolves.

I has Spyware Blaster and Spyware Guardian (both by the same company) loaded. Spyware Guardian interferred with CAVS installing correctly (as it silently stops things), so I had to uninstall it.

I think Spyware Blaster is a wonderful companion product to keep installed as it is more about “training” IE / Firefox with regards to Ads, Restricted Sites, and ActiveX install control… I only foresee CAVS possibly depricating Spyware Blaster’s ActiveX controls… but there are 2 other function that Spyware Blaster can still perform for you (until COMODO makes new products that incorporate those functions).

I think it is possible for this (80% new malware defeats antivirus) to happen, considering most anti-virus softwares are using the blacklist approach. I think this will continue to be a trend until some geniuses came up with a new method on which the AV software could work on. Playing catchup is always on the losing side.

Erm Melih, I don’t get you when you said you were using the whitelist approach. Do you refer to the CPF or CAVS? I certainly think that it is the CPF, right? No way you could create a whitelist for the CAVS…

Yours truly,

I used to use Kerio PF to help in catching some rootkits when they tried to connect to the internet. Mostly it was because I could see all the information of what comes in and goes out.

Guess what? I’ve had MUCH greater success with CPF when it come to doing the same thing.

Sure a good firewall like CPF doesn’t get rid of the rootkits, and generally I haven’t really seen any AV/AS program being able to remove them, but at least I can sure tell when one is installed.

Removal usually turns out to be a manually done job… but oh well…

Hopefully CAVS will collaborate with CPF enough to have a better chance of removing these nuisances.

Besides that, you’d need a program that does thread tracing to be able to catch many/all rootkits (thread tracing=very time consuming - maybe do-able when AMD releases their 4x4 initiative).


Give me 2 months to show you what i mean :slight_smile:



Alright Melih, now you got me really curious. Hehe :slight_smile:

Yours truly,

The only effective method for removing these threats is by a comparison scan between the windows environment and a BARTPE or similar ,based bootable cd scan.


A combination of FIREWALL / AV / ANTISPYWARE in One package will be the best I think.

Hey Lewis,

It’s in the making :slight_smile:


if u doubt about the fact that a high level of new malwares are simply nit detected,
make a search on packagers to bypass antivirus on google and u’ll certainly find how it’s possible.
i often go to some wellknown bittorrent sites cause i know that the majority of keygens or cracks included are malwares.
i dl all that then i scan it with kaspersky, result : no virus.
i just have to send the file to virustotal.com and if the malware is really new, not a lot of scanners find some suspicious file, maybe 6 max, and always the same engines.
but sometimes 15 scanners detect a malware and know what? i send it to kaspersky and they reply : no malware detected !!! so i reply : really ??? excuse me but 15 scanners detected it so i doubt about you result and i tell that i will certainly change of AV solution cause i sent them a lot of files and i often receive the same answer : no malware. except when i wait a long time then scan again with kasperky, oooooh suddendly the file is detected.
so there are 2 solutions : they don’ t even look at the code and just scan it or they don’t want to reply me thanks for sending this new malware, it will be added to the base in the next hours.
that’s why i never trust my AV and always go to virustotal.com
and i got the unique logical solution named DEFENSE+, if some engine can’t detect malware so let’s see what the file wants to do with DEFENSE+ and u’ll be informed quickly about the real activity the file could start on your machine, except when u got D+ alerts showing the malware activity, u just have to kick it and it’s done, the file cant even load a bit into memory.
kaspersky said they added HIPS in their products but i have to say the level of security is far from what comodo is able to give for free… that hurts competitors ? that’s life, start first to stop lying to customers on your sites by telling your security solution is the best ever cause it’s just ■■■■.

and about the all in one, i don’t want all in one, what i need is comodo FW, scanners are the first security hole in your system and the prob is that customers are far to imagne that.
but that is just true.
u know with internet u can access any infos and u’ll find all things to even use a known malware and repack it with various methods and the known malware will bypass again your AV.
it’s packed a way that engine is unable to unpack it cause the way it’s packed send the AV from line to line code and if the AV continues to follow the game of the packager it could crash. sometimes the AV stays like 2min on a file of 20KB then it stop with result : 0 virus detected, except it just failed to scan the file cause of the method used to pack the file. so send it to virustotal.com and u’ll get your answer.
and at the end there’s always DEFENSE+ there to advise u, except it’s your own decision that will save your system or not. but if it’s a malware, DEFENSE+ will show u the first bad activity the file wants to start and if u don’t stop it u’ll see how the malware will infect your system with all the D+ alerts u will let run. so u’ll know all and how the malware infected u but if it’s a bad one, u can say goodbye to clean it.
use backup progs to save your system, use comodo FW and for the AV, do what u want. but if u find new malwares not detected by your av, go to virustotal.com and u’ll see wich engines are the best cause they’re always the same 5 or 6 engines to detect a bad file.

Interesting post there Ailef (:CLP)

While I accept the basic premise I must say that in defence of Avira it’s blocked every keygen or ■■■■■ that I’ve ever run,but it’s quite right that old methods aren’t working in the modern malware world.A combo of HIPS,behavioural,virtualization and whitelisting with some blacklisting thrown in is currently the best option but alas nothing is perfect.The sheer complexity of running a good degree of security brings problems in itself.In order to get close to 100% immunity it gets very restrictive indeed.

there’s something strange, i got tools to modify your bios and it’s recognized as malware but i think it’s more the fact that the tool is able to add slic tables to activate vista that MS and antivirus firms decided to return a malware alert to their users. is that possible ?

Quite often legitimate programs can be flagged up as potentially malicious because they exhibit similar traits to known malware,they tend to err on the side of caution.Out of the many cracks/keygens that I’ve run,the majority were from safe sources,but I’m happy to accept the FPs in such cases.

Likewise your bios modifier performs a potentially malicious action and probably shows enough coding similarities to known malware to make the AV twitchy so I’m not sure that there’s any collusion between the AV companies and Micro$oft,having said that nothing would surprise me with Bill’s mob. :THNK

When I first tired the Comodo Firewall out last year, I was amazed. I wanted to tell everybody but then I didn’t but I did anyway.

CAVS as I familiarized myself more tonight, is awesome. CIS was so good I though it was ■■■■, I really ate crow on that one and a lengthy number of apologies appear.

The main problem I had was the ■■■■ software I had been paying for, using about 5-6 apps at a time and slowing machines down to a crawl.

It was hard to take the leap to one firewall and one antivirus, malware and spyware program. I’m glad I did.

It was impossibly difficult at first and actually still is but as each day goes by, I learn a little more. When I recommend Comodo software to someone, I want to be there to install and show them what I’ve learned.

A question, is CIS considered to be an all in one, need nothing else program? Does it have to be set up by a professional to be effective in all the different areas we are finding ourselves being attacked on.

Thank you.