How does Comodo 3.0 detect malware?

Hi there,

after using Comodo 2.4 for a long time I would perhaps like to update to 3.0. One of the new features is malware detection (even a heuristics module is included, according to some people :wink: ).

But does the Comodo firewall access the hard disk extensively like a "real" antivirus ("on-access scanner"), or does Comodo only protect your "data streams" (incoming or outgoing)?

I hope it's the second one, because for on-access hard disk scanning I use a good antivirus. The performance impact would be a little too much for my ol' PC if two engines were searching my hard disk for file viruses.

So how does Comodo 3.0 search for malware? :slight_smile:

Greetings

It prevents it rather than detects it!

Imagine you are surfing the web and all of a sudden your machine becomes sluggish and starts doing strange things…
You are infected…
then you get your av, try to update your signature definitions… still no luck… cos this is a new malware…

so the question what happened?

Well, malware injected itself into your machine using many vulnerabilities…

v3 on the other hand would have picked this instantly and alerted you to a strange activity and you would have known before it happened!

It's prevention rather than detection! That is the paradigm shift with v3!

Melih

I like the fact that Comodo & other HIPS don’t require signatures. The real question is… can Comodo replace the need for an antivirus program, especially real time monitoring?

I trashed Avast! AV a few weeks ago… (I know that sounds nasty!), But hey… I have not had a single problem.

Defense+ ACTUALLY ALERTED ME ONCE: Malware Heuristics analyzes possible malware behavior in C:\xxx-xxx-xxx. I don't remember the alert fully though! :smiley:

I also love the idea CFP doesn’t use signatures to detect… IT PREVENTS!

But… I still recommend Detection Technologies as backups (I have SUPERAntispyware and Spybot).
Josh.

There is a COMODO antivirus which is, as its name specifies, an anti-virus.

Link: http://antivirus.comodo.com/

CAVS 3 will be in beta hopefully soon :slight_smile:

Josh.

I think the answer is yes. What is the point of letting an antivirus's resident monitor constantly scan the file system if it cannot detect new malware anyway? On the other hand, a HIPS doesn't scan the file system at all, and it is able to detect and prevent even new malware when it tries to do its harmful job (I mean a good HIPS like Defense+ in CFP).
So your system is faster and better protected with a HIPS. It is a win/win situation.

But I also think that it is useful to scan removable drives and unknown downloaded files for viruses, and the whole system once every one or two weeks (just in case).

I would be interested in the view from one of the COMODO techs regarding this…

here’s a good explanation about Prevention==>detection==>cure 8)

https://forums.comodo.com/melihs_corner_ceo_talkdiscussionsblog/detection_vs_prevention_your_first_line_of_defense-t15891.0.html

ganda wrote:
here's a good explanation about Prevention==>detection==>cure 8)

Thanks… it's a nice, albeit "cute & fuzzy", explanation. I'm a little more interested in some real facts… i.e. the effectiveness of CPF3 in keeping my PC safe c/w an antivirus like NOD32 or KAV. Many thanks.

Real facts? Hmmm, how about this: CFP3 has A-VSMART technology, it can detect 60% of UNKNOWN MALWARE. Sounds effective, huh? If you browse thoroughly in this forum, you'll see some posts about it.

Thanks. I am impressed with what CFP3 does… certainly it is the best of its type I've seen. But I guess it doesn't really answer the question of whether it can replace a standard AV, or act as a second layer of security. Browsing the forum doesn't seem to answer this… maybe it can't be answered.

For the average home user, I suspect multiple layers of security are overkill, and they do slow a PC down significantly. Nothing is 100%, but I think many users would be interested in whether or not CFP3 can be thought of as an antivirus replacement. The PC certainly runs faster with CFP3 alone.

Actually CFP should be the first layer of security. My opinion is that you don't need an on-access virus scanner, but using one on-demand wouldn't slow your computer and you will have a backup layer of security. This way you can right-click a file and click "scan with …" before you allow it to execute in CFP, if you are not sure whether it contains malware or not. This is not 100% though, because if it is something your AV doesn't know then it's up to you to decide. Thanks to CFP you will have the choice. But the best thing is to use your mind and surf the net responsibly. Anyway, if one wants to run questionable programs they are probably aware of the potential risks involved.

Does CPF3 play nicely with SUPERAntiSpyware Pro now?
Thanks.

There was a problem with SAS's temp file, I remember; it couldn't be excluded from Defense+ :wink:

I 2nd that!
As a newbie I also find it difficult to know whether CPF3 is alerting me about an actual safe process or something that is pretending to be, burying itself in, or cloning one.

The real question is... can Comodo replace the need for an antivirus program, especially real time monitoring?

Let me give you an example of how (IMHO) it can’t.

I’m running Comodo in Train with Safe mode. Only applications in Comodo’s safe list should be allowed to run without notice in that mode. One day I plugged somebody’s flash drive into my PC. The flash drive had the autorun enabled. So after I plugged it in, the rundll32.exe was executed (no alert from Comodo since both the launching and the launched processes are safe) and instructed to run a viral DLL from the flash drive (again, no alert from Comodo since rundll32.exe is safe and the dll is not considered an executable). The only thing that saved me from being infected that day was the antivirus, which caught the dll being launched and deleted it (I then got an error from rundll32.exe not being able to locate the dll).

Another example: when you run a VBS script in Windows, any script actions are carried out by wscript.exe, which is considered safe by Comodo. Place something like "wscript.exe D:\Virus.vbs" in the removable drive's autorun.inf and Comodo will just let it do its business next time you put it in. And there is no way you can tell Comodo to allow wscript.exe to launch A.vbs but block B.vbs, even if you're in Paranoid mode.
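As an added illustration of the point in this post (not code from the thread or from Comodo): a detection check over constructed process-creation events that flags a whitelisted host such as rundll32.exe or wscript.exe when the DLL or script it is handed lives outside the OS directory, i.e. when the "safe" image is only a carrier for untrusted code. The host list, the extension sets and the rule that only C:\Windows is trusted are my assumptions.

```python
import re
from pathlib import PureWindowsPath

# Whitelisted hosts and the payload extensions that carry the real code.
HOST_PAYLOAD_EXT = {
    "rundll32.exe": {".dll"},
    "wscript.exe": {".vbs", ".vbe", ".js", ".jse", ".wsf"},
}
# Assumption: only files below the OS directory are trusted; removable drives
# and user-writable folders are not.
SYSTEM_DIR = PureWindowsPath(r"C:\Windows")
_TOKEN = re.compile(r'"([^"]+)"|(\S+)')  # quoted or bare command-line tokens

def first_argument(cmdline):
    tokens = [q or bare for q, bare in _TOKEN.findall(cmdline)]
    return tokens[1] if len(tokens) > 1 else None

def under_system_dir(path):
    """True for an absolute path below SYSTEM_DIR (case-insensitive)."""
    want = [p.lower() for p in SYSTEM_DIR.parts]
    return bool(path.drive) and [p.lower() for p in path.parts[:len(want)]] == want

def triage(event):
    """event: {'image': host exe path, 'cmdline': full command line}.
    Returns a reason when a whitelisted host loads an untrusted payload, else None."""
    host = PureWindowsPath(event["image"]).name.lower()
    arg = first_argument(event["cmdline"]) if host in HOST_PAYLOAD_EXT else None
    if arg is None:
        return None
    # rundll32 syntax is "lib.dll,EntryPoint": keep only the library path.
    payload = PureWindowsPath(arg.split(",", 1)[0])
    if payload.suffix.lower() not in HOST_PAYLOAD_EXT[host]:
        return None
    # Bare names (e.g. shell32.dll) resolve via the system search path; out of scope here.
    if not payload.drive or under_system_dir(payload):
        return None
    return f"{host} loading {payload} from outside {SYSTEM_DIR}"

# Constructed events mirroring the two scenarios described in the post.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe E:\autorun\payload.dll,Start"},
    {"image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" D:\Virus.vbs'},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

def alerts(events=SAMPLE_EVENTS):
    return [r for r in map(triage, events) if r]
```

The first two sample events are flagged and the third (a system DLL under C:\Windows) passes, which is the distinction an image-path whitelist alone cannot make.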

WOW :o can somebody confirm this ???

This sounds impressive because you are assuming it can detect 100% known malware and 60% of unknown ones.

If this was an antivirus, it would detect most of the known ones, and to see how it scores against unknown ones we would do a retrospective test.

The top AVs like NOD32 will typically detect 95-99% of known malware (the most common ones) and say 60-70% of unknown ones based on heuristics. Not too bad…

The trouble is CFP3 does not know any "known" malware, so effectively this means that if I toss 100 of the most common malware at it, the "Vsmart" will miss 40 of them!!!

While an antivirus will likely catch most of them if they are well known…

Actually A-VSMART ™ is the name of the technology for v3. It's not just the basic heuristic algorithm. Also, this basic heuristic part of A-VSMART can detect 60% of "unknown malware" (which is pretty damn good for a simple heuristic, considering that the majority of AVs miss new malware cos they don't have the signature; do check www.virustotal.com stats to see what is being caught of the new ones). It's very difficult to further quantify these stats simply because any test is limited to the malware it possesses in its database (known or unknown). That is why we have V3 with A-VSMART where Prevention is the key. Of course we will continue improving detection technologies as we believe in the layered security architecture. However it would not be prudent to rely on detection as your first line of defense. Prevention should be your first line of defense!

Hence A-VSMART is not just the "detection" engine, it's the New Platform for V3 that will prevent malware infiltrating in. Hence I would go and say: A-VSMART will Prevent ~100% of known and unknown malware! Now that's hard to beat! (:NRD)

thanks
Melih

60% on your test set. Malware is designed to defeat the current heuristic detections, so the actual results for unknown malware are lower.
Also, some antiviruses (e.g. Antivir, NOD32) have very good heuristics with very few false positives.

However it would not be prudent to rely on detection as your first line of defense. Prevention should be your first line of defense!

detection is prevention

Hence A-VSMART is not just the "detection" engine, it's the New Platform for V3 that will prevent malware infiltrating in. Hence I would go and say: A-VSMART will Prevent ~100% of known and unknown malware! Now that's hard to beat! (:NRD)

HIPS cannot prevent ~100% of known and unknown malware, because that assumes that the user always makes perfect decisions.