IMHO: Don't need Defence+/LeakControl if running Avira (or any other leading AV)

[Note: I have slightly changed the title of the thread to make it a “statement” (it was a “question”). I did this to not start a new thread. Everything else was left unchanged. The “statement” post appears further down the thread.]

I am a little confused. Yes, I did search and read some of the previous threads, and have also read the “layered strategy” post in the CEO section.

The following refers to Avira, but it could be substituted with any leading AV package like Kaspersky, BitDefender, etc.

I am running Avira Premium. As per the Comodo help files, “advanced” users can disable Defence+ if they are running another host intrusion prevention application.
First question: Avira Premium would qualify as a HIP application, right?

If I disable Defence+, I am then faced with the option of running the firewall with or without leak prevention. Here again, wouldn’t Avira catch the so-called malware anyway?
Second question: the leakproof would only be useful if some malware escapes Avira’s detection, correct?

The reason for asking these questions is that I am more paranoid about security products than I am of malware. System resources are precious (yes, I know data is more precious, so please spare me the “lecture” ;)).

I will appreciate any comments.

thanks.

TO THE WONDERFUL FOLKS AT COMODO: I have done extensive research on firewalls, and your product rocks. Making it available for free is unbelievable. Many thanks!

Answer to the first question - No. Avira Premium doesn’t have HIPS.
Answer to the second question - Yes.

Avira and Comodo are 2 different programs. Avira is an anti virus. Comodo is a firewall with HIPS protection. Avira can stop viruses but it cannot make you aware of suspicious activity. Use both together and you will be very well protected.

You need a “Prevention” layer. Avira, afaik, offers “Detection” layer.

Hence my recommendation would be to use “Prevention” as your first line of defense and this is offered by CFP v3.
Also, if you want detection layer you can always use our Comodo online scanner (either daily scanning or weekly or whatever frequency you want)

Thanks
Melih

Thank you, thank you! I am very impressed by the fast and very helpful responses. Not only are you guys putting out a superb product (did I say for free?), you are backing it up with excellent support/hand-holding to match! Please accept my sincere thanks and appreciation.

Please review the summary, and another question that arises, and I will then sign off:
Summary: If I understood you correctly: AVIRA (or any other leading consumer level AV for that matter) are not HIPS applications, and only offer “detection” level protection–which I understand to mean that it will protect me from malware (which has already made it to my computer) when it tries to run to do its harm. That is, they won’t stop the malware from getting to my hard drive. Comodo’s Defence+, on the other hand, is a prevention level solution, which will try to stop malware from making it to my system in the first place. Comodo is like a vaccine (or “clean air/water”, for that matter) to protect you from getting sick, and AV products are medication that a doctor prescribes for you after you have gotten sick. Am I correct in my understanding?
This raises a question: if what you say is correct (which I am pretty sure it is–you know your stuff!), then what is the purpose of the real-time file scanning function built into [almost] all leading consumer AV products? Doesn’t the real-time file scanning do the same thing (i.e. “prevention”) that Defence+ does?

Now the last question: Is it then correct that if I run Avira Premium with default settings and Comodo in default settings (i.e. with Defence+ and LeakProtection), there is no duplication of effort going on in my computer? I ask this because I am worried about a silent drain on my computer resources all the time (you can probably sense my paranoia by now…). I know from my little bit of computer knowledge that the real time scanning of AV, and the Defence+ and LeakProtection features of these different products all involve system hooks, inspection of packets/messages/memory events etc. in real time, i.e. before the actual process gets to work with these events etc. So, I want to eliminate as much duplication and unnecessary overhead as possible. Please note that I do NOT have a casual attitude towards security, nor do I take it lightly. But I do believe in doing it right, and avoiding as much unnecessary overhead as possible. After all, I don’t upgrade my computer so that AV and firewalls can run better… LOL.

By the way, I would be interested in hearing a general comment on the total draw on system resources by both of these products running at the same time.

THANKS VERY MUCH AGAIN!

You are 100% correct. There is no drain on my system, either, with Avira Premium and Comodo. Avira’s web shield slows some web pages loading for me so I switched back to NOD32. To sum things up simply:

Comodo = Prevention

Avira = Removal

Be aware that Comodo is only as good as the user behind the mouse clicking. So suppose you download and install product “x”. Shortly thereafter Comodo’s D+ is asking you if you want product “z” to run. You scratch your head and say wait a minute, I installed product “x” not “z”. So at that point you would block product “z” from running with Comodo. Then you would do a scan with Avira to remove product “z”.

Answer to the first question - Yes. You understood the idea perfectly :slight_smile:
Answer to the second question - No. Avira and Comodo are working nicely side-by-side and doing separate jobs. :slight_smile:
Answer to the third question - Comodo CFP 3 consumes about 9-11 mb of RAM (most of the time - 7 mb), Avira consumes 18 - 22 MB RAM when “idle” and it will take more when a scan is running.

Overall - Avira + Comodo CFP3 is a nice setup and it’s basically all you need as a home user for internet protection :slight_smile:

BTW - Welcome to the forums :wink:

If you want to test Avira and Comodo out after installing it, download System Shutdown Simulator. Don’t run the shutdown test but run the 3 tests at the bottom. The first alert you will get from D+ is asking if you want System Shutdown to run. You need to click allow or else the test won’t run. Then once the program opens click on the “create eicar” file and you will get a loud beep and alert from Avira. Tell Avira to delete it then delete the file from within the program. Next click on the HIPS test and Comodo will be alerted. Click block on the D+ alert and you will see the test passed. Then delete the file from within the program. Last test is the firewall test. When Comodo gives you an alert that System Shutdown Simulator wants to connect to the internet then click block. You will see the test passed. After you run this test you will feel a lot better about your current set up for protection. BTW it’s a zip file so unzip it before running it.

http://zeroday-software.110mb.com/

One last security feature to add if you don’t use it already. ALWAYS SURF USING FIREFOX. Keep in mind that Commodus and myself are not modders pushing a product. We are Comodo users like yourself who just like helping others.

Guys, thanks again.

One question remains unanswered (or maybe I am a little clued out and didn’t understand some of the answers): what is the difference between “prevention” offered by Comodo Defence+, and the real-time file scanning feature offered by almost all leading consumer level AV products? Don’t they do the same function?

Another comment, when talking of system resources, I wasn’t worried about RAM at all. I am not worried about CPU cycles either. What I am worried about is the constant overhead at very intrusive level in the OS–whatever a process needs, it will have to be inspected by two layers of defence (AV and Defence+). And that constant drain on “resources” is what I am concerned about.

A poster made a very good observation that the security is only as good as the fingers behind the mouse. Well, all I have to say about my surfing habits is that I have been using the Internet for 13+ years, and I had NEVER used any AV or firewall or malware killers up until now. I have been so careful in what I do and where I go that I NEVER got infected either (except for tracking cookies that adware scanners catch as the threat). I am just wanting to start using these because I feel that I won’t be this lucky/careful forever. Since I didn’t use these products up until now considering them a hog on resources (boy, do I HATE the Symantec AV and its real time feature at my work computer…), I am very careful that I only use/enable what I need and don’t fall into the trap of overkill and/or duplicate/triplicate layers doing essentially the same thing.

THANKS GUYS!

AVs are based on signatures. If an AV doesn’t have a description of a particular malware, it won’t detect it :slight_smile:
CFP 3 on the other hand will prevent almost any malware from running (new or old). It depends on the user - allow or block. If you allowed a program to run and it appears to be malicious, then the AV will come into play.
If you allow malicious code to run and an AV cannot detect it - you’re screwed ;D

P.S. Of course most of today’s AVs use heuristics to detect unknown malware, but unfortunately it’s not effective enough right now :frowning:

One question remains unanswered (or maybe I am a little clued out and didn’t understand some of the answers): what is the difference between “prevention” offered by Comodo Defence+, and the real-time file scanning feature offered by almost all leading consumer level AV products? Don’t they do the same function?

Your question has been answered several times. Comodo cannot cure an infection. It can only prevent it. Avira can cure an infection. A doctor can tell you that you have a cold (infection) but he cannot cure it. That is why you need medicine. The D+ in Comodo and the real time AV scanning of Avira are 2 different programs.

Comodo doesn’t know that something is a virus. It is only making you aware of suspicious activity. It is up to you to allow or block it. If it is a virus and you allow it to run then Avira will catch it because it knows it’s a virus. Hope that clears things up.

OK, I am going to go out on a limb here, but I want to share what I have gathered after doing hours of reading older posts on this forum.

The decision point I was faced with: If running Comodo together with a decent consumer level AV program, do I still need to enable the Defence+ (and LeakControl, for that matter) features of Comodo? My concern about unnecessary overhead/draw-on-system-resources was driving this question. According to the feedback on this forum, the initial answer was a simple “Yes”. One learns from reading this and several other threads that AVs are good at detection, while Comodo’s HIPS is good at prevention. Also, since AVs depend on a signature driven database, they’ll be useless in the case of day-0 threats and other malware that they don’t have a signature for. Sounds very good and promising, and I first decided to leave Avira and Comodo alone with their default settings (i.e. Defence+, LeakControl, real-time file scanning, and webguard all active). This should have been the end of my “research”, but then I started thinking… ???

Let’s think about it: Comodo’s Defence+ will alert you if a program is trying to run on your computer, or if an exe type file is trying to get copied onto your HD. The theory is that since you will be notified before it runs (or makes it to your HD), you will be able to stop it before the AV kicks in to do its job, and that, it is theorized, could be the difference between a system compromised by a day-0/unknown threat and a safe computer! Sounds good, doesn’t it? But please stop and ponder a little more over the underlined section: day-0 or unknown threats. What that means is that if your AV is not going to protect you because it didn’t have the signature of that malware in its database, you are ■■■■■■■. I must say that in theory, it is correct. But let’s ask ourselves a question: when was the last time you were able to find a file on your computer named virus.exe, or passwordstealer.exe, or trojan.exe? The point I am trying to make is that when a user is faced with an allow/don’t allow questionnaire from Comodo’s [I must say: excellent!] Defence+ armor, I can bet that in almost all of the cases s/he will click on Yes. And that’s the whole point. Defence+ is an excellent option to have for people who are working in a very hostile and heavily infected environment and need all the control they can have, plus who have that extra bit of knowledge that the AVs don’t to make the call to kill a program before it starts.

I am NOT bashing Defence+. It is an excellent option to have. But for almost all (notice that I didn’t say “most”) of the users, it is an overkill that they can very happily and safely do without. An average (read: most!) user just doesn’t have the knowledge to make effective use of HIPS. And even a fully knowledgeable power-user doesn’t have the time and resources to make full use of HIPS in their average daily computer usage. So why bother with this useless and ineffective (note: again, I am not bashing the solution but its effectiveness due to real life limitations/implications) drain on system resources?

Comments?

One caveat for legacy AV products is that they can only detect malware if they know it! For example, a brand new malware will more often than not go undetected by the AVs out there. You can verify that by checking these stats http://www.virustotal.com/estadisticas.html . So AVs will mainly detect what they are aware of. That awareness can never be 100%! And there simply is no way to measure how well an AV does, because no one has all the malware to measure against! In order to measure how well the AV is at detection, the tester must have all the malware that exists. No one has that. So tests can only be for a subset of malware that the tester has.

This very flaw of only detecting known malware is why you need Prevention as your first line of defense.
You need a “Default Deny” system (which is how our Prevention works) rather than “Default Allow” systems like legacy AVs out there.

thanks

Melih

Dear inspiron2… You’re making this a bigger deal than it is. You came in here asking for assistance and we gave it to you. I don’t know how many security programs you have ever used but any firewall is based on user input. Allow or Deny. Any HIPS program is also user input based. PC Tools Threatfire is a HIPS program like the one built into Comodo firewall. A user that has Threatfire installed can also accidentally click allow instead of block. The most important thing about security is your own brain. Common sense goes a long way. If you don’t know what a program is then deny/block it. People install car alarms on their cars but never arm them or forget to arm them. So why install an alarm? Stop digging so deeply into this. Using Avira and Comodo will keep you plenty safe. End of story. But then again, in your eyes, why go to the Dr for a physical if you’re just gonna get sick anyway? Answer being = PREVENTION.

A gun is only as good as the person that is pulling the trigger.
A sports car is only as fast as the person behind the wheel.
Food is only as good as the person cooking it.
Directions are only as good as the person that is following them.
A house is only as good as the person that is building it.

Melih, I agree with your analysis 100%. And I don’t doubt the effectiveness of this strategy–if it’s used to its fullest potential. And that’s where the problem comes in. While your product implements HIPS in an excellent way, an average user is just not equipped to make much use of it. Heck, even an experienced user would be lost most of the time and a default “allow” would be the response in almost all of the cases. Please note that it is NOT a weakness of your product, rather a fact of life in the case of all HIPS.

What would be ideal to me, from not only an effectiveness but a computer resource conservation point of view as well, is a product which does detection and prevention in one step. That is, when executable code attempts to run, do an AV scan on it right away, kill it if it fails, otherwise let the user make the decision while telling him that the AV has passed it.

The only problem (read: unnecessary drain on system resources) I see from a layered strategy coming from different products (Comodo w/ Defence+ and Avira AV Guard in my case) is that they both run and examine the same event/memory stream/file hook/message one after the other. And that extra “overhead” is not only not acceptable, but also wasted.

regards,
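The “default deny” versus “default allow” contrast Melih draws a few posts up, and the one-step scan-then-ask scheme described in the post just above, as an added Python model. This is example code written for this page, not code from Comodo, Avira or any poster in the thread. The file names and contents are constructed, and a content hash stands in for an AV signature and for a trusted-software list; a real AV matches on far more than a whole-file hash, and a real HIPS watches behaviour rather than just the file identity.

```python
import hashlib
from enum import Enum

# Three decision policies from the thread, run over a tiny set of
# constructed "executables". Hashes play the role of AV signatures
# (known-bad list) and of a trusted-software list (known-good list).


class Verdict(Enum):
    ALLOW = "allow"          # runs without asking
    BLOCK = "block"          # stopped outright
    ASK_USER = "ask user"    # the HIPS pop-up: the user must allow or block


def fingerprint(data: bytes) -> str:
    """SHA-256 of the file contents; a stand-in for an AV signature."""
    return hashlib.sha256(data).hexdigest()


# Constructed samples for the example (not real programs).
SAMPLES = {
    "notepad.exe": b"well-known editor, vetted by the vendor",
    "worm_2007.exe": b"old worm with a published signature",
    "fresh_dropper.exe": b"brand-new malware no vendor has seen yet",
}

# Detection layer: the signatures the AV already has.
KNOWN_BAD = {fingerprint(SAMPLES["worm_2007.exe"])}

# Prevention layer: software the user or vendor has already vetted.
KNOWN_GOOD = {fingerprint(SAMPLES["notepad.exe"])}


def legacy_av(data: bytes) -> Verdict:
    """Default allow: only a signature match is blocked; everything else runs."""
    return Verdict.BLOCK if fingerprint(data) in KNOWN_BAD else Verdict.ALLOW


def default_deny_hips(data: bytes) -> Verdict:
    """Default deny: only trusted software runs silently; anything unknown is
    stopped and handed to the user, malicious or not."""
    return Verdict.ALLOW if fingerprint(data) in KNOWN_GOOD else Verdict.ASK_USER


def combined(data: bytes) -> tuple:
    """The one-step scheme wished for in the thread: scan first, kill a known
    threat without a prompt, otherwise prompt the user with the AV result attached."""
    fp = fingerprint(data)
    if fp in KNOWN_BAD:
        return Verdict.BLOCK, "signature match"
    if fp in KNOWN_GOOD:
        return Verdict.ALLOW, "trusted"
    return Verdict.ASK_USER, "AV found no signature, but the file is unknown"


def apply_user(verdict: Verdict, user_allows_unknown: bool) -> Verdict:
    """Resolve a HIPS prompt. With user_allows_unknown=True the prompt is
    answered the way the thread fears most users answer it, and the
    prevention layer's benefit disappears."""
    if verdict is Verdict.ASK_USER:
        return Verdict.ALLOW if user_allows_unknown else Verdict.BLOCK
    return verdict


def evaluate(policy) -> dict:
    """Apply one policy to every sample; returns {name: verdict}."""
    return {name: policy(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for label, policy in [("legacy AV", legacy_av), ("default-deny HIPS", default_deny_hips)]:
        print(label)
        for sample, verdict in evaluate(policy).items():
            print(f"  {sample:20} {verdict.value}")
    print("combined")
    for sample, data in SAMPLES.items():
        verdict, reason = combined(data)
        print(f"  {sample:20} {verdict.value} ({reason})")
```

Running it shows the thread’s two points side by side: fresh_dropper.exe sails through the signature-only policy but is stopped for a decision by default deny, and apply_user shows that the second outcome only holds while the user actually clicks block.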

You keep complaining about unnecessary drain on system resources. Well what kind of PC do you have? I have a desktop and laptop. My desktop has a 2.4 P4 overclocked to 3.06 with 2 GIGS of RAM. My laptop is a dual core 2.8 with 2 GIGS of RAM. Even 5 year old PCs with only 512 RAM can run Avira and Comodo with no slow downs. If you’re that worried about overhead then add more RAM. BTW I never click allow unless I know what the program is. Then again I never install or run anything that I do not know what it is either.

Dear Vettetech, I am sorry if I stepped on the wrong foot here. Did I offend you in any way? Or didn’t I acknowledge and thank you for your help in my earlier posts? Pardon me, but I thought that the point of an open discussion in a forum was to exchange ideas. Before I posted my last post, I changed the topic to alert readers/admins to the message contained herein. And I didn’t mind at all when they moved my thread to a more appropriate section.

If you want me to just stop thinking about it, and not engage in any discussion to maybe reach a better solution, please just say so.

With all due respect, I think you have failed to see where I am coming from. Never once have I put down the help I received from you and others. Never once have I put down Comodo. Never once have I denied the importance of HIPS. Yes, I questioned the effectiveness coming from a layered strategy that leaves everything in the hands of the user. Excuse me, but isn’t it the same user who clicked on “click here to verify your eBay password” to begin with? You get the point.

I ask you to please read my last two posts again. Especially the one I posted in response to Melih.

I hope there are no hard feelings.

regards,

PS. By the way, my workstation is a dual socket Quad Core Xeon with 8GB of RAM, 2TB of SCSI disks in RAID-0. So, you can see that resource drain is most likely not an issue to me at all, but it’s the principle of an “overhead” that I am talking about. Note a comment made in my earlier posts: we don’t upgrade our computers just so that AVs can run better :wink: