Latest Test Results From Virus.gr

Rotty · May 17, 2007, 4:35am

Having layered protection is the best way.

If you were to have all of the following:

Very knowledgeable in IT
NAT+SPI Hardware Firewall (Maybe with antivirus and IDS)
Comodo Firewall
Firefox
HIPS
Limited User + DEP
Anti virus+Antispyware

Then the chances of a virus gaining full control let alone executing is very very unlikely

Melih · May 17, 2007, 5:57pm

solcroft post:20:

That’s a hard question to answer, really. It depends on how the user answers prompts.

But I think the more interesting question is “why”. The thing I was really trying to say was that the Comodo “HIPS” gives the user no further information to make an informed decision on whether to run the program or not, other the fact that Comodo has no idea what the file is - ergo, it is not a “HIPS” at all, only a dumb whitelist filter. Are whitelist filters effective? Certainly, because if you flag EVERYTHING indiscriminately, INCLUDING THE BENIGN FILES, obviously you’re going to flag 100% of the malware as well. And therein lies the problem. It’s like hiring a bouncer who nabs EVERYONE who shows up at the door, takes down nothing but a list of their names, and asks you to decide who the legitimate customers and miscreants are without any further information. OR you can ask the bouncer to decide for you, but it’s going to take him days, for each and every person, to come up with an answer.

There’re a lot of ways to secure a PC, such as unplugging it, chaining it up in a safe and burying it underground in solid concrete. Unfortunately, not all of them are feasible and/or ideal.

Whitelist filters are also redundant unless you’re enforcing a security policy on a PCs that you’re not using, for reasons that should be obvious.

you are making an assumption that the average user will get a prompt when they are running majority of the programs out there. Our game plan is that they don’t get a prompt! They will only get a prompt if this program is not known or not so popular or malware. Then majority of people will be better protected using our system then using any other.

thanks
Melih

solcroft · May 18, 2007, 1:03pm

In that case then Comodo is still doing nothing but playing the signature race; and now not only do you have to play catch-up on blacklist files, you have to do the same for whitelist files as well. Not to mention that, in the end, all the protection Comodo offers is still entirely dependent signature updates, which entirely defeats the purpose of what a “HIPS” is supposed to do.

Melih · May 18, 2007, 1:26pm

Solcroft

you are making some strong assumptions which i believe are not correct:

Assumption 1)our HIPS is only based on signatures: Thats a wrong assumption.
Assumption 2)you think we are behind on safelist? who is the the leader that we are playing catch up to?

thanks
Melih

CHAOS · May 18, 2007, 1:38pm

I would agree.Prevention is a VERY good thing,however,how can you prevent what you can’t detect?On the other hand,if a user doesn’t visit sites that they know will get them in to trouble,then detection is ALMOST unimportant.All that aside,detection & prevention have to work together.Maybe when the BOClean definitions are integrated in to CAVS,we could give Kaspersky & NOD a run for the money!!!

solcroft · May 18, 2007, 1:45pm

First of all, I wouldn’t call it a “HIPS” - or, at least, I’d use quotations with it. Your “HIPS” isn’t BASED on signatures, but it’s ONLY useful with signatures. The only way a user knows a program is safe to run is is to have a signature in the whitelist that tells the user that Comodo has seen this file before and verified it to be safe. Without the signature, the user has no further information on which to proceed. While the “HIPS” still does work without signatures, it works in such a way that serves no useful purpose. Because it’s not a HIPS at all, only a safelist.

I know of no other antivirus vendor that’s using the safelist method, so by default that makes Comodo the “leader” in the field. But when you’re the only one in the playing field, saying that you’re the leader doesn’t really count for much, does it?

Andreas · May 18, 2007, 1:56pm

I prefer to see the improvements.

At first 4%, 21%, 41% and now 54%.

That is a good way.

Andreas

LeoniAquila · May 18, 2007, 4:52pm

But in the end, security is all about protection - in some kind of way - then it shouldn’t matter what other products/companies you compare to, should it? It may not be the leading position that is important here, but the protection approach. These are just some thoughts, I’m far from being an expert - hardly an experienced user. But I do believe in Comodo, however, especially the firewall and BOClean.

Rednose · May 18, 2007, 6:21pm

Yep it is But you should have a score of 90%+ if you want to be with the “Big Boys”. And that takes time

Greetz, Red.

Melih · May 18, 2007, 6:40pm

solcroft post:26:

First of all, I wouldn’t call it a “HIPS” - or, at least, I’d use quotations with it. Your “HIPS” isn’t BASED on signatures, but it’s ONLY useful with signatures. The only way a user knows a program is safe to run is is to have a signature in the whitelist that tells the user that Comodo has seen this file before and verified it to be safe. Without the signature, the user has no further information on which to proceed. While the “HIPS” still does work without signatures, it works in such a way that serves no useful purpose. Because it’s not a HIPS at all, only a safelist.
I know of no other antivirus vendor that’s using the safelist method, so by default that makes Comodo the “leader” in the field. But when you’re the only one in the playing field, saying that you’re the leader doesn’t really count for much, does it?

Thank you for agreeing with my point about there is no catch up for safelist I promise you we will lead the industry and set a good example for others to follow (:NRD) (:KWL)

thanks
Melih

Melih · May 18, 2007, 6:43pm

hi Chaos!

You prevent anything that unknown from coming and executing in your machine! You don’t need to know what they are. All you need to know is that you don’t know them.

thanks
Melih

solcroft · May 18, 2007, 9:55pm

You’re absolutely correct. Which is why I’ve spent my last few posts explaining my opinion that the approach Comodo is taking is actually no different than what other vendors are doing, they are not doing it as well as other vendors do (at least for the moment), and Melih’s claim of the level of “unsurpassed protection” that Comodo offers is in fact VERY technically unsound. By all accounts CPF and BOClean are excellent products even though I’ve never used them (I’m a HIPS user, which eliminates the need for those two types of programs), but I’ve tried the antivirus product mainly out of interest in its “HIPS” component, only to discover that it was only a marketing term and actually was nothing but a simple safelist filter. CAVS is in fact nothing but a regular signature scanner, and so far I see no solid grounds for the claims of “unsurpassed protection”.

There is nothing to thank me for; I think it’s a very obvious fact that you are the leader by default if you’re the only one playing the game, no matter how well or how badly you perform. As for setting a good example, I sincerely doubt there will be any serious vendors who will consider attacking malware from this angle, for the same reasons that I have explained so far.

Melih · May 18, 2007, 11:35pm

Solcroft

thank you for your views, we really appreciate it.
However, we have to agree to disagree.

thanks

Melih

EDIT: I just realized that you think CAVs have full HIPS in it… it doesn’t it has application control only. CFP v3 will have full HIPS in it. I thought I should clarify that.