Matousec: Comodo loses top spot to Online Armor!

http://www.matousec.com/projects/proactive-security-challenge/results.php

Still the best free product based on those tests though! But come on Comodo, let’s get back that top spot!

Any comments Egeman, Melih?

https://forums.comodo.com/feedbackcommentsannouncementsnews_cis/comodo_back_on_top_at_matousec-t37571.0.html;msg267693#msg267693

Wow I’ll switch from PCTools to Outpost free soon.
I wish it will be compatible with KAV and Ad-Aware.

As always

1) we are not prepared to pay for re-tests
2) we only care about protecting the user and not passing tests.

If someone can point to real-world malware using the techniques we fail on, we would be prepared to put protection against them.

If there are no real-world threats to these leak tests we fail, then why put unnecessary code into our application?

Melih

If I recall correctly OA has now also protection against taking over mouse control (Didn’t test until now). It would be nice if Comodo would have it too. Or is there already protection against modifying CIS with mouseclicks? If not it’s a theoretical leak which can be used by malware and it should be fixed.

Well, so far as now, COMODO has intercepted all the indeed threats but not every unwanted “joke”. Some malware can inject the IM software, lock the mouse and then send some of your private information out. So mouse locking is just an intermediate of a malicious attack instead of the goal.
However, Comodo alerts when they intercept these POC https://forums.comodo.com/leak_testingattacksvulnerability_research/some_tests-t38189.0.html. Nice response and quick fix :-TU
But the popups just showed “access interface” instead of notifying “duplicate handle API” or “access functions”.
Maybe in 4.0 (after designing the new GUI), we can see much more “meticulous” information in the popups, more accurate details. Hoping it is not just a “wish” :wink:

Taking over mouse control is unwanted behavior and so supposed to be blocked.

Yes, OA warnings are much better than Comodo’s ones. If a program is getting started I would like to see the parameters too.

Melih’s comments are what our approach to security really is.

If you look at the history of the tests:
Somehow they wanted to make a release and have their software retested just after CIS was on top while those tests were real threats not just jokes. If you remember we had fixed the serious bugs immediately. We would not have waited that long for fixing a serious vulnerability. For us security dictates our schedules not marketing. After all this is a security product.

About those popups, we will make commandline processing available before version 4.0. However please do not expect us to ask users about handle duplication or virtual memory allocation, or other operating system operations… CIS is not intended to be a debugger.

First, allow me to say that I am a casual user. Secondly, being Defense+ a preventive tool, shouldn’t it be doing exactly what it is supposed to do - Prevent?

OK. You ask your users to point out malware that use the techniques you guys fail.

I ask you - Do you know there isn’t any?

When will COMODO pay attention? When malware capable of doing just that does any harm to the user’s system, etc?

You say COMODO is only concerned with protecting users and not passing some tests. If that’s so, why even take part in Matousec’s test? Makes no sense to me. From the moment COMODO’s Firewall and now suite started to be part of it, without any objections by COMODO, then you’re showing that you do care about tests, even if just for marketing purposes.

And, if COMODO is concerned to protect their users, then - and I’m no expert - wouldn’t it be better to be able to prevent, even before such malware exists? Because I ask - Is it impossible for such malware to exist, even if right now not existing?

Thanks

We do NOT take part as per your definition. Matousec tests it without us requesting.

Melih

Then it is up to you as a CEO of a company to tell them to stop if you don’t want them doing their testing on your product.

There are a couple of tests that Matousec uses that Comodo thinks are not contributing to extra security. One of those three tests tests the ability to stop a non requested shut down. Comodo views this not as a danger in itself IIRC.

There is no black and white situation as Reklaw is trying to suggest. There is a difference of opinion about a minority of tests.

Matousec’s policy and methodology shows why Comodo is also tested. Companies are not necessarily required to pay for any testing done.
Since it is asked quite often how CIS compares against other vendors’ products, these independent tests show that.

But, being so, why did COMODO never oppose it? Makes no sense to me. Unless, of course, as I mentioned, it was marketing. That, for me, does make sense.

Anyway, could you, please, give me an answer on the rest of what I asked? (I’m not being rude. Just wanting to know what COMODO thinks about it.)

Comodo thinks only a small minority of tests do not represent real security problems. No need for an all or nothing approach with such a disagreement.

Sure np.

We have not seen any malware that uses that technique to cause damage.

Security is a balance of usability and security. If you try too much then you will lose practicality and usability. So it’s a fine balance that must be monitored and maintained.

Comodo is a proactive company, if we think any technique has a chance of being utilised for malicious activity we will protect against it.

thanks

Melih

Is there also some sort of test for CAV bundled in CIS?

The only tests I know of that can check for dynamic protection against malware are AMTSO’s.
I am looking forward to AMTSO tests.

Melih

OA warnings are much better? even when it asks u for a trusted app?
if u use Defense+ in paranoid mode, u get almost all the infos about what’s going to do the app (i say almost cause we never know, sometimes a malicious prog can bypass any security prog) but in most of cases u are warned way more about the app activities with all dlls loaded, the registry modification, etc.
i can’t enumerate all cause there are so many, did u see that in OA? now with comodo i know which dlls are most of the time loaded to access finally my screen, which actions are not trustable from some unknown file, like creating some dll or asking for the highest privileges, loading some unknown driver that was just created by the app, trying to access another prog into memory to get control on it, associate dlls with MS critical processes, so comodo informations are very important when u want to know what some app needs to do to run and that helps you to choose what to do when suddenly u got a prog that is asking for things it doesn’t need at all, except if it wants to take control over your machine…

Hell, yes. Comodo warning: Application xy wants to use COM interface “f*cking cryptic name”
OA warning: Application xy wants to use “useful description” what can result in “sending of private data (useful information)”. the same it’s with clipboard logging etc.

Do you think just telling A but keeping B a secret can be a fundament for a constructive discussion? I don’t, so plz tell me also B: Give a concrete example, I can’t imagine anything specific after hearing ur point.

I didn’t mean that. In OA you can also disable automatically allowing events by trusted applications.

You described what all HIPS do.