Melih, you don’t need to convince me that the “clean PC mode” is good; I know it, and I have CFP set to it. It was a brilliant idea. I also know, and I never denied it, that when a virus goes undetected, a HIPS will be there to alert the user that some kind of potentially nasty modification is taking place. CFP firewall + Def+ indeed represent a first-choice weapon against malware, I know it. And other companies will have difficulties outperforming it. I mean that. There are more and more threads in other forums discussing CFP 3.0, with people saying all kinds of things, but proving that CFP has become a major actor in the fight against malware.
But even the most advanced user won’t be able to answer yes or no to that DLL that should or should not be modified by that “infected” or “not infected” process, the one that looks like a twin of that good old driver we’ve been downloading for years, for instance, except that the new version is safe, or is not safe… Yes, a whitelist may help… but a malware maker might be faster than the people building the whitelist, on new software for instance. I’m not talking about the thing that looks shiny, but about the process that looks “normal”.
Now again, I won’t complain that my Avast WebShield will intercept a virus in memory, as I explained in my post above. And of course it can fail. And if it does fail, CFP will be there to block that virus at hard disk level, hopefully. If you don’t mind, I’d rather keep that AV proxy as the first line of defense, just in case it works. CFP can’t detect anything in memory; it can’t detect anything actually, and that’s not its purpose. It is there to prevent files from being modified by unwanted software, and this is already very good (CFP heuristic detection doesn’t work that well, it gives many false positives, see here: https://forums.comodo.com/help_for_v3/false_positive_from_the_new_malware_heuristic_analysis-t18416.0.html;msg125772#msg125772 )
But there is other software for that, and I won’t complain about that either. In terms of prevention, CFP is absolutely brilliant. It would actually be nice if you could re-implement checksum verification in it, just in case prevention fails. And it can fail: I’ve already managed to replace executables with modified versions without getting a single alert from Def+, see here, and there are other threads from other users:
https://forums.comodo.com/help_for_v3/about_exe_files_verification_by_cfp-t18266.0.html
What worries me a bit is that, according to the CFP GUI, checksum verification is supposed to be implemented on the safe list, but it just doesn’t work. But there will be future releases, and what’s been achieved so far is more than good, much more. The guys at Online Armor are getting nervous :SMLR, just watch their forums :SMLR
Adding: I said CFP couldn’t do anything in memory, and I forgot to mention protocol analysis. I probably forgot it because we hardly get alerts related to this feature, even with all the related settings turned on. Although I remember I once had one related to “packet checksum verification” with CFP 2.4.
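The checksum verification the post asks for, as an added example that is not part of the original post and not Comodo's own code: a SHA-256 baseline over an allowlist of executables (the "safe list"), followed by a verify pass that flags a replaced binary even when the replacement keeps the same size and has its modification time restored, which is what a size/timestamp-only check would miss. The file names and contents in `demo()` are constructed for the example; nothing here assumes anything about how CFP implements its safe list.

```python
"""Baseline-and-verify integrity check for an allowlist of executables.

Added example, not Comodo's code. The "safe list" here is just a dict of
path -> (size, SHA-256) built by build_baseline(); verify() re-hashes each
file and reports anything replaced or removed. The demo() scenario, its
file names and contents are constructed for this example.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are not loaded into RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths) -> dict:
    """Record size and SHA-256 for every allowlisted executable."""
    return {
        str(p): {"size": p.stat().st_size, "sha256": sha256_file(p)}
        for p in paths
    }


def verify(baseline: dict) -> dict:
    """Return {path: 'ok' | 'modified' | 'missing'}.

    The decision is made on the hash only: a replacement that keeps the
    same size and restores the timestamp still comes back 'modified'.
    """
    report = {}
    for path_str, rec in baseline.items():
        p = Path(path_str)
        if not p.is_file():
            report[path_str] = "missing"
        elif sha256_file(p) != rec["sha256"]:
            report[path_str] = "modified"
        else:
            report[path_str] = "ok"
    return report


def demo() -> dict:
    """Constructed scenario: three fake executables are baselined; one is then
    swapped for a same-size modified version with its mtime restored (the way
    a quiet binary replacement looks to a timestamp-based check), one is
    deleted, and one is left alone. Returns the report plus a flag showing
    that size and mtime of the swapped file really are unchanged."""
    with tempfile.TemporaryDirectory() as d:
        driver = Path(d) / "driver.exe"
        helper = Path(d) / "helper.exe"
        gone = Path(d) / "gone.exe"
        driver.write_bytes(b"MZ" + b"\x90" * 62 + b"original code")
        helper.write_bytes(b"MZ" + b"\x90" * 62 + b"left alone")
        gone.write_bytes(b"MZ" + b"\x90" * 62 + b"removed later")
        baseline = build_baseline([driver, helper, gone])

        before = driver.stat()
        # "modified code" is 13 bytes, same as "original code": size unchanged.
        driver.write_bytes(b"MZ" + b"\x90" * 62 + b"modified code")
        os.utime(driver, ns=(before.st_atime_ns, before.st_mtime_ns))
        after = driver.stat()
        gone.unlink()

        report = verify(baseline)
        return {
            "report": {Path(k).name: v for k, v in report.items()},
            "size_and_mtime_unchanged": (
                after.st_size == before.st_size
                and after.st_mtime_ns == before.st_mtime_ns
            ),
        }


if __name__ == "__main__":
    for name, status in demo()["report"].items():
        print(f"{name}: {status}")
```

In a real deployment the baseline would be written once, signed or stored out of reach of the processes it covers, and re-checked on a schedule or at process launch; the point of the demo is only that the hash catches the same-size, same-mtime replacement the post describes, whereas a size or timestamp comparison would pass it.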