Quality of CAVS signatures?

It’s my opinion that fewer signatures with higher detection means more “intelligent” signatures (which also means it will detect more zero-days).
Comodo has more signatures, less detection and more false positives than, say, Avira/Kaspersky.

What’s your opinion?

Hi Kyle,

Different AV companies count signatures differently. Also remember CAV is yet to get real family signatures, which are coming soon in v3.10. AV vendors such as Avira already have great generic/family signatures and fantastic heuristics which make their detection top notch, with low FPs. I personally believe CAV’s FPs will reduce as soon as family signatures hit with v3.10, which will be the last version of the v3 series if no serious bugs come up; then v4 will hit the streets by year end or the beginning of next year. Melih made a promise to make one of the best AVs within 12 months of launching CIS, and that promise timeline will end on October 23rd.

I really think v3.10 will be it… to really reduce FPs and generate a whole heap of family signatures, not forgetting 30-minute updates. Because as soon as v3.10 is here, it’s all about generating family signatures while the developers work on v4. So Melih still has a few months left to launch v3.10 and create these generic signatures in this time frame.

Well, we’ll see!

Cheers,
Josh

No propaganda please, Not interested.

Simple answer since you are not interested in complicated.

Does CAV detect more now with a large database than when it had a much smaller database? :slight_smile:

Dennis

No no, I am interested in a decent reply - I’ve just heard all that comodo talk for so long that it gets annoying.

It’s quite obvious that comodo detects more malware with more signatures…
Lol wtf…

Well, it’s true that CAV now has A LOT of signatures and its detection is 1:1.

So I hope that it will decrease as soon as we have the family sigs, and then they work further to slim it down even more…
BTW, since you’re asking for ‘opinions’ you might want to add a poll…

Xan

I’ll change the title to “Quality of CAVS signatures?”
Replies are far more valuable than poll votes :slight_smile: so I’m not making a poll.

Lol, that’s not going to fix it. Now people will reply like: "Yeah, the signature is not detecting the malware" or so :wink:

What about: the detection range of the many signatures. Less is more?

Xan

I agree with the above, for the moment, but, software development is a constantly on-going business. CIS will improve, as will all the others. The rate of improvement will determine who ends up with the best detection rate. IMHO, quantity of signatures is secondary to improved detection.

The likes of Kaspersky and Avira (both founded around 97-98) have been gathering samples since before Comodo even released the first CFP version, even before Comodo started to develop its first AV (around 2006) and progressively increased efforts on the AV development.

But anyway, care to explain whether those “intelligent” signatures will detect 0-days? (Was it meant as a synonym for .gen variants?)

Although the original question implies that Comodo has fewer “intelligent” signatures, FP-related arguments have so far opened the way for criticism, which has often not been of the constructive type…

As for FPs, the overall end-user perception is often related to subjective standpoints, whereas even riskware is reported as an FP, along with some detected packers (YMMV).

Unclassified Malware signatures are more likely to trigger “FPs” (in the broadest sense), but this does not mean that they provide no advantage; linking to CIMA reports, like the PrevX pages do, would likely be a welcome approach (YMMV).

Anyhow, whenever a test provides some results in support of CAVS detection improvements, FPs are usually mentioned, though it already looks like that in case FPs are no longer a concern there will be the DB size to leverage, and when neither FPs nor DB size are a concern something else will pop up…

Though the argument of “intelligent” signatures is interesting, there is no test that actually checks how many new variants a specific brand’s signature will detect in relation to the strictly related signature FP ratio.

Many tests usually attempt to minimize bias by sorting the collection in a way that minimizes/eliminates the presence of variants, whereas FP tests usually rely on a sample set of known applications (sorting and selection criteria may produce different results).

Yes Endymion, I meant generic signatures and all the other names they use that basically mean the same thing.

If Comodo is relying on a lot of 1 sig per 1 variant then there is a higher chance that Comodo will miss more of the newer variants, whereas Avira, for example, detects multiple variants per sig, giving it a higher chance of detecting the newer variant.

Apparently neither of us knows how much Comodo is relying on a single definition per variant (though it is likely that at least Unclassified Malware is addressed this way), but it looks like family signatures are also intended to reduce overall DB size along with variants.

But in case such generic signatures are to be supported, could this imply that samples ought to be sorted according to some kind of correlation analysis, and that generic signatures are subsequently developed to address multiple known variants (and possibly unknown variants to some degree)?

Wouldn’t developing a generic signature on a single sample be too much of a risky bet, regardless of how much effort and time would be involved?
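The 1-sig-per-variant versus family-signature distinction the last few posts are circling, as an added example that is not Comodo's, Avira's or any vendor's code and is not part of the original thread. Everything in it is constructed: the "variants" are short byte strings sharing a family body around a per-variant 8-byte config blob, the benign file is made up, and the family signature is derived by the simplest form of the correlation analysis mentioned above (byte-wise alignment of known variants, literal where they agree, wildcard where they differ). It also shows why a "generic" built from a single sample generalises to nothing, and includes the false-positive check against a benign corpus that a signature author would want before shipping it.

```python
"""Per-variant (1:1) hash signatures versus a derived family signature.

Added example, constructed data only; not any AV vendor's engine or format.
"""
import hashlib
from typing import Dict, List, Optional

# Constructed family body: shared "prologue" and "epilogue" bytes around a config blob.
FAMILY_HEAD = b"\x55\x8b\xec\x83\xec\x10"
FAMILY_TAIL = b"\xe8\x00\x00\x00\x00\x5b\xc3"
CONFIG_LEN = 8


def make_variant(config: bytes) -> bytes:
    """Build one constructed family member: shared code, per-variant config."""
    assert len(config) == CONFIG_LEN
    return FAMILY_HEAD + b"CFG:" + config + FAMILY_TAIL


# Three variants known when the signatures were written, one seen afterwards.
KNOWN_VARIANTS = [make_variant(b"host-a.x"), make_variant(b"srv-bb.y"), make_variant(b"node-cc1")]
NEW_VARIANT = make_variant(b"host-z.x")

# Constructed benign file that happens to start with the same prologue bytes.
BENIGN_CORPUS = [FAMILY_HEAD + b"hello world, nothing to see here" + b"\xc3"]

# A family signature is a byte mask: int = literal byte, None = wildcard.
Signature = List[Optional[int]]


def hash_signatures(samples: List[bytes]) -> set:
    """1:1 approach: one SHA-256 per known variant."""
    return {hashlib.sha256(s).hexdigest() for s in samples}


def match_hash(db: set, data: bytes) -> bool:
    return hashlib.sha256(data).hexdigest() in db


def derive_generic(samples: List[bytes]) -> Signature:
    """Align equal-length samples byte by byte; agreeing columns become literals,
    differing columns become wildcards. This is a toy stand-in for real
    correlation analysis, used only to show the idea."""
    if not samples or any(len(s) != len(samples[0]) for s in samples):
        raise ValueError("samples must be non-empty and of equal length")
    return [col[0] if len(set(col)) == 1 else None for col in zip(*samples)]


def match_generic(sig: Signature, data: bytes) -> bool:
    """Slide the mask over the file; every literal position must agree."""
    n = len(sig)
    for off in range(len(data) - n + 1):
        window = data[off:off + n]
        if all(lit is None or lit == window[i] for i, lit in enumerate(sig)):
            return True
    return False


def signature_is_acceptable(sig: Signature, benign: List[bytes], min_literal_ratio: float = 0.5) -> bool:
    """Pre-release check: enough literal bytes to be specific, and no hit on known-good files."""
    literal_ratio = sum(b is not None for b in sig) / len(sig)
    return literal_ratio >= min_literal_ratio and not any(match_generic(sig, f) for f in benign)


def evaluate() -> Dict[str, object]:
    """Compare the two approaches on the constructed corpus."""
    hashes = hash_signatures(KNOWN_VARIANTS)
    family = derive_generic(KNOWN_VARIANTS)
    single = derive_generic(KNOWN_VARIANTS[:1])  # "generic" built from one sample
    return {
        "hash_sig_count": len(hashes),
        "hash_detects_known": all(match_hash(hashes, v) for v in KNOWN_VARIANTS),
        "hash_detects_new": match_hash(hashes, NEW_VARIANT),
        "family_wildcards": sum(b is None for b in family),
        "family_detects_known": all(match_generic(family, v) for v in KNOWN_VARIANTS),
        "family_detects_new": match_generic(family, NEW_VARIANT),
        "family_acceptable": signature_is_acceptable(family, BENIGN_CORPUS),
        "single_sample_wildcards": sum(b is None for b in single),
        "single_sample_detects_new": match_generic(single, NEW_VARIANT),
    }


if __name__ == "__main__":
    for key, value in evaluate().items():
        print(f"{key}: {value}")
```

The three hash signatures catch exactly the three files they were made from and nothing else, while the single family mask (eight wildcard bytes over the config slot, literal everywhere else) catches all three plus the later variant and stays quiet on the benign file. The mask built from one sample has no wildcards at all, so it is just a slower hash: that is the "risky bet" in concrete form.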

What you are referring to will be introduced as “family signatures” in CIS. These are scheduled to be introduced in V3.10 (due shortly).

This will reduce the total number of sigs, hopefully without reducing detection capabilities.

As I said before, it’s not quite there, yet. But it will be. :wink:

So it’s taken 32 months to include family signatures? (The original CAVS was in beta for 2 years.)

Yes.

Do you have any related info about the two other AV brands you mentioned?
How many months it took for them?

Although the support for family signatures has been confirmed, AFAIK this does not automatically mean that the current AV engine does not already support and use them (to an undetermined extent), whereas 3.10 will apparently set a CAVS milestone in this regard.

As a possible reminder for forthcoming topics, do you know how many family signatures the two other AV brands have ATM, and what the average size of each of these .gen signatures is?

As far as I know (I’m not sure on this), 3.9 has 1:48 family signatures, not 1:23542; this is what’s coming to replace the current family signatures.

That is correct. We had a basic generic/family detection even in the beta version of the first AV. But that was very basic. What we are launching with 3.10 is a much more advanced platform to allow us both to create these signatures as well as use it effectively at the user’s computer.

Melih

Obviously they aren’t nearly the quality of some other competitors, as I said in the OP:

Comodo has more signatures, less detection and more false positives than, say, Avira/Kaspersky.

MS MSE seems to be spanking everyone, check out these examples:

http://www.virustotal.com/analisis/bc2edc343953bab795260afb34b971f3ad96c1603128067bac556e96d4332b91-1245975560

http://www.virustotal.com/analisis/69659def1e453f66228ea8d2dc9557e92475b54ad6f7aadc5bc47d3bcfe9a2a1-1245974163

http://www.virustotal.com/analisis/1c35abd3033f29224107169aaf4c1d3228f9ed2ffd2b24443400382adb1635d3-1245973956

http://www.virustotal.com/analisis/15e7741f2e0e6f263c46516175ba2eaf70d87cd7f24dace2cd13d36ce790a98f-1245972793

And MSE is still in BETA; this is where Comodo should be. I don’t know how MS is doing it, but I think MSE will really put a hurt on all security suites.