It’s my opinion that fewer signatures and higher detection means more “intelligent” signatures (it also means that it will detect more zero-days).
Comodo has more signatures, less detection and more false positives than, say, Avira/Kaspersky.
Different AV companies count signatures differently. Also remember CAV is yet to get real family signatures, which are coming soon in v3.10. AV vendors such as Avira already have great generic/family signatures and fantastic heuristics which make their detection top notch, with low FPs. I personally believe CAV’s FPs will reduce. As soon as family signatures hit with v3.10, which will be the last version of the v3 series if no serious bugs come up, v4 will hit the streets by year end or the beginning of next year. Melih made a promise to make one of the best AVs within 12 months of launching CIS, and that promise timeline will end on October 23rd.
I really think v3.10 will be it… to really reduce FPs and generate a whole heap of family signatures, not forgetting 30 min updates. Because as soon as v3.10 is here, it’s all about generating family signatures while the developers work on v4. So Melih still has a few months left to launch v3.10 and create these generic signatures in this time frame.
I agree with the above, for the moment, but software development is a constantly ongoing business. CIS will improve, as will all the others. The rate of improvement will determine who ends up with the best detection rate. IMHO, quantity of signatures is secondary to improved detection.
The likes of Kaspersky and Avira (both founded around 97-98) have been gathering samples since before Comodo even released the first CFP version, even before Comodo started to develop its first AV (around 2006) and progressively increased its efforts on AV development.
But anyway, care to explain whether those “intelligent” signatures will detect 0-days? (Was it meant as a synonym of .gen variants?)
Although the original question implies that Comodo has fewer “intelligent” signatures, FP-related arguments have so far opened the way for criticism, though often not of the constructive type…
As for FPs, the overall end-user perception is often related to subjective standpoints, where even riskware is reported as an FP, along with some detected packers (YMMV).
Unclassified Malware signatures are more likely to trigger “FPs” (in the broadest sense), but this does not mean that they provide no advantage, although linking to CIMA reports, the way the PrevX pages do, would likely be a welcome approach (YMMV).
Anyhow, whenever a test provides some results in support of CAVS detection improvements, FPs are usually mentioned, though it already looks like, in case FPs are no longer a concern, there could be the DB size to leverage upon; when neither FPs nor DB size are a concern, something else will pop out…
Though the argument of “intelligent” signatures is interesting, there is no test that actually checks how many new variants a specific brand’s signature will detect in relation to the strictly related signature FP ratio.
Many tests usually attempt to minimize bias by sorting the collection in a way that the variants’ presence is minimized/eliminated, whereas FP tests usually leverage a sample set of known applications (sorting and selection criteria may produce different results).
Yes Endymion, I meant generic signatures and all the other names they use that basically mean the same thing.
If Comodo is relying a lot on 1 sig per 1 variant, then there is a higher chance that Comodo will miss more of the newer variants, whereas Avira, for example, detects multiple variants per sig, giving it a higher chance of detecting the newer variant.
Apparently we both don’t know how much Comodo is relying on a single definition per variant (though it is likely that at least Unclassified Malware is addressed this way), but it looks like family signatures are also intended to reduce overall DB size along with variants.
But in case such generic signatures ought to be supported, could this imply that samples ought to be sorted according to some kind of correlation analysis and that generic signatures are subsequently developed to address multiple known variants (and possibly unknown variants to some degree)?
Wouldn’t developing a generic signature on a single sample be too much of a risky bet, regardless of how much effort and time would be involved?
Do you have any related info about the two other AV brands you mentioned?
How many months did it take them?
Although support for family signatures has been confirmed, AFAIK this does not automatically mean that the current AV engine does not already support and use them (to an undetermined extent), whereas 3.10 will apparently set a CAVS milestone in this regard.
As a possible reminder for forthcoming topics, do you know how many family signatures the two other AV brands have ATM, and what is the average size of each of these .gen signatures?
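An added illustration of the tradeoff discussed in the last two posts (1 sig per variant versus a family signature, and the risk of deriving a generic signature from a single sample); this is example code written for this thread, not any poster's code or Comodo's engine. The byte samples, family names and signature forms are all constructed assumptions.

```python
import hashlib
import re

# Constructed sample "files" (not real malware) for illustration only.
# Three variants of one family share a stub and differ in a payload string.
FAMILY_STUB = b"\x55\x8b\xec\x83\xec\x10"   # push ebp; mov ebp,esp; sub esp,0x10
VARIANTS = {
    "fam.A": FAMILY_STUB + b"payload=alpha;" + b"\x90" * 4,
    "fam.B": FAMILY_STUB + b"payload=beta;" + b"\x90" * 4,
    "fam.C": FAMILY_STUB + b"payload=gamma;" + b"\x90" * 4,  # not yet seen by the vendor
}
# A benign file that begins with the same (very common) function prologue.
BENIGN = FAMILY_STUB + b"config=prod;" + b"\x00" * 4

def exact_sig(data: bytes) -> str:
    """One signature per sample: a whole-file hash (the 1-sig-per-variant model)."""
    return hashlib.sha256(data).hexdigest()

def scan_exact(data: bytes, db: set) -> bool:
    return exact_sig(data) in db

def scan_generic(data: bytes, pattern: bytes) -> bool:
    """Family signature: a byte pattern with a bounded wildcard, applied as a regex."""
    return re.search(pattern, data, re.DOTALL) is not None

# Exact DB built from the two known variants only; fam.C is the "new variant".
EXACT_DB = {exact_sig(VARIANTS["fam.A"]), exact_sig(VARIANTS["fam.B"])}
# Family signature derived by correlating A and B: fixed stub + constrained payload field.
FAMILY_SIG = re.escape(FAMILY_STUB) + rb"payload=[a-z]{1,16};"
# Over-generic signature written from a single sample's stub alone.
LOOSE_SIG = re.escape(FAMILY_STUB)

def detections(scanner) -> dict:
    """Run one scanner over all samples; returns {name: detected?}."""
    samples = dict(VARIANTS, benign=BENIGN)
    return {name: scanner(data) for name, data in samples.items()}

if __name__ == "__main__":
    print("exact  :", detections(lambda d: scan_exact(d, EXACT_DB)))     # misses fam.C
    print("family :", detections(lambda d: scan_generic(d, FAMILY_SIG)))  # catches fam.C, no FP
    print("loose  :", detections(lambda d: scan_generic(d, LOOSE_SIG)))   # FP on benign
    print("db size: exact =", len(EXACT_DB), "family = 1")
```

The exact DB needs one entry per variant and still misses the unseen one; the correlated family signature covers all three in one entry, while the stub-only signature shows why a generic built from too little context flags ordinary code.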
That is correct. We had basic generic/family detection even in the beta version of the first AV, but that was very basic. What we are launching with 3.10 is a much more advanced platform that allows us both to create these signatures and to use them effectively on the user’s computer.