Replaced Norton with Comodo - trojan detected within 30 seconds!!!!

Well done to Comodo for their great free products. I have been in “discussion” with BT for quite some time regarding their security package which consists of Norton Products. They insisted it was working fine, I insisted it wasn’t.

Anyhow I decided enough was enough and have now installed Comodo products. A virus was detected on my PC within 30 seconds. Good riddance Norton, told you so BT, welcome to my PC Comodo.

Hi and welcome to the forums,

Good to know that you got rid of the trojan from your computer. CAVS is still in beta but it is already quite a good product. When it is released in its stable version during September, I am sure it will be one of the best in the market.

Anyway, who is this BT you mentioned?

Yours truly,
DoomScythe

stevejames, don’t feel too safe yet.

The Comodo Personal Firewall should make you feel safe and secure, I agree with that. But the Antivirus is still a very early version, it is very good but don’t lower your guard. (:WIN)

Hi and welcome,

That is excellent news that CAVS detected the trojan. You should be aware that the reason CAVS is beta is because it does not yet have all the necessary signatures, so while using it I would recommend you also use a secondary scanner such as Trend Micro’s online scanner.

Anyway, who is this BT you mentioned?

DoomScythe, BT is a UK telephone company.

Mike

Well it’s still a LOOOOONG way for Comodo to reach Symantec detection levels really. Plus Symantec has some of the best virus experts there are in their virus labs. One missed sample doesn’t mean anything (it could just as well be a false positive). Care to post the full path and filename of that file?

Symantec are overbloated. They’re not even close to some other antiviruses.

Instead of making better software to win the competition, they buy other competitive companies (aka Sygate’s PF :wink: ).

What is important is how well a system protects you from malware.

Detection is only one reactive component.
Prevention is the best proactive method.
Cure is always needed :slight_smile:

Comodo is investing heavily in Prevention techniques. We will have the first HIPS enabled AV out in the next version.

Melih

Sure, but HIPS won’t help you at all against heavily polymorphic and parasitic file infectors. And from what I’ve seen Comodo has some serious problems detecting these, let alone actually disinfecting them.
Personally I think it’d be better to keep CAVS as an internal development version until those levels are reached. Sure, it will maybe someday become a fully functional AV that will be able to handle all kinds of threats, but at the moment people are blindly believing that Comodo AV is the best thing after sliced bread (which it certainly is not). Sure, tech support is great, but the other stuff that actually has to do with detection isn’t. Comodo Firewall, no problem, can already be in public as it’s already showing very good results, but the AV should remain in the internal dev stage for some time. Again, I’m just being realistic, not bashing Comodo or anything.

If it can’t get in, it can’t be a problem. Regardless of the type of infection (unless they are a transient, memory resident only type infection), they all require an initial hook into the file system of the host PC.

ewen :slight_smile:

[quote]
If it can't get in, it can't be a problem.
[/quote]

Care to explain how exactly?
HIPS is USELESS against polymorphic file infectors (actually they don’t even have to be polymorphic). It’s just that a polymorphic one will force Comodo not to even detect it. HIPS won’t do the job and the engine is just too primitive for the task. So how?

OK - polymorphic virus (or any virus for that matter) enters a system somehow - let’s say in a packed attachment to an email. User runs the attachment, it unpacks and the released polymorphic whatever attempts to write itself somewhere to ensure replicability (one of the defining characteristics of a virus). This write op may not happen immediately, but it will happen at some point - BINGO! When it tries to write to the file system, providing of course it’s trying to write to an area of the FS protected by the HIPS, the HIPS should intercept the write op. Even if it writes the infecting code somewhere that isn’t monitored by the HIPS, a stub or triggering component would have to be referenced in somewhere like the registry to execute and make the polymorphic whatever go active.

Please understand that I’m not knocking your opinion, or saying that CAVS is bulletproof, because we all know that no anti infection software is. I just think that the traditional detect-cure cycle can be improved by incorporating prevention as the first step. We’ve all got firewalls haven’t we? Ask yourself, why is that? Could it be that having a preventative layer on our perimeter is a smart thing to do? Why not extend that same thinking to AV type products?

Imagine if an AV product did incorporate a HIPS component and then added sandpitting. While not impervious, it’s certainly a harder layer to penetrate and, IMHO, a whole lot smarter than relying on how quickly an AV vendor can reverse a code segment and add a definition. Not saying that they are unnecessary - just that it’s not enough.

ewen :slight_smile:

Worms spread through mail, not viruses. Besides, even if you do detect the virus (which is quite unlikely though), how will you cure it with HIPS eh? It’s a dead end no matter how you turn it.

Point taken - me bad.

[quote]
Besides even if you do detect the virus (which is quiet unlikely though), how will you cure it with HIPS eh?
[/quote]
You seem to continually make the assumption that the infection is already INSIDE the affected system. The purpose of a HIPS is to prevent it obtaining a foothold in the system in the first place. HIPS don’t cure - they prevent.

In theory, and only proven against worms, trojans and backdoors. It also depends how the HIPS system is designed. Most of them act like behavior blockers and some might not even detect any virus-like activities.

RejZor, HIPS is useless if it is installed on an infected machine. The HIPS that CAVS will employ is based on a white-list approach. Let me put it this way, when a program wants to hook up onto your system kernel or explorer, HIPS will check it against its ‘good guys list’. If the program is not in the list, it will ask your permission to install it. This way, I think it is a foolproof method.

This method requires HIPS on CAVS to integrate deeply with our OS. Their hook on the system will have to be tighter than that of viruses and trojans. This way, nothing can install into the system without your knowledge.

There is one problem though, it will be very irritating if the whitelist is not big enough. Also, if CAVS has bugs in the HIPS, kiss your PC goodbye. ;D However, please note that what I said is all in theory. If the trojan becomes very smart, god knows what it can do.

Yours truly,
DoomScythe

I, too, found a trojan shortly after installing CAVS. This trojan was not a false positive. However, it was not detected by Trojan Hunter, NOD32, or avast – all of which were the latest versions and fully updated.

(Avast was not installed while NOD32 was still installed, but was installed later as a replacement. CAVS was installed more recently still, and found a trojan which must have been present for some weeks). As CAVS is still in beta, I have a secondary virus scanner available.

Gordon

You summarised it pretty well DoomScythe.
The trick is to get a nice db of executables next… :wink:

Melih

Thanks Melih. :smiley:

Yours truly,
DoomScythe

Don’t you think the number of applications is way too high to list them all, plus they all constantly change? There are literally billions of different applications. Whitelisting them by filename is useless, same for hash. Mostly… I don’t think that’ll work in the long run…

While I agree that there are literally billions of different applications, I don’t think whitelisting is useless. Let me put it this way, when you want to install an unknown program in the whitelist, you are prompted. If it is the program that you wanted, you just allow it. However, if it is a trojan, simple - Deny it access and delete it. I remember Melih saying somewhere that there will be a reporting system integrated into CAVS.

It is in the law of nature that the one who does the assaulting will always have an advantage over the defending one. Therefore, the whitelist approach is one way for the good guys to attack the system before the bad guys do. :wink:

Yours truly,
DoomScythe
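An added illustration of the filename-versus-hash allowlist argument in the last two posts (example code written for this page, not anything from CAVS or Comodo; the sample "executables" and list contents are constructed): a tiny loader check that returns "allow" or "prompt" under each policy, plus the remember-on-approve step DoomScythe describes.

```python
import hashlib

# Constructed stand-ins for program files (not real binaries).
TRUSTED_CALC = b"MZ\x90\x00calc-v1-code"
TRUSTED_CALC_UPDATE = b"MZ\x90\x00calc-v2-code"   # a legitimate new version
IMPOSTOR_CALC = b"MZ\x90\x00evil-payload"         # different code, same filename
TRUSTED_NOTEPAD = b"MZ\x90\x00notepad-code"

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# The "good guys list" in two shapes: keyed by filename, or by content hash.
NAME_ALLOWLIST = {"calc.exe", "notepad.exe"}
HASH_ALLOWLIST = {sha256(TRUSTED_CALC), sha256(TRUSTED_NOTEPAD)}

def decide_by_name(filename: str, data: bytes) -> str:
    """Allow if the name is on the list; otherwise ask the user."""
    return "allow" if filename in NAME_ALLOWLIST else "prompt"

def decide_by_hash(filename: str, data: bytes) -> str:
    """Allow only if these exact bytes are on the list; otherwise ask the user."""
    return "allow" if sha256(data) in HASH_ALLOWLIST else "prompt"

def resolve_prompt(data: bytes, user_allows: bool, allowlist: set) -> str:
    """Apply the user's answer: remember approved code by hash, refuse the rest."""
    if user_allows:
        allowlist.add(sha256(data))
        return "allowed and remembered"
    return "denied"

def simulate(policy) -> dict:
    """Run four constructed load events through one policy and collect decisions."""
    events = {
        "known calc": ("calc.exe", TRUSTED_CALC),
        "updated calc": ("calc.exe", TRUSTED_CALC_UPDATE),
        "impostor calc": ("calc.exe", IMPOSTOR_CALC),
        "unknown tool": ("newtool.exe", b"MZ\x90\x00something"),
    }
    return {label: policy(name, data) for label, (name, data) in events.items()}

if __name__ == "__main__":
    for policy in (decide_by_name, decide_by_hash):
        print(policy.__name__, simulate(policy))
```

The name-keyed list waves the impostor through silently, while the hash-keyed list prompts on it but also prompts on every legitimate update, which is the whitelist-size irritation raised earlier in the thread.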