Support Mozilla mail archive format

I tested CIS v3.9.95478.509 with the Mozilla Thunderbird email client and found the following behavior. I enabled the “Allow anti-virus clients to quarantine individual incoming messages” option (Options|Privacy|Anti-Virus menu). I sent a mail containing a CIS false positive executable (to prevent cleaning by my ISP) to myself. CIS detected malware in the temporary file after I clicked Send. I told CIS to ignore the item once. When I received the email in my Inbox, CIS did not detect it. When I saved the malware attachment to my desktop, CIS did not detect it. When I viewed the desktop (folder), CIS did detect the malware. Manually scanning the Inbox archive (< 20MB) with CIS did not detect the malware.

I see the following problems with the CIS behavior:

  1. The user manually scans the PC, containing malware in Thunderbird mail, during the installation of CIS. CIS detects no malware, so the user decides to use Clean PC mode for Defense+. The user loses trust in Comodo when they find out CIS doesn’t scan mail archives with its manual scanner.

  2. The user saves a malware email attachment to a flash drive and then gives the flash drive to a friend. The user and friend lose trust in Comodo when they learn that CIS doesn’t protect against saving malware from emails.

  3. With the “Allow anti-virus clients to quarantine individual incoming messages” option enabled, the user expects the lack of CIS detection to indicate that the PC is clean. The user loses trust in Comodo when the malware is not detected until months later when the malware is executed, especially since the malware is now contained in several backups.

  4. Avira’s AV continues to be number one in the AV market, partly because its real-time scanner supports quarantine of individual incoming messages, its real-time scanner successfully detects malware when extracted to a file to the file system, its real-time scanner automatically excludes Mozilla mail archives, and its manual scanner gracefully scans Mozilla mail archives – treating each mail as an individual item. Since these features have negligible impact on Avira’s real-time scanner speed and memory, and each feature can be individually enabled, knowledgeable users prefer Avira AV’s superior security and usability (together with CIS’ firewall and Defense+).

I propose that CIS adds options for the above missing security features.
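The manual-scan gap described in the post above (the Inbox archive scanned as one blob with nothing found) is a format problem: Thunderbird's traditional message store is mbox, one file per folder with every message concatenated, so a scanner that does not understand the format never sees the individual attachments. As an added example, not code from the original post or from Comodo, the Python script below walks an mbox archive message by message, reports each attachment with its size and SHA-256 (for lookup against known-bad hashes), and writes each attachment out as its own file so that an on-access scanner that checks on read or write gets a look at it. The sample archive, the addresses and the attachment bytes are constructed inside the script and are not from the page.

```python
"""Enumerate and extract attachments from an mbox-format mail archive.

Thunderbird keeps each folder (e.g. Inbox) as a single mbox file with no
extension. Walking it message by message is what "treating each mail as an
individual item" means in practice: every attachment can be hashed or
written out as a separate file where an on-access scanner will see it.
"""
import hashlib
import mailbox
import os
import tempfile
from email.message import EmailMessage
from email.utils import formatdate

# Constructed sample payload standing in for a suspicious attachment.
# Not malware, just bytes we can recognise by size and hash in a test.
SAMPLE_ATTACHMENT = b"MZ" + b"\x00" * 62 + b"constructed sample, not a real executable"
SAMPLE_ATTACHMENT_NAME = "invoice.exe"
SAMPLE_ATTACHMENT_SHA256 = hashlib.sha256(SAMPLE_ATTACHMENT).hexdigest()


def build_sample_mbox(path):
    """Write a two-message mbox: one plain mail, one carrying the sample attachment."""
    box = mailbox.mbox(path)
    try:
        plain = EmailMessage()
        plain["From"] = "alice@example.invalid"       # constructed addresses
        plain["To"] = "bob@example.invalid"
        plain["Subject"] = "no attachment here"
        plain["Date"] = formatdate()
        plain.set_content("just text")
        box.add(plain)

        with_att = EmailMessage()
        with_att["From"] = "mallory@example.invalid"
        with_att["To"] = "bob@example.invalid"
        with_att["Subject"] = "your invoice"
        with_att["Date"] = formatdate()
        with_att.set_content("see attached")
        with_att.add_attachment(SAMPLE_ATTACHMENT, maintype="application",
                                subtype="octet-stream",
                                filename=SAMPLE_ATTACHMENT_NAME)
        box.add(with_att)
        box.flush()
    finally:
        box.close()
    return path


def iter_attachments(mbox_path):
    """Yield (message_index, subject, filename, payload_bytes) for every attachment."""
    box = mailbox.mbox(mbox_path)
    try:
        for idx, msg in enumerate(box):
            for part in msg.walk():
                if part.get_content_maintype() == "multipart":
                    continue                      # container, no payload of its own
                filename = part.get_filename()
                if not filename:
                    continue                      # inline body text, not an attachment
                payload = part.get_payload(decode=True) or b""   # undo base64/QP
                yield idx, msg.get("Subject", ""), filename, payload
    finally:
        box.close()


def scan_report(mbox_path):
    """Return one dict per attachment: where it came from, its size and SHA-256."""
    return [
        {"message": idx, "subject": subject, "filename": filename,
         "size": len(payload), "sha256": hashlib.sha256(payload).hexdigest()}
        for idx, subject, filename, payload in iter_attachments(mbox_path)
    ]


def extract_for_scan(mbox_path, out_dir):
    """Write each attachment to out_dir as its own file and return the paths.

    The filename from the mail is reduced to a safe basename and prefixed with
    the message index, so a name like '../../x' cannot escape out_dir.
    """
    os.makedirs(out_dir, exist_ok=True)
    written = []
    for idx, _subject, filename, payload in iter_attachments(mbox_path):
        safe = os.path.basename(filename.replace("\\", "/")) or "unnamed"
        target = os.path.join(out_dir, f"{idx:04d}_{safe}")
        with open(target, "wb") as fh:
            fh.write(payload)
        written.append(target)
    return written


def demo():
    """Build the sample archive in a temp dir; return (report, written names, sizes)."""
    with tempfile.TemporaryDirectory() as tmp:
        archive = build_sample_mbox(os.path.join(tmp, "Inbox"))
        report = scan_report(archive)
        written = extract_for_scan(archive, os.path.join(tmp, "extracted"))
        sizes = [os.path.getsize(p) for p in written]
        names = [os.path.basename(p) for p in written]
    return report, names, sizes


if __name__ == "__main__":
    for entry in demo()[0]:
        print(entry)
```

Run it against a real profile by pointing `scan_report` or `extract_for_scan` at the folder file under the Thunderbird profile directory (the Inbox file itself, not the `.msf` index beside it). The extraction step is the part that matters for the behaviour reported above: the post says the file was caught on read once it sat on the desktop, so writing each attachment out and letting the scanner read it is the same trigger, applied to every message in the archive.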

There have been many, many discussions on this topic, and Avira and Avast have been brought up in those discussions as well. Malware cannot infect your computer unless it’s accessed. When it is accessed, Comodo detects it and removes it. This improves performance and maintains users’ security. Scanning email on arrival would provide no added protection, nor would scanning files on write… it simply eats up resources and bloats the software.

Hi mjj09,

Thanks for responding to my post. I suspect that you are expressing a point of view of Comodo developers and many forum members. So I appreciate your dialog with me.

Is it fair to summarize your view as “Detection within mail formats does not improve security of the PC protected by CIS, and detection within mail formats would increase the resource usage of CIS”? I agree with these statements. However, I suggest additional goals for CIS:

  1. Prevent spreading malware to other computers
  2. Usability suitable for inexperienced (mainstream) users

I am pointing out that CIS fails 1) because it fails to detect malware:
a) When saving a mail attachment to removable media
b) When saving backups of mail archives

I am also pointing out that CIS fails 2) because:
c) CIS fails to detect malware in the archive format most accessed by a user, yet manual and scheduled virus scanner settings include an option to scan archives.
d) CIS delays malware detection such that the user doesn’t understand how it arrived (by email), causing distrust.
e) The user thinks the PC is clean, so he/she extracts from an archive after disabling CIS’ AV (run an incompatible application, upgrade CIS, install a different AV).

Some specific proposals to address these problems:
i) Real-time scanner detects on writes to removable media, possibly as an option enabled by default.
ii) Manual and scheduled scanners add support for most archive formats, including Mozilla mail and 7-Zip.
iii) An enable option for each archive format (tells the user what CIS supports, more granularity in security vs. speed)

I believe that the real-time scanner has the most impact on CIS’ resource usage. Proposal i) has an infrequent impact on resources for the real-time scanner. Since these proposals include options to disable them, I am hoping they would please everyone.

I look forward to our continued dialog.

I feel CIS was designed to protect my PC from becoming infected/hacked, not my neighbor’s PC. If they would like to be protected, they can install CIS (or another vendor they trust).

Usability is always important. I think Comodo has been working hard to improve this recently. The interface could use a redesign, but it is always a work in progress.

  1. CIS doesn’t check any write attempts (as far as I know). To get this feature, you would have to save the attachment to the C: drive and copy/move the file to the external media. CIS would scan the file as it’s being moved.

  2. I support. I’m not sure what archives the manual scanner protects against already (besides rar and zip), but it should scan the most common archive formats (including the most common mail formats).

  3. That might be overkill, but meh, why not.

Never disable both the AV and D+, you’re just asking for trouble. :smiley:

Some CIS users want to protect friends’ and family members’ PCs from malware - even those who don’t take advice to install CIS. Some CIS users use a USB flash drive to transfer files from their home PC to their work PC, where the IS/IT department does not allow CIS to be installed (I am in this category).

It is embarrassing for Comodo and their fans when a non-CIS user’s PC detects malware in files transferred from a PC supposedly protected by CIS. A fan can explain that CIS fully protects its own PC from malware, but inexperienced users likely don’t understand enough about security to believe the explanation more than their own experience of malware undetected by CIS. I propose that preventing the spread of malware will help Comodo’s mission to spread CIS to the masses.

Couldn’t have said it better :smiley:

It does check on write for certain file types. If you download the Eicar test files, it will grab both the .com and .txt file on write.

Friends/Family members do not have to install CIS. They can choose to install any software they trust. I happen to trust Comodo.

I would pray that the IS/IT has security measures in place to deal with this type of thing. If they do not, let the whole organization’s network come to the ground. Maybe then they will learn their lesson and place more emphasis on securing their network.

CIS detects malware when being accessed. If the Comodo-protected computer is transferring files to another computer (PC to PC), Comodo is scanning everything being sent. Comodo only scans some file types (according to HeffeD) on write… that is, files being placed on your computer/external drive (I don’t remember this being added in 3.8…).

3.8 would also do this. I don’t remember exactly when I tested this, so 3.5 might have done it as well.

In my test, Thunderbird wrote an EXE file to disk with no detection by CIS. The same file is detected on read by CIS. When Thunderbird writes that file directly to a USB flash drive, and then the flash drive is (safely) removed, CIS fails to detect malware transferred to another PC.

Until recently, I worked for a Fortune 500 company. They used McAfee AV and policy enforcer as the only security on each PC. The only firewalls were at the gateway and laptops (none on desktops), and there was Smart Filter at the gateway to block web sites that are not considered “business appropriate”. I talked to the lead computer security engineer, and he said that he thought that their security strategy was very vulnerable. The reason they used this strategy is because it did little to interfere with “business”. In other words, few FP and few pop-ups (McAfee is good at these aspects). Thus, managers unfamiliar with security control the security policy.

I agree that occasional viruses that spread through their network caused them to step up their security. But Comodo is trying to create a web of trust, and this involves uplifting the whole industry. Upliftment comes from leading by example, which Comodo is not doing by allowing malware to spread with this security hole.