I agree with Dark. Both should be done to give info to the users…
He’s testing an Internet Security Suite as a whole.
Will that be testing how CIS prevents?
or
a Test to see how CIS can remove an existing Malware?
As you will appreciate, these are 2 different security models. If you want to design software to clean malware, then you need to know pretty much all of the malware, cos all it takes is one unknown malware to ruin everything. I haven't seen any AV that can claim to know 100% of the malware out there… and any test that is done only represents a small subset of malware out there. As always, VirusTotal stats should be a sobering reminder to us all how unknown malware penetrates thru the products that have Detection as their first line of defense.
There are 2 very different models, guys…
1) Keep a Clean PC Clean! (that's where Prevention is your first line of defense and a layered security architecture is good)
2) Malware Removal from your machine: that is a flawed model (look at VirusTotal stats) that no one can guarantee they will be able to clean all the malware from your machine, as there is always unknown malware.
Prevention, today, is the only secure way forward imo! We have to work and work together to make Prevention based security easy enough for novices. And that I am sure we will achieve… Yes we can! and Yes we will!
Melih
I think I might have some news about that very soon.
Thanks in advance then
About Secunia Research | Flexera sure looks interesting but IMHO no heuristic is assured to work flawlessly and signature based approaches aren’t an ideal solution.
Those exploits are worthy samples for BO protection and HIPS.
You’re right. But, as I mentioned, based on what they mention on such tests, security vendors do claim that they cover all sides, which does not entirely correspond to the truth.
The only vendors, according to them (Secunia) and I corroborate, that offer such a feature are Kaspersky and BitDefender. BitDefender isn’t 100% like the feature that Kaspersky and Secunia, itself, offer.
Based on that statement, from security vendors, then their security suites should protect against such, wouldn’t you agree?
Well, I don’t know what to answer. I usually apply a marketing jargon translator when I read those ads. There is no way a few lines of text could address all security subtleties and intended security software purposes.
I don’t know much about other solutions, but there are a few considerations I wish to make about BOs (this doesn’t mean I assume all advisories only pertain to BO).
I will ignore said statement in the first place.
No vendor is a fortune teller and I don’t expect any of them to provide a thorough explanation on an ad page to scare any potential user away.
Even in case of outstanding products (anybody can think about his product of choice) the security outcome is often a mix of safe-practices, user compliance and security specific education.
The thing I care the most about any security vendor is the effort they constantly put to improve their products.
Considering what I’ve recently read about NIS 2009 this is something Symantec has done too.
What the PC Mag review said about Comodo is what I said a while ago in another post. Since Comodo almost doesn’t have detection capabilities, in an already infected computer it is just about useless. It won’t detect things that are done because Comodo is designed to detect changes, not prevent infections per se either. The firewall in itself I haven’t seen block any attack. Basically it doesn’t do anything without Defense+. Just my thoughts.
There is no guarantee any solution will work on an already infected computer (I hope this is not only my thought).
True, no guarantee. But most of the time there’s still a chance a product will work. Or at least that’s what happened with the computers I’ve fixed with hundreds of infections.
I feel in such cases the use of different AV rescue CD-ROMs is more effective and appropriate.
Besides, Comodo Firewall Pro focuses on prevention; it is obvious it is improper to use it to remove existing infections, even though it may be of help in some such cases.
So how does one remove a malware that is unknown to all AVs? (Look at VirusTotal to see the amount of new malware that is not caught by AVs.)
Why does anyone think letting malware in, then trying to detect it, is better than stopping it from coming in in the first place?
Melih
Mostly Superantispyware and a virus scan have done a good job for me. I do use Ultimate Boot CD for Windows sometimes as well. Those you mentioned are good. The problem is that they’re Linux. In some PCs they don’t work at all. And I don’t know the reason since I don’t know much about Linux. Probably it just doesn’t support all hardware.
I know it is obvious I was just pointing it out.
If a client calls me saying that the malware is in, believe me, the answer won’t be install Comodo, because Comodo won’t do the job. I’ll say bring the PC to me. And I’ll do a checkup with my programs. You’re just assuming that everyone will have Comodo when in reality everyone doesn’t have Comodo or should have Comodo in the first place if they can’t answer the alerts right. The truth is Comodo can’t clean an already infected system and that’s a fact. So far I haven’t had any problems at all cleaning computers with all the software and utilities available to do so. I’m a PC technician in a small company and also at home I fix a few more. I love dealing with viruses actually. An interesting thing said in that review also was that some detected threats couldn’t be removed and you were taken to the buy pro support thing. Making you wonder if Comodo will turn like other “free” products that do the “buy to be able to remove threats” hehe.
hi Jeims
I don’t believe I was making those assumptions.
I will reiterate the questions I asked:
1) So how does one remove a malware that is unknown to all AVs? (Look at VirusTotal to see the amount of new malware that is not caught by AVs.)
2) Why does anyone think letting malware in, then trying to detect it, is better than stopping it from coming in in the first place?
Thank you for your answers
Melih
Wow, I’ve been away for less than 24 hours and there are three new pages of posts. :o
Anyway, I wouldn’t really object if anyone claimed NIS 2009 to be the best suite of 2009. I know too little to argue about it, but from what I’ve heard, NIS 2009 is great.
What I think about CIS is, that it’s a bit unfair to criticize it without mentioning its possible potential. Furthermore, you have to test it in a fair way to get proper results. I haven’t studied the test of CIS in detail, but from what I understand, it hasn’t been properly set up.
LA
PS: Here is a new outbreak: http://www.virustotal.com/de/analisis/1fe61ea9a881e8247fd44fb42d78b33b
It's nasty… and only 2 out of 36 AVs detect it… which means 34 of them just let it waltz in… so how do you clean that?
Datei UPSInvoice8771.exe empfangen 2008.11.05 18:59:19 (CET)
Status: Beendet
Ergebnis: 2/36 (5.56%)
Antivirus Version letzte aktualisierung Ergebnis
AhnLab-V3 2008.11.5.3 2008.11.05 -
AntiVir 7.9.0.26 2008.11.05 -
Authentium 5.1.0.4 2008.11.05 -
Avast 4.8.1248.0 2008.11.05 -
AVG 8.0.0.161 2008.11.05 -
BitDefender 7.2 2008.11.05 -
CAT-QuickHeal 9.50 2008.11.04 -
ClamAV 0.94.1 2008.11.05 -
DrWeb 4.44.0.09170 2008.11.05 -
eSafe 7.0.17.0 2008.11.05 -
eTrust-Vet 31.6.6190 2008.11.05 -
Ewido 4.0 2008.11.05 -
F-Prot 4.4.4.56 2008.11.05 -
F-Secure 8.0.14332.0 2008.11.05 -
Fortinet 3.117.0.0 2008.11.05 -
GData 19 2008.11.05 -
Ikarus T3.1.1.45.0 2008.11.05 -
K7AntiVirus 7.10.517 2008.11.05 -
Kaspersky 7.0.0.125 2008.11.05 -
McAfee 5424 2008.11.04 -
Microsoft 1.4005 2008.11.05 -
NOD32 3587 2008.11.05 a variant of Win32/Kryptik.BG
Norman 5.80.02 2008.11.05 -
Panda 9.0.0.4 2008.11.05 -
PCTools 4.4.2.0 2008.11.05 -
Prevx1 V2 2008.11.05 -
Rising 21.02.22.00 2008.11.05 -
SecureWeb-Gateway 6.7.6 2008.11.05 Trojan.Crypt.LooksLike.XPACK
Sophos 4.35.0 2008.11.05 -
Sunbelt 3.1.1783.2 2008.11.05 -
Symantec 10 2008.11.05 -
TheHacker 6.3.1.1.140 2008.11.05 -
TrendMicro 8.700.0.1004 2008.11.05 -
VBA32 3.12.8.9 2008.11.05 -
ViRobot 2008.11.5.1453 2008.11.05 -
VirusBuster 4.5.11.0 2008.11.05 -
And here is how CAMAS analyses it: http://camas.comodo.com/cgi-bin/submit?file=66a9661857aa25610f936ae9e69e6b1983be893ddd3243daa686bea218ab5395
I hope the point is clear that end users are totally vulnerable to new malware!
Matt tests only detection and cleaning. He did that in the past, so why should CIS be an exception? 88) The malware he has on his machine has been generating for months (read - old) - plenty of time for an AV company to create the signatures.
I know I already said how I find your CAMAS service amazing, but I must repeat it. (R)
Well, round 2: I tested D+ against Zemana’s ClipBoardLogger (http://www.zemana.com/list/list.asp?ktgr_id=426). D+ won’t even detect it! Again. After being reported long ago.
No need for screenshots. Anyone can try it out.
Once again, I apologize for not placing this at the leaktest board, 'cos I already did in the past, and it seems no one gave it importance, so, maybe by placing it at the wrong place, Comodo staff will notice it? I believe everything’s possible.
So, bottom line, it seems D+ lets pass, at least, 2 leak tests. Something already known, for anyone who cared.
Best regards.
I can confirm this… I can understand your point… but at the same time… is it really a threat?..
Congratulations guys…Matt gave CIS an “awesome” score.
http://remove-malware.com/uncategorized/comodo-internet-security-review-35/