Then don’t think, do it and show us. Then we’ll bash Melih together. ;D
Absolute? Well, you don’t even have that with VirusTotal on-demand scanners… You will have to trust everything in the virus lab analysis… and it can always fail.
Every security program claims it protects more and better than any other. No exceptions.
But…
I won’t discuss which is better or best. I think this is not my point of discussion.
I do not use any Symantec product. I don’t trust in the company, in the software development, in the sales/marketing policy, in the feedback and support, etc.
Lessening is always necessary. Popups are an annoying thing for common users. If the amount is huge, it’s annoying even to advanced users.
That’s the major point and the one I wish to discuss.
Seems that the advantage of a combined approach is necessary.
You can’t rely only on “deny all” or on the popup of Defense+… Users will allow, sooner or later, and won’t wait for the answer of the Comodo labs…
CTM is one of the most interesting software technologies I’ve seen lately. You can really test software safely and I, myself, disabled other resident security programs (ThreatFire, WinPatrol, etc.) and improved my performance.
I agree. This is the major point of discussion in the “default deny” / “default allow” policies.
I think the opposite. When we come to user errors, the default deny has a lot of weaknesses…
That’s the “default allow” policy. The decision is made by the antimalware team/software.
+1
More in a second post…
Because you didn’t run them… if it passed by the AV and you click OK in Defense+… Against insanity or ignorance it’s hard to fight… I’m talking about myself, not others. For sure I will allow some software that I shouldn’t…
I’m not technical enough to discuss the points Kyle and Endymion are involved in. Sorry.
Summarizing my point of view:
I do trust in HIPS and Defense+ as being a layer of defense.
I also do trust in legacy antivirus as taking the right decisions instead of the user.
Usability and configurability are must-haves in the security world, as I need to work with the computer, not take all my time to protect it.
I’m not a fanboy of anything (maybe only my soccer team ;D).
Tech
I think Ovidiu is saying that he ran them and they were sandboxed.
Of course he can confirm that himself.
thanks
Melih
Melih, I think the focus (at least mine) is not what can bypass (if any) Defense+ or the protection level you can achieve, or if a legacy antivirus is better than “default deny” policy.
I’m trying to discuss how Comodo could prevent a bad user decision without a good antimalware behind. It’s not only a matter of reducing the Defense+ popups but preventing the user having to take a bad decision after 50 popups…
Seems I’m trying to defend the best of both worlds…
First you need to narrow down as to when the “user decision” is required for CIS…
then analyse the alerts…and then tell us
1)how many alerts and when
2)if those alerts are not easily understood.
thanks
Melih
Quite some when I install software… from the setup.exe file to invoking the .msi and saving files, etc.
They’re easy to understand.
But I want to install the software. Mostly I know the source and I’m not playing with fire. But I’m not a paradigm. People will understand the alerts and will bypass them because they want to install the software.
How is that different when I receive a malware warning from a legacy AV, when, as you said:
“But I want to install the software. Mostly I know the source and I’m not playing with fire. But I’m not a paradigm. People will understand the alerts and will bypass them because they want to install the software.”
You will still tell the legacy AV, hey, it’s trusted… I want to install the software… Mostly I know the source and I am not playing with fire… etc etc…
It is exactly the same scenario…
Melih
Let me inject something here. My brother is now using Comodo IS after using KIS 2010 for a whole year. He is fairly computer savvy, not a geek like me but not a total dud. He was telling me today that the computer works OK but he keeps getting firewall alerts and other popups that he does not know the meaning of. He said he really liked Kaspersky because it just worked and left him alone. So as far as Comodo’s usability is concerned, yes, it has gotten better, but for some people it is still too much. Today I will use EVPN to log on to his computer and set it so he does not get any more warnings.
Did the Kaspersky he used have an outbound firewall?
what other alerts does he get? (are they sandbox information alerts or others?)
thanks
Melih
I think the difficulty here is letting the user know in an alert whether it is likely malware or likely safe.
The problem is that (other than Defense+ malware heuristics) I don’t know how this can be accomplished. Perhaps the Behavioral Blocker will fill this role, but at this point I’m not sure.
Yes, it had an outbound firewall, but it never asked a question. Also, when he used uTorrent it worked automatically; I had to create a rule for it to work on CIS.
He told me that he is getting lots of firewall inbound alerts. He said that he is getting an inbound firewall alert about a computer wanting to connect to his computer even though he is the only one on the network. He told me he will send some screen shots to me. No sandbox alerts.
You’re right. Both could have automatic actions set, the antimalware to send to Quarantine and Defense+ to Sandbox.
It’ll be a matter of trust. I need to trust in Comodo AV or, better said, I wish Comodo had a better AV and my antivirus had, at least, a decent HIPS.
Managing the popups is a must-have.
Exactly. For me, if we can trust in the judgment of a better antivirus, with trustable detection rates, well, we could have a previous judgment of the nature of the file.
So maybe if the Defense+ alerts had an option to also see what other AV’s think of this file.
It would be very nice if you could get a verdict like you get from virustotal. Perhaps an option to automatically send the file to virustotal (or a similar site) to be checked.
Thus the advanced user understands what the file is doing, but the ordinary user can merely rely on whether any other AV detects it before allowing. The user would still be protected from zero-day malware (although they still may allow it), but for malware that is already known they will be protected because they can check the results and then make their choice.
I hope I have been clear. I think this may be a good balance between Default Deny and the traditional AV protection. What do you think?
Well… it will be a link to www.virustotal.com, but, in my opinion, this won’t make it better. The user won’t check each file (.exe), or library (.dll), or installer (.msi)… A better and fast response from the product is needed.
A better CAV will make a good approach, don’t you think?
Any approach is making it better and more secure.
But you can’t lose performance, make the user lose that much time, or make tasks difficult to do… But I agree with you, we could have a better approach…
No, one lab is not as good as being able to compare the results of several. The detection rate is much higher and the ability to diagnose a false positive is much improved if you use several different labs.
Maybe Comodo could do something like run the file past Comodo, Avira, Kaspersky, Avast, Microsoft, … (or any combination). Maybe 5 or so AV’s. Also, pass on any suspicious files to these companies for analysis. In this way the users of Defense+ get the ability to better investigate a file while doing less work and the AV companies will have improved detection rates. Essentially the Comodo community becomes a honeypot for the AV’s and everyone benefits.
By the way, I’m envisioning this as another tab in Defense+ that gives the results of this analysis. Maybe something like the way Hitman Pro works.
Do you think that giving the user this type of information would make it much more likely for them to distinguish between the good files and bad files when making a decision? I think this would go a long way.
Tell me if you don’t think it’s possible or there’s a flaw in my logic.
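The multi-lab lookup proposed in this post, modelled as added example code (not part of the thread or of any Comodo product); the engine names, verdict labels, sample bytes and the “two agreeing labs” threshold are constructed assumptions:

```python
import hashlib
from dataclasses import dataclass
from enum import Enum

class Action(Enum):
    QUARANTINE = "quarantine"              # known malware: automatic AV-style action, no prompt
    SANDBOX_AND_PROMPT = "sandbox+prompt"  # unknown or disputed: Defense+ default-deny path
    ALLOW = "allow"                        # clean everywhere and from a trusted vendor

@dataclass(frozen=True)
class Verdict:
    engine: str      # lab that scanned the file (assumed name)
    detected: bool
    label: str = ""  # detection name, if any (constructed in the sample below)

def file_hash(data: bytes) -> str:
    """Hash used to query the labs, so the file itself need not be uploaded."""
    return hashlib.sha256(data).hexdigest()

def decide(verdicts, trusted_vendor=False) -> Action:
    """Fold several lab verdicts into the action Defense+ would take before prompting."""
    if len({v.engine for v in verdicts}) != len(verdicts):
        raise ValueError("expected exactly one verdict per engine")
    hits = [v for v in verdicts if v.detected]
    if len(hits) >= 2:               # agreeing labs: known malware, block without asking
        return Action.QUARANTINE
    if len(hits) == 1:               # a lone hit may be a false positive: isolate and ask
        return Action.SANDBOX_AND_PROMPT
    if trusted_vendor:               # clean everywhere and from a vendor the user trusts
        return Action.ALLOW
    return Action.SANDBOX_AND_PROMPT  # nobody knows it yet; zero-day cannot be excluded

def summarize(verdicts) -> str:
    """One-line text for the proposed alert tab showing what the other labs think."""
    hits = [v for v in verdicts if v.detected]
    names = "; ".join(f"{v.engine}: {v.label}" for v in hits) or "none"
    return f"{len(hits)}/{len(verdicts)} engines flag this file ({names})"

# Constructed sample: fake installer bytes and five made-up lab answers.
SAMPLE = b"MZ...constructed installer bytes"
SAMPLE_VERDICTS = [
    Verdict("LabA", True, "Constructed.Sample.1"),
    Verdict("LabB", True, "Constructed.Sample.1"),
    Verdict("LabC", False), Verdict("LabD", False), Verdict("LabE", False),
]

if __name__ == "__main__":
    print(file_hash(SAMPLE)[:16], decide(SAMPLE_VERDICTS).value, summarize(SAMPLE_VERDICTS))
```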
I myself submit all “unknown” files I use/install to VirusTotal.
I would be glad if it could be done by the interface directly.
But you will have to convince the company (and the antivirus companies) to work like that.
The honeypot is giving the community… the antivirus, the work for detection.
I think the paid antivirus vendors won’t like the solution.
A common complaint about antivirus is the lack of detection.
Another one is the speed of updates and the improvement of the database.
What can we say of Comodo speed?
- Correction of false positives: https://forums.comodo.com/beta-corner-ccs/how-to-easy-report-ccs-false-positives-t58390.0.html;msg408997#msg408997
- Update the database: https://forums.comodo.com/news-announcements-feedback-cis/cis-and-avcomparativesorg-t58274.0.html;msg410243#msg410243
Room for improvement?
Does perfection exist?
If not…there is always room for improvement
melih
Ok, but there is improvement from 9.5 to 10 and from 1.0 to 9.5…
The response time is far from a tolerable margin for the user and for the company image.