The good, the bad and the unknown

You can watch the video here: The Good, Bad, & The Ugly (aka Unknown) - YouTube

Now I understand how this default deny policy works and how it provides more protection than your general AV; this video explains everything very well.

But I think there is a problem: at about 3:30 in the video it clearly states that unknown files are placed in a sandbox for a “short period of time” until it is identified whether they are good or bad, making the sandbox a temporary place to figure out if this unknown file is harmful or not.

But in reality, unknown files sit in the sandbox for months or years, making the sandbox more of a permanent storage place rather than a temporary one (as, I assume, was the original idea). Comodo can’t keep up with the amount of unknown files the same way your legacy AV can’t keep up with the amount of malware created, and the low file size allowed for submission is not helping either. On the other hand, increasing said size will only result in more files the “Comodo lab” will have to deal with.

I know that the user can manually add a file to a trusted list (or to the auto-sandbox exclusions in the latest version), but if the user has to decide whether the “unknown” file is good or bad, why in the world are we even bothering with this auto-sandbox in the first place?

Also, I know of the whitelisting thread on the forum, but the video gives the impression that this sandboxing business should be automated, not that users have to report every new program they install to the forums.

As for digital signatures, yeah, they help, but remember there are far more unsigned legit (often obscure) programs than signed ones… unless you only use software from big corporations.

Your thoughts, ladies and gentlemen?

They really need to speed up the sorting process. In theory, no clean/safe file should be in the sandbox for more than 1 week after it was first observed by Comodo. I know there are tons of clean files in existence, but if you don’t solve it at least this fast, you kind of defeat the purpose of sandboxing if users have to wait not just months but years to get things whitelisted.

So… either everyone is fine with that or no one knows what to say, I take it?

+1

I wonder if Melih has any comments on this?

Yes.

There is a process started to clean up the backlog… once done, things should be much faster…

I already said that years ago… The only way to keep up with all upcoming files is using automated systems (quite powerful) that can classify files.
The best way to decide whether a file is safe to use or not is to check some statistical information about it: like how many users have this file, when the file was created, digital signature (valid/invalid) and many other criteria that make this a good way to make a decision.
Now we are talking about a File Reputation system…
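The reputation signals described in the post above (prevalence, file age, signature validity) feeding the default-deny policy from the first post, as an added example. This is not Comodo's code or the poster's; the thresholds, placeholder hashes and endpoint counts are constructed assumptions, and the one-week review deadline is the figure argued for earlier in the thread, not a vendor setting.

```python
"""Added example (not Comodo's code): a toy file-reputation classifier that
feeds a default-deny policy, plus a check for unknown files that have sat in
the sandbox longer than a review deadline. All thresholds, hashes and
endpoint counts below are constructed assumptions for illustration."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class FileMeta:
    sha256: str          # constructed placeholder, not a real sample hash
    prevalence: int      # how many endpoints have reported this hash
    first_seen: date     # when the vendor first observed the file
    signature: str       # "valid", "invalid" or "none"
    listed: str = ""     # "whitelist", "blacklist" or "" (not yet reviewed)


# Assumed thresholds (not from the thread): a file is trusted on statistics
# alone only when it is both widespread and has been around for a while.
MIN_PREVALENCE = 50
MIN_AGE_DAYS = 30
REVIEW_DEADLINE_DAYS = 7   # the "1 week" the thread argues for


def classify(meta: FileMeta, today: date) -> str:
    """Return 'good', 'bad' or 'unknown' from the reputation signals."""
    if meta.listed == "blacklist" or meta.signature == "invalid":
        return "bad"                       # a broken signature is itself a red flag
    if meta.listed == "whitelist":
        return "good"                      # an explicit vendor/user decision wins
    age_days = (today - meta.first_seen).days
    if meta.signature == "valid" and meta.prevalence >= MIN_PREVALENCE:
        return "good"                      # signed and reasonably widespread
    if meta.prevalence >= 10 * MIN_PREVALENCE and age_days >= MIN_AGE_DAYS:
        return "good"                      # unsigned, but very common and not new
    return "unknown"                       # default deny: nothing vouches for it


def action_for(verdict: str) -> str:
    """Map a verdict onto the default-deny policy the video describes."""
    return {"good": "run", "bad": "block", "unknown": "sandbox"}[verdict]


def overdue_unknowns(files, today: date) -> list:
    """Hashes still 'unknown' past the review deadline: the backlog the thread complains about."""
    return sorted(
        f.sha256 for f in files
        if classify(f, today) == "unknown"
        and (today - f.first_seen).days > REVIEW_DEADLINE_DAYS
    )


# Constructed sample inventory (placeholder hashes, made-up counts and dates).
TODAY = date(2014, 6, 1)
SAMPLES = [
    FileMeta("placeholder-01", prevalence=12000, first_seen=date(2013, 1, 10), signature="valid"),
    FileMeta("placeholder-02", prevalence=3, first_seen=date(2014, 5, 30), signature="none"),
    FileMeta("placeholder-03", prevalence=800, first_seen=date(2013, 9, 1), signature="none"),
    FileMeta("placeholder-04", prevalence=40, first_seen=date(2014, 2, 1), signature="invalid"),
    FileMeta("placeholder-05", prevalence=2, first_seen=date(2014, 1, 15), signature="none"),
    FileMeta("placeholder-06", prevalence=1, first_seen=date(2014, 4, 1), signature="none", listed="whitelist"),
]

if __name__ == "__main__":
    for f in SAMPLES:
        v = classify(f, TODAY)
        print(f"{f.sha256}: {v:8} -> {action_for(v)}")
    print("overdue unknowns:", overdue_unknowns(SAMPLES, TODAY))
```

The point of the last function is the one the thread keeps returning to: a default-deny design is only as good as the speed at which "unknown" gets resolved to "good" or "bad", so an operator would monitor the size and age of that overdue list, not just the number of blocked files.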

Hi Melih,

It seems that there are issues in the backend systems; uploading samples from the CAMAS web uploader gives no result.