White listing or black listing?

It’s a new breed of security firm all right, considering how the quality of CAVS has yet to climb out of the sewer after all this time.

Take a look at PC Tools’ antivirus product, for instance. They’re new, and they’re improving quickly. Which is a hell lot more than I can say for Comodo.

G’day solcroft,

Glad to see you stick your head round the door again.

Gotta agree - the detection rate of CAVS2 Beta has never been the best. I can’t see it getting any better than it curently is as the primary develoment focus is now on CAVS3.

Just in case you were just about to say “LOL. Couldn’t finish V3 and have started on V3” or similar, Comodo realised, after the release of CFP V3, that they needed to re-architect the CAVS product line to be able to co-operate with the new architecture used in CFP V3. As a consequence, the CAVS V3 development team has been greatly expanded and development work on CAVS V2 pretty much ground to a halt.

CAVS V3 is slated for a public beta towards the end of this month or early next month and should be worth at least a closer look.

[tongue in cheek mode on]
I’ll get someone who’s allowed to register at Wilders to let you know when it’s out. :wink: (Only kidding, every attempt I’ve ever made to register at Wilders has failed for one reason ro another. Now, I just don’t bother, but I do read there a lot.)
[/tongue in cheek mode off]

Ewen :slight_smile:

It's a new breed of security firm all right, considering how the quality of CAVS has yet to climb out of the sewer after all this time.

Take a look at PC Tools’ antivirus product, for instance. They’re new, and they’re improving quickly. Which is a hell lot more than I can say for Comodo.

I stick around every now and then and pay attention. Hey, I’d be a happy user too if Comodo decides to get its act together and release a useable product.

You may not have that much to say on this topic, but I have long been well aware of how much you have to say on other topics relating to Comodo, solcroft.


Given a recent thread started by Melih, something about “If you have CFP 3, why do you need an AV”, I was under the impression that Comodo believed blacklisting to have severe limitations compared to whitelisting, and this would explain why CAV has been on the backburner…

Is my impression incorrect, panic?

Actually, I do, but I just can’t be bothered nowadays that its common knowledge.

Yes with an “if”, no with a “but”.

There are pros and cons to both sides of the blacklist / whitelist argument. Comodo have decided that the whitelisting is the better way to go and I’m inclined to agree with them. This is akin to saying trust no-one other than those I know (which is pretty much how real world security works).

The biggest downside to whitelisting is that everything is considered black unitl it is proven to be white. Who does the proving, and what are their credentials?

A lot of it comes down to trust. Some will, some won’t. And I"ll bet you won’t get them to agree. :wink:

Ewen :slight_smile:

The Achilles heel of blacklisting is the reliance on a database; it can only get larger going forward.
Every AV has to keep signatures of viruses ten, fifteen years old, while the number of malwares grows exponentially.
Right now, both sides are somewhat balanced, so the debate regarding whitelisting vs blacklisting is sustainable, but the future of blacklisting as a defense mechanism is doomed.

AVs are dead, but they don’t even know it yet.

Or maybe the AV companies do know it, but they are just not letting their customers know until they can find a viable alternative.

IMO users like solcroft are stuck in the past.

Sure. If we can’t keep the blacklist current, let’s try whitelisting instead, and try to keep up-to-date with a database at least a thousand times as large (and that’s an optimistic estimate at best).

IMO some users are so keen to defend their biases that logic and facts take a back seat to the rhetoric they’ve been spoon-fed with. :THNK

What if the local whitelist database, rather than containing every whitelisted app known to man (and would indeed be a thousand times larger), only contained the known whitelisted apps that pre-existed on that particular PC? Then, as new apps got added to that PC, there was a lookup which cold add that app to the local whitelist DB. This would constrain the local DB down to the minimum size required to service the apps on that PC.

What think?
Ewen :slight_smile:

solcroft, when I say whitelisting I am talking about behavior monitoring.
Any kind of database is ridiculous unless it is maintained by Microsoft, which is why I never use Comodo’s trusted app database.
Get a grip.

I think there’s no such thing as a “local whitelist”.

A whitelist contains programs that have been approved by either the vendor or the user. If it is to be approved by the vendor, then the vendor has no choice but to whitelist every app known to man, unless they don’t care about identification mistakes made by their software, or if their users only use a very limited subset of other software. And if the whitelist is to be approved by the end user, I think the problems are obvious.

And I think it’s useless to debate the concepts of whitelisting and behavior monitoring with some users who clearly don’t have a clue.

The entire database concept is ridiculous.
This is all because of the poor design of Windows.
I wouldn’t be surprised given the current Vista fiasco that Microsoft makes a clean break with backward compability with the next version, ala Apple with OS/X.
Then the entire database argument will be moot, because we will finally have a properly functioning OS, and people like solcroft will understand why things are the way they are.

I guess that’s why you are still waiting to exhale looking for AV solutions, while after having not had an infection in almost a decade I am wondering why I am still running one and looking to ditch AVs permanently…

What I meant was - the vendor, remotely creates the “master” whitelist DB. When the application that’s going to utilise this DB is installed, part of the installation process is to determine what apps are already on the PC. This “apps list” is then processed against the remote vendors master whitelist DB. The resulting matches then form the local whitelist DB which is what is downloaded to the local PC. As new apps are installed or executed, they are again compared to the remote master whitelist and subsequent matches are pushed back to the local PC to be incorporated into the local whitelist DB.

Please bear in mind the above is not a declaration of what categorically be included in a future Comodo release.

And I think it's useless to debate the concepts of whitelisting and behavior monitoring with some users who clearly don't have a clue.

Debates and discussions are encouraged on these forums, but disparaging, derogatory or personal remarks are not.

All users are supposed to treat all other users with the same respect and courtesy they expect to be shown to themselves. Please, everyone, every now and again, re-read the forum policies.

Ewen :slight_smile:

The problem is how vendors are going to build that master whitelist in the first place, when they’re, according to the rhetorical claims, already struggling to keep themselves up to date on the much, much smaller blacklist. Your proposal doesn’t solve that problem as far as I can see.

Case in point: I uploaded the Sandboxie executables for verification some time ago. CAVS’ execution control module was still flagging them as unknown four months later. Comodo has displayed overwhelming incompetence in keeping up with just a blacklist, and I don’t expect them to be able to build a comprehensive whitelist anytime soon.

I made a general statement without naming anyone in particular. I do take heart in the fact, however, that the idiots who do need to feel offended by my remark are still intelligent enough to know as much. There’s hope for them yet.

That will be the telling thing, won’t it. If they have increased resources and can maintain the master whitelist adequately, and there is sufficient infrastructure behind it all, it shows a great deal of promise. If, OTH, they haven’t, we may be forced to agree. :wink:

We can both take heart from both of our generalised statements. Probably for the same reasons. :wink:

We already have threads for discussing pros & cons for black/white listing technology, but since we’re here, let me throw in my 2 cents.

I’m not in a position of really judging which one is the best. But, for me, white listing has shown to be superior. Ever since CFP 3 was released last year I even gave up antivirus, and my machine has worked flawlessly since then.

Black listing seem to be a never ending chase. Yesterday they even said at the daily news (which is not often) how the number of internet threats has increased. Symantec (one-sided, I know, but still…) said that three years ago, about 50,000 new malware was created in half a year. The last half year of 2007 - 500,000 new malware!

Maybe AV vendors can catch up with that, I don’t know, but I feel more safe with white listing / HIPS (which of course doesn’t have to exclude traditional black listing).

Now where are those screen shots for CAVS 3? :wink:


in a world where blacklisting : baddies, hides themselves, test their product against all the known AVs make sure none of them catch it and then release it…(bang… we have a day zero attack and then everyone is running around like a headless chicken trying to create a sig and then update all the millions of people out there… we do the same and and expanding of course…)

compared to whitelisting: where these publishers do not hide themselves and want to be known…

I would say: doing whitelisting is much easier and safer than blacklisting! the publishers of whitelisted products are not hiding themselves and the time it takes to add someone to whitelist is NOT a security risk like NOT adding some malware for a period of time!

Also: As Ewen pointed out: local whitelisting: well Clean PC mode is a version of that… that is why you see no material impact on system performance.

Your name is not in the list, you are not coming in!!! its as simple as that…

Sure everyone come on in… then send the search party to figure out who inside is a baddy and you only have a limited vision!!!

Its plain commonsense if you ask me…


To Ewen
It would be nice if you posted the above in some of he threads which are active at the moment.
The only problem is you would have to post it in big red letters so that they would notice it ;D