It’s not a big problem IMO. How often will you meet a “trusted malware”? How often will other AVs let unknown files go through? Who is responsible? Probably some automated whitelisting systems.
It’s a problem that only COMODO has; no other AV vendor using a whitelist (almost all of them) has this kind of issue, so there is something completely wrong in the whitelisting process or they are doing it on purpose.
Thanks for agreeing with me on this. (Since you are comparing a one-time thing in Kaspersky with the normal mode of operation of COMODO.)
“You recall once when Kaspersky…” but every week there are dozens of malware that are whitelisted that are found and reported, plus some other dozens that are whitelisted but that nobody reports.
But as usual the attitude of Comodo mods and staff is that they don’t make any mistakes and Comodo is perfect.
I mean, is there something more important than this for Comodo right now?
In this same thread you have two samples of 2 mods using 2 tactics, like “others also have the same problem and nothing is perfect…”
This is the attitude that I’m criticizing. While the attitude/answer should be:
“Yes, obviously we have a problem here; we are going to share these concerns with the dev team, because probably something can be done to improve the whitelisting process, and we don’t think that these volumes of malware in the whitelist are acceptable at all.”
Let’s go step by step to find the problem:
Considering that all unknown files are uploaded to the cloud.
* Comodo receives an amount of about 100 000 (even more) unknown files each day from all CFW // CIS installations around the world.
* These files are unknown, thus good or bad classification is definitely done with automated systems (CIMA, Valkyrie, and other in-house systems not shared with the public…)
They also use automation for whitelisting; some files can get whitelisted really quickly, which is great, some not (those which are submitted by users on the forum).
Apparently, it seems like some piece of malware could be whitelisted during the process.
edit: A file detected by 20 engines on VT can completely be a FP.
Now if you got infected by a malware from virussign… ;D
You are wrong (I hope), the whitelisting is based on certs mostly, and is done manually.
Doing whitelisting based on an AV, behaviour, whatever… is like shooting yourself in the foot, and no other AV vendor does this.
Sorry but you are wrong, KSN does not whitelist anything; it’s a reputation cloud http://support.kaspersky.com/7269# so if a malware gets a good rating in KSN, that doesn’t mean that Kaspersky automatically allows the file to access the Internet and modify anything in the computer, as happens in COMODO.
Thanks for confirming that Comodo does the whitelisting automatically; it’s a pioneer in the industry and this explains perfectly the issues that I pointed out. Like I said, shooting themselves in the foot.
If they assume that a file can be whitelisted based on the outcome of an AV cloud scanner with N engines or whatever artificial intelligence… they are assuming that they detect 100% of malware, when normally it’s 95% according to the test, so there is a 5% of potential malware in the CIS whitelist.
I must say that I do not like that Comodo automatically whitelists files; perhaps we should have an option in CIS to not accept whitelist updates that have been automatically generated, so only whitelist updates from manual testing will be implemented?
I think automatic whitelisting is possibly acceptable, but certainly something like this is required to balance out the danger.
Currently it seems that the only thing trying to balance this is manual user submission via the forum. I do hope that Comodo has some additional measures after the automatic whitelisting, but it appears that whatever they are, they are not potent enough.
In my opinion, something else is needed in order to counter this (albeit small) risk of the current whitelisting process. Although I’ve never heard of a very dangerous piece of malware being whitelisted, I have heard of adware being whitelisted.
Why do you think we have a direct line to the dev team? We have no more access to them than any normal member; please feel free to PM them your concerns.
I believe they are concerned, as if they were not concerned they would not reply to members in that topic; like I said before, nothing is perfect, mistakes can be made.
Sorry but it is beginning to look like you are trying to make something out of nothing, by implying what attitudes we have as Moderators.
Tread carefully. It’s the tone that makes the music.
The disadvantages of the Trusted Software Vendor list were discussed extensively at its introduction. I remember Siberlynx being very outspoken about it in discussions with Melih about this.
It’s up to Comodo to tell whether they think too much trusted malware gets past and, if that is the case, they might want to decide to change the conditions under which Vendors become Trusted Vendors.
The procedure to make a Vendor a Trusted Vendor is done by an analyst. For other tasks automated processes play a role.
Other than that I agree with Dennis. Your concern is shrouded in a toxic and inflammatory tone.
Few if not many criticised CIS Whitelisting in the past… But it’s almost impossible not to white-list some malware. Plus Comodo is the only full DD system on the AV market today so you can’t really compare it to anything else. Automated system or not… Humans make errors as well…
At the end of the day… It’s rare but it can happen…
It’s up to Comodo to tell… yes, right, we will wait 4 more years to see if they say something. Until now Comodo is silent about this topic.
Toxic? Well, if you see it as normal to find several trusted malware files every week… and what is worse is the malware in the TVL that isn’t found, and what is even worse is Comodo devs/staff being silent about this issue.
A normal person would say that the TVL is “toxic”…
PS: just in case, I don’t consider the forum moderators Comodo staff.
One could ask for attention to the problem in a non-abrasive fashion and get better exposure for your argument.
It has been discussed intensively in the past by Melih and Siberlynx. Until further notice the silence means Comodo has not changed their point of view on TVL.
Better exposure of the argument? What part is not clear to you?
Yes, we all know they are doing it wrong, but instead of trying to get it improved let’s bury the problem as you want. Thanks for your useful input in this thread.