why the wait for cavs 3 makes sense

Whitelist is good but blacklist is not bad either. You can’t expect everyone, even most, to be able to operate a sophisticated program.

The HIPS and whitelisting approach for CAV will come from D+ in v3. We are whitelisting any file that can execute.

thanks
Melih

:BNC I will be very excited to help test the beta! Thanks for the update, Melih. :BNC

Except that ‘ole betsy’ doesn’t run on Vista, either. sigh (:SAD)

Yes, I am in the same boat with two Vistas. I too am using “that mechanic across town” that I am not sure I fully trust–and their restroom is not the cleanest. But, that is the choice I have to make.

:SMLR

You guys make one awesome firewall and I can’t see any reason why your antivirus wouldn’t be just as good.
I’m all up for some beta testing too just as soon as you can release one!

With the team that we have in place now, I am very confident that we will give the AV industry a good run for their money…first…

but soon after will lead it!

Melih

Actually this is false. As much as the output of malware writers is increasing, there are still way more programmers producing legitimate programs and files, obviously. Even if the malware writers produce more on average, they are still swamped by their small percentage (less than 5% - I’m being generous here).

Maybe less false is

  1. The number of “goodies” used by EACH user is less than the number of baddies encountered by EACH user

or

  2. The number of “goodies” used by the TYPICAL user is less …

The problem with (1) is that while each user uses, say, 100 goodie programs, their 100 goodies are mostly different.

(2) is the strongest argument for whitelisting. But so far no centralized whitelist I know of, including Comodo’s (which does not even include popular antivirus like AntiVir), is efficient enough.

What’s so exciting about whitelist in CAVS then? It’s already in D+ (not to mention a zillion other hips before D+).

They’re trying to add almost all good files so you get less pop-ups. I think in CAVS there will be far less pop-ups than in D+.

Xan

Aren’t they already trying to add all the good files for D+? Oh sure, I have no doubts that CAVS will have less pop-ups cos D+ monitors a lot more than just binary files running, but I’m actually hoping for one that is actually an antivirus (you know what I mean), not one that just uses watered-down D+ features and declares itself king of antivirus cos of that.

Sadly I suspect Comodo will do this very thing, from the way the winds are blowing with all this hype on whitelisting and the bashing of traditional antivirus technologies.

Because realistically speaking, companies new to the antivirus field have a HUGE disadvantage cos they lack the samples for creating signatures for blacklisting… So one strategy is to not try so hard, and then try to brainwash users into thinking that whitelists are the be-all and end-all of security and that they are the only ones to actually try this.

Why use technology from the old ages? Why use only blacklisting? If there are 2 new viruses a day, then I agree. But there are like hundreds, thousands of new viruses released every day. Why use technology that doesn’t do anything, except when it’s too late? Now take a look at these stats here: most antiviruses don’t even get 50% of all viruses released that month!!!

So I believe in this
Look at this article.
and this

This is how I think it will be.

A file is opened: CAVS scans the whitelist database; if it’s not in there, it scans the blacklist (= signature) database. If not there either, you are prompted. This will lower the prompts and make you as secure as possible.

Xan

EDIT: Change of order after a short explanation from Melih :wink:

One thing you are not taking into consideration is: To generate a baddie, one does not need to program. Simply re-pack!! Whereas for goodies they always have to program.

Your statement would be true if I had said: unique baddies, however we both know the amount of variants (re-packed) out there multiplying at a huge rate and each variant is a baddie!

thanks
Melih

Excellent Xan…

Slight change of the order:

A file is opened: check if it’s in the whitelist; if not, then scan; if still unknown, ask the user.

This way, for all the whitelisted apps you don’t need to waste CPU time by scanning them…

thanks
Melih

You are kidding, right? You can generate a goodie with exactly the same method!

Also I think we need to make a distinction between the theoretical number of goodies and baddies that can exist, and the ones that do exist and the user will encounter.

Unless a user is constantly packing malware and then running it, an average user will encounter more goodies than baddies easily.

Your statement would be true if I had said: unique baddies, however we both know the amount of variants (re-packed) out there multiplying at a huge rate and each variant is a baddie!

Define huge.

I say use BOTH. But I suspect CAVS will only have a small effort at blacklisting, cos they don’t have the resources to do it.

I have no beef with this (some products like PC Tools and Prevx do this as well), but only if the blacklisting part is as good as the average antivirus. If it isn’t, then it’s pointless.

But who does that with legitimate software?

Also I think we need to make a distinction between the theoretical number of goodies and baddies that *can* exist, and the ones that do exist and the user will encounter.

Unless a user is constantly packing malware and then running it, an average user will encounter more goodies than baddies easily.

Which would seem to make whitelisting a good idea.

Define *huge*.

They probably define huge using similar methods to every other AV vendor that says there are huge numbers emerging. I’m not aware of any that say the problem is diminishing.

(****** that I’m even answering this). Well, as you may probably not know, CAVS 1 had about 25-30% in tests, CAVS 2 in the beginning had 50% and is now running at 75% and more. So I think they really are trying to do that. You must know, new samples come in all day. Normal companies like Kaspersky, Avira, etc. only need to add them. But Comodo has to add the old ones too!!! This takes time; if you see their progress, I think they’re on a good way.

I say use BOTH.
That’s what they’re going to do. Check whitelist, not there --> check blacklist, not there ---> ask user (and ask to send it).

Xan
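The whitelist-then-blacklist-then-ask order that Melih and Xan describe above, as an added example (not Comodo’s code; the file contents, the whitelist hash and the signature are constructed stand-ins, and `repack` is a toy transformation used only to show why a re-packed build misses both lists and lands with the user):

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample "files": byte strings standing in for executables.
KNOWN_GOOD = b"MZ\x90\x00 hypothetical word processor build 1.0"
KNOWN_BAD = b"MZ\x90\x00 dropper stub BADDIE-SIG-0001 payload"
UNKNOWN = b"MZ\x90\x00 hobby tool nobody has submitted yet"
# Hypothetical signature database: detection name -> byte pattern.
SIGNATURES = {"constructed.trojan.a": b"BADDIE-SIG-0001"}

def file_hash(data: bytes) -> str:
    # Whitelist key: SHA-256 of the whole file, so any byte change misses it.
    return hashlib.sha256(data).hexdigest()

def repack(data: bytes, key: int = 0x5A) -> bytes:
    # Toy stand-in for a packer: same program, different bytes on disk.
    return b"PK-STUB" + bytes(b ^ key for b in data)

@dataclass
class Scanner:
    whitelist: set = field(default_factory=set)
    signatures: dict = field(default_factory=dict)
    scans_performed: int = 0  # CPU spent in step 2

    def classify(self, data: bytes) -> tuple:
        # Step 1: a whitelist hit costs one hash and no scan.
        if file_hash(data) in self.whitelist:
            return ("allow", "whitelist")
        # Step 2: signature scan against the blacklist.
        self.scans_performed += 1
        for name, pattern in self.signatures.items():
            if pattern in data:
                return ("block", name)
        # Step 3: neither list knows it, so ask the user (and offer to submit).
        return ("ask", "unknown")

def demo() -> dict:
    s = Scanner(whitelist={file_hash(KNOWN_GOOD)}, signatures=SIGNATURES)
    results = {
        "good": s.classify(KNOWN_GOOD),
        "bad": s.classify(KNOWN_BAD),
        "unknown": s.classify(UNKNOWN),
        # Re-packed builds match neither list: the bad one is not blocked,
        # the good one is not allowed, and both end up with the user.
        "repacked_bad": s.classify(repack(KNOWN_BAD)),
        "repacked_good": s.classify(repack(KNOWN_GOOD)),
    }
    results["scans"] = s.scans_performed  # 4: the whitelisted file was never scanned
    return results
```

The scan counter is the point of Melih’s ordering, and the two re-packed cases show both sides of the thread: a hash whitelist has to list every legitimate build, and a signature blacklist misses every variant, so the third step is where both land.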

The point you are missing: how many re-packed MS Word executables have you seen in the wild?
How many Zlob variants have you seen re-packed?

Nobody has a reason to re-pack a goodie and distribute it, but now even a 10-year-old kid can spread malware by simply repacking. The barrier to introducing baddies has been reduced drastically.

Melih