Free Comodo AV is out!
Spyros
May 3rd, 2006, 04:25 AM
Info & download here:
http://www.antivirus.comodo.com/
Now, if someone could try it and tell us a little bit more about it, that would be great (I am currently at work, so..).
I'd also like to see av-comparatives testing it sometime soon.
Firefighter
May 3rd, 2006, 04:58 AM
{QUOTE-> Info & download here:
http://www.antivirus.comodo.com/
Now, if someone could try it and tell us a little bit more about it, that would be great (I am currently at work, so..).
I'd also like to see av-comparatives testing it sometime soon. <-QUOTE}
Interesting comparison table in there.
http://www.antivirus.comodo.com/comparison.html?currency=EUR&region=Europe&country=FI
McAfee, F-secure and Panda were NOT able to scan runtime packed files! :o :blink:
Best regards,
Firefighter!
BoToMaTiC
May 3rd, 2006, 05:11 AM
I would wait on using this until they get it the way they want 'cause it's a little high on resources, so you might want to wait for the next release for them to level it out since it's their first version and all.
RejZoR
May 3rd, 2006, 05:15 AM
Ok, that comparison table is weird but overall it looks interesting.
Can anyone from the AV Experts group comment on this product?
I'll try it anyway but any info is better than none ;)
Sputnik
May 3rd, 2006, 05:40 AM
Very interesting, the more free players on the market the better.
Marcos
May 3rd, 2006, 05:44 AM
I'm just scanning a bunch of trojan downloaders detected by NOD32 with the Comodo AV. Of course, this will not be 100% professional as the samples set should not contain only files detected by one AV and just one malware type, but the preliminary results seem to be promising. Detection ratio is currently 1:4 on behalf of NOD32.
Edit:
The scan ended up with these results:
NOD32: 12688
Comodo: 3392
QBgreen
May 3rd, 2006, 05:52 AM
{QUOTE-> Very interesting, the more free players on the market the better. <-QUOTE}
Right you are. Comodo has already released a very good firewall. If this A/V turns out to be of reasonably good quality, they just might have the best cost-free 'suite' going.
RejZoR
May 3rd, 2006, 05:53 AM
I've made a quick test over 72 ITW samples i have and it missed 24.
Samples that concern me the most are these...
SAMPLES.zip/server.exe - infected by Backdoor.Win32.Mex.b
SAMPLES.zip/wcgimail-elkern.c.bin - infected by Virus.Win32.Elkern.c
SAMPLES.zip/.nws - infected by Net-Worm.Win32.Nimda.e
SAMPLES.zip/02.exe - infected by Email-Worm.Win32.Bagle.do
SAMPLES.zip/Internet News Message.nws - infected by Net-Worm.Win32.Nimda.e
SAMPLES.zip/Lisa.bin - infected by IRC-Worm.Win32.Liza.a
SAMPLES.zip/magistr.bin - infected by Email-Worm.Win32.Magistr.b
SAMPLES.zip/Melissa.doc.txt - infected by Virus.MSWord.Melissa
SAMPLES.zip/msns.exe - infected by IM-Worm.Win32.Kelvir.cs
SAMPLES.zip/Rena.scr - infected by Email-Worm.Win32.Bagle.f
SAMPLES.zip/screensaver.scr - infected by Email-Worm.Win32.Eyeveg.l
Some of them are very ITW, yet they aren't detected.
They were tested by KAV, avast! and NOD32 before i stored them.
Though i'm overall satisfied with it. Nice interface, don't really notice any slowdowns. Only memory usage is somehow big, but i have 1,5GB RAM so i don't care :P
IBK, could you do a proper quick test? ;D
EDIT:
On-Access scanner is kinda weird. I'm used to AVs that jump on the malware as soon as it's copied/created on HDD. With this one you have to execute some to be detected or browse through the folder containing that malware in order to detect it. Hm...
Sputnik
May 3rd, 2006, 06:15 AM
I did a quick test too, used a small collection of trojans and backdoors (all confirmed samples by Trend Micro and BitDefender). From the 23 samples it missed 14 of them. :o
However just like RejZoR said above the program itself is very nice. I'll sure keep an eye on this and see how they will improve their detection. The scan engine seems pretty quick, but unpacking seems to lack a little at the moment.
BoToMaTiC
May 3rd, 2006, 06:17 AM
Well, time will tell, it's their first version.
Took Comodo Personal Firewall a few versions to get where it is right now and now it's a great firewall. Time will tell about Comodo's Anti Virus.
Sputnik
May 3rd, 2006, 06:20 AM
Of course, but it's interesting to see its initial capabilities and see how they (might) improve. I submitted the missed samples from my little test, and will see when and if they get added.
Inspector Clouseau
May 3rd, 2006, 06:21 AM
I designed this AV some time ago. ::)
RejZoR
May 3rd, 2006, 06:22 AM
IC, my sarcasm detector is broken at the moment. Care to explain? ???
Sputnik
May 3rd, 2006, 06:22 AM
{QUOTE-> I designed this AV some time ago. ::) <-QUOTE}
Code/database or GUI design?
Sputnik
May 3rd, 2006, 06:30 AM
If you look at the "Virus List" in the program you'll notice it has 173112 signatures at the time of writing. Let's see how it grows...
Inspector Clouseau
May 3rd, 2006, 06:31 AM
Basically all, i was leading this company.
Sputnik
May 3rd, 2006, 06:32 AM
{QUOTE-> Basically all, i was leading this company. <-QUOTE}
Care to provide some more details ;D Anyway, Comodo seems to use the same naming for their samples as Kaspersky...
hamlet
May 3rd, 2006, 07:11 AM
Is there much different with the new Comodo AV from what it used to be?
Trustix Antivirus.
http://antivirus.trustix.com/
It has a new name, it is free, and maybe has a new GUI.
Am I missing something here? Does it have new capabilities?
edit: The new version does have a nice looking interface.
StevieO
May 3rd, 2006, 07:22 AM
Apparently it used to be called Trustix AntiVirus 2005 http://antivirus.trustix.com/trynow.html but going to that page doesn't last long, as it disappears?
http://img104.imageshack.us/img104/5426/trfree16cp.png (http://imageshack.us)
The page cannot be displayed
The page you are looking for is currently unavailable. The Web site might be experiencing technical difficulties, or you may need to adjust your browser settings.
hxxp://secure.comodo.net/products/DownloadSoftware?product=138&redirectURL=http://antivirus.trustix.com/download/setup.exe ~disabled link - Please don't post Direct Downloads - If it's necessary Do Make sure the emphasize that they're Direct DLs - dog~
This seems to be more recent http://antivirus.trustix.com/
There's talk that Trustix AntiVirus utilises the Kaspersky AV engine, or did ? But Happy Bytes/Inspector Clouseau says he had something to do with it ?
The latest AV uses their own in house engine.
StevieO
Franklin
May 3rd, 2006, 07:48 AM
Yep,I tried to get the Comodo AV to try out but couldn't.???
Your second link Steveo, is that the downloadable exe for the av?
Jerry-Guire
May 3rd, 2006, 08:08 AM
Anyone tried this TrsutFix ?
Benvan45
May 3rd, 2006, 08:28 AM
{QUOTE-> Yep,I tried to get the Comodo AV to try out but couldn't.???
Your second link Steveo, is that the downloadable exe for the av? <-QUOTE}
This is the one....
http://www.antivirus.comodo.com/
iwod
May 3rd, 2006, 10:49 AM
{QUOTE-> Basically all, i was leading this company. <-QUOTE}
care to blog more info on it ;D
Dwarden
May 3rd, 2006, 11:35 AM
any idea why they decided to not include Avast! Home / Pro on their comparison page?
http://www.antivirus.comodo.com/comparison.html?currency=EUR&region=Europe&country=FI
IBK
May 3rd, 2006, 11:47 AM
the product comparison contains imo wrong information about some products... (e.g. regarding "On Demand Memory Scanning", "Mass Mail/Worm Blocker", "Scan Runtime Packed Files", etc. etc.).
Patriots
May 3rd, 2006, 12:56 PM
How can they afford to maintain this software and have a support staff if they give it away for free? I just keep thinking it sounds too good to be true.:-\
pykko
May 3rd, 2006, 01:16 PM
well...a little test result from me
I've scanned just a part of my collection...100 samples
Comodo detects 26 viruses, NOD32 96! Judge by yourself its unique detection rates. ;D
Patriots
May 3rd, 2006, 01:21 PM
{QUOTE-> well...a little test result from me
I've scanned just a part of my collection...100 samples
Comodo detects 26 viruses, NOD32 96! Judge by yourself its unique detection rates. ;D <-QUOTE}
I am trying to learn. I hope this doesn't sound stupid.
How do you get virus samples to test?
How do you keep them from infecting your computer?
What viruses did NOD32 not detect?
RejZoR
May 3rd, 2006, 01:50 PM
{QUOTE-> How can they afford to maintain this software and have a support staff if they give it away for free? I just keep thinking it sounds too good to be true.:-\ <-QUOTE}
Most of such companies "feed" from corporate and enterprise integrations.
avast!, AVG and AntiVir are no exception either.
waters
May 3rd, 2006, 03:28 PM
Detects rprot exe as a virus
RejZoR
May 3rd, 2006, 03:35 PM
Uninstaller appears to be the same crap as Norton uninstaller...
What a pain in the ass to remove. I uninstalled by following reboot in the end and on next start it says Comodo AV is disabled, tries to run the installer, screws loads of files back. Tried cleaning it, every 5 damn seconds i got stupid installer popping up.>:( I hope i eradicated it forever>:(
Isn't it interesting how just installer can screw up entire view on product...
Firecat
May 3rd, 2006, 04:15 PM
{QUOTE-> Care to provide some more details ;D Anyway, Comodo seems to use the same naming for their samples as Kaspersky... <-QUOTE}
Comodo is another India-based security solutions company I believe. I remember seeing a picture of Cool Dad Inspector Clouseau enjoying some coffee (???) in a restaurant with a few members of the team....
pykko
May 3rd, 2006, 04:26 PM
{QUOTE-> I am trying to learn. I hope this doesn't sound stupid.
How do you get virus samples to test?
How do you keep them from infecting your computer?
What viruses did NOD32 not detect? <-QUOTE}
U can find virus samples if u're searching for them, but I don't advise you start collecting.... my collection of 5800 viri took some time to build. ;D
And you can get infected if u're not careful.
Viruses are kept in archives usually and they are generally extensionless files.
Benvan45
May 3rd, 2006, 04:30 PM
{QUOTE-> Uninstaller appears to be the same crap as Norton uninstaller...
What a pain in the ass to remove. I uninstalled by following reboot in the end and on next start it says Comodo AV is disabled, tries to run the installer, screws loads of files back. Tried cleaning it, every 5 damn seconds i got stupid installer popping up.>:( I hope i eradicated it forever>:(
Isn't it interesting how just installer can screw up entire view on product... <-QUOTE}
Had no trouble at all when uninstalling!
RejZoR
May 3rd, 2006, 06:53 PM
Great, cleaned every inch of my PC and god damn Comodo installer is still flashing in the background every here and there>:(
This damn thing is even harder to remove than toughest rootkit>:(
Patriots
May 3rd, 2006, 06:58 PM
{QUOTE-> Great, cleaned every inch of my PC and god damn Comodo installer is still flashing in the background every here and there>:(
This damn thing is even harder to remove than toughest rootkit>:( <-QUOTE}
I am sorry that happened to you. I suggest using Acronis True Image once you get everything working. This way you can restore everything easily next time.
rdsu
May 3rd, 2006, 07:03 PM
Seems very nice on its features and because it is free, but I will wait to see its efficiency in all the AV aspects...
RejZoR
May 3rd, 2006, 07:03 PM
I'm using Gigabyte cloning tool which works great. Thing is i just restored it yesterday. Twice! ::)
Will try to install it again, this time with monitoring tool for reversal process. Wish me luck :P
notageek
May 3rd, 2006, 07:08 PM
They left out KAV and NOD in their comparison. Gee I wonder why. ;) They claim to be free forever. How long do you think forever will be? Most companies offer something free but after a few it starts to charge for a version or something like that.
mrhero
May 3rd, 2006, 07:32 PM
{QUOTE-> I'm using Gigabyte cloning tool which works great. Thing is i just restored it yesterday. Twice! ::)
Will try to install it again, this time with monitoring tool for reversal process. Wish me luck :P <-QUOTE}
I use Rollback Rx for this reason. If something goes wrong, simply go back in seconds.
Firecat
May 4th, 2006, 06:14 AM
{QUOTE-> They left out KAV and NOD in their comparison. Gee I wonder why. ;) They claim to be free forever. How long do you think forever will be? Most companies offer something free but after a few it starts to charge for a version or something like that. <-QUOTE}
After a few years, they'll probably change the name of the product and start charging for it (and then the old Comodo is abandoned).
"After all, its Comodo thats 'forever free', not <insert product name here>!"
I say this because such things are very common in India, where companies try to take advantage of loopholes to gain more and more profits....
Spyros
May 4th, 2006, 08:58 AM
~For anybody interested~
Comodo AV support forum: http://forums.comodo.com/index.php?board=4.0
RejZoR
May 4th, 2006, 09:12 AM
Firecat, not necessary. Remember what Vlk is always saying? They'll keep avast! free forever. AVG and AntiVir team said the same.
And from what i see Comodo is also financing from corporate/enterprise environments. Makes sense...
ErikAlbert
May 4th, 2006, 09:51 AM
I will wait with this one until it's better than KAV, NOD32 and McAfee. :)
Melih-Comodo
May 10th, 2006, 04:37 PM
Thanks for the interest guys.
My name is Melih Abdulhayoglu, Founder/CEO of Comodo.
I would like to answer some of the questions and issues you have raised.
1) Who is Comodo:
Headquarters in Jersey City, USA with global offices in UK, Ukraine, Japan, Italy and India.
Exclusive provider of digital security services to top level domain name registrants.
More than 150,000 customers in more than 100 countries, securing 500,000+ businesses and individuals.
4500 strong global partner network.
Operates one of the world's largest fastest growing Certification Authority infrastructures with the highest standards as evidenced by our KPMG annual audits.
World-renowned Digital Trust Lab Research and Development Center.
you can read more about Comodo here: http://www.comodogroup.com/corporate/
The engine for AV is written by our Ukrainian, Russian and Indian employees we have that are specialist in this area. Our project managers are based in the UK who manage these projects. Everybody in all our offices are full time Comodo employees.
2) Memory usage and detection rates: We have already started working on reducing the memory usage and the next version will have a much smaller footprint (of course we will continue to reduce it). Detection rate is improving on a daily basis as we add more signatures (please send us virus samples :-) ) and keep building more unpackers. You will see the detection ratio improve drastically in the upcoming weeks ahead.
3)Free for how long? Forever! Why? Cos our business model is about gaining user's trust so that they will try our innovative products like verification engine www.vengine.com and other security/trust products we have that allows us to make money from businesses (even those innovative products are free for desktops). CPF/CAV etc is brand building exercise that will provide a distribution channel for Comodo for its innovative product range.
We have created forums.comodo.com so that we can discuss issues there, by all means you are welcome to come and participate in helping us build these products (literally).
thanks
Melih
Comodo
mrhero
May 10th, 2006, 05:09 PM
@Melih
Hello and welcome to wilders. I want to ask a question out of topic. Where are you from? Your name and surname is Turkish.
Melih-Comodo
May 10th, 2006, 05:15 PM
I am Turkish/British :)
you can read more about me here... http://www.comodogroup.com/corporate/biogs.html
{QUOTE-> @Melih
Hello and welcome to wilders. I want to ask a question out of topic. Where are you from? Your name and surname is Turkish. <-QUOTE}
tansu
May 10th, 2006, 05:54 PM
Hi then,
Merhaba :D
Firecat
May 11th, 2006, 04:34 PM
{QUOTE-> Thanks for the interest guys.
My name is Melih Abdulhayoglu, Founder/CEO of Comodo.
I would like to answer some of the questions and issues you have raised.
1) Who is Comodo:
Headquarters in Jersey City, USA with global offices in UK, Ukraine, Japan, Italy and India.
Exclusive provider of digital security services to top level domain name registrants.
More than 150,000 customers in more than 100 countries, securing 500,000+ businesses and individuals.
4500 strong global partner network.
Operates one of the world's largest fastest growing Certification Authority infrastructures with the highest standards as evidenced by our KPMG annual audits.
World-renowned Digital Trust Lab Research and Development Center.
you can read more about Comodo here: http://www.comodogroup.com/corporate/
The engine for AV is written by our Ukrainian, Russian and Indian employees we have that are specialist in this area. Our project managers are based in the UK who manage these projects. Everybody in all our offices are full time Comodo employees.
2) Memory usage and detection rates: We have already started working on reducing the memory usage and the next version will have a much smaller footprint (of course we will continue to reduce it). Detection rate is improving on a daily basis as we add more signatures (please send us virus samples :-) ) and keep building more unpackers. You will see the detection ratio improve drastically in the upcoming weeks ahead.
3)Free for how long? Forever! Why? Cos our business model is about gaining user's trust so that they will try our innovative products like verification engine www.vengine.com and other security/trust products we have that allows us to make money from businesses (even those innovative products are free for desktops). CPF/CAV etc is brand building exercise that will provide a distribution channel for Comodo for its innovative product range.
We have created forums.comodo.com so that we can discuss issues there, by all means you are welcome to come and participate in helping us build these products (literally).
thanks
Melih
Comodo <-QUOTE}
Hello Mr. Melih. Seeing your response here, I do believe my earlier posts were quite derogatory with regards to your company. I am truly sorry for this, but I always watch new and upcoming companies with raised eyebrows due to lots of scams going on in Asian countries. I hope you understand my concern. I meant no hard feelings. :)
As for Comodo, its firewall product is good, and the AV can be improved. It would, however, be very nice if Comodo AV was sent for testing to various reputed AV-test sites such as AV-comparatives and Virus Bulletin, so that we can see how good it is.
Product development is never easy, this I understand. I wish your company all the best for the near future. :)
rdsu
May 11th, 2006, 04:45 PM
{QUOTE-> As for Comodo, its firewall product is good, and the AV can be improved. It would, however, be very nice if Comodo AV was sent for testing to various reputed AV-test sites such as AV-comparatives and Virus Bulletin, so that we can see how good it is. <-QUOTE}
I also would like to see this...
Melih-Comodo
May 12th, 2006, 07:20 PM
{QUOTE-> Hello Mr. Melih. Seeing your response here, I do believe my earlier posts were quite derogatory with regards to your company. I am truly sorry for this, but I always watch new and upcoming companies with raised eyebrows due to lots of scams going on in Asian countries. I hope you understand my concern. I meant no hard feelings. :)
As for Comodo, its firewall product is good, and the AV can be improved. It would, however, be very nice if Comodo AV was sent for testing to various reputed AV-test sites such as AV-comparatives and Virus Bulletin, so that we can see how good it is.
Product development is never easy, this I understand. I wish your company all the best for the near future. :) <-QUOTE}
Firecat,
You are a gentleman! Thanks for kind words. Comodo has been in this business since 1998 and we are the second largest Digital Certificate provider in the world after Verisign. First we launched the personal firewall and kept improving it and we will continue to improve it, now we are going to do the same thing for the Comodo AV and Comodo Anti spyware (soon). So please continue to support us by using our products and providing us with your valuable feedback about how we can improve our products.
thanks
Melih
Comodo
mercurie
May 14th, 2006, 09:47 AM
Fellow Creatures,
I will be looking to replace CA AV in a few months if interested in the "why" see my posts in this link:
http://www.wilderssecurity.com/showthread.php?t=123623
I need good detections with low resource usage for my older XP compaq machine running 800MHz Celeron 256 Ram. It's older but very solid and reliable but about all tapped out for expansion upgrades. I also do not care for suites as a general rule.
I will keep a sharp eye out on this new AV as it is attempting to address my needs it seems. I like Firecat am cautious. :-\ .
I have done some research, seems like this company is on track and their business model makes sense. Their site is informative, certainly the company is approaching 10 years of life with a product line. Would like to see more tests myself.
I will watch this product with keen interest and hope to see improvements in the areas discussed in this thread so that my comfort level is increased to the level I can give them a try. ;)
Good luck I wish you well Comodo!:thumb:
Melih-Comodo
May 14th, 2006, 07:12 PM
{QUOTE-> Fellow Creatures,
I will be looking to replace CA AV in a few months if interested in the "why" see my posts in this link:
http://www.wilderssecurity.com/showthread.php?t=123623
I need good detections with low resource usage for my older XP compaq machine running 800MHz Celeron 256 Ram. It's older but very solid and reliable but about all tapped out for expansion upgrades. I also do not care for suites as a general rule.
I will keep a sharp eye out on this new AV as it is attempting to address my needs it seems. I like Firecat am cautious. :-\ .
I have done some research, seems like this company is on track and their business model makes sense. Their site is informative, certainly the company is approaching 10 years of life with a product line. Would like to see more tests myself.
I will watch this product with keen interest and hope to see improvements in the areas discussed in this thread so that my comfort level is increased to the level I can give them a try. ;)
Good luck I wish you well Comodo!:thumb: <-QUOTE}
Thanks Mercurie,
You can even help us by telling us the features you would like to see in this Comodo AV. You can, if you like, install it for a short period so that you can play with it enough to give us your "order list" of your "wishes". This way you will have an AV that you effectively ordered :-). We are already well down the track with addressing mem usage, increasing detection etc, we want more feedback about how "you" would like to see AV operate. So any feedback will be greatly appreciated.
Thanks
Melih
PierreF
May 17th, 2006, 12:09 PM
This would be nice when it also would work on Windows 98.
Brian N
May 17th, 2006, 12:13 PM
{QUOTE-> This would be nice when it also would work on Windows 98. <-QUOTE}
Time to upgrade man, it really is :)
PierreF
May 17th, 2006, 01:09 PM
Just reinstalled it and it works well :)
So if Comodo offers nice freeware i would like to try it.
ardvark
May 17th, 2006, 04:20 PM
{QUOTE-> Time to upgrade man, it really is :) <-QUOTE}
Show him the money, man....really:)
RejZoR
May 17th, 2006, 06:20 PM
Melih, can you name just few packers that are already supported by Comodo AV ? Also do you already detect Polip/Polipos? Last time i checked it was still not detected. If not, let me know and i'll send 2 samples.
Melih-Comodo
May 17th, 2006, 10:35 PM
{QUOTE-> Melih, can you name just few packers that are already supported by Comodo AV ? Also do you already detect Polip/Polipos? Last time i checked it was still not detected. If not, let me know and i'll send 2 samples. <-QUOTE}
RejZoR
We have a support for 4 main ones at the moment (i don't know which ones top of my head but can find out if you like (i know one is UPX :-) ). we have a team of people working on writing around 27 different unpackers but will take time.
Please do send me the samples so that we can analyse it. Much appreciate it.
We are also extending our heuristic engine to catch viruses without signatures, any help is appreciated.
thanks
Melih
IBK
May 19th, 2006, 03:37 PM
If Comodo permits me to post here the results of their AV solution (against the av-comparatives test-sets), I will do that.
P.S.: I do not tell results in advance or privately to people.
RejZoR
May 19th, 2006, 03:52 PM
I'm certainly interested in results. I hope Comodo guys will grant it. 8)
Even if they don't score that well, thats ok. It's new program so there's still lots of time and room for improvements.
Melih-Comodo
May 19th, 2006, 06:42 PM
{QUOTE-> If Comodo permits me to post here the results of their AV solution (against the av-comparatives test-sets), I will do that.
P.S.: I do not tell results in advance or privately to people. <-QUOTE}
Please go ahead. We know we have to improve detection rates which we do on a daily basis, especially with the next version. Our aim is to have the best detection rate in the market and it will take us a few months to get there ;-) . In order to save you some time, if you wait until the next version (by end of this month) then publish it, it will give us time to improve it further. However, please feel free to publish the current ones if you wish.
Also, you can help us by submitting us virus samples you might find/have, or even help us write some unpackers ( we have 4 in the next release and our guys are busy writing another 27 :-) ) or even have ideas about how to improve heuristic engine. All help welcome :-) Comodo AV is your AV product! You decide what goes in, you decide how it should function, literally!
thanks
Melih
RejZoR
May 19th, 2006, 07:21 PM
Great! IBK, keep us posted :)
IBK
May 20th, 2006, 04:17 AM
Thx for letting me post it.
Test-Set of February used. The scanner is a bit slow. It also crashed sometimes, maybe I will try to find out why when I have time for that.
OtherOS: 9%
othermalware: 19%
script: 8%
worms: 35%
windows: 34%
macro: 12%
backdoors: 25%
trojans: 26%
dos: 29%
TOTAL: 27%
TOTAL without DOS: 24%
It is highly improbable that ComodoAV will ever get the "best detection rate in the market". Currently even the little tool that Inspector C. wrote in 2 weeks is able to find more.
For good reasons, my rules do not allow to help writing your AV product or to send you samples, sorry. But I will from time to time look how your product improves ;).
Stefan Kurtzhals
May 20th, 2006, 04:24 AM
Oh the harsh differences between possibilities and wishful thinking... ::)
rdsu
May 20th, 2006, 04:27 AM
;D
Isn't possible in a few months, but maybe in a few years...
But don't forget that other AV companies want the same... ;)
RejZoR
May 20th, 2006, 04:35 AM
Lack of good packers support is certainly the problem here i'd say. I mean without unpackers you're basically toasted in these days. Let alone other goodies like emulators, generic unpackers, decrypters, heuristics and stuff like that (not to mention lots of signatures!).
But i'm certainly interested to see how it will improve.
If it manages to get up to the Standard ranking on AV-Comparatives test, that would be a very good sign.
Inspector Clouseau
May 20th, 2006, 04:45 AM
{QUOTE-> Lack of good packers support is certainly the problem here i'd say. I mean without unpackers you're basically toasted in these days. Let alone other goodies like emulators, generic unpackers, decrypters, heuristics and stuff like that.
But i'm certainly interested to see how it will improve.
If it manages to get up to the Standard ranking on AV-Comparatives test, that would be a very good sign. <-QUOTE}
It is more than this. Most important thing which comes before all this are fileformats. It starts already with this - exploring fileformats ( such as Nullsoft Installer, Inno, Wise, Installshield etc ) takes a lot of time. Writing an emulator which is able to support an AV Engine in a reasonable way takes for a good team around 2 years and up. All other timeframes and "futuristic" thinking is unrealistic. Including highly complex malware detection took respected av experts sometimes months for only a single virus! Example: Zmist-based stuff. Zmist.D you can easily find - the fun starts with all other variants of this virus. Or ACG dos virus family - without detecting this you will have very bad results at Virus Bulletin ::)
IBK
May 20th, 2006, 05:21 AM
@Melih-Comodo: please correct the table on http://www.antivirus.comodo.com/comparison.html?currency=EUR&region=Europe&country=IS , it contains absolutely wrong information in various points.
Melih-Comodo
May 20th, 2006, 09:15 AM
Let's wait until the end of the month and test it again please with the new version. We have identified a few bugs that caused unpackers (there are 4 at the moment) to give wrong results and some problem with heuristic engine also.
Let's just watch and see (and also do help pls :-) ) how we can continually improve this.
(thanks for the help guys)
Melih
Melih-Comodo
May 20th, 2006, 09:25 AM
{QUOTE-> For good reasons, my rules do not allow to help writing your AV product or to send you samples, sorry. But I will from time to time look how your product improves ;). <-QUOTE}
Aaaahhh, you work for a competitor company who charges for AV (?) and helping us to make AV for free will cause you not to have a job.(?)
You can always come and work with us, all good people are welcome at Comodo :-)
Melih
Melih-Comodo
May 20th, 2006, 09:30 AM
{QUOTE-> It is highly improbable that ComodoAV will ever get the "best detection rate in the market". <-QUOTE}
IBK, thanks for testing the product, one question i have though, on what basis do you think it's highly improbable? Do you know how many people are working on this product or what experience they have, or even what AV product they have written before or what company they worked previously?
Again, thanks for testing and look forward to your continued support in informing everyone at every release so that they can see possible improvements.
thanks
Melih
IBK
May 20th, 2006, 09:59 AM
{QUOTE-> IBK, thanks for testing the product, one question i have though, on what basis do you think it's highly improbable? Do you know how many people are working on this product or what experience they have, or even what AV product they have written before or what company they worked previously?
<-QUOTE}
Does not matter. Even e.g. Symantec which has many employees and very good av experts and many sources where they get new samples has to work hard to stay under the tops regarding detection rate, a newcomer has a backlog of work to do to reach such a level of quality and as every day new work to do comes, it is probable that it will always stay behind the others. I do not think ComodoAV will ever beat e.g. KAV regarding e.g. detection rate. It's just not realistic imo.
Melih-Comodo
May 20th, 2006, 10:16 AM
{QUOTE-> Does not matter. Even e.g. Symantec which has many employees and very good av experts and many sources where they get new samples has to work hard to stay under the tops regarding detection rate, a newcomer has a backlog of work to do to reach such a level of quality and as every day new work to do comes, it is probable that it will always stay behind the others. I do not think ComodoAV will ever beat e.g. KAV regarding e.g. detection rate. It's just not realistic imo. <-QUOTE}
Ok, thank you for your opinion.
Melih
,.-
May 20th, 2006, 10:49 AM
Contrary to IBK (Andreas Clementi) I am not one of the most well-known AV testers. Nevertheless, here are my 2 cents:
1. I agree with IBK that it will be very hard (if not impossible) for a newcomer to beat Kaspersky's "detection rate".
2. I doubt, however, that the "detection rate" (as determined by standard AV tests) is of utmost importance:
As regards replicating malware (e.g., worms) it's important that you detect the samples that are currently "in the wild". This goal can be reached (also by a newcomer). It's less important that you detect a vast number of zoo nasties.
As regards non-replicating malware the "detection rate" does not really matter. This is because non-replicating malware is usually compressed or otherwise modified. In other words, it's important that you can detect a slightly modified Bifrost trojan and it's quite irrelevant whether you can detect a rare alpha-version of an unstable Chinese keylogger.
Consequently, the size of the signature database should be considered less important than the quality of the scan engine/unpacking engine.
If you test the quality of a scanner (and not the quantity of its signature database) you may easily come to the conclusion that, for instance, the technology used by Kaspersky is far from perfect. This also applies to the static unpacking engine.
3. Unfortunately, major AV testers like IBK or Andreas Marx do not comment on this issue. Therefore, most people solely look at the "detection rate".
I also believe that major AV developers are quite happy with this situation. Because they have already collected a huge malware archive they are in a comfortable position to compete with newcomers (i.e., it would be foolish to admit that size (of the database) does not always matter).
IBK
May 20th, 2006, 11:04 AM
{QUOTE->
As regards replicating malware (e.g., worms) it's important that you detect the samples that are currently "in the wild". This goal can be reached (also by a newcomer). <-QUOTE}
Not really. Even in such tests with such malware only they would usually fail, because they do not have such a big network with companies (e.g. ISPs, large enterprises, etc.) and millions of users thru which they would get the new stuff that is currently around, and therefore will release updates against such nasties too late or never.
,.-
May 20th, 2006, 11:13 AM
1. But such networks can be developed (takes some time though). For example, do you think that Ewido has improved in that respect?
2. Let's assume that major developers have formed some kind of a malware pool (or frequently exchange samples). Let's assume such pool goes beyond the "wild list". I think a newcomer might be entitled to demand access to such pool (against a reasonable fee) under the so-called "essential facilities" doctrine.
IBK
May 20th, 2006, 11:34 AM
Let's wait and see how e.g. ComodoAV will improve over the next years.
OTOH, also MS has a large network, but I also doubt it will get the #1.
Stefan Kurtzhals
May 20th, 2006, 12:22 PM
Even if they had access to all the malware collections - how should they add detection for that huge number of malware in a reasonable time? Including replicating the samples, of course, to detect all the dropped files etc..
Of course, you could just make a CRC of the first section and simply copy the malware name from a Kaspersky log, cough cough...
ITW, who declares what is ITW? And does 100% detection of the Wildcore set really mean a user is protected well? Maybe you should ask those victims of targeted attacks. What about Win32.Polip? It was ITW - let's see if it gets added to the Wildcore set and how the detection of the products really is in the next VB test (if they have the time to replicate a huge test set).
Static unpackers, oh well that problem is known for a long time and there is no solution to this. Those who claimed they found a solution for it failed and went back to mass-adding regular detection if I am not mistaken.
But hey, I am all for repacking malware - the more weird the packers and layers the merrier. :)
So if you want to be the top - how about handling that new Word exploit from 2006/5/19?
,.-
May 20th, 2006, 01:09 PM
"Even if they had access to all the malware collections - how should they add detection for that huge number of malware in a reasonable time?"
2 or 3 (semi-)automatically generated sigs for unpacked samples (e.g., search for relative calls with the help of an automatic disassembler). CRC for packed samples. This will not result in supreme signature quality (but comparable to Kaspersky ;-)
"ITW, who declares what is ITW? "
Agreed. It did not refer to the wildlist or something like that. My point is: also a newcomer should have the chance to add signatures for malware that is currently ITW (regardless of the definition). Maybe not as quick as the big players. But that's it.
I acknowledge of course that it's quite difficult to enter the market for AV scanners. But ordinary AV tests (= barrier to market entry) make it even more difficult because only the size of the signature database (and not the quality of the scan engine) is taken into account.
"Static unpackers, oh well that problem is known for a long time and there is no solution to this."
Do you think that, for example, Ewido's memory scanning technology is completely useless for an AV? If I'm not mistaken Ewido 4 beta features a nice on-access memory scanner. Of course such scanner will not protect you from logical bombs ... but they don't exist anymore. And rootkits can be blocked/detected by other means.
"So if you want to be the top - how about handling that new Word exploit from 2006/5/19?"
Let us know when you are finished ;-)
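The "CRC of the first section" signature that Stefan Kurtzhals and ,.- argue about above, as an added Python sketch that is not part of either post or of any product's code. The function names, the sample image and the detection name are constructed for illustration; the point it shows is that such a signature matches only when the section bytes are identical, while header fields outside the section do not affect it.

```python
import struct
import zlib

def first_section_crc(pe: bytes) -> int:
    """CRC32 over the raw data of the first section of a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header follows the 4-byte signature: NumberOfSections at +6,
    # SizeOfOptionalHeader at +20, optional header starts at +24.
    (num_sections,) = struct.unpack_from("<H", pe, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)
    if num_sections == 0:
        raise ValueError("image has no sections")
    sec = e_lfanew + 24 + opt_size            # first IMAGE_SECTION_HEADER
    raw_size, raw_ptr = struct.unpack_from("<II", pe, sec + 16)
    data = pe[raw_ptr:raw_ptr + raw_size]
    if len(data) != raw_size:
        raise ValueError("section data truncated")
    return zlib.crc32(data) & 0xFFFFFFFF

def scan(pe: bytes, signatures: dict):
    """Return the name stored for this image's first-section CRC, or None."""
    try:
        return signatures.get(first_section_crc(pe))
    except (ValueError, struct.error):
        return None                            # not a parseable PE image

def build_sample(section_data: bytes, entry_point: int = 0x1000) -> bytes:
    """Constructed test image: only the header fields the parser reads are set."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", entry_point)
    opt += b"\0" * (0xE0 - len(opt))
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(section_data), 0x1000,
                      len(section_data), 0x200, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + opt + sec
    return headers.ljust(0x200, b"\0") + section_data

if __name__ == "__main__":
    known = build_sample(bytes(range(64)))     # constructed "known" sample
    db = {first_section_crc(known): "Constructed.Sample.A"}
    print(scan(known, db))                                    # same image
    print(scan(build_sample(bytes(range(64)), 0x1020), db))   # header-only change
    print(scan(build_sample(bytes(range(1, 65))), db))        # different section bytes
```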
RejZoR
May 20th, 2006, 01:12 PM
ITW vs ZOO stuff is complete bullshit.
,.-
May 20th, 2006, 01:23 PM
@RejZoR
Scanner A detects 70% of IBK's trojan/samples samples (including any samples contained in the wildlist during the last 24 months). This scanner uses a sophisticated scan engine /w good heuristics and, therefore, performs very well in IBK's retrospective/ProActive tests.
Scanner B detects 96% of IBK's trojan/worm samples (including any samples contained in the wildlist during the last 24 months). This scanner does not feature any heuristics at all and, moreover, its scan technology is vulnerable to many stupid tricks like changing the entry point, rebasing, etc.
Am I right to assume that you would pick scanner B?
IBK
May 20th, 2006, 01:32 PM
I do not know any scanner A or scanner B which would perform like you say...
the engine of scanner B would be too bad and therefore not be able to reach 96%.
the "sophisticated" engine of scanner A would be too good and therefore would be able to reach at least 80%.
:P
Stefan Kurtzhals
May 20th, 2006, 01:43 PM
{QUOTE-> 2 or 3 (semi-)automatically generated sigs for unpacked samples (e.g., search for relative calls with the help of an automatic disassembler). CRC for packed samples. <-QUOTE}
This requires good unpacking - and you can easily bypass any solution. Ewido is not able to emulate everything, in spite of their ridiculous claims. And last time I checked, they had twice the number of signatures of Kaspersky. So what was the advantage of their approach again? Funny that they don't even have 30% of KAV's detection on the other hand.
And having automated signatures added is SO boring. I want to see some Win32.Polip detection. Oh I forgot. They don't add viruses. Even if they are ITW. Duh...
On Access Memory scan... As if this would help against certain runtime packers. And didn't they have the perfect emulation, why would they need such a thing anyway? I find these contradictions amusing. :)
Rebasing... Oh yes, I remember those huge waves of rebased malware that were supposed to kill us all and end the world (tm). ;-)
{QUOTE-> Let us know when you are finished ;-) <-QUOTE}
Some hours ago, so what?
RejZoR
May 20th, 2006, 01:45 PM
Yes, I'd take scanner "B", because my infection vectors aren't email and IM.
So I need more thorough overall detection and not ultra fast response times and super duper heuristics.
,.-
May 20th, 2006, 02:00 PM
CRC for packed samples. ... "This requires good unpacking"
???
"Ewido is not able to emulate everything, in spite of their ridiculous claims."
You tell ME that?? And why do you always refer to Ewido? Do they scare the hell out of you or what?
"On Access Memory scan... As if this would help against certain runtime packers. And didn't they have the perfect emulation, why would they need such a thing anyway? I find these contradictions amusing."
There is no contradiction because this is not about Ewido. The memory scanner was just an example. Didn't you tell me a few years ago that AntiVir might go that route?
I was asking a real question. Do you think mem scanners do not make any sense for AVs?
"Some hours ago, so what?"
Congrats.
Stefan Kurtzhals
May 20th, 2006, 02:11 PM
Memory scanning (patterns) doesn't make much sense, you will have even more signatures that the user must download. Besides that, the malware is already active and has control over the system. A behaviour blocker is much more effective. I guess that's why everyone is adding them lately. ::)
RejZoR
May 20th, 2006, 03:41 PM
Good thing about behavior blockers is that they don't care about packers and cryptors. So all you have to do is to make a good rollback system and good behavior "patterns", obviously.
IBK
May 22nd, 2006, 05:17 PM
Parite.B (which is ITW): Comodo detects only 21 of 980 samples :(
The detection of samples should be done more reliably, otherwise it's useless.
SDS909
May 22nd, 2006, 08:01 PM
If I was to advise Comodo, I would recommend they shift focus to a more proactive security solution. I think the AV market is getting impossibly hard to gain any ground in unless you are already a player that has been around for years, and have the resources and manpower to devote to it.
I have worked for two companies where I shifted their focus from AV to Proactive systems, and helped manage the development of these tools, and I think it is paying off for them. (or will in one case of a beta product)
Just my advice, the AV world is pretty tight already.
Stefan Kurtzhals
May 23rd, 2006, 03:22 AM
SDS909 is right, but many AV companies are adding behaviour blockers and other pro-active features so even that feature won't be unique anymore.
Inspector Clouseau
May 23rd, 2006, 05:14 AM
{QUOTE-> SDS909 is right, but many AV companies are adding behaviour blockers and other pro-active features so even that feature won't be unique anymore. <-QUOTE}
Exactly. Besides, you need to set straight lines and priorities. Not only priorities, you have to set the correct priorities. This includes for instance to know what is important and what is trivial. Including "as much as possible" viruses isn't the way to go as long as the detection of important stuff is not reliable. And every other company would count the ItW Parite viruses into this category. A bunch of developers cannot make this decision, you need somehow some people with expertise in this field, otherwise you will keep focusing most of the time on stuff which just takes away resources just for the sake of bringing a virus records counter up or to include feature requests from "users" which does not make any sense as long as the most important detections are not taking place. Then you need for the most important stuff proper cleaning. Otherwise your customers will "kill" you when they find out that other solutions are able to clean a virus infection and your solution is only able to delete such infected files. There are several white papers from me available on the internet for the most important ones (e.g. Parite) on how to do that.
Example: http://home.arcor.de/antivirus/parite.html
That shows how to do it completely without emulation, just with static code.
It even shows how to detect this virus properly ;)
This is of course no high-end solution, since you have to make a few more checks, e.g. if it's double infected etc., but at least you get the point where and how to start ;D And this virus is really easy - it is on a difficulty scale from 1 to 10 (10 most difficult) maybe on place 3. Still some companies are having problems obtaining the encrypted values to reconstruct the original binary. If you have an emulator this goes even much easier, but I always prefer to show things without an emulator, because this is somehow more advanced then ;D
pnbalaji
September 16th, 2006, 10:55 AM
Hi,
Does anyone have an update on Comodo Antivirus?
Thanks,
Balaji.
pykko
September 16th, 2006, 03:26 PM
pnbalaji, just download the latest version from their website and then hit Update, as the latest version is not available on their website for download as far as I am concerned.
pnbalaji
September 16th, 2006, 11:59 PM
Hi Pikko,
Thanks for your reply.
However, I am asking about its current detection rate instead of its release version.
Thanks,
Balaji.
RadicalEdward
September 22nd, 2006, 09:49 AM
I too am curious about the development of this product. I am using their firewall, and would also like to know about the current detection rate.