Comodo Antivirus v2: what's new?
EraserHW
February 13th, 2007, 09:22 AM
Someone reported to me that version 2 of the new Comodo Antivirus is in the development phase.
What are the new features of this antivirus? Because I've read this sentence on their forum:
{QUOTE->
None of the other AV's in the market place can come close to CAVS 2 protection that it offers to end users. <-QUOTE}
http://forums.comodo.com/index.php?topic=6272.msg46966#msg46966
So, because it's a bit of a strong sentence, has anyone tried it?
Many thanks :)
Blackcat
February 13th, 2007, 09:26 AM
But not a surprising statement on a Comodo Forum!
Stefan Kurtzhals
February 13th, 2007, 09:28 AM
I guess they meant no other company on the market comes close to the level of fooling customers as they do?
Before making wild claims, they should participate in some serious tests (Marx, Clementi, VB).
CJsDad
February 13th, 2007, 09:33 AM
"Replacing Kaspersky as the most recommended AV" ??????????????
Preaching to the choir is what you get at Comodo.
cheater87
February 13th, 2007, 09:48 AM
I'm thinking of getting Comodo Antivirus when I see how the final version is.
Oliver.S
February 13th, 2007, 10:12 AM
http://forums.comodo.com/index.php?PHPSESSID=5d24c6df6e78abea96b590d9492cc0fa&topic=6272.msg46966#msg46966
A bold claim, I'd say. Guess I am going to lose my job now that the perfect AV solution finally exists ;) ;D
// Oliver (FSI)
TOMxEU
February 13th, 2007, 10:48 AM
If Comodo AV is going to be half of what their firewall is, then KAV has no chance.
Maybe I will replace MWAV with Comodo, but I will wait for AV Comparatives results.
plantextract
February 13th, 2007, 11:46 AM
{QUOTE-> "Replacing Kaspersky as the most recommended AV" ??????????????
Preaching to the choir is what you get at Comodo. <-QUOTE}
you should have copied the whole post:
"replacing Kaspersky as our "Most Recommended AV"
They can recommend what they want on their forums, doesn't mean that someone will fall for it.
Pedro
February 13th, 2007, 12:11 PM
Also, "customers" is a stretch;)
It's freeware, and in beta. So let's just wait until it comes out, ok?
Technodrome
February 13th, 2007, 12:15 PM
This is it people…the moment of truth. CAV is the only antivirus that you’ll ever need. Dang, I feel sorry for AV industry. Gotta start selling my stock shares…
tD
CJsDad
February 13th, 2007, 12:48 PM
{QUOTE-> you should have copied the whole post:
"replacing Kaspersky as our "Most Recommended AV"
They can recommend what they want on their forums, doesn't mean that someone will fall for it. <-QUOTE}
Trust me there was A LOT more I read I could have posted but I was laughing too hard to do it.
I don't really care what they recommend on their forum but if they're going to lay claims to the BEST AV at least have some legitimate proof/testing to do it, like I said "preaching to the choir"
solcroft
February 13th, 2007, 12:57 PM
Seeing as what they've done with their firewall, I'm not going to wholeheartedly embrace Comodo's claims, but I wouldn't be so quick to dismiss them either.
Have any of the skeptics in this thread actually downloaded and tried the software, by any chance?
plantextract
February 13th, 2007, 01:05 PM
{QUOTE-> Trust me there was A LOT more I read I could have posted but I was laughing too hard to do it.
I don't really care what they recommend on their forum but if they're going to lay claims to the BEST AV at least have some legitimate proof/testing to do it, like I said "preaching to the choir" <-QUOTE}
but isn't that a problem here too (given not targeted at a specific AV), a lot of users recommend AVs as "best" based on personal preference, and use test links that only show a slight advantage to competitor X, then another user posts a test where the tables are turned and AV X leads by a couple of percent. Others also recommend AVs even if they are rated inferior to others in independent testing. (I'm not naming any of them)
CJsDad
February 13th, 2007, 01:18 PM
I'm not talking about personal preference, everyone has a personal choice when it comes to deciding security programs, it would help to see some testing on this AV though to back up what they are saying.
CAV is still in its beta stage correct ?
Yet none of the other AV's can come close to its protection ?
That's a serious statement to lay claims to.
Hey if I'm wrong, I'm wrong and I'll admit it but a beta version of an AV that is stronger than Kaspersky, NOD32, Avira, etc., well I sure as hell would like to see the proof, that's all, nothing more, nothing less.
Not bashing Comodo I just want to see if the AV can back up what it claims, that's all.
Pedro
February 13th, 2007, 01:26 PM
This was not an article, or white paper! Not written in stone! This is somebody personally involved in the development of the said AV (hell, he's the boss!), saying that on his company's forum! To Comodo's users!
Could he just not say this? Yes, it's always better to refrain from these "claims". But is it that bad, or even an issue?:D
1-beta
2-he's not talking about signatures, but HIPS too. HIPS noisy? He says they're working on ways to keep it quiet.
Let's just wait for the final release, and then for comparatives. Why not, and why the fuss?
lodore
February 13th, 2007, 04:04 PM
oh no i better go switch av again not!;D
it is a big claim.
it's new to the market and i don't think it would have gone from rubbish detection to beating all av's.
i want a proper test done from a professional before i believe even a word of it. (PS this is where IBK comes in!)
they can't dominate all security software markets.
lodore
IBK
February 13th, 2007, 05:04 PM
test results of Comodo AV will be published around the 8th-10th March. 2007.
aigle
February 14th, 2007, 01:15 AM
That would be really interesting.
Thanks.
rdsu
February 14th, 2007, 06:51 AM
{QUOTE-> test results of Comodo AV will be published around the 8th-10th March. 2007. <-QUOTE}
I would like to see the results... :)
DonKid
February 14th, 2007, 08:33 AM
I want to see the results too.
Comodo will beat all companies.
In the marketing area.;D
the insider
February 14th, 2007, 09:47 AM
{QUOTE-> I guess they meant no other company on the market comes close to the level of fooling customers as they do?
Before making wild claims, they should participate in some serious tests (Marx, Clementi, VB). <-QUOTE}
May I remind you of the fact that their claims concerning the Comodo Firewall have become reality : it's the best protection available ! And guess what .... it's not me who is telling these things :
http://www.matousec.com/projects/windows-personal-firewall-analysis/leak-tests-results.php
So, mister Kurtzhals, I suggest you give them the benefit of the doubt that they will make this stick too ???
rdsu
February 14th, 2007, 10:01 AM
the insider,
AVs and firewalls are completely different programs, so you can't compare the development and results... ;)
Remember that AVs depend on signatures, heuristics, emulating, unpackers, etc., and to have all of these the AV companies have to do a very hard job to add support, research malware and receive samples from users...
plantextract
February 14th, 2007, 10:03 AM
{QUOTE-> May I remind you of the fact that their claims concerning the Comodo Firewall have become reality : it's the best protection available ! And guess what .... it's not me who is telling these things :
http://www.matousec.com/projects/windows-personal-firewall-analysis/leak-tests-results.php
So, mister Kurtzhals, I suggest you give them the benefit of the doubt that they will make this stick too ??? <-QUOTE}
in my opinion leaktest protection is a joke, there will always be programs that can bypass software firewalls. stopping them like this doesn't help.
think of it, if something tries to leak it's probably a malware, if it gets to that point when it tries, then it's already running, so you are infected.
the insider
February 14th, 2007, 10:10 AM
It was this sentence which irritated me : "I guess they meant no other company on the market comes close to the level of fooling customers as they do? "
Before anybody makes such statement they should give proof no ?:(
Firecat
February 14th, 2007, 10:46 AM
They used to recommend Kaspersky because they had a good experience with using the engine on the Trustix AV product. I suppose they think that now they have a good engine. But I think it will take more time for them to really be good.
Oliver.S
February 14th, 2007, 10:52 AM
{QUOTE-> May I remind you of the fact that their claims concerning the Comodo Firewall have become reality : it's the best protection available ! And guess what .... it's not me who is telling these things :
http://www.matousec.com/projects/windows-personal-firewall-analysis/leak-tests-results.php <-QUOTE}
Well, after I read that the excellence is in leak protection only I scrolled down a little further to read this:
{QUOTE-> There are lots of technical mistakes, or at least misleading informations, in the second document Agnitum published. For example, the fact that user mode hooks can not be implemented securely is obscured behind proclamations that kernel mode hooks can be unhooked too. We agree that kernel mode hooks can be unhooked. However, unlike user mode hooks, it is possible to prevent their unhooking. A good personal firewall solution should be able to prevent unhooking of its kernel mode hooks. <-QUOTE}
Talking about hooks, not filter drivers, this is total nonsense. How would anyone be able to prevent anything from any other entity in kernel mode? Maybe the kernel designers can to a certain extent (see PatchGuard), normal vendors just can't do it. Oh and mind you, the "funny" implementations of some of the products are risky, to say the least. Yes, I have seen more than one during debugging sessions and in a disassembler (and I mean specifically the kernel mode parts). As a kernel mode developer I hate the problems these freak-drivers cause anyone else!
And even if unhooking fails for some reason, the bluescreen will point at the hooking module, not at the one attempting to unhook it!
... not to comment ignorance of freely available OpenSource implementations, that, if being worked on, would likely perform very good in comparison to those commercial products.
{QUOTE-> Remember that AVs depend on signatures, heuristics, emulating, unpackers, etc., and to have all of these the AV companies have to do a very hard job to add support, research malware and receive samples from users... <-QUOTE}
And development has to be quick as well to keep pace with progress of malware ...
{QUOTE-> in my opinion leaktest protection is a joke, there will always be programs that can bypass software firewalls. stopping them like this doesn't help.
think of it, if something tries to leak it's probably a malware, if it gets to that point when it tries, then it's already running, so you are infected. <-QUOTE}
Full ack!
{QUOTE-> It was this sentence which irritated me : "I guess they meant no other company on the market comes close to the level of fooling customers as they do? "
Before anybody makes such statement they should give proof no ?:( <-QUOTE}
Hmm, and what about the statement by "the boss" of Comodo? No proof needed there?
// Oliver
danieleb
February 14th, 2007, 11:39 AM
{QUOTE-> in my opinion leaktest protection is a joke, there will always be programs that can bypass software firewalls. stopping them like this doesn't help.
think of it, if something tries to leak it's probably a malware, if it gets to that point when it tries, then it's already running, so you are infected. <-QUOTE}
Yes, exactly. I don't bother with them either.
[Probably dumb question:] Why are these (leak) tests not performed using actual known malware samples, like when you test AVs?
TonyW
February 14th, 2007, 07:23 PM
Most of these tests are done with specific software that apparently leaks. I've yet to come across software like that in my day to day use of the computer as I don't just go downloading everything in sight.
FRug
February 15th, 2007, 01:28 AM
Regarding Comodo FW I want to quote the frequently referred matousec page, which also ranked comodo 1st in matters of leak tests:
{QUOTE-> The positive on the security of Comodo Firewall is its excellent ability to fight against leak-tests. It probably was a priority of its vendor to pass all leak-tests. Only the Coat test was able to bypass its protection but we have been informed that the next version of Comodo Firewall will handle this one too.
The implementation of the security design is very superficial. Today's malware creators would not have problems to bypass the protection of Comodo. The development of this firewall probably missed independent betatesting of its security features because the number and the nature of bugs we have found in it is alarming. This is why we can not recommend Comodo Personal Firewall as a personal firewall solution to anyone who require the real protection against today's malware. <-QUOTE}
Read http://www.matousec.com/projects/windows-personal-firewall-analysis/Comodo-Personal-Firewall-2.3.6.81/ for the full review. It also features a quite impressive list of critical bugs. While certainly important, leak tests are very much overrated recently and comodo is a prime example here.
Menorcaman
February 15th, 2007, 04:00 AM
Off topic post removed. Please let's remain focused on Comodo Antivirus v2. Many thanks.
Menorcaman
NAMOR
February 15th, 2007, 06:52 AM
Anyone see the latest post on that thread?
By Melih
{QUOTE->
I have been asked to comment on this thread further as some people confuse Detection with Prevention!
CAVS v2 is all about Prevention! As Quwen or Panic has pointed out with their tests (neither works for Comodo btw) they could not "execute" the malware. eg: malware, even though malware was in your machine. Because CAVS v2 simply denied the ability to execute due to its HIPS functionality which no other AV has. And that is what gives the edge to CAVS v2 for "End User Protection"
The tests that the AV comparison sites do "DO NOT CHECK FOR THIS ABILITY". Those tests will not check to see if malware can execute on your machine or not, but merely if an AV can detect the malware's existence for a known signature. So we need a new testing technique to test effectiveness of "Prevention" (which what CAVS v2 does) rather than "detection" (which is what ordinary AV products do). Because CAVS v2 "PREVENTS" much (MUCH) more malware than any other AV can "Detect". (There is a big difference in "prevention" and "detection" and I really hope people can understand that and not naive enough to just look at detection rate as "how well this AV product will protect me"! Detection is no longer the only measurement for knowing "how well this AV product will protect me"!
We believe "stopping a malware whether it has a known or unknown signature" is the key! Not trying to find the latest virus sample so that AV vendors can create a signature hence leaving the users vulnerable to day zero attacks.
The days of trying to find a virus sample, creating a signature, letting everything in and only stopping bad
compared to
Stopping everything and only letting good in
is well gone!
It's more secure and much easier to stop any unknown executable and only allow the certified executables to get CPU time (eg: execute).
With CAVS v2, that is what we have achieved! The AV landscape will change forever!
Melih
<-QUOTE}
http://forums.comodo.com/index.php/topic,6272.90.html
So is it more of a HIPS application?
plantextract
February 15th, 2007, 07:28 AM
i don't know if what they are using isn't basic execution control, which is very easy to achieve but annoying as hell and of course dependent on the "meat" component in front of the keyboard.
BTW other avs also have hips/behaviour blocking capabilities: norton 2007 - if you tweak it correctly, kaspersky has it, f-secure so they should lay down a bit on the "the only AV that has it" part.
lodore
February 15th, 2007, 10:31 AM
quote "Because CAVS v2 simply denied the ability to execute due to its HIPS functionality which no other AV has"
kaspersky PDM?
if i'm not mistaken pdm in kaspersky is a HIPS and was implemented in kav6.0/kis6.0 months before comodo put HIPS in to their av. so the HIPS which no other av has is simply incorrect.
lodore
NAMOR
February 15th, 2007, 10:51 AM
{QUOTE-> ... pdm in kaspersky is a HIPS and was implemented in kav6.0/kis6.0 months before comodo put HIPS in to their av. so the HIPS which no other av has is simply incorrect.
lodore <-QUOTE}
That's what I'm thinking... Or what about other HIPS programs with AV's like Online Armor Antivirus+ or Safe'n'Sec Personal+Anti-Virus.
lodore
February 15th, 2007, 03:19 PM
that's a very good point also
great minds think alike =D
lodore
C.S.J
February 15th, 2007, 04:53 PM
comodo antivirus...
well, i don't care much for results but i'd rather use MS ONE CARE than comodo's AV.
think that stamps my thoughts on the matter :D
Graystoke
February 15th, 2007, 06:02 PM
So, besides KAV 6 and this new Comodo AV, what other AVs have HIPS?
trjam
February 15th, 2007, 06:02 PM
Ahem...... try it with Antivirs AV, not the suite. My PC is as fast as I can ask and the 2 love each other.
Or try the latest Prevx1 by itself.
ggf31416
February 15th, 2007, 08:21 PM
If you are not a company or organization you can get a good antivirus and a good HIPS for the same price (free) instead of the Comodo AV.
NAMOR
February 15th, 2007, 09:24 PM
{QUOTE-> So, besides KAV 6 and this new Comodo AV, what other AVs have HIPS? <-QUOTE}
F-Secure has a type of HIPS I believe.
Graystoke
February 16th, 2007, 02:57 AM
Thanks NAMOR.
Firecat
February 16th, 2007, 03:35 AM
{QUOTE-> comodo antivirus...
well, i don't care much for results but i'd rather use MS ONE CARE than comodo's AV.
think that stamps my thoughts on the matter :D <-QUOTE}
For that matter, neither Comodo nor Microsoft is a "gold standard" for poor quality of AntiVirus. Yes they are both mediocre but not enough test results are available to truly measure their performance at this time....Besides, there *are* worse AVs out there. Hauri Virobot, AhnLab, etc.
So don't drop the duck on any product just yet, wait for the test results and see how it does, then conclude about its performance. :)
jzhhh
February 16th, 2007, 09:29 AM
:blink: I'm not pretty sure how's that going...so I choose "not use"...
Seishin
February 17th, 2007, 07:37 AM
Use your common sense and stop program bashing.
I suggest reading this info:
1. http://www.markusjansson.net/exp.html
2. http://labmice.techtarget.com/articles/winxpsecuritychecklist.htm
After you go through that security software it's an individual matter, like I prefer driving a Skyline over an Accord. Who cares both run well and fast.
danieleb
February 17th, 2007, 07:58 AM
Please explain: Why do I need a HIPS to stop me from running a executable, and how do I know if it's certified? ???
{QUOTE-> It's more secure and much easier to stop any unknown executable and only allow the certified executables to get CPU time (eg: execute). <-QUOTE}
Thank you!
EraserHW
March 20th, 2007, 10:47 AM
{QUOTE->
It's more secure and much easier to stop any unknown executable and only allow the certified executables to get CPU time (eg: execute).
<-QUOTE}
http://img217.imageshack.us/img217/7686/hipsalertml6.jpg
Well, at least you can't say it doesn't work ;D
http://forums.comodo.com/index.php/topic,7343.0.html
(just kidding a bit ;D :) )
Inspector Clouseau
March 20th, 2007, 10:51 AM
omg ::)
Oliver.S
March 20th, 2007, 10:58 AM
Well, they've got that special kind of humor ;D ;D ;D
@EraserHW: Have you sent them the file for analysis?;) ;D
EraserHW
March 20th, 2007, 10:59 AM
{QUOTE->
@EraserHW: Have you sent them the file for analysis?;) ;D <-QUOTE}
Oh man, not yet....I'm too busy today to send the sample ;D
Macstorm
March 20th, 2007, 11:04 AM
Just read the comodo forums as well, they are funny ;D
Comodo dev. team must be working very hard these days because of the latest av-comparatives tests...
Pedro
March 20th, 2007, 11:15 AM
Safelist is not being used in the beta nor the firewall....
Always better to ask...
Macstorm
March 20th, 2007, 11:27 AM
{QUOTE-> None of the other AV's in the market place can come close to CAVS 2 protection that it offers to end users. <-QUOTE}
Of course no other AV can...
Comodo is lightyears behind from competitors ::)
Arkangyal
April 4th, 2007, 02:59 PM
(First of all, i'm a beta tester at CAVS. I saw how much they worked on problems we've reported and i've tested many releases.)
One of the few new features is that you can work with more AV scanners. While CAVS isn't as good as the old names, i guess you should give it a try to use it as another security layer.
The HIPS will only ask to run a file IF that's not a safe file. Under safe, they mean they got it in their safe database list. The big deal is where you can't imagine examples, like: run a scheduled task with a malware executable (earlier there were some weak points at the windows scheduler and you can use it at command prompt with the AT word), many AV applications won't say a word regarding this file if they don't have good HIPS or an excellent heuristic. So, by my opinion, HIPS is a very good feature.
It's not like just saying it's an executable file (whatever this means, but you can find a nice tool at Trojan Hunter's page).
Incremental scan using the safe list is another good feature: (this is from the vendor's home, my English isn't perfect, yet) The incremental scan will skip over the files that are listed as ‘safe’ in Comodo’s internal safe list. This reduces total scan time and accelerates both the identification and disinfection of corrupted files. It will also greatly enhance system performance on older computers. Incremental scanning is available as an option in both On Demand Scans and On Access scans.
Mapped network drive scanning. While at some commercial applications you must pay a fee for scanning network drives, it's free in CAVS. Ex.:
1. you got your friends machine in the nearby;
2. both of you will set up your firewalls and discuss user rights/passwords;
(In our example we will scan our friends C: drive and we will use drive letter Z:)
3. type in "net use z: \\friend-pc\c$"
or with an IP
"net use z: \\192.168.123.123\c$"
4. from now on you can scan your friend's C: drive!
Manual quarantine possibility with your own description and it can stop e-mail worms.
On the other hand:
I don't think CAVS heuristic is too good but as i saw that BOClean news, i think they are on the way to create a much better one.
I don't think the av isn't resource hungry, many of us know AVs which need less memory (i think many people will believe that the "System Resource Friendly" text will lead to low resource usage which isn't 100% right, so read all the text there).
The detection rate is still below the big ones.
So, anyway, it's always good as another layer, you don't have to uninstall your current antivirus software (far as i know). Sorry for my English guys, but i'm always trying my best :)!
Arki
solcroft
April 5th, 2007, 02:10 AM
{QUOTE-> The HIPS will only ask to run a file IF that's not a safe file. Under safe, they mean they got it in their safe database list. The big deal is where you can't imagine examples, like: run a scheduled task with a malware executable (earlier there were some weak points at the windows scheduler and you can use it at command prompt with the AT word), many AV applications won't say a word regarding this file if they don't have good HIPS or an excellent heuristic. <-QUOTE}
As far as I can tell, CAVS' so-called "HIPS" seems to be no more than a glorified whitelist, in the sense that it pops up an alert when you try to execute an unknown file, and doesn't appear to do much else. All it does is add an extra layer of annoyance for users - if it really does help in stopping malware, the digital signatures function in XP would've wiped out malware pandemics years ago.
Arkangyal
April 5th, 2007, 01:51 PM
You didn't read security issues related to scheduled security holes, did you? And it was only an example for a case the executable is running with SYSTEM rights (whatever named list we're speaking about).
solcroft
April 5th, 2007, 11:29 PM
{QUOTE-> You didn't read security issues related to scheduled security holes, did you? And it was only an example for a case the executable is running with SYSTEM rights (whatever named list we're speaking about). <-QUOTE}
I don't really understand what you said, but it seems like my interpretation of CAVS' "HIPS" wasn't too far off the mark.