Wilders Security Forums > Security Products > other anti-malware software
COMODO Internet Security 5.x Thread
#226  August 8th, 2011, 03:52 PM
Hungry Man
Re: COMODO Internet Security 5.x Thread

How so? Isn't heuristics by definition checking behaviors?
#227  August 8th, 2011, 04:24 PM
lordraiden
Re: COMODO Internet Security 5.x Thread

Quote:
Originally Posted by Hungry Man
How so? Isn't heuristics by definition checking behaviors?

Just saying that the "heuristics" of a BB and of an AV work in different ways.
There is no overlap between AV heuristics and any BB.
__________________
Comodo Internet Security (No AV)
ZeroVulnerabilityLabs ExploitShield | Trusteer Rapport | TrueCrypt | EMET | Secunia PSI
Firefox: Addon security and privacy collection: https://addons.mozilla.org/en-us/fir...den/favorites/
#228  August 8th, 2011, 06:26 PM
IvoShoen
COMODO Internet Security 5.8.199581.2037 BETA Released

https://forums.comodo.com/beta-corne...-t74771.0.html

What's new in 5.8 BETA?
At a glance, the following new features are the noteworthy changes in this release:
NEW! Strengthened HIPS on 64-bit operating systems: HIPS has been architected in such a way that now many parts of it are as strong as on 32-bit operating systems. Previously, it was possible to bypass some of the protections, such as COM interface access, etc.
NEW! Seamless integration with COMODO Endpoint Security Manager (ESM): Now any CIS endpoint can be instantly turned into a centrally managed endpoint from the clients! Requires ESM 2.0 and later.
NEW! Antivirus scanning progress: In this release, CAV can now show the percentage of the completed scan.
NEW! CIS 5.8 has a new UI theme.
IMPROVED! CAV real-time scanning performance in Stateful mode.
#229  August 8th, 2011, 07:24 PM
JRViejo (Global Moderator)
Re: COMODO Internet Security 5.x Thread

Merged Threads to Continue Same Topic!
__________________
JR
"You don't have to win every argument. Agree to disagree." Regina Brett
#230  August 8th, 2011, 07:36 PM
Hungry Man
Re: COMODO Internet Security 5.x Thread

Quote:
Originally Posted by lordraiden
Just saying that the "heuristics" of a BB and of an AV work in different ways.
There is no overlap btw av heuristics and any BB
I can't see how there couldn't be overlap considering they both check the behavior of a program. I could be confused though, I'd be happy to be wrong considering I use both.
#231  August 8th, 2011, 08:57 PM
andyman35
Re: COMODO Internet Security 5.x Thread

Quote:
Originally Posted by Hungry Man
I can't see how there couldn't be overlap considering they both check the behavior of a program. I could be confused though, I'd be happy to be wrong considering I use both.

Heuristics and BB actually work quite differently. In simplistic terms, heuristics looks for code similarities to known malware in the database; the more aggressively it functions, the more propensity for FPs. BB doesn't compare the code; rather, it assigns a rating based upon a number of "malicious-like activity" indicators, and once a certain threshold is reached an alert is triggered.

There's a lot more to it of course and the term heuristics covers a broad spectrum within various AVs.
#232  August 8th, 2011, 08:58 PM
Hungry Man
Re: COMODO Internet Security 5.x Thread

Oh, interesting. I thought heuristics emulated malware to see if it did anything suspicious. Or are the two related?
#233  August 8th, 2011, 09:40 PM
pegr
Re: COMODO Internet Security 5.x Thread

Quote:
Originally Posted by Hungry Man
Oh, interesting. I thought heuristics emulated malware to see if it did anything suspicious. Or are the two related?
The following article from the ESET Knowledgebase contains a good description of two types of heuristics, typically used by AVs: in this case NOD32.

http://kb.eset.com/esetkb/index?page=content&id=SOLN127

What ESET calls active heuristics does involve emulation, but passive heuristics doesn't. An intelligent BB is different from either of these two types of heuristics due to the presence of a judgement module that scores behaviour and triggers an alert when a threshold has been reached, as andyman35 has already explained.
#234  August 8th, 2011, 09:47 PM
Hungry Man
Re: COMODO Internet Security 5.x Thread

Thanks for the article, I'll give it a read.

Glad to hear that there's a significant difference. Always happy to learn something new.

>_< I am still a bit confused though. I'll just take your word on it.
Last edited by Hungry Man : August 8th, 2011 at 10:02 PM.
#235  August 8th, 2011, 10:10 PM
pegr
Re: COMODO Internet Security 5.x Thread

Quote:
Originally Posted by Hungry Man
Thanks for the article, I'll give it a read.

Glad to hear that there's a significant difference. Always happy to learn something new.
Actually, I think I should have been a little clearer because there are a few other points worth making.

In the broadest sense of the term, heuristic simply means the use of rule-of-thumb methods for making decisions when a deterministic algorithmic procedure isn't available. In the case of malware detection, the use of heuristics may involve analysing behaviour dynamically, although not necessarily as the ESET article shows.

Intelligent BBs such as Mamutu and ThreatFire can be said to use heuristic methods in the broad sense of the term, but they operate very differently from the way a typical AV operates. An AV aims to prevent malware prior to execution. If code execution is used as part of a heuristic procedure to analyse behaviour, it takes place within a virtualized, sandboxed environment. If the AV is successful at detecting the malware, no infection occurs. If unsuccessful, the AV is bypassed and the malware is free to deliver its payload.

With an intelligent BB, code execution is not emulated because it takes place within the real environment. Execution is continuously monitored as it progresses and may be terminated at any point by the BB. Unlike an AV, which is all or nothing, a BB may have partially allowed malware to execute before it is stopped, so some damage may have already occurred.
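To make the distinction drawn in andyman35's post (#231) and pegr's post (#235) concrete, here is an added example, not code from Comodo, Mamutu, ThreatFire or anyone in the thread. It puts a toy behaviour blocker, which scores "malicious-like activity" indicators as a process runs and terminates it once a threshold is reached, beside a toy pre-execution static heuristic that counts matches against code fragments. The indicator names, weights, threshold and byte fragments are all assumed values chosen for the illustration. The BB verdict also reports which events were already allowed to run before the stop, which is the "some damage may have already occurred" point above; the static check has no such list because nothing executes.

```python
"""Added example, not Comodo/Mamutu/ThreatFire code: a toy behaviour blocker
(score-and-threshold over runtime events) beside a toy static heuristic
(pre-execution fragment matching). All names, weights and fragments are
assumed values for the illustration."""
from dataclasses import dataclass, field

# Assumed per-indicator weights (hypothetical); a real BB tunes these empirically.
INDICATOR_WEIGHTS = {
    "file_read": 0,                  # ordinary activity, contributes nothing
    "network_connect_unknown": 1,
    "drop_exe_to_temp": 2,
    "autorun_registry_write": 3,     # persistence via a Run key
    "remote_thread_inject": 5,       # code injection into another process
    "disable_security_service": 6,
}
ALERT_THRESHOLD = 8  # assumed: alert and terminate once the running score reaches this


@dataclass
class BbVerdict:
    blocked: bool
    score: int
    allowed_events: list = field(default_factory=list)  # events that ran before the stop


def behaviour_block(events):
    """Score a process event by event while it runs in the real environment.

    The process is terminated the moment the cumulative score reaches the
    threshold; everything before that point has already executed. Unknown
    event names score 0.
    """
    score = 0
    allowed = []
    for event in events:
        score += INDICATOR_WEIGHTS.get(event, 0)
        if score >= ALERT_THRESHOLD:
            return BbVerdict(blocked=True, score=score, allowed_events=allowed)
        allowed.append(event)
    return BbVerdict(blocked=False, score=score, allowed_events=allowed)


# Constructed fragments standing in for "code similar to known malware";
# they are not real signatures.
KNOWN_MALWARE_FRAGMENTS = [
    b"\x55\x8b\xec\xe8\x00\x00\x00\x00\x5b",  # push ebp / mov ebp,esp / call $+5 / pop ebx
    b"CreateRemoteThread",
    b"SeDebugPrivilege",
]


def static_heuristic(code: bytes, min_matches: int = 1):
    """Pre-execution check: flag the file if at least min_matches fragments occur.

    Nothing runs; the verdict is all-or-nothing before execution. A lower
    min_matches is a more aggressive setting and raises the false-positive
    rate. Returns (flagged, number_of_matches).
    """
    matches = sum(1 for fragment in KNOWN_MALWARE_FRAGMENTS if fragment in code)
    return matches >= min_matches, matches


if __name__ == "__main__":
    # Constructed event trace of a dropper-style process.
    trace = ["file_read", "drop_exe_to_temp", "autorun_registry_write",
             "remote_thread_inject", "disable_security_service"]
    v = behaviour_block(trace)
    print(f"BB blocked={v.blocked} score={v.score} already_ran={v.allowed_events}")
    # A legitimate debugger build that merely names an injection API.
    sample = b"MZ... debugger build, uses CreateRemoteThread ..."
    print("aggressive  (min_matches=1):", static_heuristic(sample))
    print("conservative (min_matches=2):", static_heuristic(sample, min_matches=2))
```

With the constructed trace the BB stops the process at the fourth event (score 10), but the temp-file drop and the Run-key write have already happened; the static check flags the debugger binary at the aggressive setting and passes it at the conservative one, which is the FP trade-off andyman35 describes.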
#236  August 8th, 2011, 10:24 PM
Hungry Man
Re: COMODO Internet Security 5.x Thread

Right, so there are some similarities but when you get to the specifics they're different. That's kinda what I figured.
#237  August 9th, 2011, 07:43 AM
lordraiden
Re: COMODO Internet Security 5.x Thread

http://forums.comodo.com/news-announ...74019.225.html

Quote:
Changes that v6 will bring are virtualization for automatic sandboxing and new solutions for reducing the COM and Global Hook alerts.

More info about v6, I guess that there will be more things to be added.
__________________
Comodo Internet Security (No AV)
ZeroVulnerabilityLabs ExploitShield | Trusteer Rapport | TrueCrypt | EMET | Secunia PSI
Firefox: Addon security and privacy collection: https://addons.mozilla.org/en-us/fir...den/favorites/
#238  August 9th, 2011, 07:56 AM
Hungry Man
Re: COMODO Internet Security 5.x Thread

I'd hope it's more than full virtualization =p

What I'd like to see is more customization of sandboxing levels as well as full virtualization.
#239  August 10th, 2011, 09:19 AM
lordraiden
Re: COMODO Internet Security 5.x Thread

A new test of Valkyrie

Take into account:
- Valkyrie is still at a beta/development stage.
- Valkyrie is another engine to be added to Comodo Cloud.
- Most of the false positives will not appear when it is released, because they are part of the Comodo whitelist and TVL.
- In this test only Valkyrie heuristics are being tested, not the weighting with CAMAS, CAV and the whitelist. This will probably decrease the FPs and increase the detection of 0-day malware.

- Notice that the FPs and the missing detections have already been fixed.

More details: https://forums.comodo.com/news-annou...-t75247.0.html
http://valkyrie.comodo.com/Default.aspx

Quote:
Hi.
I've just done my Valkyrie test.

I was testing 2 things:

False positives (on 150 legit exe files)
Detection test (on 200 malware samples)


1. Safe application set:

I collected 150 safe exe files. In general about 80-90% of these files were system files.
The others were from various applications like:

- Ashampoo Burning Studio
- wtw (IM software)
- Comodo Time Machine
- Expressivo
- FreeYouTubeToMP3Converter
- Comodo programs manager
- iSpy
- SpyShelter
- few drivers.

2. Unsafe application set.

Collected 200 unsafe files. They were fresh; some PUPs were in this set.
I was very strict in rating, and Valkyrie didn't pass some of those, because only its heuristic detectors didn't catch the file (AV expert or CAV, CIMA said that it's malware; I didn't take this into account, I was testing only heuristics).

Results

SAFE APPLICATIONS

Total safe files: 150
Rated correctly by Valkyrie: 148
Score: 98.66%

Comment: Valkyrie is very reliable in detecting safe applications; false positives are very rare.


MALWARE APPLICATIONS:

Total malware files: 200
Rated as malware by Valkyrie: 170
Score: 85%

Comment: It's a very good score, detection of 85% of unknown malware. The test was strict.
__________________
Comodo Internet Security (No AV)
ZeroVulnerabilityLabs ExploitShield | Trusteer Rapport | TrueCrypt | EMET | Secunia PSI
Firefox: Addon security and privacy collection: https://addons.mozilla.org/en-us/fir...den/favorites/

Last edited by lordraiden : August 10th, 2011 at 09:32 AM.
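The counts quoted in the test above (148 of 150 safe files rated correctly, 170 of 200 malware samples detected) are small samples, and the post itself notes that the whitelist was not applied. Here is an added example, not Comodo's or the tester's scoring code, that turns such counts into a confusion matrix, detection and false-positive rates, and 95% Wilson confidence intervals, and then shows what a whitelist override does to the FP figure. The verdict lists are constructed to reproduce the quoted counts; no real sample set is involved, and the whitelist is represented simply as a set of list indices standing in for known-good hashes.

```python
"""Added example, not Comodo's or the tester's code: confusion matrix, rates
and 95% Wilson intervals for a detection test, plus a whitelist override.
The verdict lists below are constructed to match the quoted counts."""
import math


def wilson_interval(successes: int, n: int, z: float = 1.96):
    """Two-sided Wilson score interval for a binomial proportion (z=1.96 -> 95%)."""
    if n <= 0:
        raise ValueError("n must be positive")
    p = successes / n
    z2 = z * z
    denom = 1 + z2 / n
    centre = (p + z2 / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z2 / (4 * n * n)) / denom
    return centre - half, centre + half


def score_test(safe_verdicts, malware_verdicts):
    """Verdict lists hold bools: True means the engine called the file malicious."""
    fp = sum(safe_verdicts)
    tn = len(safe_verdicts) - fp
    tp = sum(malware_verdicts)
    fn = len(malware_verdicts) - tp
    return {
        "confusion": {"tp": tp, "fn": fn, "fp": fp, "tn": tn},
        "detection_rate": tp / len(malware_verdicts),
        "fp_rate": fp / len(safe_verdicts),
        "precision": tp / (tp + fp) if tp + fp else 0.0,
        "detection_ci95": wilson_interval(tp, len(malware_verdicts)),
        "fp_ci95": wilson_interval(fp, len(safe_verdicts)),
    }


def apply_whitelist(verdicts, whitelisted):
    """Override a heuristic 'malicious' verdict for files on a known-good list.

    whitelisted is a set of indices into verdicts (standing in for hashes on a
    vendor whitelist). It only flips True -> False, so it can lower the FP
    count but cannot raise detection.
    """
    return [False if i in whitelisted else v for i, v in enumerate(verdicts)]


# Constructed verdict lists reproducing the quoted counts.
SAFE_VERDICTS = [False] * 148 + [True] * 2      # 2 false positives
MALWARE_VERDICTS = [True] * 170 + [False] * 30  # 30 misses


if __name__ == "__main__":
    r = score_test(SAFE_VERDICTS, MALWARE_VERDICTS)
    lo, hi = r["detection_ci95"]
    print(f"detection {r['detection_rate']:.1%}  95% CI {lo:.1%}..{hi:.1%}")
    lo, hi = r["fp_ci95"]
    print(f"FP rate   {r['fp_rate']:.2%}  95% CI {lo:.2%}..{hi:.2%}")
    # Whitelisting the two flagged safe files (indices 148 and 149) gives 0 FPs,
    # but with only 150 files the interval's upper bound stays near 2.5%.
    r2 = score_test(apply_whitelist(SAFE_VERDICTS, {148, 149}), MALWARE_VERDICTS)
    print(f"after whitelist: FP rate {r2['fp_rate']:.2%}  upper CI {r2['fp_ci95'][1]:.2%}")
```

On these numbers the detection rate is 85% with a 95% interval of roughly 79% to 89%, and the FP rate is 2/150 = 1.33% with an interval of roughly 0.4% to 4.7%; after whitelisting both flagged files the observed FP rate is 0%, yet the upper bound is still about 2.5%, which is the caveat to keep in mind when a 150-file set is used to call false positives "very rare".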
#240  August 10th, 2011, 03:52 PM
Hungry Man
Re: COMODO Internet Security 5.x Thread

85% malware corrected with 1.34% FP's. Very good.
#241  August 10th, 2011, 06:30 PM
Nizarawi
Re: COMODO Internet Security 5.x Thread

I like to see a new real engine,

not a cloud engine.
#242  August 10th, 2011, 07:11 PM
jmonge
Re: COMODO Internet Security 5.x Thread

Still good results, my friend.
__________________
Emsisoft Anti-Malware 7.0/WebRo0t AntiVirus 2o13
#243  August 10th, 2011, 08:38 PM
Hungry Man
Re: COMODO Internet Security 5.x Thread

I'd much rather they spend time on the cloud engine over the local one.
#244  August 10th, 2011, 08:57 PM
SweX
Re: COMODO Internet Security 5.x Thread

Quote:
Originally Posted by Hungry Man
I'd much rather they spend time on the cloud engine over the local one.
__________________
OpenDNS ESET Smart Security
-A Heavy product is not the same as a Bloated product and vice versa-
#245  August 10th, 2011, 10:13 PM
Nizarawi
Re: COMODO Internet Security 5.x Thread

Quote:
Originally Posted by Hungry Man
I'd much rather they spend time on the cloud engine over the local one.

#246  August 11th, 2011, 01:12 AM
Noob
Re: COMODO Internet Security 5.x Thread

I would like them to balance both.
__________________
Emsisoft Anti-Malware v7.0.0.21 - Online Armor 6.0.0.1736
SRP - UAC - EMET

Browser: Google Chrome v25.xx

Windows 7 Ultimate x64
#247  August 11th, 2011, 02:14 AM
Hungry Man
Re: COMODO Internet Security 5.x Thread

In an ideal world they could have development equal on both ends. But that's not always how it works.

Cloud-based scans/heuristics are:
a) MUCH lighter on resources
b) always up to date

Realtime is heavy (even stateful, though I love the idea) and you have to update.
#248  August 11th, 2011, 02:31 PM
lordraiden
Re: COMODO Internet Security 5.x Thread

Anyway, even being just a cloud scanner, it will help the local scanner; I mean that probably a few hours after a detection using Valkyrie, a signature will be created for CAV.
In fact, Valkyrie already takes into account (includes) CAMAS and CAV in the verdicts, so it is going to be like a global solution.
__________________
Comodo Internet Security (No AV)
ZeroVulnerabilityLabs ExploitShield | Trusteer Rapport | TrueCrypt | EMET | Secunia PSI
Firefox: Addon security and privacy collection: https://addons.mozilla.org/en-us/fir...den/favorites/
#249  August 11th, 2011, 02:46 PM
blacknight
Re: COMODO Internet Security 5.x Thread

I'm surprised that in a thread about CIS, and in this section, the most important feature of a security suite seems to be the AV.
__________________
We are such stuff
As dreams are made on.
#250  August 11th, 2011, 04:44 PM
cruelsister
Re: COMODO Internet Security 5.x Thread

I guess it is because the perception that the AV is subpar keeps people away from the product. There are many here that will only use D+ and add another real-time AV.
__________________
Whom the Gods would destroy, they first make Proud
 
