Free Comodo AV is out!

Discussion in 'other anti-virus software' started by Spyros, May 3, 2006.

Thread Status:
Not open for further replies.
  1. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,886
    Location:
    Innsbruck (Austria)
    Not really. Even in such tests with such malware only they would usually fail, because they do not have such a big network with companies (e.g. ISP, large enterprises, etc.) and millions of users through which they would get the new stuff that is currently around, and therefore will release updates against such nasties too late or never.
     
  2. comma dor dash

    comma dor dash Registered Member

    Joined:
    Jun 5, 2005
    Posts:
    146
    1.
    But such networks can be developed (takes some time though). For example, do you think that Ewido has improved in that respect?

    2.
    Let's assume that major developers have formed some kind of a malware pool (or frequently exchange samples). Let's assume such pool goes beyond the "wild list". I think a newcomer might be entitled to demand access to such pool (against a reasonable fee) under the so-called "essential facilities" doctrine.
     
  3. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,886
    Location:
    Innsbruck (Austria)
    Let's wait and see how e.g. ComodoAV will improve over the next years.
    OTOH, also MS has a large network, but I also doubt it will get the #1.
     
    Last edited: May 20, 2006
  4. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    Even if they had access to all the malware collections - how should they add detection for that huge number of malware in a reasonable time? Including replicating the samples, of course, to detect all the dropped files etc..
    Of course, you could just make a CRC of the first section and simply copy the malware name from a Kaspersky log, cough cough...

    ITW, who declares what is ITW? And does 100% detection of the Wildcore set really mean a user is protected well? Maybe you should ask those victims of targeted attacks. What about Win32.Polip? It was ITW - let's see if it gets added to the Wildcore set and how the detection of the products really is in the next VB test (if they have the time to replicate a huge test set).

    Static unpackers, oh well that problem is known for a long time and there is no solution to this. Those who claimed they found a solution for it failed and went back to mass-adding regular detection if I am not mistaken.
    But hey, I am all for repacking malware - the more weird the packers and layers the merrier. :)

    So if you want to be the top - how about handling that new Word exploit from 2006/5/19?
     
  5. comma dor dash

    comma dor dash Registered Member

    Joined:
    Jun 5, 2005
    Posts:
    146
    "Even if they had access to all the malware collections - how should they add detection for that huge number of malware in a reasonable time?"

    2 or 3 (semi-)automatically generated sigs for unpacked samples (e.g., search for relative calls with the help of an automatic disassembler). CRC for packed samples. This will not result in supreme signature quality (but comparable to Kaspersky ;-)

    "ITW, who declares what is ITW? "

    Agreed. It did not refer to the wildlist or something like that. My point is: also a newcomer should have the chance to add signatures for malware that is currently ITW (regardless of the definition). Maybe not as quick as the big players. But that's it.

    I acknowledge of course that it's quite difficult to enter the market for AV scanners. But ordinary AV tests (= barrier to market entry) make it even more difficult because only the size of the signature database (and not the quality of the scan engine) is taken into account.

    "Static unpackers, oh well that problem is known for a long time and there is no solution to this."

    Do you think that, for example, Ewido's memory scanning technology is completely useless for an AV? If I'm not mistaken Ewido 4 beta features a nice on-access memory scanner. Of course such scanner will not protect you from logical bombs ... but they don't exist anymore. And rootkits can be blocked/detected by other means.

    "So if you want to be the top - how about handling that new Word exploit from 2006/5/19?"

    Let us know when you are finished ;-)
     
    Last edited: May 20, 2006
  6. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    ITW vs ZOO stuff is complete bullshit.
     
  7. comma dor dash

    comma dor dash Registered Member

    Joined:
    Jun 5, 2005
    Posts:
    146
    @RejZoR

    Scanner A detects 70% of IBK's trojan/worm samples (including any samples contained in the wildlist during the last 24 months). This scanner uses a sophisticated scan engine with good heuristics and, therefore, performs very well in IBK's retrospective/ProActive tests.

    Scanner B detects 96% of IBK's trojan/worm samples (including any samples contained in the wildlist during the last 24 months). This scanner does not feature any heuristics at all and, moreover, its scan technology is vulnerable to many stupid tricks like changing the entry point, rebasing, etc.

    Am I right to assume that you would pick scanner B?
     
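Post 4 mentions taking a CRC of a sample's first section as a cheap signature, and post 7 argues that such scanners fall to trivial edits. The following is an added example (not code from the thread or from any product discussed in it) that builds a constructed minimal PE image in memory, parses its section table, and shows the brittleness of a first-section CRC: a header-only change such as moving the entry point keeps the hit, while a single byte changed inside the section loses it.

```python
import struct
import zlib


def build_min_pe(section_data: bytes, entry_rva: int = 0x1000) -> bytes:
    """Constructed, non-runnable PE32 image with one section (demo input only)."""
    raw_off = 0x200                                   # first section's file offset
    dos = (b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\x00")
    opt_size = 0xE0                                   # PE32 optional header size
    # COFF header: machine, nsections, timestamp, symtab ptr, nsyms, opt size, flags
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    # Optional header prefix up to BaseOfCode; AddressOfEntryPoint is entry_rva
    opt = struct.pack("<HBBIIIII", 0x10B, 6, 0, len(section_data), 0, 0,
                      entry_rva, 0x1000).ljust(opt_size, b"\x00")
    # IMAGE_SECTION_HEADER for .text: vsize, va, raw size, raw off, ..., flags
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(section_data), 0x1000,
                      len(section_data), raw_off, 0, 0, 0, 0, 0x60000020)
    hdr = (dos + b"PE\x00\x00" + coff + opt + sec).ljust(raw_off, b"\x00")
    return hdr + section_data


def first_section_crc(pe: bytes) -> tuple[str, int]:
    """Walk MZ -> PE -> COFF -> section table; return (name, CRC32) of section 1."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    if nsec == 0:
        raise ValueError("no sections")
    sec = coff + 20 + opt_size                        # first section header
    name, _vsize, _va, raw_size, raw_off = struct.unpack_from("<8sIIII", pe, sec)
    data = pe[raw_off:raw_off + raw_size]
    if len(data) != raw_size:
        raise ValueError("section raw data truncated")
    return name.rstrip(b"\x00").decode(), zlib.crc32(data) & 0xFFFFFFFF


# Constructed sample body: filler bytes standing in for a packed section.
BODY = bytes(range(256)) * 2
ORIGINAL = build_min_pe(BODY)
ENTRY_MOVED = build_min_pe(BODY, entry_rva=0x1040)            # header-only edit
ONE_BYTE_PATCH = build_min_pe(BODY[:100] + b"\x90" + BODY[101:])  # in-section edit


def signature_survives(sample: bytes, reference: bytes = ORIGINAL) -> bool:
    """True if a first-section CRC taken from `reference` still matches `sample`."""
    return first_section_crc(sample) == first_section_crc(reference)
```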
  8. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,886
    Location:
    Innsbruck (Austria)
    I do not know any scanner A or scanner B which would perform like you say...
    the engine of scanner B would be too bad and therefore not be able to reach 96%.
    the "sophisticated" engine of scanner A would be too good and therefore would be able to reach at least 80%.
    :p
     
  9. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    This requires good unpacking - and you can easily bypass any solution. Ewido is not able to emulate everything, in spite of their ridiculous claims. And last time I checked, they had twice the number of signatures of Kaspersky. So what was the advantage of their approach again? Funny that they don't even have 30% of KAV's detection on the other hand.

    And having automated signatures added is SO boring. I want to see some Win32.Polip detection. Oh I forgot. They don't add viruses. Even if they are ITW. Duh...

    On Access Memory scan... As if this would help against certain runtime packers. And if they had the perfect emulation, why would they need such a thing anyway? I find these contradictions amusing. :)

    Rebasing... Oh yes, I remember those huge waves of rebased malware that were supposed to kill us all and end the world (tm). ;-)

    Some hours ago, so what?
     
  10. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Yes, I'd take scanner "B", because my infection vectors aren't email and IM.
    So I need more thorough overall detection and not ultra fast response times and super duper heuristics.
     
  11. comma dor dash

    comma dor dash Registered Member

    Joined:
    Jun 5, 2005
    Posts:
    146
    CRC for packed samples. ... "This requires good unpacking"

    o_O

    "Ewido is not able to emulate everything, in spite of their ridiculous claims."

    You tell ME that?? And why do you always refer to Ewido? Do they scare the hell out of you or what?

    "On Access Memory scan... As if this would help against certain runtime packers. And if they had the perfect emulation, why would they need such a thing anyway? I find these contradictions amusing."

    There is no contradiction because this is not about Ewido. The memory scanner was just an example. Didn't you tell me a few years ago that AntiVir might go that route?

    I was asking a real question. Do you think mem scanners do not make any sense for AVs?

    "Some hours ago, so what?"

    Congrats.
     
  12. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    Memory scanning (patterns) doesn't make much sense, you will have even more signatures that the user must download. Beside that, the malware is already active and has control over the system. A behaviour blocker is much more effective. I guess that's why everyone is adding them lately. :rolleyes:
     
  13. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Good thing about behavior blockers is that they don't care about packers and cryptors. So all you have to do is to make a good rollback system and good behavior "patterns", obviously.
     
  14. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,886
    Location:
    Innsbruck (Austria)
    Parite.B (which is ITW): Comodo detects only 21 of 980 samples :(
    The detection of samples should be done more reliably, otherwise it's useless.
     
  15. SDS909

    SDS909 Registered Member

    Joined:
    Apr 8, 2005
    Posts:
    333
    If I was to advise Comodo, I would recommend they shift focus to a more proactive security solution. I think the AV market is getting impossibly hard to gain any ground in unless you are already a player that has been around for years, and have the resources and manpower to devote to it.

    I have worked for two companies where I shifted their focus from AV to Proactive systems, and helped manage the development of these tools, and I think it is paying off for them. (or will in one case of a beta product)

    Just my advice, the AV world is pretty tight already.
     
  16. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    SDS909 is right, but many AV companies are adding behaviour blockers and other pro-active features so even that feature won't be unique anymore.
     
  17. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    Exactly. Besides, you need to set straight lines and priorities. Not only priorities, you have to set the correct priorities. This includes for instance knowing what is important and what is trivial. Including "as much as possible" viruses isn't the way to go as long as the detection of important stuff is not reliable. And every other company would count the ItW Parite viruses into this category. A bunch of developers cannot make this decision, you need somehow some people with expertise in this field, otherwise you will keep focusing most of the time on stuff which just takes away resources just for the sake of bringing a virus records counter up or including feature requests from "users" which do not make any sense as long as the most important detections are not taking place. Then you need proper cleaning for the most important stuff. Otherwise your customers will "kill" you when they find out that other solutions are able to clean a virus infection and your solution is only able to delete such infected files. There are several white papers from me available on the internet for the most important ones (e.g. Parite) on how to do that.

    Example: http://home.arcor.de/antivirus/parite.html

    That shows how to do it completely without emulation, just with static code.
    It even shows how to detect this virus proper ;)

    This is of course no high-end solution, since you have to make a few more checks, e.g. if it's double infected etc., but at least you get the point where and how to start :D And this virus is really easy - on a difficulty scale from 1 to 10 (10 most difficult) it is maybe at 3. Still some companies are having problems obtaining the encrypted values to reconstruct the original binary. If you have an emulator this goes even much easier, but I always prefer to show things without an emulator, because this is somehow more advanced then :D
     
  18. pnbalaji

    pnbalaji Registered Member

    Joined:
    Sep 16, 2006
    Posts:
    24
    Location:
    Chennai, Tamilnadu
    Hi,

    Does any one have an update on Comodo Antivirus?.

    Thanks,
    Balaji.
     
  19. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    pnbalaji, just download the latest version from their website and then hit Update, as the latest version is not available on their website for download as far as I am concerned.
     
  20. pnbalaji

    pnbalaji Registered Member

    Joined:
    Sep 16, 2006
    Posts:
    24
    Location:
    Chennai, Tamilnadu
    Hi pykko,

    Thanks for your reply.

    However, I am asking about its current detection rate instead of its release version.

    Thanks,
    Balaji.
     
  21. RadicalEdward

    RadicalEdward Registered Member

    Joined:
    Jul 19, 2004
    Posts:
    64
    I too am curious about the development of this product. I am using their firewall, and would also like to know about the current detection rate.
     