COMODO Internet Security 5.x Thread

Discussion in 'other anti-malware software' started by Mops21, Jul 4, 2011.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    How so? Isn't heuristics by definition checking behaviors?
     
  2. guest

    guest Guest

    Just saying that the "heuristics" of a BB and of an AV work in different ways.
    There is no overlap btw av heuristics and any BB
     
  3. IvoShoen

    IvoShoen Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    788
    COMODO Internet Security 5.8.199581.2037 BETA Released

    https://forums.comodo.com/beta-corn...rity-581995812037-beta-released-t74771.0.html

    What's new in 5.8 BETA?
    At a glance, the following new features are the noteworthy changes in this release:
    NEW! Strengthened HIPS on 64 Bit operating systems: HIPS has been architected in such a way that now many parts of it are as strong as on 32 bit operating systems. Previously, it was possible to bypass some of the protections such as COM interface access etc.
    NEW! Seamless integration with COMODO Endpoint Security Manager (ESM): Now any CIS endpoint can be instantly turned into a centrally managed endpoint from the clients! Requires ESM 2.0 and later.
    NEW! Antivirus scanning progress: In this release, CAV now can show the percentage of the completed scanning.
    NEW! CIS 5.8 has a new UI theme
    IMPROVED! CAV realtime scanning performance in Stateful mode
     
  4. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    60,148
    Location:
    U.S.A.
    Merged Threads to Continue Same Topic!
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I can't see how there couldn't be overlap considering they both check the behavior of a program. I could be confused though, I'd be happy to be wrong considering I use both.
     
  6. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    Heuristics and BB actually work quite differently. In simplistic terms, heuristics looks for code similarities to known malware in the database; the more aggressively it functions, the more propensity for FPs. BB doesn't compare the code; rather, it assigns a rating based upon a number of "malicious-like activity" indicators, and once a certain threshold is reached an alert is triggered.

    There's a lot more to it of course and the term heuristics covers a broad spectrum within various AVs.
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Oh, interesting. I thought heuristics emulated malware to see if it did anything suspicious. Or are the two related?
     
  8. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,281
    Location:
    UK
    The following article from the ESET Knowledgebase contains a good description of two types of heuristics, typically used by AVs: in this case NOD32.

    http://kb.eset.com/esetkb/index?page=content&id=SOLN127

    What ESET calls active heuristics does involve emulation, but passive heuristics doesn't. An intelligent BB is different from either of these two types of heuristics due to the presence of a judgement module that scores behaviour and triggers an alert when a threshold has been reached, as andyman35 has already explained.
     
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Thanks for the article, I'll give it a read.

    Glad to hear that there's a significant difference. Always happy to learn something new.

    >_< I am still a bit confused though. I'll just take your word on it.
     
    Last edited: Aug 8, 2011
  10. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,281
    Location:
    UK
    Actually, I think I should have been a little clearer because there are a few other points worth making.

    In the broadest sense of the term, heuristic simply means the use of rule-of-thumb methods for making decisions when a deterministic algorithmic procedure isn't available. In the case of malware detection, the use of heuristics may involve analysing behaviour dynamically, although not necessarily as the ESET article shows.

    Intelligent BBs such as Mamutu and ThreatFire can be said to use heuristic methods in the broad sense of the term, but they operate very differently from the way a typical AV operates. An AV aims to prevent malware prior to execution. If code execution is used as part of a heuristic procedure to analyse behaviour, it takes place within a virtualized sandboxed environment. If the AV is successful at detecting the malware, no infection occurs. If unsuccessful, the AV is bypassed and the malware is free to deliver its payload.

    With an intelligent BB, code execution is not emulated because it takes place within the real environment. Execution is continuously monitored as it progresses and may be terminated at any point by the BB. Unlike an AV, which is all or nothing, a BB may have partially allowed malware to execute before it is stopped, so some damage may have already occurred.
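    A toy version of the scoring judgement module andyman35 and pegr describe, added here as an example that is not from the thread or from any product; the indicator names, weights and threshold are constructed, and the verdict records which events had already run before the block, which is the "some damage may have already occurred" point.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed weights for "malicious-like activity" indicators.
# Hypothetical values, not those of CIS, Mamutu or ThreatFire.
INDICATOR_WEIGHTS = {
    "create_file_in_temp": 5,
    "read_own_config": 0,
    "outbound_connect_unknown_host": 20,
    "autorun_registry_write": 30,
    "mass_file_modify": 35,
    "inject_into_other_process": 40,
    "disable_security_service": 50,
}
ALERT_THRESHOLD = 60  # constructed; real products tune this per product/policy


@dataclass
class Verdict:
    blocked: bool
    score: int
    allowed_events: List[str]        # events that executed before the block fired
    triggering_event: Optional[str]  # event that pushed the score over the threshold


def judge(events: List[str]) -> Verdict:
    """Score a process's event stream in the order the events occur.

    Unlike a pre-execution AV scan, the process is really running: every event
    before the threshold is crossed has already been allowed to take effect.
    """
    score = 0
    allowed: List[str] = []
    for ev in events:
        score += INDICATOR_WEIGHTS.get(ev, 0)   # unknown indicators add nothing
        if score >= ALERT_THRESHOLD:
            return Verdict(True, score, allowed, ev)
        allowed.append(ev)
    return Verdict(False, score, allowed, None)


# Constructed event streams for two processes.
RANSOMWARE_LIKE = ["create_file_in_temp", "autorun_registry_write",
                   "mass_file_modify", "outbound_connect_unknown_host"]
BENIGN_INSTALLER = ["create_file_in_temp", "read_own_config",
                    "autorun_registry_write"]

if __name__ == "__main__":
    for name, stream in (("ransomware-like", RANSOMWARE_LIKE),
                         ("benign installer", BENIGN_INSTALLER)):
        print(name, judge(stream))
```

    Note that the ransomware-like process is stopped only at its third event; the temp file and the autorun entry it wrote before that are real side effects a defender must clean up.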
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Right, so there are some similarities but when you get to the specifics they're different. That's kinda what I figured.
     
  12. guest

    guest Guest

  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I'd hope it's more than full virtualization =p

    What I'd like to see is more customization of sandboxing levels as well as full virtualization.
     
  14. guest

    guest Guest

    A new test of Valkyrie

    Take into account:
    - Valkyrie is still on a beta/develop stage
    - Valkyrie is another engine to be added to Comodo Cloud
    - Most of the false positives will not appear when it is released, because they are part of the Comodo whitelist and TVL.
    - In this test only Valkyrie heuristics are being tested, not the weighing with CAMAS, CAV and the whitelist. This will probably decrease the FPs and increase the detection of 0-day malware.

    - Notice that the FPs and the missing detections have already been fixed.

    More details: https://forums.comodo.com/news-announcements-feedback-cis/valkyrie-test-t75247.0.html
    http://valkyrie.comodo.com/Default.aspx

     
    Last edited by a moderator: Aug 10, 2011
  15. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    85% malware corrected with 1.34% FP's. Very good.
     
  16. Nizarawi

    Nizarawi Registered Member

    Joined:
    May 26, 2008
    Posts:
    137
    I'd like to see a new real engine

    not a cloud engine :thumbd:
     
  17. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,678
    Location:
    Canada
    :D still good results my friend:cool:
     
  18. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I'd much rather they spend time on the cloud engine over the local one.
     
  19. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    :thumb:
     
  20. Nizarawi

    Nizarawi Registered Member

    Joined:
    May 26, 2008
    Posts:
    137
    :thumb:
     
  21. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    I would like them to balance both :D
     
  22. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    In an ideal world they could have development equal on both ends. But that's not always how it works.

    Cloud-based scans/ heuristics are:
    a) MUCH lighter on resources
    b) always up to date

    Realtime is heavy (even stateful, though I love the idea) and you have to update.
     
  23. guest

    guest Guest

    Anyway, even being just a cloud scanner it will help the local scanner; I mean probably a few hours after a detection using Valkyrie a signature will be created for CAV.
    In fact Valkyrie already takes into account (includes) CAMAS and CAV in the verdicts, so it is going to be like a global solution.
     
  24. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,060
    Location:
    Europe, UE citizen
    I'm surprised that in a thread about CIS, and in this section, the most important feature of a security suite seems to be the AV. o_O
     
  25. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,489
    Location:
    Paris
    I guess it is because the perception that the AV is subpar keeps people away from the product. There are many here that will only use D+ and add another real time AV.
     