Discussion in 'other anti-malware software' started by Mops21, Jul 4, 2011.
How so? Isn't heuristics by definition checking behaviors?
Just saying that the "heuristics" of a BB and of an AV work in different ways.
There is no overlap btw av heuristics and any BB
COMODO Internet Security 5.8.199581.2037 BETA Released
What's new in 5.8 BETA?
At a glance, the following new features are the noteworthy changes in this release:
NEW! Strengthened HIPS on 64 Bit operating systems: HIPS has been architected in such a way that now many parts of it are as strong as 32 bit operating systems. Previously, it was possible to bypass some of the protections such as COM interface access etc.
NEW! Seamless integration with COMODO Endpoint Security Manager(ESM): Now any CIS endpoint can be instantly turned into a centrally managed endpoint from the clients! Requires ESM 2.0 and later.
NEW! Antivirus scanning progress: In this release, CAV now can show the percentage of the completed scanning.
NEW! CIS 5.8 has a new UI theme
IMPROVED! CAV realtime scanning performance in Stateful mode
Merged Threads to Continue Same Topic!
I can't see how there couldn't be overlap considering they both check the behavior of a program. I could be confused though, I'd be happy to be wrong considering I use both.
Heuristics and BB actually work quite differently. In simplistic terms, heuristics looks for code similarities to known malware in the database; the more aggressively it functions, the more propensity for FPs. BB doesn't compare the code; rather, it assigns a rating based upon a number of "malicious-like activity" indicators, and once a certain threshold is reached an alert is triggered.
There's a lot more to it of course and the term heuristics covers a broad spectrum within various AVs.
Oh, interesting. I thought heuristics emulated malware to see if it did anything suspicious. Or are the two related?
The following article from the ESET Knowledgebase contains a good description of two types of heuristics, typically used by AVs: in this case NOD32.
What ESET calls active heuristics does involve emulation, but passive heuristics doesn't. An intelligent BB is different from either of these two types of heuristics due to the presence of a judgement module that scores behaviour and triggers an alert when a threshold has been reached, as andyman35 has already explained.
Thanks for the article, I'll give it a read.
Glad to hear that there's a significant difference. Always happy to learn something new.
>_< I am still a bit confused though. I'll just take your word on it.
Actually, I think I should have been a little clearer because there are a few other points worth making.
In the broadest sense of the term, heuristic simply means the use of rule-of-thumb methods for making decisions when a deterministic algorithmic procedure isn't available. In the case of malware detection, the use of heuristics may involve analysing behaviour dynamically, although not necessarily as the ESET article shows.
Intelligent BBs such as Mamutu and ThreatFire can be said to use heuristic methods in the broad sense of the term but they operate very differently from the way a typical AV operates. An AV aims to prevent malware prior to execution. If code execution is used as part of a heuristic procedure to analyse behaviour, it takes place within a virtualized sandboxed environment. If the AV is successful at detecting a malware, no infection occurs. If unsuccessful, the AV is bypassed and the malware is free to deliver its payload.
With an intelligent BB, code execution is not emulated because it takes place within the real environment. Execution is continuously monitored as it progresses and may be terminated at any point by the BB. Unlike an AV, which is all or nothing, a BB may have partially allowed malware to execute before it is stopped, so some damage may have already occurred.
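A toy version of the "judgement module" described in the posts above, written as an added illustration (it is not code from any poster or from any vendor's product). Each observed action carries a constructed suspicion weight, the running score is checked at every step, and the process is stopped the moment the threshold is crossed, which also shows the caveat that the actions before that point have already run:

```python
# Toy behaviour-blocker judgement module. Weights, action names and
# traces are constructed for illustration only; no vendor uses these values.

THRESHOLD = 10

# Hypothetical indicator weights: higher means more "malicious-like".
WEIGHTS = {
    "create_file": 1,
    "write_registry_run_key": 4,      # persistence indicator
    "inject_into_other_process": 5,
    "disable_security_service": 5,
    "open_network_connection": 2,
    "delete_own_executable": 4,
}

def judge(trace, threshold=THRESHOLD, weights=WEIGHTS):
    """Monitor an execution trace step by step, as a BB would.

    Returns (verdict, executed, score):
      verdict  - "blocked" once the score reaches the threshold, else "allowed"
      executed - actions that had already run before the decision
      score    - the final accumulated score
    Actions with no matching indicator contribute 0.
    """
    score = 0
    executed = []
    for action in trace:
        score += weights.get(action, 0)
        if score >= threshold:
            # Terminated here; everything in `executed` already happened,
            # which is why a BB can stop malware yet still leave some damage.
            return "blocked", executed, score
        executed.append(action)
    return "allowed", executed, score

# Constructed traces: a benign-looking installer and a suspicious sample.
BENIGN_INSTALLER = ["create_file", "create_file", "write_registry_run_key",
                    "open_network_connection"]
SUSPICIOUS_SAMPLE = ["create_file", "write_registry_run_key",
                     "disable_security_service", "inject_into_other_process",
                     "open_network_connection"]

if __name__ == "__main__":
    for name, trace in (("installer", BENIGN_INSTALLER),
                        ("sample", SUSPICIOUS_SAMPLE)):
        verdict, ran, score = judge(trace)
        print(f"{name}: {verdict} (score {score}); ran before decision: {ran}")
```

Raising the threshold lets more of the suspicious trace execute before a verdict, which is the FP-versus-damage trade-off the thread is discussing.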
Right, so there are some similarities but when you get to the specifics they're different. That's kinda what I figured.
More info about v6, I guess that there will be more things to be added.
I'd hope it's more than full virtualization =p
What I'd like to see is more customization of sandboxing levels as well as full virtualization.
A new test of Valkyrie
Take into account:
- Valkyrie is still on a beta/develop stage
- Valkyrie is another engine to be added to Comodo Cloud
- Most of the false positives will not appear when it is released, because they are part of the Comodo whitelist and TVL.
- In this test only Valkyrie heuristics are being tested, not the weighting with CAMAS, CAV and the whitelist. This will probably decrease the FPs and increase the detection of the 0-day malware.
- Notice that the FPs and the missed detections have already been fixed.
More details: https://forums.comodo.com/news-announcements-feedback-cis/valkyrie-test-t75247.0.html
85% malware corrected with 1.34% FP's. Very good.
I like to see a new real engine,
not a cloud engine.
Still good results, my friend.
I'd much rather they spend time on the cloud engine over the local one.
I would like them to balance both
In an ideal world they could have development equal on both ends. But that's not always how it works.
Cloud-based scans/ heuristics are:
a) MUCH lighter on resources
b) always up to date
Realtime is heavy (even stateful, though I love the idea) and you have to update.
Anyway, even being just a cloud scanner it will help the local scanner; I mean that probably a few hours after a detection using Valkyrie a signature will be created for CAV.
In fact Valkyrie already takes into account (includes) CAMAS and CAV in the verdicts, so it is going to be like a global solution.
I'm surprised that in a thread about CIS, and in this section, the most important feature of a security suite seems to be the AV.
I guess it is because the perception that the AV is subpar keeps people away from the product. There are many here that will only use D+ and add another real-time AV.