CF with CS - Good Enough Alone?

Do you use Comodo Firewall alone or with Something Else?


  • Total voters: 44
  • Poll closed.
Status: Not open for further replies.

cruelsister

Hi Guys! I'm glad that there is no current issue with Avast and CF. I tried it when they initially came out with their new Build and it caused a great deal of issues. That was too bad as I have a great deal of respect for Avast (or as much respect as I can have for an AV). So I am glad that things work now- if I ever have any free time (not likely, at least very soon) I'll have to give it an extensive go...

Momus- Although you have answered the issue yourself, let me expand on the Eicar- AV-Cf thingy:

Let's say you are using a really good AV that will detect 98/100 malware files- when you run malware the AV will catch 98, and CF the remaining 2 (so 98+2=100).
If you use a crappy AV (say it only catches 50/100), then when you run the 100 malware files the AV will detect 50, and CF will either detect (via the Cloud AV) or contain the other 50 (so 50+50=100)

This is what is called in the trade a Zero-Sum Game: with a junk AV CF has more work to do; with a really good AV it will be called on less. But at the end of the day you will be protected.

ps- you will also hear that old Chestnut "nothing is 100%!!!!!!!!". Probably true, but CF is a Hell of a Lot closer to 100% than anything else.

Finally (really)- I'm very happy you guys are using my settings for CF. You humble me.
 

AtlBo

Might be I am a little bit paranoid or Avast is just a straightforward and honest company :))

The remarketing policy statement sure is very straightforward. I am impressed how Avast explains what happens when you pass from one platform to the next. That's more than I would have hoped for and expected and gives me a lot of confidence for using their product, especially considering how much Avast has been so reliable over the years. Thank you for taking the time to post this information...
 

Momus

Thanks for your feedback and explanation, Cruelsister and AtlBo!
Reading through your reply, Cruelsister, I guess I now finally understood no AV is required running CF with your settings. It must be a psychological thing that makes me believe I cannot rely on WD, Microsoft. I assume the first OS that will be hacked sooner or later will be Windows 10 and its WD. That's why I thought I will need a good AV to kind of double my security. Anyway, I learnt a lot once again and I will keep running Comodo FW with Avast Premium Version. Just because it makes me happy.
 

cruelsister

> It must be a psychological thing

Very well put! Yeah, it is really a psychological thing which is totally understandable. Since the conception of the PC people have been told that they need an ANTIVIRUS, so the AV is so ingrained as being a necessity that telling folks that it isn't needed is as easy as telling them to change their religious beliefs.

As an example, ask a stranger about an AV and they will know what you are asking; talk about a behavior Blocker or HIPS and they have a blank stare. Talk about virtualization and they will think you are totally Crazy.

But if there is a need for a supplementary AV it really would depend on what type of Computer User a person is. For me (been around the Block once or twice), ANYTHING UNSIGNED is a cause for great suspicion. CF will immediately always sandbox this stuff (which is a good thing because running an unsigned program is like taking candy from a Stranger). I would then run this application virtually to understand what it does. But that's just me. What about a person that may be new to computing?

This is where a supplementary AV (like Avast) comes into play- essentially it will act as a second opinion scanner that will operate in real time. Yes, CF does have VirusScope, but being honest Avast has the better definitions against current threats. But even if Avast says an unsigned application is fine but CF still sandboxes it I personally would never (never ever) take it out of Containment and run it- the Risk will outweigh any benefit.

Which brings us to this:

> If the AV does not detect it, how can I know if the file that runs inside the sandbox is malicious?

You don't. But you must assume (unless you are a Super-geek) that it MAY be malicious and just trash it. Taking something out of the Sandbox without extensive research is just like disregarding an AV alert that a file is malware. Any doubts? That's why God (and Jack) has created MalwareTips. If unsure, Ask Us!!!

Really finally, about WD- I use Win10 and have not bothered to shut WD off. However I can tell you for a fact that when former colleagues send me a TRUE ZERO DAY sample and I unzip the file on my main system I am always amazed if WD detects it (I'm being kind when I say the detection is maybe 10%). This is why I always feel like vomiting whenever I see a professional AV report giving WD (and other AVs for that matter) a 90% plus rating.


Sorry if I rambled- this is why I don't talk on my videos...
 

illumination

> Really finally, about WD- I use Win10 and have not bothered to shut WD off. However I can tell you for a fact that when former colleagues send me a TRUE ZERO DAY sample and I unzip the file on my main system I am always amazed if WD detects it (I'm being kind when I say the detection is maybe 10%). This is why I always feel like vomiting whenever I see a professional AV report giving WD (and other AVs for that matter) a 90% plus rating.

The underlined states it all. Any of the AVs mentioned in this forum and/or used would have a difficult time with True Zero days. Virtualization is definitely one way to respond to such, although I find disabling commonly known vulnerable processes and setting strict policies has become my go-to for an answer. Lock it down, and call it a day. ;)
 

Nightwalker

I really don't see the value of running a "traditional" antivirus along with "Cruel Comodo", IMO it just adds system impact, complexity and the risk of conflicts.

I would rather use VirusTotal Uploader, it doesn't have any drawback.

Example of a file that was auto sandboxed by Comodo:

[Image: TwdCLfH.gif]

While VT isn't perfect it is still useful, but just remember to exercise caution with a file that was auto sandboxed.
 

show-Zi

Minor free software is almost a prey of automatic sandbox. I am using them a lot, so I am getting used to handling sandbox (unblocking).
Someday it will be a little uneasy if the day like 'Wolf and the shepherd' comes.
Japan's minor software seems to be ambiguous in VT as well.
 

ForgottenSeer 58943

I've switched back to CF with WD. For me personally it makes no sense to disable WD when it is a very capable AV. So rather than disabling WD I keep it enabled, max the settings out in GPE and add CF. Plus I use an SUA and SRP and that is more than enough protection for anyone along with an ad blocker and changing a few Flags in Chrome. Oh, and keeping backups of files and system images. For me this is the perfect setup.

I'd MUCH prefer running FortiClient with only the AV or AV+WF enabled along with CF rather than WD. Not only because WD seems to always add some fairly significant system weight but its protection isn't stellar IMO against newer threats.
 

ForgottenSeer 58943

> I really don't see the value of running a "traditional" antivirus along with "Cruel Comodo", IMO it just adds system impact, complexity and the risk of conflicts.
>
> I would rather use VirusTotal Uploader, it doesn't have any drawback.
>
> Example of a file that was auto sandboxed by Comodo:
>
> [Image: TwdCLfH.gif]
>
> While VT isn't perfect it is still useful, but just remember to exercise caution with a file that was auto sandboxed.

W10Privacy is a false positive. It routinely flags on a few less than stellar products like Cylance.
 

Tiny

> I'd MUCH prefer running FortiClient with only the AV or AV+WF enabled along with CF rather than WD. Not only because WD seems to always add some fairly significant system weight but its protection isn't stellar IMO against newer threats.

Are there any significant conflicts with CF/CS when using FortiClient?
 

Nightwalker

> W10Privacy is a false positive. It routinely flags on a few less than stellar products like Cylance.

I know, I was just showing that VirusTotal Uploader is better than a real time protection to evaluate unknown files that were automatically sandboxed by Comodo.

By the way there are very few security vendors that I trust, most solutions are false positive galore that don't do their job properly in the signature/heuristic department.
 

ZeroDay

> I'd MUCH prefer running FortiClient with only the AV or AV+WF enabled along with CF rather than WD. Not only because WD seems to always add some fairly significant system weight but its protection isn't stellar IMO against newer threats.

I switched back to KIS instead last night. I'm currently running KIS 2019 fully tweaked for best protection.
 

ZeroDay

For me, personally, my system felt lighter with WD+CF than it did with Forti+CF. I realise WD is heavy for some people, but I don't even notice it on my system. And, to add to that - if you're using Comodo FW it makes zero sense to disable WD to install a third party AV. WD will do the job nicely and CF will take care of everything else. WD tweaked + Windows 10 mitigations is pretty powerful so adding CF is a rock solid setup. If someone only wants a Sig AV to complement CF why disable one that's built in and doing very well in tests just to install a third party AV? Before anyone says because WD will be a bigger target, remember you're already using Windows OS and I think CF has more than proved itself. Add to that the fact that on most tests I see people have to allow malware past both UAC AND Smartscreen before they can even test third party security and I think that makes the case for WD + all of Windows 10 security features + CF a pretty strong one.
 

illumination

> I see people have to allow malware past both UAC AND Smartscreen before they can even test third party security

I have said this very same thing many times in the last few years, and it gets overlooked every time, as if it does not sink in fully.

It was rare that a sample bypassed UAC and Smartscreen in all the testing I did, I almost always had to allow them through.
 