Comodo Cloud AV -- only 3 MB--- with full containment and sandboxing included

Status
Not open for further replies.

Deleted member 2913

For the moment it is just a screenshot...we are not even sure it will become real.
And they mention coming soon...
When in fact on the Comodo forum, Melih mentions an alpha & further mentions a CEO edition with his favourite emoticons.
Their "coming soon"... means anywhere from a week/month to years, to no further info for years, to abandoned with no info, etc...

Melih is kind of unlucky with their upcoming software, because a couple of upcoming software products died with the CEO edition ;):D
 

hjlbx

Yes, yes... Comodo is the Land of Abandoned Softs. Most of us know that and yes, it is frustrating.

I just adopt the attitude of "wait-and-see." If Cloud AV is brought to market that will be welcome. If not, oh well, another flash in the pan...
 

hjlbx

Sorry, but a product based only on "unrecognized file" detection system is incomplete and misleading... What if I download 2 executables: game.exe and virus.exe... Both are unrecognized but game.exe is a legit game and virus.exe is a malicious file??? Maybe I don't know who to trust and I remove game.exe and execute virus.exe? Virus detection is EXTREMELY important to have, even classic signatures are good, not to mention HIPS-like things, behavioral modules and so on...

So the statement: "Why even worry about detection when Comodo can be configured to either contain and\or block any Unrecognized files ?" is a great joke.

I subscribe to the default-deny model of protection =

  • Clean install OS
  • Clean install carefully chosen applications
  • Install anti-executable
  • Lock-Down system

This protection model works best for those that do not change their systems very often. It is independent of any signatures or file ratings.

IF I make a change to the system, I do manual analysis of files...

Over-reliance upon signatures and file ratings will result in eventual infection.

This is the protection model that works for me and a few others here at MT... and it does work. Of course, others will not find it very user friendly if they are constantly downloading and running apps.
 

Alex BK

Level 2
Verified
Apr 23, 2015
69
I subscribe to the default-deny model of protection =

  • Clean install OS
  • Clean install carefully chosen applications
  • Install anti-executable
  • Lock-Down system

This protection model works best for those that do not change their systems very often. It is independent of any signatures or file ratings.

IF I make a change to the system, I do manual analysis of files...

Over-reliance upon signatures and file ratings will result in eventual infection.

This is the protection model that works for me and a few others here at MT... and it does work. Of course, others will not find it very user friendly if they are constantly downloading and running apps.

I don't find this viable because there are updaters, updates, and these kinds of things interfere with your lockdown method. I would not recommend this, because everyone downloads, everyone updates programs and so on.
 

Deleted member 178

I don't find this viable because there are updaters, updates, and these kinds of things interfere with your lockdown method. I would not recommend this, because everyone downloads, everyone updates programs and so on.

I don't see problems with that; the only restriction is that you have to know what you are downloading and installing.
 

hjlbx

I don't find this viable because there are updaters, updates, and these kinds of things interfere with your lockdown method. I would not recommend this, because everyone downloads, everyone updates programs and so on.

Comodo, NoVirusThanks Exe Radar Pro, AppGuard, VooDooShield... all solve this problem in one way or another - and it does eliminate most of the inconvenience; user has the ability to define exceptions based upon path, file rating, vendor, hash, etc - dependent upon which anti-executable one is using.

On one system I use NVT ERP in Alert Mode with Sandboxie. After clean install OS, all files are whitelisted in ERP. When a file changes via update, NVT ERP alerts that the file has changed. I know it is legitimate so I Allow. No problems, no real inconvenience whatsoever...

I am able to test and evaluate softs, test malwares, etc in sandbox by Allowing Once in NVT ERP.

The perceived inconvenience is unjustified and lingers from earlier times... the AE vendors have made their programs much more user friendly.

Of course, it's not going to work for everyone... it is just one of the many options. Everyone has to determine which protection model will work best on their specific system and for them personally...
 

illumination

Yep.

You are lazy and/or not an expert in security? Use classical AV suites.

You are an advanced user or not afraid of investigating potential errors you made? Use anti-exec and other alternative security softs.
Let's see if we can get Umbra's assessment correct here ;)

Definition of Security Pro = One who spends more time tweaking and making rules for their system instead of actually using it for what it was intended.

Definition of a Lazy Person or not an expert = One who uses their system for what it was intended while maintaining simple security...

Sound about right @Umbra :D
 

Deleted member 178

Hahaha exactly ! :D

In fact, the security Pro really enjoys his system when ALL is done and set. :p
 

Amiga500

Level 12
Verified
Jan 27, 2013
661
Comodo offers the best free security package available for Windows, without question. Great firewall and virtualised browser functions are the crème de la crème of security.
 

hjlbx

One can make Comodo as simple or as complicated as they so wish. The settings and rules can be nothing more than that provided by the default internet security configuration or one can go to the extent of replicating AppGuard & NVT ERP type behavior - and beyond.

It's all about your perspective of what constitutes adequate protection...
 

Solarquest

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
There is already a cloud component in CIS:

Perform cloud based behavior analysis of unrecognized files – When checked, any file that is marked as unrecognized is sent to the Comodo Instant Malware Analysis (CIMA) server for behavior analysis. Each file is executed in a virtual environment on Comodo servers and tested to determine whether it contains any malicious code. The results will be sent back to your computer in around 15 minutes. Comodo recommends users leave this setting enabled (Default=Enabled).

More details. The behavior analysis system is a cloud based service that is used to help determine whether an unknown file is safe or malicious. Once submitted to the system, the unknown executable will be automatically run in a virtual environment and all activities, host state changes and network activity will be recorded. The list of behaviors recorded during this analysis can include information about processes spawned, files and registry keys modified, network activity, and other changes. If these behaviors are found to be malicious then the signature of the executable is automatically added to the antivirus black list. If no malicious behavior is recorded then the file is placed into 'Unrecognized Files' (for execution within the sandbox) and will be submitted to our technicians for further checks. The behavior analysis system takes around 15 minutes to report its results back to CIS. If the executable is deemed a threat then it will be automatically quarantined or deleted. This threat report is also used to update the global black list databases and therefore benefit all CIS users.

Automatically scan unrecognized files in the cloud – Selecting this option will automatically submit unrecognized files to our File Lookup Server to check whether or not they are on the master Comodo white list or black-list (White list = files that are known to be safe. Black list = files that are known to be malware) and the files are rated accordingly. The important features of the cloud based scanning are:

  • Cloud based Whitelisting: Safe files and trusted vendors and trusted publishers can be easily identified;
  • Cloud based Antivirus: Malicious files can be detected even if the users do not have an up-to-date local antivirus database or a local antivirus database at all;
  • Cloud Based Behavior Analysis: Zero-day malware can be instantly detected by Comodo’s cloud based behavior analysis system, CIMA.
The cloud scanning, complemented by automatic sandboxing and application isolation technologies, is extremely fast and powerful in preventing PC infection even without a traditional antivirus signature database while keeping user interaction at minimal levels.

Comodo recommends users leave this setting enabled (Default = Enabled).

I personally like the idea and hope many other AV vendors will update their software and provide a similar option too: an automatic scan in the cloud and execution in a behavioral analysis environment of all unknown files. Only when the AV has scanned the file, analyzed its behavior and determined it's safe should it be able to run on the user's device.
At least users should have an easy way to submit unknown and undetected files. This would incredibly increase the security as well as the detection ability of AVs.
 
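The default-deny flow the posts above describe (trusted or whitelisted runs, blacklisted is quarantined, unrecognized is contained or blocked, and a whitelisted file that an updater changes drops back to unrecognized, the case hjlbx's NVT ERP alert covers), as an added Python example that is not Comodo's, NVT's or any poster's code. The vendor name, file bodies, cloud verdicts and the "contain"/"block" mode are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample data standing in for the local/cloud white and black lists.
TRUSTED_VENDORS = {"Example Game Studio"}
BLACKLIST = {hashlib.sha256(b"constructed known-bad body").hexdigest()}

@dataclass
class Engine:
    mode: str = "contain"  # action for unrecognized files: "contain" (sandbox) or "block"
    baseline: Dict[str, str] = field(default_factory=dict)  # path -> sha256 taken after clean install
    cloud: Dict[str, str] = field(default_factory=dict)     # simulated cloud verdicts: sha256 -> verdict

    @staticmethod
    def digest(content: bytes) -> str:
        return hashlib.sha256(content).hexdigest()

    def whitelist(self, path: str, content: bytes) -> None:
        """Record a file as trusted, as an anti-executable does after a clean install."""
        self.baseline[path] = self.digest(content)

    def rate(self, path: str, content: bytes, signer: Optional[str] = None) -> str:
        """Rating order: blacklist beats everything, then trusted signer, cloud or baseline."""
        h = self.digest(content)
        if h in BLACKLIST or self.cloud.get(h) == "malicious":
            return "malicious"
        if signer in TRUSTED_VENDORS or self.cloud.get(h) == "safe":
            return "trusted"
        if self.baseline.get(path) == h:
            return "trusted"
        return "unrecognized"  # unknown hash, or a baselined path whose hash changed

    def decide(self, path: str, content: bytes, signer: Optional[str] = None) -> str:
        rating = self.rate(path, content, signer)
        if rating == "malicious":
            return "quarantine"
        if rating == "trusted":
            return "run"
        # Unrecognized files never run with full access; they are contained or blocked.
        return "sandbox" if self.mode == "contain" else "block"

def scenario() -> Dict[str, str]:
    """The thread's game.exe vs virus.exe case, plus a whitelisted file that gets updated."""
    eng = Engine(mode="contain")
    eng.whitelist(r"C:\Tool\tool.exe", b"tool v1")
    game, virus = b"constructed game body", b"constructed malware body"
    out = {"game_before": eng.decide(r"C:\Downloads\game.exe", game),
           "virus_before": eng.decide(r"C:\Downloads\virus.exe", virus)}
    eng.cloud[Engine.digest(game)] = "safe"        # simulated behavior-analysis verdicts arrive
    eng.cloud[Engine.digest(virus)] = "malicious"
    out["game_after"] = eng.decide(r"C:\Downloads\game.exe", game)
    out["virus_after"] = eng.decide(r"C:\Downloads\virus.exe", virus)
    out["tool_updated"] = eng.decide(r"C:\Tool\tool.exe", b"tool v2")  # hash changed: alert
    return out
```

Before the cloud verdict both downloads get the same treatment, which is vivid's point that "nothing happens" under deny-by-default; the difference only appears once a rating exists.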

vivid

Level 5
Verified
Dec 8, 2014
206
Sorry, but a product based only on "unrecognized file" detection system is incomplete and misleading... What if I download 2 executables: game.exe and virus.exe... Both are unrecognized but game.exe is a legit game and virus.exe is a malicious file??? Maybe I don't know who to trust and I remove game.exe and execute virus.exe? Virus detection is EXTREMELY important to have, even classic signatures are good, not to mention HIPS-like things, behavioral modules and so on...
In your example nothing happens with a true deny-by-default schema. But fine, let's say you're right and then == why would you trust the vendor verdict? As an example, try to submit an adware sample to multiple vendors: some will report it as clean, some will blacklist it. Tsk, tsk.

Simply put, detection cannot be absolute. There is no standard either.
 

Janl92l

Level 7
Thread author
Verified
Nov 7, 2014
339
Melih: To answer some of the other questions asked in this thread

Q-Question is will this only use CAV or will it be like VT and scan the file with other AV scanners from other vendors?
A- No, it's not like a VT scan, it will use our own AV labs and backend.

Q-Melih what is being done to reduce the amount of unknown files in the Comodo cloud?
A- Valkyrie is a whole new verdicting system. It can verdict not only if a file is bad or not but if a file is good or not as well. We are continuing to invest in a whole new infrastructure so that unknowns will be reduced drastically, as well as to verdict an unknown will be reduced. We are on it, just a matter of time.

Q- Do you think they should have made this a pure AV i.e no autosandbox, etc... but full online/cloud databases, smart offline databases/cache like Panda cloud & Bd free, local/cloud heur/ViruScope/BB, local/cloud whitelists (option to disable), web protection & Valkyrie?
A- a BIG NO!! You will get infected without automatic sandboxing. It's just silly to allow an unknown file to run with unfettered access..just silly!! Anyone recommending just an AV is either using a time machine and travelled from the 1980s or hasn't got a clue about today's threats.
 

Deleted member 178

Melih: To answer some of the other questions asked in this thread

A- a BIG NO!! You will get infected without automatic sandboxing. It's just silly to allow an unknown file to run with unfettered access..just silly!! Anyone recommending just an AV is either using a time machine and travelled from the 1980s or hasn't got a clue about today's threats.

Ummmm... doesn't even trust its own AV :D mwahahaha.

my advice for Melih:

stop doing AVs, just firewalls like in the old times, and do sandbox software, because you failed at everything else.

:D
 

Atlas147

Level 30
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 28, 2014
1,990
I personally think that this project is going to turn up like Qihoo or Panda Security where they are just using cloud signatures; they talk about "Valkyrie" like it's some super advanced AI system that can immediately determine what file is bad and block it in real time. This is just not feasible because it takes too long to analyse for a real time solution, and the analysis might be wrong and require a human to double check it, which brings me back to the point that it's just going to become another Qihoo or Panda.

I don't get why they can't just add this cloud feature to their already robust products, rather than create this product and add on the other bloating features; aren't cloud AVs supposed to be light on resources? Hopefully they allow for custom installation so that users can install the features that they need and not the entire package, which would definitely slow down the entire computer.

Not saying that all their features are bad, I was a faithful user of Comodo firewall in the past, but trying to upgrade to internet security caused a lot of issues on my PC and overall removing both internet security and the firewall component made me realize how much it was actually slowing down my PC in terms of boot time and execution.
 

Wisdom

Level 1
May 25, 2012
15
I believe in default-deny protection because that's the best solution, of course not the only solution. That means detection is important too, but not enough.

You said:
What if I download 2 executables: game.exe and virus.exe... Both are unrecognized but game.exe is a legit game and virus.exe is a malicious file?

OK, imagine you have an AV which doesn't have a default-deny system; alright, your AV doesn't detect the malware (virus.exe) and then your AV says no threat found, therefore you execute both of them. What will happen? lol

So the most important question is: What's your AV plan for unknown files?
You know, many AV vendors have some plans for unknown files, like Kaspersky, Emsisoft, etc...
 

Deleted member 2913

It seems this is going to be pure Cloud AV + Autosandbox i.e no junk included in installer, no FW, no HIPS, no Virtual Kiosk, no tools like CCE, system rescue, etc...

The GUI will have ample space. I hope good autosandbox options are there & well placed.

Hope it has options like "Sandboxed Programs" & "Sandboxed Files", and an individual sandbox for individual programs. These options will make it easy to know which programs are installed sandboxed & which files are running sandboxed, and will make it easy to remove individual/all sandboxed programs & move individual/all sandboxed files.

Hope it will have option to ask instead of autosandboxing files.

Comodo has quite a big whitelist now. I have proposed an anti-executable in Cloud AV on the Comodo forum. Avast hardened mode is easy enough for average users to use, i.e. it doesn't block anything permanently & so doesn't require users to go into the GUI to unblock things. It's simple: either close the programs trying to execute or add them to exclusions to run. But the Avast whitelist seems not good & big enough. The Comodo whitelist is good & big enough, so I have proposed an anti-executable with Avast hardened mode like options. And of course with the option to enable/disable the whitelist, manual/user whitelist, etc... The options should be like "Use Autosandbox", "Use Anti-executable", i.e. users choose either autosandbox or anti-executable for the security.

As there is no Firewall..hope there is some kind of network protection feature.

And hope there is something for data protection/feature.


And finally a query to know if it's possible, or how easy/hard it is, to make a sandbox on-the-fly?
i.e. is it possible, or how easy/hard is it, for Comodo to make a sandbox on-the-fly?
i.e. if you run a program & get an alert..you can choose to run the program in sandbox or out of sandbox i.e. normal..I am not talking about this.

I am talking about sandbox installed programs & sandboxed files.
i.e. sandboxed files - you can move them to trusted & the job is done..you can do this in CIS.
Sandbox installed programs - you install a program & get an alert..you choose to run in sandbox..you find the program is safe..you go to "sandboxed programs"..select the program..move/install on the real system.......is it possible, or how easy/hard is it, to implement the function for Comodo?
 