App Review Comodo Internet Security 11 Review | Test vs Malware


shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
It's interesting that AppGuard was dropped from Comodo's Trusted Vendors List.
There are tens of thousands of vendors on that list, lots of names in Chinese characters and stuff like that, but no AppGuard.
Was AppGuard removed because they are spamming the Internet with adware? I doubt it.
Or maybe it's because the new owners of AppGuard didn't want to pay their annual "fee" to Comodo in order to be approved?
 

AtlBo

Level 28
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
No, other AVs don't whitelist the malicious files, and it is not just an error, it's a Horror Story.

Understand what you mean but it's really that their cloud didn't update the blacklist after the human test. It was an "unrecognized" that was tested mechanically to be "trusted" and then by human to be malware. Yes at first it was trusted. This is true and a mystery in itself I guess. However, they had done the work to correct the trust rating, yet the file was not changed on the cloud to malicious. For me, I think the question is, "Does this show that Comodo should work over their cloud?" Looks to me personally like that might be the case.

With regards to other companies, most of the security companies don't use a sandbox like Comodo, so it's different. They look for malware, blacklist them, and block them. Comodo sandboxes "unrecognized" files that aren't whitelisted ("trusted" rating) on the cloud (by testing from human or computer). Files that are blacklisted on the cloud (from testing, human or computer) are then blocked via Viruscope (I believe Viruscope, but maybe Valkyrie, not sure).

File shouldn't have ever had a Trusted rating but I agree with this:

It is a false negative; all AVs have had some in their life.
It is not something to go crazy over either. The important thing is that they changed it before it was dangerous for domestic users.

Even if you have this error, it is normal to stop the malware 0 day.

and this:

Most and maybe all forum members would agree that Comodo, when properly configured, does a lot to protect home users.
The disagreements begin when it is expected to be as infallible as the Catholics once believed the Pope to be.

Out of the 504 malware samples that were run in the test, 1 got by the sandbox. That's bad that one got by, but Comodo has a track record going back about 5 years I guess with great performance with blocking malware. All the while, it provides a satisfactory performance against false positives with the TVL (trusted vendors). This video from Leo should be a wake-up call to them though imo. Whatever is going on with the cloud, it looks bad when this happens. Maybe that's partly because it hardly ever does, though.
 

BoraMurdar

Community Manager
Verified
Staff Member
Well-known
Aug 30, 2012
6,598
Understand what you mean but it's really that their cloud didn't update the blacklist after the human test. It was an "unrecognized" that was tested mechanically to be "trusted" and then by human to be malware. Yes at first it was trusted. This is true and a mystery in itself I guess. However, they had done the work to correct the trust rating, yet the file was not changed on the cloud to malicious. For me, I think the question is, "Does this show that Comodo should work over their cloud?" Looks to me personally like that might be the case.
This hits the target of this whole case.
 

AtlBo

Level 28
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
This hits the target of this whole case.

Hate to say it, but I feel kind of bad about my original comments. I thumped Leo too hard. Not a fan of the testing and oversimplified review tactics of the majority of the testers or of Leo, but still more reservation was called for. There was a bypass. I actually think I was angry about how one harmless malware out of 504 shotgunned samples could bring down the review so much. Comodo forum is taking over my mind I am afraid...two years of Comodo.

Anyway, I think I should consider the purpose of the video more before I get such an attitude :emoji_grimacing: now that all the facts are in about the file and all. I just now realized this isn't the Leo of "Ask Leo". I thought they were one and the same until now.
 

Windows Defender Shill

Level 7
Verified
Well-known
Apr 28, 2017
326
The first computer course I took in college, the professor kept written on the whiteboard throughout the semester "recommended free AV - Comodo." This was also during the Windows 8 dark times, so I would say it's less relevant now, unless you are on the cutting edge of malware exposure.
 

Bushman

Level 2
Verified
Sep 9, 2017
55
Many comments are excessive.
No software is 100% reliable. The first line of security is the user.
Zero default doesn't exist. But it's true that the TVL should be examined by the user and the Trusted Vendors List cut down drastically.
We see from Leo's test and many comments that maybe this point is not sufficiently highlighted.
For two years the CS settings have kept my OS from being infected.
This judicious advice must not, however, do away with all vigilance by the user.
For me, Comodo is much better than much other security software, I think.
 

Morphius

Level 1
Sep 13, 2011
47
In my opinion this was a very simple scenario. This file was wrongly classified as trusted a few years earlier. Now Comodo has tightened their whitelisting policy and it's a rare case to have malware on a whitelist. It has nothing to do with the TVL - this file was not signed, and the TVL was thoroughly reviewed a few times in the past to exclude suspicious vendors, and their policy to add vendors to the TVL is different too (from my knowledge it doesn't require a fee to be a part of it). This happened and will happen - there will be no 100% default allow solution and no 100% default deny solution which operates using a whitelist - it will have both false positives and negatives. Accepting that fact, I still believe that a Default Deny policy based on whitelisting is still the most secure and convenient out there.
 

cruelsister

Level 42
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,133
why not just reset comodo to default-setting (because it was on Leo test), cut internet, and set the sample as trusted (because it was)?

The reason is that I wanted to do the least amount of manipulation possible. I was already using CF and not CIS (I didn't have a baseline CIS VM), and I had set up that CF machine already to my settings, so I had to change the sandbox from Restricted to PL.

As this machine was from June (I verified that I did not do anything subsequent on it by checking file dates in Windows, temps, etc.), I thought that this would then be valid, as the original potential malware was a few years old and this machine that I used predated the August change in status, and without network access there would be no updating.
 

mamamia

Level 3
Verified
Feb 27, 2016
118
The reason is that I wanted to do the least amount of manipulation possible. I was already using CF and not CIS (I didn't have a baseline CIS VM), and I had set up that CF machine already to my settings, so I had to change the sandbox from Restricted to PL.

With CF and your settings, is it necessary to enable HIPS?
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
although I believe @Umbra has commented before saying it's enabled regardless.
In Comodo 10 and up, they moved some of the protections out of the "HIPS" category, and reclassified them as "advanced protection". For all intents and purposes, I think that HIPS is really disabled, if you disable it. But the advanced protections will still run, unless you disable them, too.
Maybe @Umbra can shed some light on what he meant, but I suspect that he was maybe talking about the old categorization?
 

klaken

Level 3
Verified
Well-known
Oct 11, 2014
112
No, other AVs don't whitelist the malicious files, and it is not just an error, it's a Horror Story.
Let's not forget the Windows files classified as malware... other false positives.
Malware not detected by antivirus or not detected in time by the automatic systems...
Klaken: clean signatures = no malware detected by signatures = not detected by any AV.
Sunshine-boy: Other AVs have System Watcher, Hardened Mode, SmartScreen or... to avoid these errors (?!).
The signature detection of Valkyrie is the same as Comodo's antivirus, therefore they are not comparable.

But you could have this error because the classification systems are not 100% effective in these.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
@shmu26 @In2an3_PpG

On v8 Comodo acted this way:
Comodo Internet Security's Auto-Sandbox (Containment) & HIPS interaction explanation

Maybe you can redo the procedure, and post the result.

I bet it won't be different, I haven't heard that the core mechanism changed.
Thanks, Umbra. I took a look at your thread over there, I will quote a line:
"The HIPS will activate only on unrecognized files that do not enter in the BB rules. "
When you say BB, you mean the thing that is now called autosandbox or autocontainment, correct?
Could you please explain what kind of unrecognized files do not enter in the autocontainment rules?
 

Deleted member 178

"The HIPS will activate only on unrecognized files that do not enter in the BB rules. "
When you say BB, you mean the thing that is now called autosandbox or autocontainment, correct?
yes

Could you please explain what kind of unrecognized files do not enter in the autocontainment rules?
It's been a long time since I used Comodo, but if I recall, those not listed in the containment rule table.
If you look at my settings (under the spoiler at the Auto-Sandbox part), I had a lot of "rules".
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
yes


It's been a long time since I used Comodo, but if I recall, those not listed in the containment rule table.
If you look at my settings (under the spoiler at the Auto-Sandbox part), I had a lot of "rules".
Okay, I took a look. So it seems that when you say "do not enter in the autocontainment rules", you mean that an "ignore" rule was made.
If that's what you mean, in the recent versions of Comodo it works differently. If you "ignore" in autocontainment, and you also disable HIPS, you will not get any prompt at all.
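A small Python model of the decision chain described in this thread (file rating from cloud or local cache, then the containment rule table, then HIPS as the last gate), added here as an illustration; it is not Comodo's code, and the rule format, action names and sample path are assumptions. It reproduces the cases discussed above: a stale cloud verdict of "trusted" runs the sample unrestricted, the corrected verdict blocks it, and an "ignore" rule combined with HIPS disabled yields neither sandbox nor prompt.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional

class Rating(Enum):
    TRUSTED = "trusted"            # whitelisted via TVL signature or cloud verdict
    UNRECOGNIZED = "unrecognized"  # no verdict yet
    MALICIOUS = "malicious"        # blacklisted

@dataclass
class Rule:
    """Assumed simplified containment rule; first matching rule wins."""
    rating: Rating
    action: str            # "run_virtually", "block" or "ignore"
    path_prefix: str = ""  # "" matches every path

# Constructed stand-in for the default Proactive rule: sandbox all unrecognized files.
DEFAULT_RULES: List[Rule] = [Rule(Rating.UNRECOGNIZED, "run_virtually")]

def decide(path: str, local: Rating, cloud: Optional[Rating],
           rules: List[Rule], hips_enabled: bool) -> str:
    """Outcome for `path` in this model: rating first, then containment, then HIPS."""
    rating = cloud if cloud is not None else local   # cloud verdict overrides the local cache
    if rating is Rating.MALICIOUS:
        return "block"                # blacklisted: stopped outright
    if rating is Rating.TRUSTED:
        return "run_unrestricted"     # whitelisted: never reaches containment or HIPS
    for rule in rules:
        if rule.rating is rating and path.lower().startswith(rule.path_prefix.lower()):
            if rule.action != "ignore":
                return rule.action
            break                     # "ignore" rule: containment steps aside
    # Not handled by containment, so HIPS is the only gate left
    return "hips_prompt" if hips_enabled else "run_unrestricted"

def thread_scenarios() -> Dict[str, str]:
    """The cases discussed in the thread, using a constructed sample path."""
    sample = r"C:\Users\demo\Downloads\sample.exe"
    ignore_downloads = [Rule(Rating.UNRECOGNIZED, "ignore", r"C:\Users\demo\Downloads")]
    return {
        # cloud still says "trusted" after human analysis found the file malicious
        "stale_cloud": decide(sample, Rating.UNRECOGNIZED, Rating.TRUSTED, DEFAULT_RULES, True),
        "corrected_cloud": decide(sample, Rating.UNRECOGNIZED, Rating.MALICIOUS, DEFAULT_RULES, True),
        # offline machine, default Proactive rules, HIPS off: the sandbox still catches it
        "offline_default": decide(sample, Rating.UNRECOGNIZED, None, DEFAULT_RULES, False),
        "ignore_no_hips": decide(sample, Rating.UNRECOGNIZED, None, ignore_downloads + DEFAULT_RULES, False),
        "ignore_with_hips": decide(sample, Rating.UNRECOGNIZED, None, ignore_downloads + DEFAULT_RULES, True),
    }
```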
 

Deleted member 178

Okay, I took a look. So it seems that when you say "do not enter in the autocontainment rules", you mean that an "ignore" rule was made.
If that's what you mean, in the recent versions of Comodo it works differently. If you "ignore" in autocontainment, and you also disable HIPS, you will not get any prompt at all.
Really? I don't have Comodo at hand, can you post a screen of the default Containment rules?
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
Really? I don't have Comodo at hand, can you post a screen of the default Containment rules?
Here ya go, the default autocontainment rules for Proactive Security config:

Capture.PNG
 

509322

If you rely upon software to tell you what to do or to do it for you automatically, this is what can happen. File reputation systems are apt to fail considering the volumes are in the many millions and can and do change over time. So stop complaining "How could this happen?" as the issue cannot be fixed. There is no such thing as a perfect file rating system that is going to get it right 100% every single time with 100% of all files and vendors.

If you don't want it to happen to you, then use a block-by-default solution and learn the basics of automated and manual analysis. There are enough resources on the web that with a little bit of effort a person can learn and get good at it. It's easy enough that children and grandmas can do it.
 
