Comodo - New advertisement from Melih

imuade

Level 12
Thread author
Verified
Top Poster
Well-known
Jul 29, 2018
566
Lockdown or Vaccine.png

This is a new message from Melih, Comodo's CEO, on their forum.
I personally think this message is really astonishing.
That statement goes completely against the concept of containment that Comodo has always advertised...

Default Deny with Auto-sandboxing
The Jail House Method of Containment

So, containment is like placing a virus into a jail house (so, like the lockdown in the picture) so that it can't harm the PC, while traditional AVs are like killing an already spread virus (you can make a vaccine only after you discover something unknown is a virus)... but now they advertise Comodo like a vaccine...

What do you think about this?
 

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
Comodo's R&D engineers, who have developed an extraordinary application that allows you to run your critical application, such as POS System, safely when the platform has already been compromised.

This is what we call securing a Good file in a Container operation in a Bad environment. But we can also contain a Bad (or unknown) file operating in a Good (clean) environment and keep a device clean!
 

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,632
@cruelsister

Great to see you! I wanted to get your thoughts on a couple of things, purely out of curiosity and also for a potentially interesting discussion on friendly terms (I am not dissing Comodo at all, it is an amazing product).

To me, global whitelists are nothing more than a repository for pre-analyzed files. Our WhitelistCloud is extremely accurate, but it is certainly not perfect, and it would be difficult to imagine any global whitelist with an efficacy of > 99.9% or so. To me, the only item that should be allowed is what is on the tiny, customized whitelist snapshot of the processes that were previously running. I mean, if you want to be super safe.

I was also curious what you thought about anti-sandboxing mechanisms. At some point, the code needs to run for real, or it never needed to run at all.

Just curious… I am certain you have some amazing insights.
 

imuade

Level 12
Thread author
Verified
Top Poster
Well-known
Jul 29, 2018
566
@cruelsister

Great to see you! I wanted to get your thoughts on a couple of things, purely out of curiosity and also for a potentially interesting discussion on friendly terms (I am not dissing Comodo at all, it is an amazing product).

To me, global whitelists are nothing more than a repository for pre-analyzed files. Our WhitelistCloud is extremely accurate, but it is certainly not perfect, and it would be difficult to imagine any global whitelist with an efficacy of > 99.9% or so. To me, the only item that should be allowed is what is on the tiny, customized whitelist snapshot of the processes that were previously running. I mean, if you want to be super safe.

I was also curious what you thought about anti-sandboxing mechanisms. At some point, the code needs to run for real, or it never needed to run at all.

Just curious… I am certain you have some amazing insights.
Hi Dan,
Thanks for your questions, I'm also looking forward to reading cruelsister's answers, but I'd like to write my notes too, if you don't mind :)

Whitelist
Many Comodo users complained about the length of their whitelist, even because actually there are two whitelists, one local and one on cloud.
Now the user can modify the local whitelist and can choose to either check or not the cloud one.
Having a huge whitelist can lead to false negatives (malware whitelisted by mistake) and that actually happened to Comodo. But a short whitelist will surely lead to many false positives (I experienced a lot of them when I tried VS), so it's not easy to find a balance.

Anti-sandbox
I'm not a fan of the sandbox approach, that's why I prefer to use Comodo containment as an anti-exe and block unknowns instead of virtualizing them

Have a nice day :)
 

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,632
Hi Dan,
Thanks for your questions, I'm also looking forward to reading cruelsister's answers, but I'd like to write my notes too, if you don't mind :)

Whitelist
Many Comodo users complained about the length of their whitelist, even because actually there are two whitelists, one local and one on cloud.
Now the user can modify the local whitelist and can choose to either check or not the cloud one.
Having a huge whitelist can lead to false negatives (malware whitelisted by mistake) and that actually happened to Comodo. But a short whitelist will surely lead to many false positives (I experienced a lot of them when I tried VS), so it's not easy to find a balance.

Anti-sandbox
I'm not a fan of the sandbox approach, that's why I prefer to use Comodo containment as an anti-exe and block unknowns instead of virtualizing them

Have a nice day :)
Hi imuade, yeah, that is one of the great things about Comodo... you can configure it pretty much however you want, and I would certainly opt for blocking unknows as well. That is the funny thing about whitelists, they need to be large enough to reduce false positives, and small enough to reduce false negatives ;).
 

Chri.Mi

Level 7
Well-known
Apr 30, 2020
337
Hi imuade, yeah, that is one of the great things about Comodo... you can configure it pretty much however you want, and I would certainly opt for blocking unknows as well. That is the funny thing about whitelists, they need to be large enough to reduce false positives, and small enough to reduce false negatives ;).
I am not a programmer or smth like that,
but is not possible to use process and parent process signer for reduce the database size?
 

show-Zi

Level 36
Verified
Top Poster
Well-known
Jan 28, 2018
2,463
About the comodo message.
The infected person gets rid of the virus by treatment. People who have had contact with infected people or who have a slight tendency to become infected are isolated and monitored.
I interpret it this way.

I like the idea of a whitelist, but I don't think that list is provided by anyone else. I think it is basic that each user makes it by trial and error.
 

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,632
I am not a programmer or smth like that,
but is not possible to use process and parent process signer for reduce the database size?
Yeah, I think a lot of whitelists (and AV's for that matter) rely heavily on signatures, which is for the most part safe, and can be made super safe if there are other checks in place as well.
 

AtlBo

Level 28
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
Think Melih is saying that other methods are inferior and leave the customer imprisoned with malware, while Comodo with its HIPS detects everything happening under the surface. In other words, even an infected system could be cured by installing Comodo, because all infection activity would be detected by HIPS.

So I guess Comodo is the vaccine in this scenario and in Melih's presentation. If the software were combined with good network and control monitoring software, I suppose this could be true of Comodo really. As it is it is good on machines on a one by one basis where the operator understands what is happening. Don't think Comodo has great network control software at this point (STILL :)).
 

fabiobr

Level 12
Verified
Top Poster
Well-known
Mar 28, 2019
561
Hi imuade, yeah, that is one of the great things about Comodo... you can configure it pretty much however you want, and I would certainly opt for blocking unknows as well. That is the funny thing about whitelists, they need to be large enough to reduce false positives, and small enough to reduce false negatives ;).
For full protection whitelisting is not enough.

As we saw here at MT and showed by Bitdefender researches, a good behavior blocker is needed to block suspicious behavior that a healthy process might be having.

Ransomware and financial malware are already using trusted Windows process to bypass AVs protections/whitelists.
 

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
Are there any new Comodo software products?
 

koloveli

Level 4
Well-known
Sep 13, 2012
191
comodo protect and prevent leak data...
1. detection antivirus, if fail...
2. auto containment prevent data collect (cyber criminous see dark screen and nothing password o user), but;
3. firewall block or ask connections for out...
4. the user can activat e hips and to stay still more safe...
 

klaken

Level 3
Verified
Well-known
Oct 11, 2014
112
I as someone who knows the immune system.
It seems ridiculous to me, a vaccine cannot be comfortable and in theory the closest thing to a vaccine is the cloud (all AVs have it).

Vaccine: - Enter an infection for the immune system to detect. Nube AV: detects an infected PC so that all PCs receive.

In universal terms it would be like this:
- Vaccine: Cloud (Receive instructions against unknown threats)
-HIP: Skin and others (first line of defense against external elements)
- Signatures: Lymphocytes and antibodies (detect known threats)
-Viruscop (similar): Macrophage. (remove and present threats)
-Sandbox: Intestines (it is not full of bacteria, I don't think there is something like it XD).
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top