It's so funny how people scream how antiviruses are dead and how signatures are useless. Reality is nowhere near that.
Take a look at avast!'s technology, since it nicely showcases it on their tech site:
Avast Technology
People still think signature detection is crude static pattern matching, where in reality (I can only speak for avast! because I know it in depth, but I know others use this as well) the so-called "signatures" are rarely a static thing these days. In most cases they are algorithm-based detections. And since everything is automatic on the backend, with data collection and feeding it back in the form of protection through the cloud feature, baddies are now limited to timeframes of 10-15 minutes before they get discovered and a cure is distributed to users protected by the given product. Sure, there is a bunch of stuff still floating around, but baddies are having a very hard time writing things and making them effective. They can't even test whether malware goes undetected, because if they don't use the cloud in AVs, they can't be sure if their brand new malware is already being detected from the get-go. And as soon as it touches the cloud backend, they will know, but then the race against time begins. The longer they wait, the less time they'll have to spread malware and profit from it.
Not to mention it's not just file scanning anymore. Protection stages, in the case of avast!, go like this (from top to bottom in order of entry):
- HTTP/HTTPS URL blocking of fast morphing web polymorphic threats (Web Shield)
- HTTP/HTTPS file scanning (Web Shield)
- File scanning (signature, algorithm, emulation and heuristics) (File System Shield)
- DeepScreen (local sandbox behavior analysis)
- CyberCapture (server side static and behavior analysis)
- Behavior Shield (local live host behavior analysis)
Pretty much all of these technologies are aided by the cloud backend, either in terms of a whitelist to eliminate false positives, in terms of helping individual modules make better decisions, or just by feeding detections straight from the cloud.
As for the "Default Deny" which Comodo likes to push so much, it's a load of BS if you don't have a spectacular whitelist. Which is also clearly presented by Comodo. Sure, the product throws everything unknown into the sandbox. Which in theory sounds awesome. In reality, 99% of stuff dropped into the sandbox doesn't function properly or ends up there because their whitelist is rubbish. And we all know users want to use stuff. They will just allow/unblock whatever it was that got "default denied" and you basically negate the whole purpose of it. I know how infuriating Comodo can be with its stupid "Default Deny" because of their less than great whitelist and how all the burden of decision falls on the user's shoulders. I could see the Default Deny approach used by Comodo working with avast!'s whitelist. Anyone who has ever used Hardened Mode (Aggressive) knows what I'm talking about. It's just that avast! doesn't use a sandbox. Either due to patents held by others or for some other reasons. But the core idea is the same, with a far better whitelist which allows nearly problem-free use of the system with nearly 100% perfect protection. I've been running my sister's computers in password-protected Hardened Mode in Aggressive mode. She never called me to unblock something. Granted, she isn't a heavy program downloader and user. Which also means she doesn't know much about computers. Which is exactly why Hardened Mode is perfect. It just works and it has phenomenal protection for casual users.